From 6c0f603f027b1ba615c7c8cb851625f50e25ef22 Mon Sep 17 00:00:00 2001 From: Nicholas Smith Date: Tue, 5 Sep 2023 20:03:18 +1000 Subject: [PATCH 1/8] luci-app-strongswan-ipsec: add package Signed-off-by: Nicholas Smith --- .../luci-app-strongswan-ipsec/Makefile | 15 ++ .../luci-static/resources/view/ipsec.js | 168 ++++++++++++++++++ .../root/etc/config/ipsec | 46 +++++ .../menu.d/luci-app-strongswan-ipsec.json | 15 ++ .../rpcd/acl.d/luci-app-strongswan-ipsec.json | 11 ++ 5 files changed, 255 insertions(+) create mode 100644 applications/luci-app-strongswan-ipsec/Makefile create mode 100644 applications/luci-app-strongswan-ipsec/htdocs/luci-static/resources/view/ipsec.js create mode 100644 applications/luci-app-strongswan-ipsec/root/etc/config/ipsec create mode 100644 applications/luci-app-strongswan-ipsec/root/usr/share/luci/menu.d/luci-app-strongswan-ipsec.json create mode 100644 applications/luci-app-strongswan-ipsec/root/usr/share/rpcd/acl.d/luci-app-strongswan-ipsec.json diff --git a/applications/luci-app-strongswan-ipsec/Makefile b/applications/luci-app-strongswan-ipsec/Makefile new file mode 100644 index 0000000000..5dbbe2124f --- /dev/null +++ b/applications/luci-app-strongswan-ipsec/Makefile @@ -0,0 +1,15 @@ +# Copyright 2021 Nicholas Smith (nicholas@nbembedded.com) +# This is free software, licensed under the GNU General Public License v2. + +include $(TOPDIR)/rules.mk + +PKG_LICENSE:=GPL-2.0-or-later +PKG_MAINTAINER:=Nicholas Smith + +LUCI_TITLE:=LuCI support for IPSec via Strongswan +LUCI_DESCRIPTION:=Allows configuration of Strongswan IPSec settings +LUCI_DEPENDS:=+strongswan-ipsec + +include ../../luci.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/applications/luci-app-strongswan-ipsec/htdocs/luci-static/resources/view/ipsec.js b/applications/luci-app-strongswan-ipsec/htdocs/luci-static/resources/view/ipsec.js new file mode 100644 index 0000000000..53acf71e8e --- /dev/null +++ b/applications/luci-app-strongswan-ipsec/htdocs/luci-static/resources/view/ipsec.js @@ -0,0 +1,168 @@ +'use strict'; +'require view'; +'require form'; +'require tools.widgets as widgets'; + +return view.extend({ + render: function() { + var m, s, o; + + m = new form.Map('ipsec', + _('IPsec Configuration'), + _("Configure IPsec for secure VPN connections.")); + + // IPsec General Settings + s = m.section(form.TypedSection, 'ipsec', _('IPsec General Settings')); + s.anonymous = true; + + o = s.option(widgets.ZoneSelect, 'zone', _('Zone'), _('Firewall zone that has to match the defined firewall zone')); + o.default = 'lan'; + o.multiple = true; + + o = s.option(widgets.NetworkSelect, 'listen', _('Listen Interfaces'), _('Interfaces that accept VPN traffic')); + o.datatype = 'interface'; + o.placeholder = _('Select an interface or leave empty for all interfaces'); + o.default = 'wan'; + o.multiple = true; + + o = s.option(form.Value, 'debug', _('Debug Level'), _('Logs written to /var/log/charon.log')); + o.default = '0'; + o.datatype = "uinteger"; + + // Remote Configuration + s = m.section(form.TypedSection, 'remote', _('Remote Configuration')); + s.anonymous = false; + + o = s.option(form.Flag, 'enabled', _('Enabled'), _('Configuration is enabled or not')); + + o = s.option(form.Value, 'gateway', _('Gateway (Remote Endpoint)'), _('Public IP address or FQDN name of the tunnel remote endpoint')); + o.datatype = 'or(hostname,ipaddr)'; + + o = s.option(form.Value, 'local_gateway', _('Local Gateway'), _('IP address or FQDN of the tunnel local endpoint')); + o.datatype = 'or(hostname,ipaddr)'; + + o = s.option(form.Value, 'local_sourceip', _('Local Source IP'), _('Virtual IP(s) to request in IKEv2 configuration payloads requests')); + o.datatype = 'ipaddr'; + + o = s.option(form.Value, 'local_ip', _('Local IP'), _('Local address(es) to use in IKE negotiation')); + o.datatype = 'ipaddr'; + + o = s.option(form.Value, 'local_identifier', _('Local Identifier'), _('Local identifier for IKE (phase 1)')); + o.datatype = 'string'; + o.placeholder = "C=US, O=Acme Corporation, CN=headquarters" + + o = s.option(form.Value, 'remote_identifier', _('Remote Identifier'), _('Remote identifier for IKE (phase 1)')); + o.datatype = 'string'; + o.placeholder = "C=US, O=Acme Corporation, CN=soho" + + o = s.option(form.ListValue, 'authentication_method', _('Authentication Method'), _('IKE authentication (phase 1).')); + o.value('psk', "Pre-shared Key"); + o.value('pubkey', "Public Key"); + o.required = true; + + o = s.option(form.Value, 'pre_shared_key', _('Pre-Shared Key'), _('The pre-shared key for the tunnel if authentication is psk')); + o.datatype = 'string'; + o.password = true; + o.depends('authentication_method', 'psk'); + + o = s.option(form.Flag, 'mobike', _('MOBIKE'), _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)')); + o.default = '1'; + + o = s.option(form.ListValue, 'fragmentation', _('IKE Fragmentation'), _('Use IKE fragmentation (yes, no, force, accept)')); + o.value('yes'); + o.value('no'); + o.value('force'); + o.value('accept') + o.default = 'yes'; + + o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal'), _('List of IKE (phase 1) proposals to use for authentication')); + o.value('encryption_algorithm'); + o.value('hash_algorithm'); + o.value('dh_group'); + o.value('prf_algorithm'); + + o = s.option(form.Value, 'tunnel', _('Tunnel'), _('Name of ESP/AH (phase 2) section')); + o.required = true + + o = s.option(form.Value, 'authentication_method', _('Authentication Method'), _('IKE authentication (phase 1)')); + o.datatype = 'string'; + + s = m.section(form.TypedSection, 'ipsec', _('IPsec General Settings')); + s.anonymous = true; + + o = s.option(form.ListValue, 'encryption_algorithm', _('Encryption Algorithm'), _('Encryption method (aes128, aes192, aes256, 3des)')); + o.value('aes128'); + o.value('aes192'); + o.value('aes256'); + o.value('3des'); + o.required = true + + o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'), _('Hash algorithm (md5, sha1, sha2, ...)')); + o.value('md5'); + o.value('sha1'); + o.value('sha2'); + o.value('sha256'); + o.value('sha384'); + o.value('sha512'); + o.value('sha3_256'); + o.value('sha3_384'); + o.value('sha3_512'); + o.value('blake2s256'); + o.value('blake2b512'); + o.value('blake2s256'); + o.value('blake2b512'); + o.value('whirlpool'); + o.value('tiger'); + o.required = true + + o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'), _('Diffie-Hellman exponentiation (modp768, modp1024, ...)')); + o.value('modp768'); + o.value('modp1024'); + o.value('modp1536'); + o.value('modp2048'); + o.value('modp3072'); + o.value('modp4096'); + o.required = true + + o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'), _('Pseudo-Random Functions to use with IKE')); + o.value('prf_hmac_md5'); + o.value('prfmd5') + o.value('prfsha1') + o.value('prfsha256') + o.value('pfsha384') + o.value('prfsha512') + + // Tunnel Configuration + s = m.section(form.TypedSection, 'tunnel', _('Tunnel Configuration')); + s.anonymous = false; + + o = s.option(form.Value, 'local_subnet', _('Local Subnet'), _('Local network(s)')); + o.placeholder = "192.168.1.1/24" + o.required = true + + o = s.option(form.Value, 'remote_subnet', _('Remote Subnet'), _('Remote network(s)')); + o.placeholder = "192.168.2.1/24" + o.required = true + + o = s.option(form.Value, 'local_nat', _('Local NAT'), _('NAT range for tunnels with overlapping IP addresses')); + o.datatype = 'subnet'; + + o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal (Phase 2)'), _('List of ESP (phase two) proposals')); + o.value('encryption_algorithm'); + o.value('hash_algorithm'); + o.value('dh_group'); + o.value('prf_algorithm'); + o.required = true + + o = s.option(form.ListValue, 'startaction', _('Start Action'), _('Action on initial configuration load')); + o.value('none'); + o.value('start'); + o.value('route'); + o.default = 'route'; + + o = s.option(form.Value, 'updown', _('Up/Down Script Path'), _('Path to script to run on CHILD_SA up/down events')); + o.datatype = 'filepath'; + + return m.render(); + } +}); diff --git a/applications/luci-app-strongswan-ipsec/root/etc/config/ipsec b/applications/luci-app-strongswan-ipsec/root/etc/config/ipsec new file mode 100644 index 0000000000..20ef4dd84d --- /dev/null +++ b/applications/luci-app-strongswan-ipsec/root/etc/config/ipsec @@ -0,0 +1,46 @@ +config 'ipsec' + # useful so traffic isn't sourced from internal addresses, + # which would then requiring NATting and port 4500, etc. + list 'interface' 'wan' + option 'zone' 'lan' + +config 'remote' 'acme' + option 'enabled' '0' + # address of wan device + option 'local_ip' '6.6.6.6' + # peer has routable DHCP'd address which changes + option 'gateway' 'acme.example.com' + option 'authentication_method' 'psk' + option 'local_identifier' 'C=US, O=Acme Corporation, CN=headquarters' + option 'remote_identifier' 