6 'require tools.widgets as widgets';
7 'require strongswan_algorithms';
9 function validateTimeFormat(section_id, value) {
10 if (value && !value.match(/^\d+[smhd]$/)) {
11 return _('Number must have suffix s, m, h or d');
17 function addAlgorithms(o, algorithms) {
18 algorithms.forEach(function (algorithm) {
19 if (strongswan_algorithms.isInsecure(algorithm)) {
20 o.value(algorithm, '%s*'.format(algorithm));
27 function sectionNameCheck(extra_class) {
28 var el = form.GridSection.prototype.renderSectionAdd.apply(this, arguments),
29 nameEl = el.querySelector('.cbi-section-create-name');
30 ui.addValidator(nameEl, 'uciname', true, function(v) {
32 ...uci.sections('ipsec', 'remote'),
33 ...uci.sections('ipsec', 'tunnel'),
34 ...uci.sections('ipsec', 'crypto_proposal'),
36 if (sections.find(function(s) {
37 return s['.name'] == v;
39 return _('Remotes, Encryption Proposals and Tunnels may not share the same names.') + ' ' +
40 _('Use combinations like tunnel1_phase1 that do not exceed 15 characters.');
42 if (v.length > 15) return _('Name length shall not exceed 15 characters');
50 return uci.load('network');
56 m = new form.Map('ipsec', _('strongSwan Configuration'),
57 _('Configure strongSwan for secure VPN connections.'));
60 // strongSwan General Settings
61 s = m.section(form.TypedSection, 'ipsec', _('General Settings'));
65 o = s.option(widgets.ZoneSelect, 'zone', _('Zone'),
66 _('Firewall zone that has to match the defined firewall zone'));
70 o = s.option(widgets.NetworkSelect, 'listen', _('Listening Interfaces'),
71 _('Interfaces that accept VPN traffic'));
72 o.datatype = 'interface';
73 o.placeholder = _('Select an interface or leave empty for all interfaces');
78 o = s.option(form.Value, 'debug', _('Debug Level'),
79 _('Trace level: 0 is least verbose, 4 is most'));
81 o.datatype = 'range(0,4)';
83 // Remote Configuration
84 s = m.section(form.GridSection, 'remote', _('Remote Configuration'),
85 _('Define Remote IKE Configurations.'));
87 s.nodescriptions = true;
88 s.renderSectionAdd = sectionNameCheck
90 o = s.tab('general', _('General'));
91 o = s.tab('authentication', _('Authentication'));
92 o = s.tab('advanced', _('Advanced'));
94 o = s.taboption('general', form.Flag, 'enabled', _('Enabled'),
95 _('Configuration is enabled or not'));
98 o = s.taboption('general', form.Value, 'gateway', _('Gateway (Remote Endpoint)'),
99 _('IP address or FQDN name of the tunnel remote endpoint'));
100 o.datatype = 'or(hostname,ipaddr)';
103 o = s.taboption('general', form.Value, 'local_gateway', _('Local Gateway'),
104 _('IP address or FQDN of the tunnel local endpoint'));
105 o.datatype = 'or(hostname,ipaddr)';
108 o = s.taboption('general', form.Value, 'local_sourceip', _('Local Source IP'),
109 _('Virtual IP(s) to request in IKEv2 configuration payloads requests'));
110 o.datatype = 'ipaddr';
113 o = s.taboption('general', form.Value, 'local_ip', _('Local IP'),
114 _('Local address(es) to use in IKE negotiation'));
115 o.datatype = 'ipaddr';
118 o = s.taboption('general', form.MultiValue, 'crypto_proposal', _('Crypto Proposal'),
119 _('List of IKE (phase 1) proposals to use for authentication'));
120 o.load = function (section_id) {
124 var sections = uci.sections('ipsec', 'crypto_proposal');
125 if (sections.length == 0) {
126 this.value('', _('Please create a Proposal first'));
128 sections.forEach(L.bind(function (section) {
129 if (section.is_esp != '1') {
130 this.value(section['.name']);
135 return this.super('load', [section_id]);
139 o = s.taboption('general', form.MultiValue, 'tunnel', _('Tunnel'),
140 _('The Tunnel containing the ESP (phase 2) section'));
141 o.load = function (section_id) {
145 var sections = uci.sections('ipsec', 'tunnel');
146 if (sections.length == 0) {
147 this.value('', _('Please create a Tunnel first'));
149 sections.forEach(L.bind(function (section) {
150 this.value(section['.name']);
154 return this.super('load', [section_id]);
158 o = s.taboption('authentication', form.ListValue, 'authentication_method',
