diff options
Diffstat (limited to 'applications/luci-app-strongswan-swanctl')
6 files changed, 802 insertions, 0 deletions
diff --git a/applications/luci-app-strongswan-swanctl/Makefile b/applications/luci-app-strongswan-swanctl/Makefile new file mode 100644 index 0000000000..cadd2dacc5 --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/Makefile @@ -0,0 +1,17 @@ +# Copyright 2021 Nicholas Smith (nicholas@nbembedded.com) +# Copyright (C) 2023 TDT AG <development@tdt.de> +# +# This is free software, licensed under the GNU General Public License v2. + +include $(TOPDIR)/rules.mk + +PKG_LICENSE:=GPL-2.0-or-later +PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>, Lukas Voegl <lvoegl@tdt.de> + +LUCI_TITLE:=LuCI support for strongSwan via swanctl +LUCI_DESCRIPTION:=Status and configuration for strongSwan based on swanctl +LUCI_DEPENDS:=+strongswan-swanctl +swanmon + +include ../../luci.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js new file mode 100644 index 0000000000..1ebbe59084 --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js @@ -0,0 +1,143 @@ +'use strict'; +'require baseclass'; + +return baseclass.extend({ + + _encryptionAlgorithms: new Map([ + ['3des', true], + ['cast128', true], + ['blowfish128', true], + ['blowfish192', true], + ['blowfish256', true], + ['null', true], + ['aes128'], + ['aes192'], + ['aes256'], + ['aes128ctr'], + ['aes192ctr'], + ['aes256ctr'], + ['camellia128'], + ['camellia192'], + ['camellia256'], + ['camellia128ctr'], + ['camellia192ctr'], + ['camellia256ctr'] + ]), + + _authenticatedEncryptionAlgorithms: new Map([ + ['aes128ccm64'], + ['aes192ccm64'], + ['aes256ccm64'], + ['aes128ccm96'], + ['aes192ccm96'], + ['aes256ccm96'], + ['aes128ccm128'], + ['aes192ccm128'], + ['aes256ccm128'], + ['aes128gcm64'], + ['aes192gcm64'], + ['aes256gcm64'], + ['aes128gcm96'], + ['aes192gcm96'], + ['aes256gcm96'], + ['aes128gcm128'], + ['aes192gcm128'], + ['aes256gcm128'], + ['aes128gmac'], + ['aes192gmac'], + ['aes256gmac'], + ['camellia128ccm64'], + ['camellia192ccm64'], + ['camellia256ccm64'], + ['camellia128ccm96'], + ['camellia192ccm96'], + ['camellia256ccm96'], + ['camellia128ccm128'], + ['camellia192ccm128'], + ['camellia256ccm128'], + ['chacha20poly1305'] + ]), + + _hashAlgorithms: new Map([ + ['md5', true], + ['md5_128', true], + ['sha1', true], + ['sha1_160', true], + ['aesxcbc'], + ['aescmac'], + ['aes128gmac'], + ['aes192gmac'], + ['aes256gmac'], + ['sha256'], + ['sha384'], + ['sha512'], + ['sha256_96'] + ]), + + _dhAlgorithms: new Map([ + ['modp768', true], + ['modp1024', true], + ['modp1536', true], + ['modp2048'], + ['modp3072'], + ['modp4096'], + ['modp6144'], + ['modp8192'], + ['modp1024s160', true], + ['modp2048s224', true], + ['modp2048s256', true], + ['ecp192', true], + ['ecp224'], + ['ecp256'], + ['ecp384'], + ['ecp521'], + ['ecp224bp'], + ['ecp256bp'], + ['ecp384bp'], + ['ecp512bp'], + ['curve25519'], + ['curve448'] + ]), + + _prfAlgorithms: new Map([ + ['prfmd5', true], + ['prfsha1', true], + ['prfaesxcbc'], + ['prfaescmac'], + ['prfsha256'], + ['prfsha384'], + ['prfsha512'] + ]), + + _getAlgorithmNames: function (algorithms) { + return Array.from(algorithms.keys()); + }, + + isInsecure: function (algorithmName) { + return this._encryptionAlgorithms.get(algorithmName) == true + || this._authenticatedEncryptionAlgorithms.get(algorithmName) == true + || this._hashAlgorithms.get(algorithmName) == true + || this._dhAlgorithms.get(algorithmName) == true + || this._prfAlgorithms.get(algorithmName) == true; + }, + + getEncryptionAlgorithms: function () { + return this._getAlgorithmNames(this._encryptionAlgorithms); + }, + + getAuthenticatedEncryptionAlgorithms: function () { + return this._getAlgorithmNames(this._authenticatedEncryptionAlgorithms); + }, + + getHashAlgorithms: function () { + return this._getAlgorithmNames(this._hashAlgorithms); + }, + + getDiffieHellmanAlgorithms: function () { + return this._getAlgorithmNames(this._dhAlgorithms); + }, + + getPrfAlgorithms: function () { + return