Merge pull request #6700 from lvoegl/pr/20231021-luci-app-strongswan
authorPaul Donald <newtwen@gmail.com>
Sun, 17 Dec 2023 23:42:13 +0000 (00:42 +0100)
committerPaul Donald <newtwen@gmail.com>
Sun, 17 Dec 2023 23:42:13 +0000 (00:42 +0100)
Signed-off-by: Lukas Voegl <lvoegl@tdt.de>
luci-app-strongswan-swanctl: initial commit
(cherry picked from commit 828716ad73be81079ffdaa1592f637efa1747f31)

applications/luci-app-strongswan-swanctl/Makefile [new file with mode: 0644]
applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js [new file with mode: 0644]
applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js [new file with mode: 0644]
applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js [new file with mode: 0644]
applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json [new file with mode: 0644]
applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json [new file with mode: 0644]

diff --git a/applications/luci-app-strongswan-swanctl/Makefile b/applications/luci-app-strongswan-swanctl/Makefile
new file mode 100644 (file)
index 0000000..cadd2da
--- /dev/null
@@ -0,0 +1,17 @@
+# Copyright 2021 Nicholas Smith (nicholas@nbembedded.com)
+# Copyright (C) 2023 TDT AG <development@tdt.de>
+#
+# This is free software, licensed under the GNU General Public License v2.
+
+include $(TOPDIR)/rules.mk
+
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>, Lukas Voegl <lvoegl@tdt.de>
+
+LUCI_TITLE:=LuCI support for strongSwan via swanctl
+LUCI_DESCRIPTION:=Status and configuration for strongSwan based on swanctl
+LUCI_DEPENDS:=+strongswan-swanctl +swanmon
+
+include ../../luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/strongswan_algorithms.js
new file mode 100644 (file)
index 0000000..1ebbe59
--- /dev/null
@@ -0,0 +1,143 @@
+'use strict';
+'require baseclass';
+
+return baseclass.extend({
+
+       _encryptionAlgorithms: new Map([
+               ['3des', true],
+               ['cast128', true],
+               ['blowfish128', true],
+               ['blowfish192', true],
+               ['blowfish256', true],
+               ['null', true],
+               ['aes128'],
+               ['aes192'],
+               ['aes256'],
+               ['aes128ctr'],
+               ['aes192ctr'],
+               ['aes256ctr'],
+               ['camellia128'],
+               ['camellia192'],
+               ['camellia256'],
+               ['camellia128ctr'],
+               ['camellia192ctr'],
+               ['camellia256ctr']
+       ]),
+
+       _authenticatedEncryptionAlgorithms: new Map([
+               ['aes128ccm64'],
+               ['aes192ccm64'],
+               ['aes256ccm64'],
+               ['aes128ccm96'],
+               ['aes192ccm96'],
+               ['aes256ccm96'],
+               ['aes128ccm128'],
+               ['aes192ccm128'],
+               ['aes256ccm128'],
+               ['aes128gcm64'],
+               ['aes192gcm64'],
+               ['aes256gcm64'],
+               ['aes128gcm96'],
+               ['aes192gcm96'],
+               ['aes256gcm96'],
+               ['aes128gcm128'],
+               ['aes192gcm128'],
+               ['aes256gcm128'],
+               ['aes128gmac'],
+               ['aes192gmac'],
+               ['aes256gmac'],
+               ['camellia128ccm64'],
+               ['camellia192ccm64'],
+               ['camellia256ccm64'],
+               ['camellia128ccm96'],
+               ['camellia192ccm96'],
+               ['camellia256ccm96'],
+               ['camellia128ccm128'],
+               ['camellia192ccm128'],
+               ['camellia256ccm128'],
+               ['chacha20poly1305']
+       ]),
+
+       _hashAlgorithms: new Map([
+               ['md5', true],
+               ['md5_128', true],
+               ['sha1', true],
+               ['sha1_160', true],
+               ['aesxcbc'],
+               ['aescmac'],
+               ['aes128gmac'],
+               ['aes192gmac'],
+               ['aes256gmac'],
+               ['sha256'],
+               ['sha384'],
+               ['sha512'],
+               ['sha256_96']
+       ]),
+
+       _dhAlgorithms: new Map([
+               ['modp768', true],
+               ['modp1024', true],
+               ['modp1536', true],
+               ['modp2048'],
+               ['modp3072'],
+               ['modp4096'],
+               ['modp6144'],
+               ['modp8192'],
+               ['modp1024s160', true],
+               ['modp2048s224', true],
+               ['modp2048s256', true],
+               ['ecp192', true],
+               ['ecp224'],
+               ['ecp256'],
