projects / project / luci.git / blob
? search:


c18814aac3cd96803b6acd7a896a245d02999e71
[project/luci.git] /
1 'use strict';
2 'require view';
3 'require form';
4 'require uci';
5 'require tools.widgets as widgets';
6 'require strongswan_algorithms';
7
8 function validateTimeFormat(section_id, value) {
9 if (value && !value.match(/^\d+[smhd]$/)) {
10 return _('Number must have suffix s, m, h or d');
11 }
12
13 return true;
14 }
15
16 function addAlgorithms(o, algorithms) {
17 algorithms.forEach(function (algorithm) {
18 if (strongswan_algorithms.isInsecure(algorithm)) {
19 o.value(algorithm, '%s*'.format(algorithm));
20 } else {
21 o.value(algorithm);
22 }
23 });
24 }
25
26 return view.extend({
27 load: function () {
28 return uci.load('network');
29 },
30
31 render: function () {
32 var m, s, o;
33
34 m = new form.Map('ipsec', _('strongSwan Configuration'),
35 _('Configure strongSwan for secure VPN connections.'));
36 m.tabbed = true;
37
38 // strongSwan General Settings
39 s = m.section(form.TypedSection, 'ipsec', _('General Settings'));
40 s.anonymous = true;
41
42 o = s.option(widgets.ZoneSelect, 'zone', _('Zone'),
43 _('Firewall zone that has to match the defined firewall zone'));
44 o.default = 'lan';
45 o.multiple = true;
46
47 o = s.option(widgets.NetworkSelect, 'listen', _('Listening Interfaces'),
48 _('Interfaces that accept VPN traffic'));
49 o.datatype = 'interface';
50 o.placeholder = _('Select an interface or leave empty for all interfaces');
51 o.default = 'wan';
52 o.multiple = true;
53 o.rmempty = false;
54
55 o = s.option(form.Value, 'debug', _('Debug Level'),
56 _('Trace level: 0 is least verbose, 4 is most'));
57 o.default = '0';
58 o.datatype = 'range(0,4)';
59
60 // Remote Configuration
61 s = m.section(form.GridSection, 'remote', _('Remote Configuration'),
62 _('Define Remote IKE Configurations.'));
63 s.addremove = true;
64 s.nodescriptions = true;
65
66 o = s.tab('general', _('General'));
67 o = s.tab('authentication', _('Authentication'));
68 o = s.tab('advanced', _('Advanced'));
69
70 o = s.taboption('general', form.Flag, 'enabled', _('Enabled'),
71 _('Configuration is enabled or not'));
72 o.rmempty = false;
73
74 o = s.taboption('general', form.Value, 'gateway', _('Gateway (Remote Endpoint)'),
75 _('IP address or FQDN name of the tunnel remote endpoint'));
76 o.datatype = 'or(hostname,ipaddr)';
77 o.rmempty = false;
78
79 o = s.taboption('general', form.Value, 'local_gateway', _('Local Gateway'),
80 _('IP address or FQDN of the tunnel local endpoint'));
81 o.datatype = 'or(hostname,ipaddr)';
82 o.modalonly = true;
83
84 o = s.taboption('general', form.Value, 'local_sourceip', _('Local Source IP'),
85 _('Virtual IP(s) to request in IKEv2 configuration payloads requests'));
86 o.datatype = 'ipaddr';
87 o.modalonly = true;
88
89 o = s.taboption('general', form.Value, 'local_ip', _('Local IP'),
90 _('Local address(es) to use in IKE negotiation'));
91 o.datatype = 'ipaddr';
92 o.modalonly = true;
93
94 o = s.taboption('general', form.MultiValue, 'crypto_proposal', _('Crypto Proposal'),
95 _('List of IKE (phase 1) proposals to use for authentication'));
96 o.load = function (section_id) {
97 this.keylist = [];
98 this.vallist = [];
99
100 var sections = uci.sections('ipsec', 'crypto_proposal');
101 if (sections.length == 0) {
102 this.value('', _('Please create a Proposal first'));
103 } else {
104 sections.forEach(L.bind(function (section) {
105 if (section.is_esp != '1') {
106 this.value(section['.name']);
107 }
108 }, this));
109 }