'C=US, O=Acme Corporation, CN=soho' + option 'local_cert' 'headquarters.crt' + option 'local_key' 'headquarters.key' + option 'ca_cert' 'acme.crt' + option 'rekeytime' '4h' + option 'keyingretries' '0' + option 'mobike' '0' + option 'fragmentation' '1' + list 'crypto_proposal' 'ike_proposal' + list 'tunnel' 'tun_soho' + +config 'crypto_proposal' 'ike_proposal' + option 'encryption_algorithm' 'aes256gcm' + # no hash_algorithm allowed with AEAD + option 'dh_group' 'modp3072' + option prf_algorithm 'prfsha512' + +# we don't specify subnets because we're going to use XFRM-interfaced based routes instead +config 'tunnel' 'tun_soho' + list 'local_subnet' '0.0.0.0/0' + list 'remote_subnet' '0.0.0.0/0' + option 'if_id' '357' + option 'rekeytime' '1h' + # other end is behind NAT or we'd use 'route' to initiate + option 'startaction' 'none' + option 'closeaction' 'none' + list 'crypto_proposal' 'esp_proposal' + +config 'crypto_proposal' 'esp_proposal' + option 'encryption_algorithm' 'aes256gcm' + # no hash_algorithm with allowed with AEAD + option 'dh_group' 'modp3072' \ No newline at end of file diff --git a/applications/luci-app-strongswan-ipsec/root/usr/share/luci/menu.d/luci-app-strongswan-ipsec.json b/applications/luci-app-strongswan-ipsec/root/usr/share/luci/menu.d/luci-app-strongswan-ipsec.json new file mode 100644 index 0000000000..8fc3e9c8c2 --- /dev/null +++ b/applications/luci-app-strongswan-ipsec/root/usr/share/luci/menu.d/luci-app-strongswan-ipsec.json @@ -0,0 +1,15 @@ +{ + "admin/vpn/strongswan-ipsec": { + "title": "Strongswan IPSec", + "order": 90, + "action": { + "type": "view", + "path": "strongswan-ipsec" + }, + "depends": { + "acl": [ + "luci-app-strongswan-ipsec" + ] + } + } +} diff --git a/applications/luci-app-strongswan-ipsec/root/usr/share/rpcd/acl.d/luci-app-strongswan-ipsec.json b/applications/luci-app-strongswan-ipsec/root/usr/share/rpcd/acl.d/luci-app-strongswan-ipsec.json new file mode 100644 index 0000000000..3b940b8281 --- /dev/null +++ b/applications/luci-app-strongswan-ipsec/root/usr/share/rpcd/acl.d/luci-app-strongswan-ipsec.json @@ -0,0 +1,11 @@ +{ + "luci-app-strongswan-ipsec": { + "description": "Grant access to luci-app-strongswan-ipsec", + "read": { + "uci": [ "ipsec" ] + }, + "write": { + "uci": [ "ipsec" ] + } + } +} From b783e4c88cb63508a9d9a869b7ed967edb9f07ed Mon Sep 17 00:00:00 2001 From: Lukas Voegl Date: Fri, 3 Nov 2023 14:52:19 +0100 Subject: [PATCH 2/8] luci-app-ipsec: rename to luci-app-strongswan-swanctl Signed-off-by: Lukas Voegl --- applications/luci-app-strongswan-ipsec/Makefile | 15 --------------- .../luci/menu.d/luci-app-strongswan-ipsec.json | 15 --------------- .../rpcd/acl.d/luci-app-strongswan-ipsec.json | 11 ----------- .../luci-app-strongswan-swanctl/Makefile | 17 +++++++++++++++++ .../view/strongswan-swanctl/swanctl.js} | 10 +++++----- .../root/etc/config/ipsec | 0 .../menu.d/luci-app-strongswan-swanctl.json | 15 +++++++++++++++ .../rpcd/acl.d/luci-app-strongswan-swanctl.json | 11 +++++++++++ 8 files changed, 48 insertions(+), 46 deletions(-) delete mode 100644 applications/luci-app-strongswan-ipsec/Makefile delete mode 100644 applications/luci-app-strongswan-ipsec/root/usr/share/luci/menu.d/luci-app-strongswan-ipsec.json delete mode 100644 applications/luci-app-strongswan-ipsec/root/usr/share/rpcd/acl.d/luci-app-strongswan-ipsec.json create mode 100644 applications/luci-app-strongswan-swanctl/Makefile rename applications/{luci-app-strongswan-ipsec/htdocs/luci-static/resources/view/ipsec.js => luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js} (95%) rename applications/{luci-app-strongswan-ipsec => luci-app-strongswan-swanctl}/root/etc/config/ipsec (100%) create mode 100644 applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json create mode 100644 applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json diff --git a/applications/luci-app-strongswan-ipsec/Makefile b/applications/luci-app-strongswan-ipsec/Makefile deleted file mode 100644 index 5dbbe2124f..0000000000 --- a/applications/luci-app-strongswan-ipsec/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2021 Nicholas Smith (nicholas@nbembedded.com) -# This is free software, licensed under the GNU General Public License v2. - -include $(TOPDIR)/rules.mk - -PKG_LICENSE:=GPL-2.0-or-later -PKG_MAINTAINER:=Nicholas Smith - -LUCI_TITLE:=LuCI support for IPSec via Strongswan -LUCI_DESCRIPTION:=Allows configuration of Strongswan IPSec settings -LUCI_DEPENDS:=+strongswan-ipsec - -include ../../luci.mk - -# call BuildPackage - OpenWrt buildroot signature diff --git a/applications/luci-app-strongswan-ipsec/root/usr/share/luci/menu.d/luci-app-strongswan-ipsec.json b/applications/luci-app-strongswan-ipsec/root/usr/share/luci/menu.d/luci-app-strongswan-ipsec.json deleted file mode 100644 index 8fc3e9c8c2..0000000000 --- a/applications/luci-app-strongswan-ipsec/root/usr/share/luci/menu.d/luci-app-strongswan-ipsec.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "admin/vpn/strongswan-ipsec": { - "title": "Strongswan IPSec", - "order": 90, - "action": { - "type": "view", - "path": "strongswan-ipsec" - }, - "depends": { - "acl": [ - "luci-app-strongswan-ipsec" - ] - } - } -} diff --git a/applications/luci-app-strongswan-ipsec/root/usr/share/rpcd/acl.d/luci-app-strongswan-ipsec.json b/applications/luci-app-strongswan-ipsec/root/usr/share/rpcd/acl.d/luci-app-strongswan-ipsec.json deleted file mode 100644 index 3b940b8281..0000000000 --- a/applications/luci-app-strongswan-ipsec/root/usr/share/rpcd/acl.d/luci-app-strongswan-ipsec.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "luci-app-strongswan-ipsec": { - "description": "Grant access to luci-app-strongswan-ipsec", - "read": { - "uci": [ "ipsec" ] - }, - "write": { - "uci": [ "ipsec" ] - } - } -} diff --git a/applications/luci-app-strongswan-swanctl/Makefile b/applications/luci-app-strongswan-swanctl/Makefile new file mode 100644 index 0000000000..0e847c7bf5 --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/Makefile @@ -0,0 +1,17 @@ +# Copyright 2021 Nicholas Smith (nicholas@nbembedded.com) +# Copyright (C) 2023 TDT AG +# +# This is free software, licensed under the GNU General Public License v2. + +include $(TOPDIR)/rules.mk + +PKG_LICENSE:=GPL-2.0-or-later +PKG_MAINTAINER:=Nicholas Smith , Lukas Voegl + +LUCI_TITLE:=LuCI support for strongSwan via swanctl +LUCI_DESCRIPTION:=Configuration for strongSwan based on swanctl +LUCI_DEPENDS:=+strongswan-swanctl + +include ../../luci.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/applications/luci-app-strongswan-ipsec/htdocs/luci-static/resources/view/ipsec.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js similarity index 95% rename from applications/luci-app-strongswan-ipsec/htdocs/luci-static/resources/view/ipsec.js rename to applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js index 53acf71e8e..d2e7103afa 100644 --- a/applications/luci-app-strongswan-ipsec/htdocs/luci-static/resources/view/ipsec.js +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js @@ -8,11 +8,11 @@ return view.extend({ var m, s, o; m = new form.Map('ipsec', - _('IPsec Configuration'), - _("Configure IPsec for secure VPN connections.")); + _('strongSwan Configuration'), + _("Configure strongSwan for secure VPN connections.")); - // IPsec General Settings - s = m.section(form.TypedSection, 'ipsec', _('IPsec General Settings')); + // strongSwan General Settings + s = m.section(form.TypedSection, 'ipsec', _('strongSwan General Settings')); s.anonymous = true; o = s.option(widgets.ZoneSelect, 'zone', _('Zone'), _('Firewall zone that has to match the defined firewall zone')); @@ -87,7 +87,7 @@ return view.extend({ o = s.option(form.Value, 'authentication_method', _('Authentication Method'), _('IKE authentication (phase 1)')); o.datatype = 'string'; - s = m.section(form.TypedSection, 'ipsec', _('IPsec General Settings')); + s = m.section(form.TypedSection, 'ipsec', _('strongSwan General Settings')); s.anonymous = true; o = s.option(form.ListValue, 'encryption_algorithm', _('Encryption Algorithm'), _('Encryption method (aes128, aes192, aes256, 3des)')); diff --git a/applications/luci-app-strongswan-ipsec/root/etc/config/ipsec b/applications/luci-app-strongswan-swanctl/root/etc/config/ipsec similarity index 100% rename from applications/luci-app-strongswan-ipsec/root/etc/config/ipsec rename to applications/luci-app-strongswan-swanctl/root/etc/config/ipsec diff --git a/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json b/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json new file mode 100644 index 0000000000..2f0c5c5d1f --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json @@ -0,0 +1,15 @@ +{ + "admin/vpn/strongswan-swanctl": { + "title": "strongSwan IPsec", + "order": 90, + "action": { + "type": "view", + "path": "strongswan-swanctl/swanctl" + }, + "depends": { + "acl": [ + "luci-app-strongswan-swanctl" + ] + } + } +} diff --git a/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json b/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json new file mode 100644 index 0000000000..4f022c9463 --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json @@ -0,0 +1,11 @@ +{ + "luci-app-strongswan-swanctl": { + "description": "Grant access to luci-app-strongswan-swanctl", + "read": { + "uci": [ "ipsec" ] + }, + "write": { + "uci": [ "ipsec" ] + } + } +} From 108cd004b609cab9c08ab6f63a3cd43414a99bf6 Mon Sep 17 00:00:00 2001 From: Lukas Voegl Date: Wed, 8 Nov 2023 16:39:34 +0100 Subject: [PATCH 3/8] luci-app-strongswan-swanctl: remove ipsec config Signed-off-by: Lukas Voegl --- .../root/etc/config/ipsec | 46 ------------------- 1 file changed, 46 deletions(-) delete mode 100644 applications/luci-app-strongswan-swanctl/root/etc/config/ipsec diff --git a/applications/luci-app-strongswan-swanctl/root/etc/config/ipsec b/applications/luci-app-strongswan-swanctl/root/etc/config/ipsec deleted file mode 100644 index 20ef4dd84d..0000000000 --- a/applications/luci-app-strongswan-swanctl/root/etc/config/ipsec +++ /dev/null @@ -1,46 +0,0 @@ -config 'ipsec' - # useful so traffic isn't sourced from internal addresses, - # which would then requiring NATting and port 4500, etc. - list 'interface' 'wan' - option 'zone' 'lan' - -config 'remote' 'acme' - option 'enabled' '0' - # address of wan device - option 'local_ip' '6.6.6.6' - # peer has routable DHCP'd address which changes - option 'gateway' 'acme.example.com' - option 'authentication_method' 'psk' - option 'local_identifier' 'C=US, O=Acme Corporation, CN=headquarters' - option 'remote_identifier' 'C=US, O=Acme Corporation, CN=soho' - option 'local_cert' 'headquarters.crt' - option 'local_key' 'headquarters.key' - option 'ca_cert' 'acme.crt' - option 'rekeytime' '4h' - option 'keyingretries' '0' - option 'mobike' '0' - option 'fragmentation' '1' - list 'crypto_proposal' 'ike_proposal' - list 'tunnel' 'tun_soho' - -config 'crypto_proposal' 'ike_proposal' - option 'encryption_algorithm' 'aes256gcm' - # no hash_algorithm allowed with AEAD - option 'dh_group' 'modp3072' - option prf_algorithm 'prfsha512' - -# we don't specify subnets because we're going to use XFRM-interfaced based routes instead -config 'tunnel' 'tun_soho' - list 'local_subnet' '0.0.0.0/0' - list 'remote_subnet' '0.0.0.0/0' - option 'if_id' '357' - option 'rekeytime' '1h' - # other end is behind NAT or we'd use 'route' to initiate - option 'startaction' 'none' - option 'closeaction' 'none' - list 'crypto_proposal' 'esp_proposal' - -config 'crypto_proposal' 'esp_proposal' - option 'encryption_algorithm' 'aes256gcm' - # no hash_algorithm with allowed with AEAD - option 'dh_group' 'modp3072' \ No newline at end of file From 366f3fc1759dc5b82c0d4a4df2da304ecde12294 Mon Sep 17 00:00:00 2001 From: Lukas Voegl Date: Fri, 3 Nov 2023 15:00:25 +0100 Subject: [PATCH 4/8] luci-app-strongswan-swanctl: reformat Signed-off-by: Lukas Voegl --- .../view/strongswan-swanctl/swanctl.js | 284 ++++++++++-------- 1 file changed, 156 insertions(+), 128 deletions(-) diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js index d2e7103afa..659461bbc6 100644 --- a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js @@ -4,165 +4,193 @@ 'require tools.widgets as widgets'; return view.extend({ - render: function() { - var m, s, o; + render: function () { + var m, s, o; - m = new form.Map('ipsec', - _('strongSwan Configuration'), - _("Configure strongSwan for secure VPN connections.")); + m = new form.Map('ipsec', _('strongSwan Configuration'), + _('Configure strongSwan for secure VPN connections.')); - // strongSwan General Settings - s = m.section(form.TypedSection, 'ipsec', _('strongSwan General Settings')); - s.anonymous = true; + // strongSwan General Settings + s = m.section(form.TypedSection, 'ipsec', + _('strongSwan General Settings')); + s.anonymous = true; - o = s.option(widgets.ZoneSelect, 'zone', _('Zone'), _('Firewall zone that has to match the defined firewall zone')); - o.default = 'lan'; - o.multiple = true; + o = s.option(widgets.ZoneSelect, 'zone', _('Zone'), + _('Firewall zone that has to match the defined firewall zone')); + o.default = 'lan'; + o.multiple = true; - o = s.option(widgets.NetworkSelect, 'listen', _('Listen Interfaces'), _('Interfaces that accept VPN traffic')); - o.datatype = 'interface'; - o.placeholder = _('Select an interface or leave empty for all interfaces'); - o.default = 'wan'; - o.multiple = true; + o = s.option(widgets.NetworkSelect, 'listen', _('Listen Interfaces'), + _('Interfaces that accept VPN traffic')); + o.datatype = 'interface'; + o.placeholder = _('Select an interface or leave empty for all interfaces'); + o.default = 'wan'; + o.multiple = true; - o = s.option(form.Value, 'debug', _('Debug Level'), _('Logs written to /var/log/charon.log')); - o.default = '0'; - o.datatype = "uinteger"; + o = s.option(form.Value, 'debug', _('Debug Level'), + _('Logs written to /var/log/charon.log')); + o.default = '0'; + o.datatype = 'uinteger'; - // Remote Configuration - s = m.section(form.TypedSection, 'remote', _('Remote Configuration')); - s.anonymous = false; + // Remote Configuration + s = m.section(form.TypedSection, 'remote', _('Remote Configuration')); + s.anonymous = false; - o = s.option(form.Flag, 'enabled', _('Enabled'), _('Configuration is enabled or not')); + o = s.option(form.Flag, 'enabled', _('Enabled'), + _('Configuration is enabled or not')); - o = s.option(form.Value, 'gateway', _('Gateway (Remote Endpoint)'), _('Public IP address or FQDN name of the tunnel remote endpoint')); - o.datatype = 'or(hostname,ipaddr)'; + o = s.option(form.Value, 'gateway', _('Gateway (Remote Endpoint)'), + _('Public IP address or FQDN name of the tunnel remote endpoint')); + o.datatype = 'or(hostname,ipaddr)'; - o = s.option(form.Value, 'local_gateway', _('Local Gateway'), _('IP address or FQDN of the tunnel local endpoint')); - o.datatype = 'or(hostname,ipaddr)'; + o = s.option(form.Value, 'local_gateway', _('Local Gateway'), + _('IP address or FQDN of the tunnel local endpoint')); + o.datatype = 'or(hostname,ipaddr)'; - o = s.option(form.Value, 'local_sourceip', _('Local Source IP'), _('Virtual IP(s) to request in IKEv2 configuration payloads requests')); - o.datatype = 'ipaddr'; + o = s.option(form.Value, 'local_sourceip', _('Local Source IP'), + _('Virtual IP(s) to request in IKEv2 configuration payloads requests')); + o.datatype = 'ipaddr'; - o = s.option(form.Value, 'local_ip', _('Local IP'), _('Local address(es) to use in IKE negotiation')); - o.datatype = 'ipaddr'; + o = s.option(form.Value, 'local_ip', _('Local IP'), + _('Local address(es) to use in IKE negotiation')); + o.datatype = 'ipaddr'; - o = s.option(form.Value, 'local_identifier', _('Local Identifier'), _('Local identifier for IKE (phase 1)')); - o.datatype = 'string'; - o.placeholder = "C=US, O=Acme Corporation, CN=headquarters" + o = s.option(form.Value, 'local_identifier', _('Local Identifier'), + _('Local identifier for IKE (phase 1)')); + o.datatype = 'string'; + o.placeholder = 'C=US, O=Acme Corporation, CN=headquarters'; - o = s.option(form.Value, 'remote_identifier', _('Remote Identifier'), _('Remote identifier for IKE (phase 1)')); - o.datatype = 'string'; - o.placeholder = "C=US, O=Acme Corporation, CN=soho" + o = s.option(form.Value, 'remote_identifier', _('Remote Identifier'), + _('Remote identifier for IKE (phase 1)')); + o.datatype = 'string'; + o.placeholder = 'C=US, O=Acme Corporation, CN=soho'; - o = s.option(form.ListValue, 'authentication_method', _('Authentication Method'), _('IKE authentication (phase 1).')); - o.value('psk', "Pre-shared Key"); - o.value('pubkey', "Public Key"); - o.required = true; + o = s.option(form.ListValue, 'authentication_method', + _('Authentication Method'), _('IKE authentication (phase 1).')); + o.value('psk', 'Pre-shared Key'); + o.value('pubkey', 'Public Key'); + o.required = true; - o = s.option(form.Value, 'pre_shared_key', _('Pre-Shared Key'), _('The pre-shared key for the tunnel if authentication is psk')); - o.datatype = 'string'; - o.password = true; - o.depends('authentication_method', 'psk'); + o = s.option(form.Value, 'pre_shared_key', _('Pre-Shared Key'), + _('The pre-shared key for the tunnel if authentication is psk')); + o.datatype = 'string'; + o.password = true; + o.depends('authentication_method', 'psk'); - o = s.option(form.Flag, 'mobike', _('MOBIKE'), _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)')); - o.default = '1'; + o = s.option(form.Flag, 'mobike', _('MOBIKE'), + _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)')); + o.default = '1'; - o = s.option(form.ListValue, 'fragmentation', _('IKE Fragmentation'), _('Use IKE fragmentation (yes, no, force, accept)')); - o.value('yes'); - o.value('no'); - o.value('force'); - o.value('accept') - o.default = 'yes'; + o = s.option(form.ListValue, 'fragmentation', _('IKE Fragmentation'), + _('Use IKE fragmentation (yes, no, force, accept)')); + o.value('yes'); + o.value('no'); + o.value('force'); + o.value('accept'); + o.default = 'yes'; - o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal'), _('List of IKE (phase 1) proposals to use for authentication')); - o.value('encryption_algorithm'); - o.value('hash_algorithm'); - o.value('dh_group'); - o.value('prf_algorithm'); + o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal'), + _('List of IKE (phase 1) proposals to use for authentication')); + o.value('encryption_algorithm'); + o.value('hash_algorithm'); + o.value('dh_group'); + o.value('prf_algorithm'); - o = s.option(form.Value, 'tunnel', _('Tunnel'), _('Name of ESP/AH (phase 2) section')); - o.required = true + o = s.option(form.Value, 'tunnel', _('Tunnel'), + _('Name of ESP/AH (phase 2) section')); + o.required = true; - o = s.option(form.Value, 'authentication_method', _('Authentication Method'), _('IKE authentication (phase 1)')); - o.datatype = 'string'; + o = s.option(form.Value, 'authentication_method', + _('Authentication Method'), _('IKE authentication (phase 1)')); + o.datatype = 'string'; - s = m.section(form.TypedSection, 'ipsec', _('strongSwan General Settings')); - s.anonymous = true; + s = m.section(form.TypedSection, 'ipsec', + _('strongSwan General Settings')); + s.anonymous = true; - o = s.option(form.ListValue, 'encryption_algorithm', _('Encryption Algorithm'), _('Encryption method (aes128, aes192, aes256, 3des)')); - o.value('aes128'); - o.value('aes192'); - o.value('aes256'); - o.value('3des'); - o.required = true + o = s.option(form.ListValue, 'encryption_algorithm', + _('Encryption Algorithm'), _('Encryption method (aes128, aes192, aes256, 3des)')); + o.value('aes128'); + o.value('aes192'); + o.value('aes256'); + o.value('3des'); + o.required = true; - o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'), _('Hash algorithm (md5, sha1, sha2, ...)')); - o.value('md5'); - o.value('sha1'); - o.value('sha2'); - o.value('sha256'); - o.value('sha384'); - o.value('sha512'); - o.value('sha3_256'); - o.value('sha3_384'); - o.value('sha3_512'); - o.value('blake2s256'); - o.value('blake2b512'); - o.value('blake2s256'); - o.value('blake2b512'); - o.value('whirlpool'); - o.value('tiger'); - o.required = true + o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'), + _('Hash algorithm (md5, sha1, sha2, ...)')); + o.value('md5'); + o.value('sha1'); + o.value('sha2'); + o.value('sha256'); + o.value('sha384'); + o.value('sha512'); + o.value('sha3_256'); + o.value('sha3_384'); + o.value('sha3_512'); + o.value('blake2s256'); + o.value('blake2b512'); + o.value('blake2s256'); + o.value('blake2b512'); + o.value('whirlpool'); + o.value('tiger'); + o.required = true; - o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'), _('Diffie-Hellman exponentiation (modp768, modp1024, ...)')); - o.value('modp768'); - o.value('modp1024'); - o.value('modp1536'); - o.value('modp2048'); - o.value('modp3072'); - o.value('modp4096'); - o.required = true + o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'), + _('Diffie-Hellman exponentiation (modp768, modp1024, ...)')); + o.value('modp768'); + o.value('modp1024'); + o.value('modp1536'); + o.value('modp2048'); + o.value('modp3072'); + o.value('modp4096'); + o.required = true; - o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'), _('Pseudo-Random Functions to use with IKE')); - o.value('prf_hmac_md5'); - o.value('prfmd5') - o.value('prfsha1') - o.value('prfsha256') - o.value('pfsha384') - o.value('prfsha512') + o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'), + _('Pseudo-Random Functions to use with IKE')); + o.value('prf_hmac_md5'); + o.value('prfmd5'); + o.value('prfsha1'); + o.value('prfsha256'); + o.value('pfsha384'); + o.value('prfsha512'); - // Tunnel Configuration - s = m.section(form.TypedSection, 'tunnel', _('Tunnel Configuration')); - s.anonymous = false; + // Tunnel Configuration + s = m.section(form.TypedSection, 'tunnel', _('Tunnel Configuration')); + s.anonymous = false; - o = s.option(form.Value, 'local_subnet', _('Local Subnet'), _('Local network(s)')); - o.placeholder = "192.168.1.1/24" - o.required = true + o = s.option(form.Value, 'local_subnet', _('Local Subnet'), + _('Local network(s)')); + o.placeholder = '192.168.1.1/24'; + o.required = true; - o = s.option(form.Value, 'remote_subnet', _('Remote Subnet'), _('Remote network(s)')); - o.placeholder = "192.168.2.1/24" - o.required = true + o = s.option(form.Value, 'remote_subnet', _('Remote Subnet'), + _('Remote network(s)')); + o.placeholder = '192.168.2.1/24'; + o.required = true; - o = s.option(form.Value, 'local_nat', _('Local NAT'), _('NAT range for tunnels with overlapping IP addresses')); - o.datatype = 'subnet'; + o = s.option(form.Value, 'local_nat', _('Local NAT'), + _('NAT range for tunnels with overlapping IP addresses')); + o.datatype = 'subnet'; - o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal (Phase 2)'), _('List of ESP (phase two) proposals')); - o.value('encryption_algorithm'); - o.value('hash_algorithm'); - o.value('dh_group'); - o.value('prf_algorithm'); - o.required = true + o = s.option(form.ListValue, 'crypto_proposal', + _('Crypto Proposal (Phase 2)'), _('List of ESP (phase two) proposals')); + o.value('encryption_algorithm'); + o.value('hash_algorithm'); + o.value('dh_group'); + o.value('prf_algorithm'); + o.required = true; - o = s.option(form.ListValue, 'startaction', _('Start Action'), _('Action on initial configuration load')); - o.value('none'); - o.value('start'); - o.value('route'); - o.default = 'route'; + o = s.option(form.ListValue, 'startaction', _('Start Action'), + _('Action on initial configuration load')); + o.value('none'); + o.value('start'); + o.value('route'); + o.default = 'route'; - o = s.option(form.Value, 'updown', _('Up/Down Script Path'), _('Path to script to run on CHILD_SA up/down events')); - o.datatype = 'filepath'; + o = s.option(form.Value, 'updown', _('Up/Down Script Path'), + _('Path to script to run on CHILD_SA up/down events')); + o.datatype = 'filepath'; - return m.render(); - } + return m.render(); + } }); From 3f33bed487f7df791c94ef1a1976a34a17dd44a0 Mon Sep 17 00:00:00 2001 From: Lukas Voegl Date: Fri, 3 Nov 2023 15:06:14 +0100 Subject: [PATCH 5/8] luci-app-strongswan-swanctl: improve sections and options Signed-off-by: Lukas Voegl --- .../view/strongswan-swanctl/swanctl.js | 97 +++++++++++++------ 1 file changed, 67 insertions(+), 30 deletions(-) diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js index 659461bbc6..59d0db3f4a 100644 --- a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js @@ -1,6 +1,7 @@ 'use strict'; 'require view'; 'require form'; +'require uci'; 'require tools.widgets as widgets'; return view.extend({ @@ -9,10 +10,10 @@ return view.extend({ m = new form.Map('ipsec', _('strongSwan Configuration'), _('Configure strongSwan for secure VPN connections.')); + m.tabbed = true; // strongSwan General Settings - s = m.section(form.TypedSection, 'ipsec', - _('strongSwan General Settings')); + s = m.section(form.TypedSection, 'ipsec', _('General Settings')); s.anonymous = true; o = s.option(widgets.ZoneSelect, 'zone', _('Zone'), @@ -20,74 +21,87 @@ return view.extend({ o.default = 'lan'; o.multiple = true; - o = s.option(widgets.NetworkSelect, 'listen', _('Listen Interfaces'), + o = s.option(widgets.NetworkSelect, 'listen', _('Listening Interfaces'), _('Interfaces that accept VPN traffic')); o.datatype = 'interface'; o.placeholder = _('Select an interface or leave empty for all interfaces'); o.default = 'wan'; o.multiple = true; + o.rmempty = false; o = s.option(form.Value, 'debug', _('Debug Level'), - _('Logs written to /var/log/charon.log')); + _('Trace level: 0 is least verbose, 4 is most')); o.default = '0'; - o.datatype = 'uinteger'; + o.datatype = 'range(0,4)'; // Remote Configuration - s = m.section(form.TypedSection, 'remote', _('Remote Configuration')); - s.anonymous = false; + s = m.section(form.GridSection, 'remote', _('Remote Configuration'), + _('Define Remote IKE Configurations.')); + s.addremove = true; + s.nodescriptions = true; o = s.option(form.Flag, 'enabled', _('Enabled'), _('Configuration is enabled or not')); + o.rmempty = false; o = s.option(form.Value, 'gateway', _('Gateway (Remote Endpoint)'), - _('Public IP address or FQDN name of the tunnel remote endpoint')); + _('IP address or FQDN name of the tunnel remote endpoint')); o.datatype = 'or(hostname,ipaddr)'; + o.rmempty = false; o = s.option(form.Value, 'local_gateway', _('Local Gateway'), _('IP address or FQDN of the tunnel local endpoint')); o.datatype = 'or(hostname,ipaddr)'; + o.modalonly = true; o = s.option(form.Value, 'local_sourceip', _('Local Source IP'), _('Virtual IP(s) to request in IKEv2 configuration payloads requests')); o.datatype = 'ipaddr'; + o.modalonly = true; o = s.option(form.Value, 'local_ip', _('Local IP'), _('Local address(es) to use in IKE negotiation')); o.datatype = 'ipaddr'; + o.modalonly = true; o = s.option(form.Value, 'local_identifier', _('Local Identifier'), _('Local identifier for IKE (phase 1)')); o.datatype = 'string'; o.placeholder = 'C=US, O=Acme Corporation, CN=headquarters'; + o.modalonly = true; o = s.option(form.Value, 'remote_identifier', _('Remote Identifier'), _('Remote identifier for IKE (phase 1)')); o.datatype = 'string'; o.placeholder = 'C=US, O=Acme Corporation, CN=soho'; + o.modalonly = true; o = s.option(form.ListValue, 'authentication_method', - _('Authentication Method'), _('IKE authentication (phase 1).')); + _('Authentication Method'), _('IKE authentication (phase 1)')); + o.modalonly = true; o.value('psk', 'Pre-shared Key'); o.value('pubkey', 'Public Key'); - o.required = true; o = s.option(form.Value, 'pre_shared_key', _('Pre-Shared Key'), - _('The pre-shared key for the tunnel if authentication is psk')); + _('The pre-shared key for the tunnel')); o.datatype = 'string'; o.password = true; + o.modalonly = true; o.depends('authentication_method', 'psk'); o = s.option(form.Flag, 'mobike', _('MOBIKE'), _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)')); o.default = '1'; + o.modalonly = true; o = s.option(form.ListValue, 'fragmentation', _('IKE Fragmentation'), - _('Use IKE fragmentation (yes, no, force, accept)')); + _('Use IKE fragmentation')); o.value('yes'); o.value('no'); o.value('force'); o.value('accept'); o.default = 'yes'; + o.modalonly = true; o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal'), _('List of IKE (phase 1) proposals to use for authentication')); @@ -96,9 +110,24 @@ return view.extend({ o.value('dh_group'); o.value('prf_algorithm'); - o = s.option(form.Value, 'tunnel', _('Tunnel'), - _('Name of ESP/AH (phase 2) section')); - o.required = true; + o = s.option(form.MultiValue, 'tunnel', _('Tunnel'), + _('Name of ESP (phase 2) section')); + o.load = function (section_id) { + this.keylist = []; + this.vallist = []; + + var sections = uci.sections('ipsec', 'tunnel'); + if (sections.length == 0) { + this.value('', _('Please create a Tunnel first')); + } else { + sections.forEach(L.bind(function (section) { + this.value(section['.name']); + }, this)); + } + + return this.super('load', [section_id]); + }; + o.rmempty = false; o = s.option(form.Value, 'authentication_method', _('Authentication Method'), _('IKE authentication (phase 1)')); @@ -109,15 +138,16 @@ return view.extend({ s.anonymous = true; o = s.option(form.ListValue, 'encryption_algorithm', - _('Encryption Algorithm'), _('Encryption method (aes128, aes192, aes256, 3des)')); + _('Encryption Algorithm'), + '%s (aes128, aes192, aes256, 3des)'.format(_('Encryption method'))); o.value('aes128'); o.value('aes192'); o.value('aes256'); o.value('3des'); - o.required = true; + o.rmempty = false; o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'), - _('Hash algorithm (md5, sha1, sha2, ...)')); + '%s (md5, sha1, sha2, ...)'.format(_('Hash algorithm'))); o.value('md5'); o.value('sha1'); o.value('sha2'); @@ -133,17 +163,17 @@ return view.extend({ o.value('blake2b512'); o.value('whirlpool'); o.value('tiger'); - o.required = true; + o.rmempty = false; o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'), - _('Diffie-Hellman exponentiation (modp768, modp1024, ...)')); + '%s (modp768, modp1024, ...)'.format(_('Diffie-Hellman exponentiation'))); o.value('modp768'); o.value('modp1024'); o.value('modp1536'); o.value('modp2048'); o.value('modp3072'); o.value('modp4096'); - o.required = true; + o.rmempty = false; o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'), _('Pseudo-Random Functions to use with IKE')); @@ -155,22 +185,27 @@ return view.extend({ o.value('prfsha512'); // Tunnel Configuration - s = m.section(form.TypedSection, 'tunnel', _('Tunnel Configuration')); - s.anonymous = false; + s = m.section(form.GridSection, 'tunnel', _('Tunnel Configuration'), + _('Define Connection Children to be used as Tunnels in Remote Configurations.')); + s.addremove = true; + s.nodescriptions = true; - o = s.option(form.Value, 'local_subnet', _('Local Subnet'), + o = s.option(form.DynamicList, 'local_subnet', _('Local Subnet'), _('Local network(s)')); + o.datatype = 'subnet'; o.placeholder = '192.168.1.1/24'; - o.required = true; + o.rmempty = false; - o = s.option(form.Value, 'remote_subnet', _('Remote Subnet'), + o = s.option(form.DynamicList, 'remote_subnet', _('Remote Subnet'), _('Remote network(s)')); + o.datatype = 'subnet'; o.placeholder = '192.168.2.1/24'; - o.required = true; + o.rmempty = false; o = s.option(form.Value, 'local_nat', _('Local NAT'), _('NAT range for tunnels with overlapping IP addresses')); o.datatype = 'subnet'; + o.modalonly = true; o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal (Phase 2)'), _('List of ESP (phase two) proposals')); @@ -183,13 +218,15 @@ return view.extend({ o = s.option(form.ListValue, 'startaction', _('Start Action'), _('Action on initial configuration load')); o.value('none'); + o.value('trap'); o.value('start'); - o.value('route'); - o.default = 'route'; + o.default = 'trap'; + o.modalonly = true; o = s.option(form.Value, 'updown', _('Up/Down Script Path'), _('Path to script to run on CHILD_SA up/down events')); - o.datatype = 'filepath'; + o.datatype = 'file'; + o.modalonly = true; return m.render(); } From bec5159369599a165130e924f4785789b70257a5 Mon Sep 17 00:00:00 2001 From: Lukas Voegl Date: Fri, 3 Nov 2023 15:14:30 +0100 Subject: [PATCH 6/8] luci-app-strongswan-swanctl: add crypto proposal section Signed-off-by: Lukas Voegl --- .../resources/strongswan_algorithms.js | 143 +++++++++++++++ .../view/strongswan-swanctl/swanctl.js | 166 +++++++++++------- 2 files changed, 242 insertions(+), 67 deletions(-) create mode 100644 applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js new file mode 100644 index 0000000000..1ebbe59084 --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js @@ -0,0 +1,143 @@ +'use strict'; +'require baseclass'; + +return baseclass.extend({ + + _encryptionAlgorithms: new Map([ + ['3des', true], + ['cast128', true], + ['blowfish128', true], + ['blowfish192', true], + ['blowfish256', true], + ['null', true], + ['aes128'], + ['aes192'], + ['aes256'], + ['aes128ctr'], + ['aes192ctr'], + ['aes256ctr'], + ['camellia128'], + ['camellia192'], + ['camellia256'], + ['camellia128ctr'], + ['camellia192ctr'], + ['camellia256ctr'] + ]), + + _authenticatedEncryptionAlgorithms: new Map([ + ['aes128ccm64'], + ['aes192ccm64'], + ['aes256ccm64'], + ['aes128ccm96'], + ['aes192ccm96'], + ['aes256ccm96'], + ['aes128ccm128'], + ['aes192ccm128'], + ['aes256ccm128'], + ['aes128gcm64'], + ['aes192gcm64'], + ['aes256gcm64'], + ['aes128gcm96'], + ['aes192gcm96'], + ['aes256gcm96'], + ['aes128gcm128'], + ['aes192gcm128'], + ['aes256gcm128'], + ['aes128gmac'], + ['aes192gmac'], + ['aes256gmac'], + ['camellia128ccm64'], + ['camellia192ccm64'], + ['camellia256ccm64'], + ['camellia128ccm96'], + ['camellia192ccm96'], + ['camellia256ccm96'], + ['camellia128ccm128'], + ['camellia192ccm128'], + ['camellia256ccm128'], + ['chacha20poly1305'] + ]), + + _hashAlgorithms: new Map([ + ['md5', true], + ['md5_128', true], + ['sha1', true], + ['sha1_160', true], + ['aesxcbc'], + ['aescmac'], + ['aes128gmac'], + ['aes192gmac'], + ['aes256gmac'], + ['sha256'], + ['sha384'], + ['sha512'], + ['sha256_96'] + ]), + + _dhAlgorithms: new Map([ + ['modp768', true], + ['modp1024', true], + ['modp1536', true], + ['modp2048'], + ['modp3072'], + ['modp4096'], + ['modp6144'], + ['modp8192'], + ['modp1024s160', true], + ['modp2048s224', true], + ['modp2048s256', true], + ['ecp192', true], + ['ecp224'], + ['ecp256'], + ['ecp384'], + ['ecp521'], + ['ecp224bp'], + ['ecp256bp'], + ['ecp384bp'], + ['ecp512bp'], + ['curve25519'], + ['curve448'] + ]), + + _prfAlgorithms: new Map([ + ['prfmd5', true], + ['prfsha1', true], + ['prfaesxcbc'], + ['prfaescmac'], + ['prfsha256'], + ['prfsha384'], + ['prfsha512'] + ]), + + _getAlgorithmNames: function (algorithms) { + return Array.from(algorithms.keys()); + }, + + isInsecure: function (algorithmName) { + return this._encryptionAlgorithms.get(algorithmName) == true + || this._authenticatedEncryptionAlgorithms.get(algorithmName) == true + || this._hashAlgorithms.get(algorithmName) == true + || this._dhAlgorithms.get(algorithmName) == true + || this._prfAlgorithms.get(algorithmName) == true; + }, + + getEncryptionAlgorithms: function () { + return this._getAlgorithmNames(this._encryptionAlgorithms); + }, + + getAuthenticatedEncryptionAlgorithms: function () { + return this._getAlgorithmNames(this._authenticatedEncryptionAlgorithms); + }, + + getHashAlgorithms: function () { + return this._getAlgorithmNames(this._hashAlgorithms); + }, + + getDiffieHellmanAlgorithms: function () { + return this._getAlgorithmNames(this._dhAlgorithms); + }, + + getPrfAlgorithms: function () { + return this._getAlgorithmNames(this._prfAlgorithms); + } +}); diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js index 59d0db3f4a..c2aeff2a7b 100644 --- a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js @@ -3,6 +3,17 @@ 'require form'; 'require uci'; 'require tools.widgets as widgets'; +'require strongswan_algorithms'; + +function addAlgorithms(o, algorithms) { + algorithms.forEach(function (algorithm) { + if (strongswan_algorithms.isInsecure(algorithm)) { + o.value(algorithm, '%s*'.format(algorithm)); + } else { + o.value(algorithm); + } + }); +} return view.extend({ render: function () { @@ -103,12 +114,26 @@ return view.extend({ o.default = 'yes'; o.modalonly = true; - o = s.option(form.ListValue, 'crypto_proposal', _('Crypto Proposal'), + o = s.option(form.MultiValue, 'crypto_proposal', _('Crypto Proposal'), _('List of IKE (phase 1) proposals to use for authentication')); - o.value('encryption_algorithm'); - o.value('hash_algorithm'); - o.value('dh_group'); - o.value('prf_algorithm'); + o.load = function (section_id) { + this.keylist = []; + this.vallist = []; + + var sections = uci.sections('ipsec', 'crypto_proposal'); + if (sections.length == 0) { + this.value('', _('Please create a Proposal first')); + } else { + sections.forEach(L.bind(function (section) { + if (section.is_esp != '1') { + this.value(section['.name']); + } + }, this)); + } + + return this.super('load', [section_id]); + }; + o.rmempty = false; o = s.option(form.MultiValue, 'tunnel', _('Tunnel'), _('Name of ESP (phase 2) section')); @@ -129,61 +154,6 @@ return view.extend({ }; o.rmempty = false; - o = s.option(form.Value, 'authentication_method', - _('Authentication Method'), _('IKE authentication (phase 1)')); - o.datatype = 'string'; - - s = m.section(form.TypedSection, 'ipsec', - _('strongSwan General Settings')); - s.anonymous = true; - - o = s.option(form.ListValue, 'encryption_algorithm', - _('Encryption Algorithm'), - '%s (aes128, aes192, aes256, 3des)'.format(_('Encryption method'))); - o.value('aes128'); - o.value('aes192'); - o.value('aes256'); - o.value('3des'); - o.rmempty = false; - - o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'), - '%s (md5, sha1, sha2, ...)'.format(_('Hash algorithm'))); - o.value('md5'); - o.value('sha1'); - o.value('sha2'); - o.value('sha256'); - o.value('sha384'); - o.value('sha512'); - o.value('sha3_256'); - o.value('sha3_384'); - o.value('sha3_512'); - o.value('blake2s256'); - o.value('blake2b512'); - o.value('blake2s256'); - o.value('blake2b512'); - o.value('whirlpool'); - o.value('tiger'); - o.rmempty = false; - - o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'), - '%s (modp768, modp1024, ...)'.format(_('Diffie-Hellman exponentiation'))); - o.value('modp768'); - o.value('modp1024'); - o.value('modp1536'); - o.value('modp2048'); - o.value('modp3072'); - o.value('modp4096'); - o.rmempty = false; - - o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'), - _('Pseudo-Random Functions to use with IKE')); - o.value('prf_hmac_md5'); - o.value('prfmd5'); - o.value('prfsha1'); - o.value('prfsha256'); - o.value('pfsha384'); - o.value('prfsha512'); - // Tunnel Configuration s = m.section(form.GridSection, 'tunnel', _('Tunnel Configuration'), _('Define Connection Children to be used as Tunnels in Remote Configurations.')); @@ -207,13 +177,27 @@ return view.extend({ o.datatype = 'subnet'; o.modalonly = true; - o = s.option(form.ListValue, 'crypto_proposal', - _('Crypto Proposal (Phase 2)'), _('List of ESP (phase two) proposals')); - o.value('encryption_algorithm'); - o.value('hash_algorithm'); - o.value('dh_group'); - o.value('prf_algorithm'); - o.required = true; + o = s.option(form.MultiValue, 'crypto_proposal', + _('Crypto Proposal (Phase 2)'), + _('List of ESP (phase two) proposals. Only Proposals with checked ESP flag are selectable')); + o.load = function (section_id) { + this.keylist = []; + this.vallist = []; + + var sections = uci.sections('ipsec', 'crypto_proposal'); + if (sections.length == 0) { + this.value('', _('Please create an ESP Proposal first')); + } else { + sections.forEach(L.bind(function (section) { + if (section.is_esp == '1') { + this.value(section['.name']); + } + }, this)); + } + + return this.super('load', [section_id]); + }; + o.rmempty = false; o = s.option(form.ListValue, 'startaction', _('Start Action'), _('Action on initial configuration load')); @@ -228,6 +212,54 @@ return view.extend({ o.datatype = 'file'; o.modalonly = true; + // Crypto Proposals + s = m.section(form.GridSection, 'crypto_proposal', + _('Encryption Proposals'), + _('Configure Cipher Suites to define IKE (Phase 1) or ESP (Phase 2) Proposals.')); + s.addremove = true; + s.nodescriptions = true; + + o = s.option(form.Flag, 'is_esp', _('ESP Proposal'), + _('Whether this is an ESP (phase 2) proposal or not')); + + o = s.option(form.ListValue, 'encryption_algorithm', + _('Encryption Algorithm'), + _('Algorithms marked with * are considered insecure')); + o.default = 'aes256gcm128'; + addAlgorithms(o, strongswan_algorithms.getEncryptionAlgorithms()); + addAlgorithms(o, strongswan_algorithms.getAuthenticatedEncryptionAlgorithms()); + + + o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'), + _('Algorithms marked with * are considered insecure')); + strongswan_algorithms.getEncryptionAlgorithms().forEach(function (algorithm) { + o.depends('encryption_algorithm', algorithm); + }); + o.default = 'sha512'; + o.rmempty = false; + addAlgorithms(o, strongswan_algorithms.getHashAlgorithms()); + + o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'), + _('Algorithms marked with * are considered insecure')); + o.default = 'modp3072'; + addAlgorithms(o, strongswan_algorithms.getDiffieHellmanAlgorithms()); + + o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'), + _('Algorithms marked with * are considered insecure')); + o.validate = function (section_id, value) { + var encryptionAlgorithm = this.section.formvalue(section_id, 'encryption_algorithm'); + + if (strongswan_algorithms.getAuthenticatedEncryptionAlgorithms().includes( + encryptionAlgorithm) && !value) { + return _('PRF Algorithm must be configured when using an Authenticated Encryption Algorithm'); + } + + return true; + }; + o.optional = true; + o.depends('is_esp', '0'); + addAlgorithms(o, strongswan_algorithms.getPrfAlgorithms()); + return m.render(); } }); From 1aac8df6f880b94847c6518c074cad1dc3ffb408 Mon Sep 17 00:00:00 2001 From: Lukas Voegl Date: Wed, 8 Nov 2023 12:56:42 +0100 Subject: [PATCH 7/8] luci-app-strongswan-swanctl: add missing uci options Signed-off-by: Lukas Voegl --- .../view/strongswan-swanctl/swanctl.js | 262 ++++++++++++++---- 1 file changed, 203 insertions(+), 59 deletions(-) diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js index c2aeff2a7b..c18814aac3 100644 --- a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js @@ -5,6 +5,14 @@ 'require tools.widgets as widgets'; 'require strongswan_algorithms'; +function validateTimeFormat(section_id, value) { + if (value && !value.match(/^\d+[smhd]$/)) { + return _('Number must have suffix s, m, h or d'); + } + + return true; +} + function addAlgorithms(o, algorithms) { algorithms.forEach(function (algorithm) { if (strongswan_algorithms.isInsecure(algorithm)) { @@ -16,6 +24,10 @@ function addAlgorithms(o, algorithms) { } return view.extend({ + load: function () { + return uci.load('network'); + }, + render: function () { var m, s, o; @@ -51,70 +63,35 @@ return view.extend({ s.addremove = true; s.nodescriptions = true; - o = s.option(form.Flag, 'enabled', _('Enabled'), + o = s.tab('general', _('General')); + o = s.tab('authentication', _('Authentication')); + o = s.tab('advanced', _('Advanced')); + + o = s.taboption('general', form.Flag, 'enabled', _('Enabled'), _('Configuration is enabled or not')); o.rmempty = false; - o = s.option(form.Value, 'gateway', _('Gateway (Remote Endpoint)'), + o = s.taboption('general', form.Value, 'gateway', _('Gateway (Remote Endpoint)'), _('IP address or FQDN name of the tunnel remote endpoint')); o.datatype = 'or(hostname,ipaddr)'; o.rmempty = false; - o = s.option(form.Value, 'local_gateway', _('Local Gateway'), + o = s.taboption('general', form.Value, 'local_gateway', _('Local Gateway'), _('IP address or FQDN of the tunnel local endpoint')); o.datatype = 'or(hostname,ipaddr)'; o.modalonly = true; - o = s.option(form.Value, 'local_sourceip', _('Local Source IP'), + o = s.taboption('general', form.Value, 'local_sourceip', _('Local