+               ['ecp384'],
+               ['ecp521'],
+               ['ecp224bp'],
+               ['ecp256bp'],
+               ['ecp384bp'],
+               ['ecp512bp'],
+               ['curve25519'],
+               ['curve448']
+       ]),
+
+       _prfAlgorithms: new Map([
+               ['prfmd5', true],
+               ['prfsha1', true],
+               ['prfaesxcbc'],
+               ['prfaescmac'],
+               ['prfsha256'],
+               ['prfsha384'],
+               ['prfsha512']
+       ]),
+
+       _getAlgorithmNames: function (algorithms) {
+               return Array.from(algorithms.keys());
+       },
+
+       isInsecure: function (algorithmName) {
+               return this._encryptionAlgorithms.get(algorithmName) == true
+                       || this._authenticatedEncryptionAlgorithms.get(algorithmName) == true
+                       || this._hashAlgorithms.get(algorithmName) == true
+                       || this._dhAlgorithms.get(algorithmName) == true
+                       || this._prfAlgorithms.get(algorithmName) == true;
+       },
+
+       getEncryptionAlgorithms: function () {
+               return this._getAlgorithmNames(this._encryptionAlgorithms);
+       },
+
+       getAuthenticatedEncryptionAlgorithms: function () {
+               return this._getAlgorithmNames(this._authenticatedEncryptionAlgorithms);
+       },
+
+       getHashAlgorithms: function () {
+               return this._getAlgorithmNames(this._hashAlgorithms);
+       },
+
+       getDiffieHellmanAlgorithms: function () {
+               return this._getAlgorithmNames(this._dhAlgorithms);
+       },
+
+       getPrfAlgorithms: function () {
+               return this._getAlgorithmNames(this._prfAlgorithms);
+       }
+});
diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/status.js
new file mode 100644 (file)
index 0000000..d0a936c
--- /dev/null
@@ -0,0 +1,189 @@
+'use strict';
+'require view';
+'require dom';
+'require poll';
+'require fs';
+'require ui';
+
+function formatTime(seconds, selectCount) {
+       var days = Math.floor(seconds / (60 * 60 * 24));
+       var hours = Math.floor(seconds / (60 * 60)) % 24;
+       var minutes = Math.floor(seconds / 60) % 60;
+       var seconds = Math.floor(seconds % 60);
+
+       var times = [
+               [days, _('Day'), _('Days')],
+               [hours, _('Hour'), _('Hours')],
+               [minutes, _('Minute'), _('Minutes')],
+               [seconds, _('Second'), _('Seconds')]
+       ].filter(function ([time, singular, plural]) {
+               return time > 0;
+       });
+
+       var selectedTimes = times.slice(0, selectCount);
+       return selectedTimes.map(function ([time, singular, plural]) {
+               var unit = time > 1 ? plural : singular;
+               return '%d %s'.format(time, unit);
+       }).join(', ');
+}
+
+function buildSection(name, table) {
+       return E('div', { 'class': 'cbi-section' }, [
+               E('h2', [name]),
+               table
+       ]);
+}
+
+function buildTable(rows) {
+       return E('table', { 'class': 'table', }, rows);
+}
+
+function buildKeyValueTable(kvPairs) {
+       var rows = kvPairs.map(function (row) {
+               return E('tr', { 'class': 'tr' }, [
+                       E('td', { 'class': 'td', 'width': '33%' }, E('strong', [row[0]])),
+                       E('td', { 'class': 'td' }, [row[1]])
+               ]);
+       });
+       return buildTable(rows);
+}
+
+function collectErrorMessages(results) {
+       var errorMessages = results.reduce(function (messages, result) {
+               return messages.concat(result.errors.map(function (error) {
+                       return error.message;
+               }));
+       }, []);
+       var uniqueErrorMessages = new Set(errorMessages);
+
+       return [...uniqueErrorMessages];
+}
+
+return view.extend({
+       load: function () {
+               return Promise.all([
+                       fs.exec_direct('/usr/sbin/swanmon', ['version'], 'json'),
+                       fs.exec_direct('/usr/sbin/swanmon', ['stats'], 'json'),
+                       fs.exec_direct('/usr/sbin/swanmon', ['list-sas'], 'json')
+               ]);
+       },
+
+       pollData: function (container) {
+               poll.add(L.bind(function () {
+                       return this.load().then(L.bind(function (results) {
+                               dom.content(container, this.renderContent(results));
+                       }, this));
+               }, this));
+       },
+
+       renderContent: function (results) {