this._getAlgorithmNames(this._prfAlgorithms); + } +}); diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js new file mode 100644 index 0000000000..d0a936cc6e --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js @@ -0,0 +1,189 @@ +'use strict'; +'require view'; +'require dom'; +'require poll'; +'require fs'; +'require ui'; + +function formatTime(seconds, selectCount) { + var days = Math.floor(seconds / (60 * 60 * 24)); + var hours = Math.floor(seconds / (60 * 60)) % 24; + var minutes = Math.floor(seconds / 60) % 60; + var seconds = Math.floor(seconds % 60); + + var times = [ + [days, _('Day'), _('Days')], + [hours, _('Hour'), _('Hours')], + [minutes, _('Minute'), _('Minutes')], + [seconds, _('Second'), _('Seconds')] + ].filter(function ([time, singular, plural]) { + return time > 0; + }); + + var selectedTimes = times.slice(0, selectCount); + return selectedTimes.map(function ([time, singular, plural]) { + var unit = time > 1 ? plural : singular; + return '%d %s'.format(time, unit); + }).join(', '); +} + +function buildSection(name, table) { + return E('div', { 'class': 'cbi-section' }, [ + E('h2', [name]), + table + ]); +} + +function buildTable(rows) { + return E('table', { 'class': 'table', }, rows); +} + +function buildKeyValueTable(kvPairs) { + var rows = kvPairs.map(function (row) { + return E('tr', { 'class': 'tr' }, [ + E('td', { 'class': 'td', 'width': '33%' }, E('strong', [row[0]])), + E('td', { 'class': 'td' }, [row[1]]) + ]); + }); + return buildTable(rows); +} + +function collectErrorMessages(results) { + var errorMessages = results.reduce(function (messages, result) { + return messages.concat(result.errors.map(function (error) { + return error.message; + })); + }, []); + var uniqueErrorMessages = new Set(errorMessages); + + return [...uniqueErrorMessages]; +} + +return view.extend({ + load: function () { + return Promise.all([ + fs.exec_direct('/usr/sbin/swanmon', ['version'], 'json'), + fs.exec_direct('/usr/sbin/swanmon', ['stats'], 'json'), + fs.exec_direct('/usr/sbin/swanmon', ['list-sas'], 'json') + ]); + }, + + pollData: function (container) { + poll.add(L.bind(function () { + return this.load().then(L.bind(function (results) { + dom.content(container, this.renderContent(results)); + }, this)); + }, this)); + }, + + renderContent: function (results) { + var node = E('div', [E('div')]); + var firstNode = node.firstElementChild; + + var errorMessages = collectErrorMessages(results); + if (errorMessages.length > 0) { + var messageEls = errorMessages.map(function (message) { + return E('li', message); + }); + + firstNode.appendChild(E('h4', _('Querying strongSwan failed'))); + firstNode.appendChild(E('ul', messageEls)); + + return node; + } + + var [version, stats, sas] = results.map(function (r) { + return r.data; + }); + + var uptimeSeconds = (new Date() - new Date(stats.uptime.since)) / 1000; + var statsSection = buildSection(_('Stats'), buildKeyValueTable([ + [_('Version'), version.version], + [_('Uptime'), formatTime(uptimeSeconds, 2)], + [_('Daemon'), version.daemon], + [_('Active IKE_SAs'), stats.ikesas.total], + [_('Half-Open IKE_SAs'), stats.ikesas['half-open']] + ])); + firstNode.appendChild(statsSection); + + var tableRows = sas.map(function (conn) { + var name = Object.keys(conn)[0]; + var data = conn[name]; + var childSas = []; + + Object.entries(data['child-sas']).forEach(function ([name, data]) { + var table = buildKeyValueTable([ + [_('State'), data.state], + [_('Mode'), data.mode], + [_('Protocol'), data.protocol], + [_('Local Traffic Selectors'), data['local-ts'].join(', ')], + [_('Remote Traffic Selectors'), data['remote-ts'].join(', ')], + [_('Encryption Algorithm'), data['encr-alg']], + [_('Encryption Keysize'), data['encr-keysize']], + [_('Bytes in'), data['bytes-in']], + [_('Bytes out'), data['bytes-out']], + [_('Life Time'), formatTime(data['life-time'], 2)], + [_('Install Time'), formatTime(data['install-time'], 2)], + [_('Rekey in'), formatTime(data['rekey-time'], 2)], + [_('SPI in'), data['spi-in']], + [_('SPI