159 _('Authentication Method'), _('IKE authentication (phase 1)'));
161 o.value('psk', 'Pre-shared Key');
162 o.value('pubkey', 'Public Key');
164 o = s.taboption('authentication', form.Value, 'local_identifier', _('Local Identifier'),
165 _('Local identifier for IKE (phase 1)'));
166 o.datatype = 'string';
167 o.placeholder = 'C=US, O=Acme Corporation, CN=headquarters';
170 o = s.taboption('authentication', form.Value, 'remote_identifier', _('Remote Identifier'),
171 _('Remote identifier for IKE (phase 1)'));
172 o.datatype = 'string';
173 o.placeholder = 'C=US, O=Acme Corporation, CN=soho';
176 o = s.taboption('authentication', form.Value, 'pre_shared_key', _('Pre-Shared Key'),
177 _('The pre-shared key for the tunnel'));
178 o.datatype = 'string';
182 o.depends('authentication_method', 'psk');
184 o = s.taboption('authentication', form.Value, 'local_cert', _('Local Certificate'),
185 _('Certificate pathname to use for authentication'));
187 o.depends('authentication_method', 'pubkey');
190 o = s.taboption('authentication', form.Value, 'local_key', _('Local Key'),
191 _('Private key pathname to use with above certificate'));
195 o = s.taboption('authentication', form.Value, 'ca_cert', _('CA Certificate'),
196 _("CA certificate that need to lie in remote peer's certificate's path of trust"));
198 o.depends('authentication_method', 'pubkey');
202 o = s.taboption('advanced', form.Flag, 'mobike', _('MOBIKE'),
203 _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)'));
207 o = s.taboption('advanced', form.ListValue, 'fragmentation', _('IKE Fragmentation'),
208 _('Use IKE fragmentation'));
216 o = s.taboption('advanced', form.Value, 'keyingtries', _('Keying Retries'),
217 _('Number of retransmissions attempts during initial negotiation'));
218 o.datatype = 'uinteger';
222 o = s.taboption('advanced', form.Value, 'dpddelay', _('DPD Delay'),
223 _('Interval to check liveness of a peer'));
224 o.validate = validateTimeFormat;
228 o = s.taboption('advanced', form.Value, 'inactivity', _('Inactivity'),
229 _('Interval before closing an inactive CHILD_SA'));
230 o.validate = validateTimeFormat;
233 o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'),
234 _('IKEv2 interval to refresh keying material; also used to compute lifetime'));
235 o.validate = validateTimeFormat;
238 o = s.taboption('advanced', form.Value, 'overtime', _('Overtime'),
239 _('Limit on time to complete rekeying/reauthentication'));
240 o.validate = validateTimeFormat;
243 o = s.taboption('advanced', form.ListValue, 'keyexchange', _('Keyexchange'),
244 _('Version of IKE for negotiation'));
245 o.value('ikev1', 'IKEv1 (%s)', _('deprecated'));
246 o.value('ikev2', 'IKEv2');
247 o.value('ike', 'IKE (%s, %s)'.format(_('both'), _('deprecated')));
251 // Tunnel Configuration
252 s = m.section(form.GridSection, 'tunnel', _('Tunnel Configuration'),
253 _('Define Connection Children to be used as Tunnels in Remote Configurations.'));
255 s.nodescriptions = true;
256 s.renderSectionAdd = sectionNameCheck;
258 o = s.tab('general', _('General'));
259 o = s.tab('advanced', _('Advanced'));
261 o = s.taboption('general', form.DynamicList, 'local_subnet', _('Local Subnet'),
262 _('Local network(s)'));
263 o.datatype = 'subnet';
264 o.placeholder = '192.168.1.1/24';
267 o = s.taboption('general', form.DynamicList, 'remote_subnet', _('Remote Subnet'),
268 _('Remote network(s)'));
269 o.datatype = 'subnet';
270 o.placeholder = '192.168.2.1/24';
273 o = s.taboption('general', form.Value, 'local_nat', _('Local NAT'),
274 _('NAT range for tunnels with overlapping IP addresses'));
275 o.datatype = 'subnet';
278 o = s.taboption('general', form.ListValue, 'if_id', ('XFRM Interface ID'),
279 _('XFRM interface ID set on input and output interfaces'));
280 o.load = function (section_id) {
284 var xfrmSections = uci.sections('network').filter(function (section) {
285 return section.proto == 'xfrm';
288 xfrmSections.forEach(L.bind(function (section) {