+               var node = E('div', [E('div')]);
+               var firstNode = node.firstElementChild;
+
+               var errorMessages = collectErrorMessages(results);
+               if (errorMessages.length > 0) {
+                       var messageEls = errorMessages.map(function (message) {
+                               return E('li', message);
+                       });
+
+                       firstNode.appendChild(E('h4', _('Querying strongSwan failed')));
+                       firstNode.appendChild(E('ul', messageEls));
+
+                       return node;
+               }
+
+               var [version, stats, sas] = results.map(function (r) {
+                       return r.data;
+               });
+
+               var uptimeSeconds = (new Date() - new Date(stats.uptime.since)) / 1000;
+               var statsSection = buildSection(_('Stats'), buildKeyValueTable([
+                       [_('Version'), version.version],
+                       [_('Uptime'), formatTime(uptimeSeconds, 2)],
+                       [_('Daemon'), version.daemon],
+                       [_('Active IKE_SAs'), stats.ikesas.total],
+                       [_('Half-Open IKE_SAs'), stats.ikesas['half-open']]
+               ]));
+               firstNode.appendChild(statsSection);
+
+               var tableRows = sas.map(function (conn) {
+                       var name = Object.keys(conn)[0];
+                       var data = conn[name];
+                       var childSas = [];
+
+                       Object.entries(data['child-sas']).forEach(function ([name, data]) {
+                               var table = buildKeyValueTable([
+                                       [_('State'), data.state],
+                                       [_('Mode'), data.mode],
+                                       [_('Protocol'), data.protocol],
+                                       [_('Local Traffic Selectors'), data['local-ts'].join(', ')],
+                                       [_('Remote Traffic Selectors'), data['remote-ts'].join(', ')],
+                                       [_('Encryption Algorithm'), data['encr-alg']],
+                                       [_('Encryption Keysize'), data['encr-keysize']],
+                                       [_('Bytes in'), data['bytes-in']],
+                                       [_('Bytes out'), data['bytes-out']],
+                                       [_('Life Time'), formatTime(data['life-time'], 2)],
+                                       [_('Install Time'), formatTime(data['install-time'], 2)],
+                                       [_('Rekey in'), formatTime(data['rekey-time'], 2)],
+                                       [_('SPI in'), data['spi-in']],
+                                       [_('SPI out'), data['spi-out']]
+                               ]);
+                               childSas.push(E('div', { 'class': 'cbi-section' }, [
+                                       E('h4', { 'style': 'margin-top: 0; padding-top: 0;' }, [name]),
+                                       table
+                               ]));
+                       });
+                       childSas.push(E('button', {
+                               'class': 'btn cbi-button cbi-button-apply',
+                               'click': ui.hideModal
+                       }, _('Close')));
+
+                       return E('tr', { 'class': 'tr' }, [
+                               E('td', { 'class': 'td' }, [name]),
+                               E('td', { 'class': 'td' }, [data.state]),
+                               E('td', { 'class': 'td' }, [data['remote-host']]),
+                               E('td', { 'class': 'td' }, [data.version]),
+                               E('td', { 'class': 'td' }, [formatTime(data.established, 2)]),
+                               E('td', { 'class': 'td' }, [formatTime(data['reauth-time'], 2)]),
+                               E('td', { 'class': 'td' }, [E('button', {
+                                       'class': 'btn cbi-button cbi-button-apply',
+                                       'click': function (ev) {
+                                               ui.showModal(_('CHILD_SAs'), childSas)
+                                       }
+                               }, _('Show Details'))])
+                       ]);
+               });
+               var connSection = buildSection(_('Security Associations (SAs)'), buildTable([
+                       E('tr', { 'class': 'tr' }, [
+                               E('th', { 'class': 'th' }, [_('Name')]),