Source IP'), _('Virtual IP(s) to request in IKEv2 configuration payloads requests')); o.datatype = 'ipaddr'; o.modalonly = true; - o = s.option(form.Value, 'local_ip', _('Local IP'), + o = s.taboption('general', form.Value, 'local_ip', _('Local IP'), _('Local address(es) to use in IKE negotiation')); o.datatype = 'ipaddr'; o.modalonly = true; - o = s.option(form.Value, 'local_identifier', _('Local Identifier'), - _('Local identifier for IKE (phase 1)')); - o.datatype = 'string'; - o.placeholder = 'C=US, O=Acme Corporation, CN=headquarters'; - o.modalonly = true; - - o = s.option(form.Value, 'remote_identifier', _('Remote Identifier'), - _('Remote identifier for IKE (phase 1)')); - o.datatype = 'string'; - o.placeholder = 'C=US, O=Acme Corporation, CN=soho'; - o.modalonly = true; - - o = s.option(form.ListValue, 'authentication_method', - _('Authentication Method'), _('IKE authentication (phase 1)')); - o.modalonly = true; - o.value('psk', 'Pre-shared Key'); - o.value('pubkey', 'Public Key'); - - o = s.option(form.Value, 'pre_shared_key', _('Pre-Shared Key'), - _('The pre-shared key for the tunnel')); - o.datatype = 'string'; - o.password = true; - o.modalonly = true; - o.depends('authentication_method', 'psk'); - - o = s.option(form.Flag, 'mobike', _('MOBIKE'), - _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)')); - o.default = '1'; - o.modalonly = true; - - o = s.option(form.ListValue, 'fragmentation', _('IKE Fragmentation'), - _('Use IKE fragmentation')); - o.value('yes'); - o.value('no'); - o.value('force'); - o.value('accept'); - o.default = 'yes'; - o.modalonly = true; - - o = s.option(form.MultiValue, 'crypto_proposal', _('Crypto Proposal'), + o = s.taboption('general', form.MultiValue, 'crypto_proposal', _('Crypto Proposal'), _('List of IKE (phase 1) proposals to use for authentication')); o.load = function (section_id) { this.keylist = []; @@ -135,7 +112,7 @@ return view.extend({ }; o.rmempty = false; - o = s.option(form.MultiValue, 'tunnel', _('Tunnel'), + o = s.taboption('general', form.MultiValue, 'tunnel', _('Tunnel'), _('Name of ESP (phase 2) section')); o.load = function (section_id) { this.keylist = []; @@ -154,30 +131,162 @@ return view.extend({ }; o.rmempty = false; + o = s.taboption('authentication', form.ListValue, 'authentication_method', + _('Authentication Method'), _('IKE authentication (phase 1)')); + o.modalonly = true; + o.value('psk', 'Pre-shared Key'); + o.value('pubkey', 'Public Key'); + + o = s.taboption('authentication', form.Value, 'local_identifier', _('Local Identifier'), + _('Local identifier for IKE (phase 1)')); + o.datatype = 'string'; + o.placeholder = 'C=US, O=Acme Corporation, CN=headquarters'; + o.modalonly = true; + + o = s.taboption('authentication', form.Value, 'remote_identifier', _('Remote Identifier'), + _('Remote identifier for IKE (phase 1)')); + o.datatype = 'string'; + o.placeholder = 'C=US, O=Acme Corporation, CN=soho'; + o.modalonly = true; + + o = s.taboption('authentication', form.Value, 'pre_shared_key', _('Pre-Shared Key'), + _('The pre-shared key for the tunnel')); + o.datatype = 'string'; + o.password = true; + o.modalonly = true; + o.rmempty = false; + o.depends('authentication_method', 'psk'); + + o = s.taboption('authentication', form.Value, 'local_cert', _('Local Certificate'), + _('Certificate pathname to use for authentication')); + o.datatype = 'file'; + o.depends('authentication_method', 'pubkey'); + o.modalonly = true; + + o = s.taboption('authentication', form.Value, 'local_key', _('Local Key'), + _('Private key pathname to use with above certificate')); + o.datatype = 'file'; + o.modalonly = true; + + o = s.taboption('authentication', form.Value, 'ca_cert', _('CA Certificate'), + _("CA certificate that need to lie in remote peer's certificate's path of trust")); + o.datatype = 'file'; + o.depends('authentication_method', 'pubkey'); + o.modalonly = true; + + + o = s.taboption('advanced', form.Flag, 'mobike', _('MOBIKE'), + _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)')); + o.default = '1'; + o.modalonly = true; + + o = s.taboption('advanced', form.ListValue, 'fragmentation', _('IKE Fragmentation'), + _('Use IKE fragmentation')); + o.value('yes'); + o.value('no'); + o.value('force'); + o.value('accept'); + o.default = 'yes'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'keyingretries', _('Keying Retries'), + _('Number of retransmissions attempts during initial negotiation')); + o.datatype = 'uinteger'; + o.default = '3'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'dpddelay', _('DPD Delay'), + _('Interval to check liveness of a peer')); + o.validate = validateTimeFormat; + o.default = '30s'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'inactivity', _('Inactivity'), + _('Interval before closing an inactive CHILD_SA')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'), + _('IKEv2 interval to refresh keying material; also used to compute lifetime')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'overtime', _('Overtime'), + _('Limit on time to complete rekeying/reauthentication')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.ListValue, 'keyexchange', _('Keyexchange'), + _('Version of IKE for negotiation')); + o.value('ikev1', 'IKEv1 (%s)', _('deprecated')); + o.value('ikev2', 'IKEv2'); + o.value('ike', 'IKE (%s, %s)'.format(_('both'), _('deprecated'))); + o.default = 'ikev2'; + o.modalonly = true; + // Tunnel Configuration s = m.section(form.GridSection, 'tunnel', _('Tunnel Configuration'), _('Define Connection Children to be used as Tunnels in Remote Configurations.')); s.addremove = true; s.nodescriptions = true; - o = s.option(form.DynamicList, 'local_subnet', _('Local Subnet'), + o = s.tab('general', _('General')); + o = s.tab('advanced', _('Advanced')); + + o = s.taboption('general', form.DynamicList, 'local_subnet', _('Local Subnet'), _('Local network(s)')); o.datatype = 'subnet'; o.placeholder = '192.168.1.1/24'; o.rmempty = false; - o = s.option(form.DynamicList, 'remote_subnet', _('Remote Subnet'), + o = s.taboption('general', form.DynamicList, 'remote_subnet', _('Remote Subnet'), _('Remote network(s)')); o.datatype = 'subnet'; o.placeholder = '192.168.2.1/24'; o.rmempty = false; - o = s.option(form.Value, 'local_nat', _('Local NAT'), + o = s.taboption('general', form.Value, 'local_nat', _('Local NAT'), _('NAT range for tunnels with overlapping IP addresses')); o.datatype = 'subnet'; o.modalonly = true; - o = s.option(form.MultiValue, 'crypto_proposal', + o = s.taboption('general', form.ListValue, 'if_id', ('XFRM Interface ID'), + _('XFRM interface ID set on input and output interfaces')); + o.load = function (section_id) { + this.keylist = []; + this.vallist = []; + + var xfrmSections = uci.sections('network').filter(function (section) { + return section.proto == 'xfrm'; + }); + + xfrmSections.forEach(L.bind(function (section) { + this.value(section.ifid, + '%s (%s)'.format(section.ifid, section['.name'])); + }, this)); + + return this.super('load', [section_id]); + } + o.optional = true; + o.modalonly = true; + + o = s.taboption('general', form.ListValue, 'startaction', _('Start Action'), + _('Action on initial configuration load')); + o.value('none'); + o.value('trap'); + o.value('start'); + o.default = 'trap'; + o.modalonly = true; + + o = s.taboption('general', form.ListValue, 'closeaction', _('Close Action'), + _('Action when CHILD_SA is closed')); + o.value('none'); + o.value('trap'); + o.value('start'); + o.optional = true; + o.modalonly = true; + + o = s.taboption('general', form.MultiValue, 'crypto_proposal', _('Crypto Proposal (Phase 2)'), _('List of ESP (phase two) proposals. Only Proposals with checked ESP flag are selectable')); o.load = function (section_id) { @@ -199,19 +308,54 @@ return view.extend({ }; o.rmempty = false; - o = s.option(form.ListValue, 'startaction', _('Start Action'), - _('Action on initial configuration load')); - o.value('none'); - o.value('trap'); - o.value('start'); - o.default = 'trap'; - o.modalonly = true; - - o = s.option(form.Value, 'updown', _('Up/Down Script Path'), + o = s.taboption('advanced', form.Value, 'updown', _('Up/Down Script Path'), _('Path to script to run on CHILD_SA up/down events')); o.datatype = 'file'; o.modalonly = true; + o = s.taboption('advanced', form.Value, 'lifetime', _('Lifetime'), + _('Maximum duration of the CHILD_SA before closing')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.ListValue, 'dpdaction', _('DPD Action'), + _('Action when DPD timeout occurs')); + o.value('none'); + o.value('clear'); + o.value('trap'); + o.value('start'); + o.optional = true; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'), + _('Duration of the CHILD_SA before rekeying')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.Flag, 'ipcomp', _('IPComp'), + _('Enable