110
111 return this.super('load', [section_id]);
112 };
113 o.rmempty = false;
114
115 o = s.taboption('general', form.MultiValue, 'tunnel', _('Tunnel'),
116 _('Name of ESP (phase 2) section'));
117 o.load = function (section_id) {
118 this.keylist = [];
119 this.vallist = [];
120
121 var sections = uci.sections('ipsec', 'tunnel');
122 if (sections.length == 0) {
123 this.value('', _('Please create a Tunnel first'));
124 } else {
125 sections.forEach(L.bind(function (section) {
126 this.value(section['.name']);
127 }, this));
128 }
129
130 return this.super('load', [section_id]);
131 };
132 o.rmempty = false;
133
134 o = s.taboption('authentication', form.ListValue, 'authentication_method',
135 _('Authentication Method'), _('IKE authentication (phase 1)'));
136 o.modalonly = true;
137 o.value('psk', 'Pre-shared Key');
138 o.value('pubkey', 'Public Key');
139
140 o = s.taboption('authentication', form.Value, 'local_identifier', _('Local Identifier'),
141 _('Local identifier for IKE (phase 1)'));
142 o.datatype = 'string';
143 o.placeholder = 'C=US, O=Acme Corporation, CN=headquarters';
144 o.modalonly = true;
145
146 o = s.taboption('authentication', form.Value, 'remote_identifier', _('Remote Identifier'),
147 _('Remote identifier for IKE (phase 1)'));
148 o.datatype = 'string';
149 o.placeholder = 'C=US, O=Acme Corporation, CN=soho';
150 o.modalonly = true;
151
152 o = s.taboption('authentication', form.Value, 'pre_shared_key', _('Pre-Shared Key'),
153 _('The pre-shared key for the tunnel'));
154 o.datatype = 'string';
155 o.password = true;
156 o.modalonly = true;
157 o.rmempty = false;
158 o.depends('authentication_method', 'psk');
159
160 o = s.taboption('authentication', form.Value, 'local_cert', _('Local Certificate'),
161 _('Certificate pathname to use for authentication'));
162 o.datatype = 'file';
163 o.depends('authentication_method', 'pubkey');
164 o.modalonly = true;
165
166 o = s.taboption('authentication', form.Value, 'local_key', _('Local Key'),
167 _('Private key pathname to use with above certificate'));
168 o.datatype = 'file';
169 o.modalonly = true;
170
171 o = s.taboption('authentication', form.Value, 'ca_cert', _('CA Certificate'),
172 _("CA certificate that need to lie in remote peer's certificate's path of trust"));
173 o.datatype = 'file';
174 o.depends('authentication_method', 'pubkey');
175 o.modalonly = true;
176
177
178 o = s.taboption('advanced', form.Flag, 'mobike', _('MOBIKE'),
179 _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)'));
180 o.default = '1';
181 o.modalonly = true;
182
183 o = s.taboption('advanced', form.ListValue, 'fragmentation', _('IKE Fragmentation'),
184 _('Use IKE fragmentation'));
185 o.value('yes');
186 o.value('no');
187 o.value('force');
188 o.value('accept');
189 o.default = 'yes';
190 o.modalonly = true;
191
192 o = s.taboption('advanced', form.Value, 'keyingretries', _('Keying Retries'),
193 _('Number of retransmissions attempts during initial negotiation'));
194 o.datatype = 'uinteger';
195 o.default = '3';
196 o.modalonly = true;
197
198 o = s.taboption('advanced', form.Value, 'dpddelay', _('DPD Delay'),
199 _('Interval to check liveness of a peer'));
200 o.validate = validateTimeFormat;
201 o.default = '30s';
202 o.modalonly = true;
203
204 o = s.taboption('advanced', form.Value, 'inactivity', _('Inactivity'),
205 _('Interval before closing an inactive CHILD_SA'));
206 o.validate = validateTimeFormat;
207 o.modalonly = true;
208
209 o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'),