out'), data['spi-out']] + ]); + childSas.push(E('div', { 'class': 'cbi-section' }, [ + E('h4', { 'style': 'margin-top: 0; padding-top: 0;' }, [name]), + table + ])); + }); + childSas.push(E('button', { + 'class': 'btn cbi-button cbi-button-apply', + 'click': ui.hideModal + }, _('Close'))); + + return E('tr', { 'class': 'tr' }, [ + E('td', { 'class': 'td' }, [name]), + E('td', { 'class': 'td' }, [data.state]), + E('td', { 'class': 'td' }, [data['remote-host']]), + E('td', { 'class': 'td' }, [data.version]), + E('td', { 'class': 'td' }, [formatTime(data.established, 2)]), + E('td', { 'class': 'td' }, [formatTime(data['reauth-time'], 2)]), + E('td', { 'class': 'td' }, [E('button', { + 'class': 'btn cbi-button cbi-button-apply', + 'click': function (ev) { + ui.showModal(_('CHILD_SAs'), childSas) + } + }, _('Show Details'))]) + ]); + }); + var connSection = buildSection(_('Security Associations (SAs)'), buildTable([ + E('tr', { 'class': 'tr' }, [ + E('th', { 'class': 'th' }, [_('Name')]), + E('th', { 'class': 'th' }, [_('State')]), + E('th', { 'class': 'th' }, [_('Remote')]), + E('th', { 'class': 'th' }, [_('IKE Version')]), + E('th', { 'class': 'th' }, [_('Established for')]), + E('th', { 'class': 'th' }, [_('Reauthentication in')]), + E('th', { 'class': 'th' }, [_('Details')]) + ]), + ...tableRows + ])); + firstNode.appendChild(connSection); + + return node; + }, + + render: function (results) { + var content = E([], [ + E('h2', [_('strongSwan Status')]), + E('div') + ]); + var container = content.lastElementChild; + + dom.content(container, this.renderContent(results)); + this.pollData(container); + + return content; + }, + + handleSaveApply: null, + handleSave: null, + handleReset: null +}); diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js new file mode 100644 index 0000000000..c18814aac3 --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js @@ -0,0 +1,409 @@ +'use strict'; +'require view'; +'require form'; +'require uci'; +'require tools.widgets as widgets'; +'require strongswan_algorithms'; + +function validateTimeFormat(section_id, value) { + if (value && !value.match(/^\d+[smhd]$/)) { + return _('Number must have suffix s, m, h or d'); + } + + return true; +} + +function addAlgorithms(o, algorithms) { + algorithms.forEach(function (algorithm) { + if (strongswan_algorithms.isInsecure(algorithm)) { + o.value(algorithm, '%s*'.format(algorithm)); + } else { + o.value(algorithm); + } + }); +} + +return view.extend({ + load: function () { + return uci.load('network'); + }, + + render: function () { + var m, s, o; + + m = new form.Map('ipsec', _('strongSwan Configuration'), + _('Configure strongSwan for secure VPN connections.')); + m.tabbed = true; + + // strongSwan General Settings + s = m.section(form.TypedSection, 'ipsec', _('General Settings')); + s.anonymous = true; + + o = s.option(widgets.ZoneSelect, 'zone', _('Zone'), + _('Firewall zone that has to match the defined firewall zone')); + o.default = 'lan'; + o.multiple = true; + + o = s.option(widgets.NetworkSelect, 'listen', _('Listening Interfaces'), + _('Interfaces that accept VPN traffic')); + o.datatype = 'interface'; + o.placeholder = _('Select an interface or leave empty for all interfaces'); + o.default = 'wan'; + o.multiple = true; + o.rmempty = false; + + o = s.option(form.Value, 'debug', _('Debug Level'), + _('Trace level: 0 is least verbose, 4 is most')); + o.default = '0'; + o.datatype = 'range(0,4)'; + + // Remote Configuration + s = m.section(form.GridSection, 'remote', _('Remote Configuration'), + _('Define Remote IKE Configurations.')); + s.addremove = true; + s.nodescriptions = true; + + o = s.tab('general', _('General')); + o = s.tab('authentication', _('Authentication')); + o = s.tab('advanced', _('Advanced')); + + o = s.taboption('general', form.Flag, 'enabled', _('Enabled'), + _('Configuration is enabled or not')); + o.rmempty = false; + + o = s.taboption('general', form.Value, 'gateway', _('Gateway (Remote Endpoint)'), + _('IP address or FQDN name of the tunnel remote endpoint')); + o.datatype = 'or(hostname,ipaddr)'; + o.rmempty = false; + + o = s.taboption('general', form.Value, 'local_gateway', _('Local Gateway'), + _('IP address or FQDN of the tunnel local endpoint')); + o.datatype = 'or(hostname,ipaddr)'; + o.modalonly = true; + + o = s.taboption('general', form.Value, 'local_sourceip', _('Local Source IP'), + _('Virtual IP(s) to request in IKEv2 configuration payloads requests')); + o.datatype = 'ipaddr'; + o.modalonly = true; + + o = s.taboption('general', form.Value, 'local_ip', _('Local IP'), + _('Local address(es) to use in IKE negotiation')); + o.datatype = 'ipaddr'; + o.modalonly = true; + + o = s.taboption('general', form.MultiValue, 'crypto_proposal', _('Crypto Proposal'), + _('List of IKE (phase 1) proposals to use for authentication')); + o.load = function (section_id) { + this.keylist = []; + this.vallist = []; + + var sections = uci.sections('ipsec', 'crypto_proposal'); + if (sections.length == 0) { + this.value('', _('Please create a Proposal first')); + } else { + sections.forEach(L.bind(function (section) { + if (section.is_esp != '1') { + this.value(section['.name']); + } + }, this)); + } + + return this.super('load', [section_id]); + }; + o.rmempty = false; + + o = s.taboption('general', form.MultiValue, 'tunnel', _('Tunnel'), + _('Name of ESP (phase 2) section')); + o.load = function (section_id) { + this.keylist = []; + this.vallist = []; + + var sections = uci.sections('ipsec', 'tunnel'); + if (sections.length == 0) { + this.value('', _('Please create a Tunnel first')); + } else { + sections.forEach(L.bind(function (section) { + this.value(section['.name']); + }, this)); + } + + return this.super('load', [section_id]); + }; + o.rmempty = false; + + o = s.taboption('authentication', form.ListValue, 'authentication_method', + _('Authentication Method'), _('IKE authentication (phase 1)')); + o.modalonly = true; + o.value('psk', 'Pre-shared Key'); + o.value('pubkey', 'Public Key'); + + o = s.taboption('authentication', form.Value, 'local_identifier', _('Local Identifier'), + _('Local identifier for IKE (phase 1)')); + o.datatype = 'string'; + o.placeholder = 'C=US, O=Acme Corporation, CN=headquarters'; + o.modalonly = true; + + o = s.taboption('authentication', form.Value, 'remote_identifier', _('Remote Identifier'), + _('Remote identifier for IKE (phase 1)')); + o.datatype = 'string'; + o.placeholder = 'C=US, O=Acme Corporation, CN=soho'; + o.modalonly = true; + + o = s.taboption('authentication', form.Value, 'pre_shared_key', _('Pre-Shared Key'), + _('The pre-shared key for the tunnel')); + o.datatype = 'string'; + o.password = true; + o.modalonly = true; + o.rmempty = false; + o.depends('authentication_method', 'psk'); + + o = s.taboption('authentication', form.Value, 'local_cert', _('Local Certificate'), + _('Certificate pathname to use for authentication')); + o.datatype = 'file'; + o.depends('authentication_method', 'pubkey'); + o.modalonly = true; + + o = s.taboption('authentication', form.Value, 'local_key', _('Local Key'), + _('Private key pathname to use with above certificate')); + o.datatype = 'file'; + o.modalonly = true; + + o = s.taboption('authentication', form.Value, 'ca_cert', _('CA Certificate'), + _("CA certificate that need to lie in remote peer's certificate's path of trust")); + o.datatype = 'file'; + o.depends('authentication_method', 'pubkey'); + o.modalonly = true; + + + o = s.taboption('advanced', form.Flag, 'mobike', _('MOBIKE'), + _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)')); + o.default = '1'; + o.modalonly = true; + + o = s.taboption('advanced', form.ListValue, 'fragmentation', _('IKE Fragmentation'), + _('Use IKE fragmentation')); + o.value('yes'); + o.value('no'); + o.value('force'); + o.value('accept'); + o.default = 'yes'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'keyingretries', _('Keying Retries'), + _('Number of retransmissions attempts during initial negotiation')); + o.datatype = 'uinteger'; + o.default = '3'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'dpddelay', _('DPD