ipcomp compression')); + o.default = '0'; + o.modalonly = true; + + o = s.taboption('advanced', form.ListValue, 'hw_offload', _('H/W Offload'), + _('Enable Hardware offload')); + o.value('yes'); + o.value('no'); + o.value('auto'); + o.optional = true; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'priority', _('Priority'), + _('Priority of the CHILD_SA')); + o.datatype = 'uinteger'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'replay_window', _('Replay Window'), + '%s; %s'.format(_('Replay Window of the CHILD_SA'), + _('Values larger than 32 are supported by the Netlink backend only'))); + o.datatype = 'uinteger'; + o.modalonly = true; + // Crypto Proposals s = m.section(form.GridSection, 'crypto_proposal', _('Encryption Proposals'), From 2ac043173181968bb3b4edff95c5cdb08c9d6d7b Mon Sep 17 00:00:00 2001 From: Lukas Voegl Date: Fri, 3 Nov 2023 14:54:59 +0100 Subject: [PATCH 8/8] luci-app-strongswan-swanctl: add status page Signed-off-by: Lukas Voegl --- .../luci-app-strongswan-swanctl/Makefile | 4 +- .../view/strongswan-swanctl/status.js | 189 ++++++++++++++++++ .../menu.d/luci-app-strongswan-swanctl.json | 13 ++ .../acl.d/luci-app-strongswan-swanctl.json | 5 + 4 files changed, 209 insertions(+), 2 deletions(-) create mode 100644 applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js diff --git a/applications/luci-app-strongswan-swanctl/Makefile b/applications/luci-app-strongswan-swanctl/Makefile index 0e847c7bf5..cadd2dacc5 100644 --- a/applications/luci-app-strongswan-swanctl/Makefile +++ b/applications/luci-app-strongswan-swanctl/Makefile @@ -9,8 +9,8 @@ PKG_LICENSE:=GPL-2.0-or-later PKG_MAINTAINER:=Nicholas Smith , Lukas Voegl LUCI_TITLE:=LuCI support for strongSwan via swanctl -LUCI_DESCRIPTION:=Configuration for strongSwan based on swanctl -LUCI_DEPENDS:=+strongswan-swanctl +LUCI_DESCRIPTION:=Status and configuration for strongSwan based on swanctl +LUCI_DEPENDS:=+strongswan-swanctl +swanmon include ../../luci.mk diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js new file mode 100644 index 0000000000..d0a936cc6e --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js @@ -0,0 +1,189 @@ +'use strict'; +'require view'; +'require dom'; +'require poll'; +'require fs'; +'require ui'; + +function formatTime(seconds, selectCount) { + var days = Math.floor(seconds / (60 * 60 * 24)); + var hours = Math.floor(seconds / (60 * 60)) % 24; + var minutes = Math.floor(seconds / 60) % 60; + var seconds = Math.floor(seconds % 60); + + var times = [ + [days, _('Day'), _('Days')], + [hours, _('Hour'), _('Hours')], + [minutes, _('Minute'), _('Minutes')], + [seconds, _('Second'), _('Seconds')] + ].filter(function ([time, singular, plural]) { + return time > 0; + }); + + var selectedTimes = times.slice(0, selectCount); + return selectedTimes.map(function ([time, singular, plural]) { + var unit = time > 1 ? plural : singular; + return '%d %s'.format(time, unit); + }).join(', '); +} + +function buildSection(name, table) { + return E('div', { 'class': 'cbi-section' }, [ + E('h2', [name]), + table + ]); +} + +function buildTable(rows) { + return E('table', { 'class': 'table', }, rows); +} + +function buildKeyValueTable(kvPairs) { + var rows = kvPairs.map(function (row) { + return E('tr', { 'class': 'tr' }, [ + E('td', { 'class': 'td', 'width': '33%' }, E('strong', [row[0]])), + E('td', { 'class': 'td' }, [row[1]]) + ]); + }); + return buildTable(rows); +} + +function collectErrorMessages(results) { + var errorMessages = results.reduce(function (messages, result) { + return messages.concat(result.errors.map(function (error) { + return error.message; + })); + }, []); + var uniqueErrorMessages = new Set(errorMessages); + + return [...uniqueErrorMessages]; +} + +return view.extend({ + load: function () { + return Promise.all([ + fs.exec_direct('/usr/sbin/swanmon', ['version'], 'json'), + fs.exec_direct('/usr/sbin/swanmon', ['stats'], 'json'), + fs.exec_direct('/usr/sbin/swanmon', ['list-sas'], 'json') + ]); + }, + + pollData: function (container) { + poll.add(L.bind(function () { + return this.load().then(L.bind(function (results) { + dom.content(container, this.renderContent(results)); + }, this)); + }, this)); + }, + + renderContent: function (results) { + var node = E('div', [E('div')]); + var firstNode = node.firstElementChild; + + var errorMessages = collectErrorMessages(results); + if (errorMessages.length > 0) { + var messageEls = errorMessages.map(function (message) { + return E('li', message); + }); + + firstNode.appendChild(E('h4', _('Querying strongSwan failed'))); + firstNode.appendChild(E('ul', messageEls)); + + return node; + } + + var [version, stats, sas] = results.map(function (r) { + return r.data; + }); + + var uptimeSeconds = (new Date() - new Date(stats.uptime.since)) / 1000; + var statsSection = buildSection(_('Stats'), buildKeyValueTable([ + [_('Version'), version.version], + [_('Uptime'), formatTime(uptimeSeconds, 2)], + [_('Daemon'), version.daemon], + [_('Active IKE_SAs'), stats.ikesas.total], + [_('Half-Open IKE_SAs'), stats.ikesas['half-open']] + ])); + firstNode.appendChild(statsSection); + + var tableRows = sas.map(function (conn) { + var name = Object.keys(conn)[0]; + var data = conn[name]; + var childSas = []; + + Object.entries(data['child-sas']).forEach(function ([name, data]) { + var table = buildKeyValueTable([ + [_('State'), data.state], + [_('Mode'), data.mode], + [_('Protocol'), data.protocol], + [_('Local Traffic Selectors'), data['local-ts'].join(', ')], + [_('Remote Traffic Selectors'), data['remote-ts'].join(', ')], + [_('Encryption Algorithm'), data['encr-alg']], + [_('Encryption Keysize'), data['encr-keysize']], + [_('Bytes in'), data['bytes-in']], + [_('Bytes out'), data['bytes-out']], + [_('Life Time'), formatTime(data['life-time'], 2)], + [_('Install Time'), formatTime(data['install-time'], 2)], + [_('Rekey in'), formatTime(data['rekey-time'], 2)], + [_('SPI in'), data['spi-in']], + [_('SPI out'), data['spi-out']] + ]); + childSas.push(E('div', { 'class': 'cbi-section' }, [ + E('h4', { 'style': 'margin-top: 0; padding-top: 0;' }, [name]), + table + ])); + }); + childSas.push(E('button', { + 'class': 'btn cbi-button cbi-button-apply', + 'click': ui.hideModal + }, _('Close'))); + + return E('tr', { 'class': 'tr' }, [ + E('td', { 'class': 'td' }, [name]), + E('td', { 'class': 'td' }, [data.state]), + E('td', { 'class': 'td' }, [data['remote-host']]), + E('td', { 'class': 'td' }, [data.version]), + E('td', { 'class': 'td' }, [formatTime(data.established, 2)]), + E('td', { 'class': 'td' }, [formatTime(data['reauth-time'], 2)]), + E('td', { 'class': 'td' }, [E('button', { + 'class': 'btn cbi-button cbi-button-apply', + 'click': function (ev) { + ui.showModal(_('CHILD_SAs'), childSas) + } + }, _('Show Details'))]) + ]); + }); + var connSection = buildSection(_('Security Associations (SAs)'), buildTable([ + E('tr', { 'class': 'tr' }, [ + E('th', { 'class': 'th' }, [_('Name')]), + E('th', { 'class': 'th' }, [_('State')]), + E('th', { 'class': 'th' }, [_('Remote')]), + E('th', { 'class': 'th' }, [_('IKE Version')]), + E('th', { 'class': 'th' }, [_('Established for')]), + E('th', { 'class': 'th' }, [_('Reauthentication in')]), + E('th', { 'class': 'th' }, [_('Details')]) + ]), + ...tableRows + ])); + firstNode.appendChild(connSection); + + return node; + }, + + render: function (results) { + var content = E([], [ + E('h2', [_('strongSwan Status')]), + E('div') + ]); + var container = content.lastElementChild; + + dom.content(container, this.renderContent(results)); + this.pollData(container); + + return content; + }, + + handleSaveApply: null, + handleSave: null, + handleReset: null +}); diff --git a/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json b/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json index 2f0c5c5d1f..d229869d64 100644 --- a/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json +++ b/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json @@ -11,5 +11,18 @@ "luci-app-strongswan-swanctl" ] } + }, + "admin/status/strongswan": { + "title": "strongSwan IPsec", + "order": 90, + "action": { + "type": "view", + "path": "strongswan-swanctl/status" + }, + "depends": { + "acl": [ + "luci-app-strongswan-swanctl" + ] + } } } diff --git a/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json b/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json index 4f022c9463..d3b44a27a2 100644 --- a/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json +++ b/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json @@ -2,6 +2,11 @@ "luci-app-strongswan-swanctl": { "description": "Grant access to luci-app-strongswan-swanctl", "read": { + "file": { + "/usr/sbin/swanmon version": [ "exec" ], + "/usr/sbin/swanmon stats": [ "exec" ], + "/usr/sbin/swanmon list-sas": [ "exec" ] + }, "uci": [ "ipsec" ] }, "write": {