210 _('IKEv2 interval to refresh keying material; also used to compute lifetime'));
211 o.validate = validateTimeFormat;
212 o.modalonly = true;
213
214 o = s.taboption('advanced', form.Value, 'overtime', _('Overtime'),
215 _('Limit on time to complete rekeying/reauthentication'));
216 o.validate = validateTimeFormat;
217 o.modalonly = true;
218
219 o = s.taboption('advanced', form.ListValue, 'keyexchange', _('Keyexchange'),
220 _('Version of IKE for negotiation'));
221 o.value('ikev1', 'IKEv1 (%s)', _('deprecated'));
222 o.value('ikev2', 'IKEv2');
223 o.value('ike', 'IKE (%s, %s)'.format(_('both'), _('deprecated')));
224 o.default = 'ikev2';
225 o.modalonly = true;
226
227 // Tunnel Configuration
228 s = m.section(form.GridSection, 'tunnel', _('Tunnel Configuration'),
229 _('Define Connection Children to be used as Tunnels in Remote Configurations.'));
230 s.addremove = true;
231 s.nodescriptions = true;
232
233 o = s.tab('general', _('General'));
234 o = s.tab('advanced', _('Advanced'));
235
236 o = s.taboption('general', form.DynamicList, 'local_subnet', _('Local Subnet'),
237 _('Local network(s)'));
238 o.datatype = 'subnet';
239 o.placeholder = '192.168.1.1/24';
240 o.rmempty = false;
241
242 o = s.taboption('general', form.DynamicList, 'remote_subnet', _('Remote Subnet'),
243 _('Remote network(s)'));
244 o.datatype = 'subnet';
245 o.placeholder = '192.168.2.1/24';
246 o.rmempty = false;
247
248 o = s.taboption('general', form.Value, 'local_nat', _('Local NAT'),
249 _('NAT range for tunnels with overlapping IP addresses'));
250 o.datatype = 'subnet';
251 o.modalonly = true;
252
253 o = s.taboption('general', form.ListValue, 'if_id', ('XFRM Interface ID'),
254 _('XFRM interface ID set on input and output interfaces'));
255 o.load = function (section_id) {
256 this.keylist = [];
257 this.vallist = [];
258
259 var xfrmSections = uci.sections('network').filter(function (section) {
260 return section.proto == 'xfrm';
261 });
262
263 xfrmSections.forEach(L.bind(function (section) {
264 this.value(section.ifid,
265 '%s (%s)'.format(section.ifid, section['.name']));
266 }, this));
267
268 return this.super('load', [section_id]);
269 }
270 o.optional = true;
271 o.modalonly = true;
272
273 o = s.taboption('general', form.ListValue, 'startaction', _('Start Action'),
274 _('Action on initial configuration load'));
275 o.value('none');
276 o.value('trap');
277 o.value('start');
278 o.default = 'trap';
279 o.modalonly = true;
280
281 o = s.taboption('general', form.ListValue, 'closeaction', _('Close Action'),
282 _('Action when CHILD_SA is closed'));
283 o.value('none');
284 o.value('trap');
285 o.value('start');
286 o.optional = true;
287 o.modalonly = true;
288
289 o = s.taboption('general', form.MultiValue, 'crypto_proposal',
290 _('Crypto Proposal (Phase 2)'),
291 _('List of ESP (phase two) proposals. Only Proposals with checked ESP flag are selectable'));
292 o.load = function (section_id) {
293 this.keylist = [];
294 this.vallist = [];
295
296 var sections = uci.sections('ipsec', 'crypto_proposal');
297 if (sections.length == 0) {
298 this.value('', _('Please create an ESP Proposal first'));
299 } else {
300 sections.forEach(L.bind(function (section) {
301 if (section.is_esp == '1') {
302 this.value(section['.name']);
303 }
304 }, this));
305 }
306
307 return this.super('load', [section_id]);
308 };
309 o.rmempty = false;
310
311 o = s.taboption('advanced', form.Value, 'updown', _('Up/Down Script Path'),
312 _('Path to script to run on CHILD_SA up/down events'));