Delay'), + _('Interval to check liveness of a peer')); + o.validate = validateTimeFormat; + o.default = '30s'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'inactivity', _('Inactivity'), + _('Interval before closing an inactive CHILD_SA')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'), + _('IKEv2 interval to refresh keying material; also used to compute lifetime')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'overtime', _('Overtime'), + _('Limit on time to complete rekeying/reauthentication')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.ListValue, 'keyexchange', _('Keyexchange'), + _('Version of IKE for negotiation')); + o.value('ikev1', 'IKEv1 (%s)', _('deprecated')); + o.value('ikev2', 'IKEv2'); + o.value('ike', 'IKE (%s, %s)'.format(_('both'), _('deprecated'))); + o.default = 'ikev2'; + o.modalonly = true; + + // Tunnel Configuration + s = m.section(form.GridSection, 'tunnel', _('Tunnel Configuration'), + _('Define Connection Children to be used as Tunnels in Remote Configurations.')); + s.addremove = true; + s.nodescriptions = true; + + o = s.tab('general', _('General')); + o = s.tab('advanced', _('Advanced')); + + o = s.taboption('general', form.DynamicList, 'local_subnet', _('Local Subnet'), + _('Local network(s)')); + o.datatype = 'subnet'; + o.placeholder = '192.168.1.1/24'; + o.rmempty = false; + + o = s.taboption('general', form.DynamicList, 'remote_subnet', _('Remote Subnet'), + _('Remote network(s)')); + o.datatype = 'subnet'; + o.placeholder = '192.168.2.1/24'; + o.rmempty = false; + + o = s.taboption('general', form.Value, 'local_nat', _('Local NAT'), + _('NAT range for tunnels with overlapping IP addresses')); + o.datatype = 'subnet'; + o.modalonly = true; + + o = s.taboption('general', form.ListValue, 'if_id', ('XFRM Interface ID'), + _('XFRM interface ID set on input and output interfaces')); + o.load = function (section_id) { + this.keylist = []; + this.vallist = []; + + var xfrmSections = uci.sections('network').filter(function (section) { + return section.proto == 'xfrm'; + }); + + xfrmSections.forEach(L.bind(function (section) { + this.value(section.ifid, + '%s (%s)'.format(section.ifid, section['.name'])); + }, this)); + + return this.super('load', [section_id]); + } + o.optional = true; + o.modalonly = true; + + o = s.taboption('general', form.ListValue, 'startaction', _('Start Action'), + _('Action on initial configuration load')); + o.value('none'); + o.value('trap'); + o.value('start'); + o.default = 'trap'; + o.modalonly = true; + + o = s.taboption('general', form.ListValue, 'closeaction', _('Close Action'), + _('Action when CHILD_SA is closed')); + o.value('none'); + o.value('trap'); + o.value('start'); + o.optional = true; + o.modalonly = true; + + o = s.taboption('general', form.MultiValue, 'crypto_proposal', + _('Crypto Proposal (Phase 2)'), + _('List of ESP (phase two) proposals. Only Proposals with checked ESP flag are selectable')); + o.load = function (section_id) { + this.keylist = []; + this.vallist = []; + + var sections = uci.sections('ipsec', 'crypto_proposal'); + if (sections.length == 0) { + this.value('', _('Please create an ESP Proposal first')); + } else { + sections.forEach(L.bind(function (section) { + if (section.is_esp == '1') { + this.value(section['.name']); + } + }, this)); + } + + return this.super('load', [section_id]); + }; + o.rmempty = false; + + o = s.taboption('advanced', form.Value, 'updown', _('Up/Down Script Path'), + _('Path to script to run on CHILD_SA up/down events')); + o.datatype = 'file'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'lifetime', _('Lifetime'), + _('Maximum duration of the CHILD_SA before closing')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.ListValue, 'dpdaction', _('DPD Action'), + _('Action when DPD timeout occurs')); + o.value('none'); + o.value('clear'); + o.value('trap'); + o.value('start'); + o.optional = true; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'), + _('Duration of the CHILD_SA before