289 this.value(section.ifid,
290 '%s (%s)'.format(section.ifid, section['.name']));
293 return this.super('load', [section_id]);
298 o = s.taboption('general', form.ListValue, 'startaction', _('Start Action'),
299 _('Action on initial configuration load'));
306 o = s.taboption('general', form.ListValue, 'closeaction', _('Close Action'),
307 _('Action when CHILD_SA is closed'));
314 o = s.taboption('general', form.MultiValue, 'crypto_proposal',
315 _('Crypto Proposal (Phase 2)'),
316 _('List of ESP (phase two) proposals. Only Proposals with checked ESP flag are selectable'));
317 o.load = function (section_id) {
321 var sections = uci.sections('ipsec', 'crypto_proposal');
322 if (sections.length == 0) {
323 this.value('', _('Please create an ESP Proposal first'));
325 sections.forEach(L.bind(function (section) {
326 if (section.is_esp == '1') {
327 this.value(section['.name']);
332 return this.super('load', [section_id]);
336 o = s.taboption('advanced', form.Value, 'updown', _('Up/Down Script Path'),
337 _('Path to script to run on CHILD_SA up/down events'));
341 o = s.taboption('advanced', form.Value, 'lifetime', _('Lifetime'),
342 _('Maximum duration of the CHILD_SA before closing'));
343 o.validate = validateTimeFormat;
346 o = s.taboption('advanced', form.ListValue, 'dpdaction', _('DPD Action'),
347 _('Action when DPD timeout occurs'));
355 o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'),
356 _('Duration of the CHILD_SA before rekeying'));
357 o.validate = validateTimeFormat;
360 o = s.taboption('advanced', form.Flag, 'ipcomp', _('IPComp'),
361 _('Enable ipcomp compression'));
365 o = s.taboption('advanced', form.ListValue, 'hw_offload', _('H/W Offload'),
366 _('Enable Hardware offload'));
373 o = s.taboption('advanced', form.Value, 'priority', _('Priority'),
374 _('Priority of the CHILD_SA'));
375 o.datatype = 'uinteger';
378 o = s.taboption('advanced', form.Value, 'replay_window', _('Replay Window'),
379 '%s; %s'.format(_('Replay Window of the CHILD_SA'),
380 _('Values larger than 32 are supported by the Netlink backend only')));
381 o.datatype = 'uinteger';
385 s = m.section(form.GridSection, 'crypto_proposal',
386 _('Encryption Proposals'),
387 _('Configure Cipher Suites to define IKE (Phase 1) or ESP (Phase 2) Proposals.'));
389 s.nodescriptions = true;
390 s.renderSectionAdd = sectionNameCheck;
392 o = s.option(form.Flag, 'is_esp', _('ESP Proposal'),
393 _('Whether this is an ESP (phase 2) proposal or not'));
395 o = s.option(form.ListValue, 'encryption_algorithm',
396 _('Encryption Algorithm'),
397 _('Algorithms marked with * are considered insecure'));
398 o.default = 'aes256gcm128';
399 addAlgorithms(o, strongswan_algorithms.getEncryptionAlgorithms());
400 addAlgorithms(o, strongswan_algorithms.getAuthenticatedEncryptionAlgorithms());
403 o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'),
404 _('Algorithms marked with * are considered insecure'));
405 strongswan_algorithms.getEncryptionAlgorithms().forEach(function (algorithm) {
406 o.depends('encryption_algorithm', algorithm);
408 o.default = 'sha512';
410 addAlgorithms(o, strongswan_algorithms.getHashAlgorithms());
412 o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'),
413 _('Algorithms marked with * are considered insecure'));
414 o.default = 'modp3072';
415 addAlgorithms(o, strongswan_algorithms.getDiffieHellmanAlgorithms());
417 o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'),
418 _('Algorithms marked with * are considered insecure'));
419 o.validate = function (section_id, value) {
420 var encryptionAlgorithm = this.section.formvalue(section_id, 'encryption_algorithm');
422 if (strongswan_algorithms.getAuthenticatedEncryptionAlgorithms().includes(
423 encryptionAlgorithm) && !value) {
424 return _('PRF Algorithm must be configured when using an Authenticated Encryption Algorithm');
430 o.depends('is_esp', '0');
431 addAlgorithms(o, strongswan_algorithms.getPrfAlgorithms());
git.99rst.org / openwrt-luci.git / blob