313 o.datatype = 'file';
314 o.modalonly = true;
315
316 o = s.taboption('advanced', form.Value, 'lifetime', _('Lifetime'),
317 _('Maximum duration of the CHILD_SA before closing'));
318 o.validate = validateTimeFormat;
319 o.modalonly = true;
320
321 o = s.taboption('advanced', form.ListValue, 'dpdaction', _('DPD Action'),
322 _('Action when DPD timeout occurs'));
323 o.value('none');
324 o.value('clear');
325 o.value('trap');
326 o.value('start');
327 o.optional = true;
328 o.modalonly = true;
329
330 o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'),
331 _('Duration of the CHILD_SA before rekeying'));
332 o.validate = validateTimeFormat;
333 o.modalonly = true;
334
335 o = s.taboption('advanced', form.Flag, 'ipcomp', _('IPComp'),
336 _('Enable ipcomp compression'));
337 o.default = '0';
338 o.modalonly = true;
339
340 o = s.taboption('advanced', form.ListValue, 'hw_offload', _('H/W Offload'),
341 _('Enable Hardware offload'));
342 o.value('yes');
343 o.value('no');
344 o.value('auto');
345 o.optional = true;
346 o.modalonly = true;
347
348 o = s.taboption('advanced', form.Value, 'priority', _('Priority'),
349 _('Priority of the CHILD_SA'));
350 o.datatype = 'uinteger';
351 o.modalonly = true;
352
353 o = s.taboption('advanced', form.Value, 'replay_window', _('Replay Window'),
354 '%s; %s'.format(_('Replay Window of the CHILD_SA'),
355 _('Values larger than 32 are supported by the Netlink backend only')));
356 o.datatype = 'uinteger';
357 o.modalonly = true;
358
359 // Crypto Proposals
360 s = m.section(form.GridSection, 'crypto_proposal',
361 _('Encryption Proposals'),
362 _('Configure Cipher Suites to define IKE (Phase 1) or ESP (Phase 2) Proposals.'));
363 s.addremove = true;
364 s.nodescriptions = true;
365
366 o = s.option(form.Flag, 'is_esp', _('ESP Proposal'),
367 _('Whether this is an ESP (phase 2) proposal or not'));
368
369 o = s.option(form.ListValue, 'encryption_algorithm',
370 _('Encryption Algorithm'),
371 _('Algorithms marked with * are considered insecure'));
372 o.default = 'aes256gcm128';
373 addAlgorithms(o, strongswan_algorithms.getEncryptionAlgorithms());
374 addAlgorithms(o, strongswan_algorithms.getAuthenticatedEncryptionAlgorithms());
375
376
377 o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'),
378 _('Algorithms marked with * are considered insecure'));
379 strongswan_algorithms.getEncryptionAlgorithms().forEach(function (algorithm) {
380 o.depends('encryption_algorithm', algorithm);
381 });
382 o.default = 'sha512';
383 o.rmempty = false;
384 addAlgorithms(o, strongswan_algorithms.getHashAlgorithms());
385
386 o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'),
387 _('Algorithms marked with * are considered insecure'));
388 o.default = 'modp3072';
389 addAlgorithms(o, strongswan_algorithms.getDiffieHellmanAlgorithms());
390
391 o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'),
392 _('Algorithms marked with * are considered insecure'));
393 o.validate = function (section_id, value) {
394 var encryptionAlgorithm = this.section.formvalue(section_id, 'encryption_algorithm');
395
396 if (strongswan_algorithms.getAuthenticatedEncryptionAlgorithms().includes(
397 encryptionAlgorithm) && !value) {
398 return _('PRF Algorithm must be configured when using an Authenticated Encryption Algorithm');
399 }
400
401 return true;
402 };
403 o.optional = true;
404 o.depends('is_esp', '0');
405 addAlgorithms(o, strongswan_algorithms.getPrfAlgorithms());
406
407 return m.render();
408 }
409 });
Lua Configuration Interface (mirror)