rekeying')); + o.validate = validateTimeFormat; + o.modalonly = true; + + o = s.taboption('advanced', form.Flag, 'ipcomp', _('IPComp'), + _('Enable ipcomp compression')); + o.default = '0'; + o.modalonly = true; + + o = s.taboption('advanced', form.ListValue, 'hw_offload', _('H/W Offload'), + _('Enable Hardware offload')); + o.value('yes'); + o.value('no'); + o.value('auto'); + o.optional = true; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'priority', _('Priority'), + _('Priority of the CHILD_SA')); + o.datatype = 'uinteger'; + o.modalonly = true; + + o = s.taboption('advanced', form.Value, 'replay_window', _('Replay Window'), + '%s; %s'.format(_('Replay Window of the CHILD_SA'), + _('Values larger than 32 are supported by the Netlink backend only'))); + o.datatype = 'uinteger'; + o.modalonly = true; + + // Crypto Proposals + s = m.section(form.GridSection, 'crypto_proposal', + _('Encryption Proposals'), + _('Configure Cipher Suites to define IKE (Phase 1) or ESP (Phase 2) Proposals.')); + s.addremove = true; + s.nodescriptions = true; + + o = s.option(form.Flag, 'is_esp', _('ESP Proposal'), + _('Whether this is an ESP (phase 2) proposal or not')); + + o = s.option(form.ListValue, 'encryption_algorithm', + _('Encryption Algorithm'), + _('Algorithms marked with * are considered insecure')); + o.default = 'aes256gcm128'; + addAlgorithms(o, strongswan_algorithms.getEncryptionAlgorithms()); + addAlgorithms(o, strongswan_algorithms.getAuthenticatedEncryptionAlgorithms()); + + + o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'), + _('Algorithms marked with * are considered insecure')); + strongswan_algorithms.getEncryptionAlgorithms().forEach(function (algorithm) { + o.depends('encryption_algorithm', algorithm); + }); + o.default = 'sha512'; + o.rmempty = false; + addAlgorithms(o, strongswan_algorithms.getHashAlgorithms()); + + o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'), + _('Algorithms marked with * are considered insecure')); + o.default = 'modp3072'; + addAlgorithms(o, strongswan_algorithms.getDiffieHellmanAlgorithms()); + + o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'), + _('Algorithms marked with * are considered insecure')); + o.validate = function (section_id, value) { + var encryptionAlgorithm = this.section.formvalue(section_id, 'encryption_algorithm'); + + if (strongswan_algorithms.getAuthenticatedEncryptionAlgorithms().includes( + encryptionAlgorithm) && !value) { + return _('PRF Algorithm must be configured when using an Authenticated Encryption Algorithm'); + } + + return true; + }; + o.optional = true; + o.depends('is_esp', '0'); + addAlgorithms(o, strongswan_algorithms.getPrfAlgorithms()); + + return m.render(); + } +}); diff --git a/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json b/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json new file mode 100644 index 0000000000..d229869d64 --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json @@ -0,0 +1,28 @@ +{ + "admin/vpn/strongswan-swanctl": { + "title": "strongSwan IPsec", + "order": 90, + "action": { + "type": "view", + "path": "strongswan-swanctl/swanctl" + }, + "depends": { + "acl": [ + "luci-app-strongswan-swanctl" + ] + } + }, + "admin/status/strongswan": { + "title": "strongSwan IPsec", + "order": 90, + "action": { + "type": "view", + "path": "strongswan-swanctl/status" + }, + "depends": { + "acl": [ + "luci-app-strongswan-swanctl" + ] + } + } +} diff --git a/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json b/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json new file mode 100644 index 0000000000..d3b44a27a2 --- /dev/null +++ b/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json @@ -0,0 +1,16 @@ +{ + "luci-app-strongswan-swanctl": { + "description": "Grant access to luci-app-strongswan-swanctl", + "read": { + "file": { + "/usr/sbin/swanmon version": [ "exec" ], + "/usr/sbin/swanmon stats": [ "exec" ], + "/usr/sbin/swanmon list-sas": [ "exec" ] + }, + "uci": [ "ipsec" ] + }, + "write": { + "uci": [ "ipsec" ] + } + } +} |