+                               E('th', { 'class': 'th' }, [_('State')]),
+                               E('th', { 'class': 'th' }, [_('Remote')]),
+                               E('th', { 'class': 'th' }, [_('IKE Version')]),
+                               E('th', { 'class': 'th' }, [_('Established for')]),
+                               E('th', { 'class': 'th' }, [_('Reauthentication in')]),
+                               E('th', { 'class': 'th' }, [_('Details')])
+                       ]),
+                       ...tableRows
+               ]));
+               firstNode.appendChild(connSection);
+
+               return node;
+       },
+
+       render: function (results) {
+               var content = E([], [
+                       E('h2', [_('strongSwan Status')]),
+                       E('div')
+               ]);
+               var container = content.lastElementChild;
+
+               dom.content(container, this.renderContent(results));
+               this.pollData(container);
+
+               return content;
+       },
+
+       handleSaveApply: null,
+       handleSave: null,
+       handleReset: null
+});
diff --git a/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js b/applications/luci-app-strongswan-swanctl/htdocs/luci-static/resources/view/strongswan-swanctl/swanctl.js
new file mode 100644 (file)
index 0000000..c18814a
--- /dev/null
@@ -0,0 +1,409 @@
+'use strict';
+'require view';
+'require form';
+'require uci';
+'require tools.widgets as widgets';
+'require strongswan_algorithms';
+
+function validateTimeFormat(section_id, value) {
+       if (value && !value.match(/^\d+[smhd]$/)) {
+               return _('Number must have suffix s, m, h or d');
+       }
+
+       return true;
+}
+
+function addAlgorithms(o, algorithms) {
+       algorithms.forEach(function (algorithm) {
+               if (strongswan_algorithms.isInsecure(algorithm)) {
+                       o.value(algorithm, '%s*'.format(algorithm));
+               } else {
+                       o.value(algorithm);
+               }
+       });
+}
+
+return view.extend({
+       load: function () {
+               return uci.load('network');
+       },
+
+       render: function () {
+               var m, s, o;
+
+               m = new form.Map('ipsec', _('strongSwan Configuration'),
+                       _('Configure strongSwan for secure VPN connections.'));
+               m.tabbed = true;
+
+               // strongSwan General Settings
+               s = m.section(form.TypedSection, 'ipsec', _('General Settings'));
+               s.anonymous = true;
+
+               o = s.option(widgets.ZoneSelect, 'zone', _('Zone'),
+                       _('Firewall zone that has to match the defined firewall zone'));
+               o.default = 'lan';
+               o.multiple = true;
+
+               o = s.option(widgets.NetworkSelect, 'listen', _('Listening Interfaces'),
+                       _('Interfaces that accept VPN traffic'));
+               o.datatype = 'interface';
+               o.placeholder = _('Select an interface or leave empty for all interfaces');
+               o.default = 'wan';
+               o.multiple = true;
+               o.rmempty = false;
+
+               o = s.option(form.Value, 'debug', _('Debug Level'),
+                       _('Trace level: 0 is least verbose, 4 is most'));
+               o.default = '0';
+               o.datatype = 'range(0,4)';
+
+               // Remote Configuration
+               s = m.section(form.GridSection, 'remote', _('Remote Configuration'),
+                       _('Define Remote IKE Configurations.'));
+               s.addremove = true;
+               s.nodescriptions = true;
+
+               o = s.tab('general', _('General'));
+               o = s.tab('authentication', _('Authentication'));
+               o = s.tab('advanced', _('Advanced'));
+
+               o = s.taboption('general', form.Flag, 'enabled', _('Enabled'),
+                       _('Configuration is enabled or not'));
+               o.rmempty = false;
+
+               o = s.taboption('general', form.Value, 'gateway', _('Gateway (Remote Endpoint)'),
+                       _('IP address or FQDN name of the tunnel remote endpoint'));
+               o.datatype = 'or(hostname,ipaddr)';
+               o.rmempty = false;
+
+               o = s.taboption('general', form.Value, 'local_gateway', _('Local Gateway'),
+                       _('IP address or FQDN of the tunnel local endpoint'));
+               o.datatype = 'or(hostname,ipaddr)';
+               o.modalonly = true;
+
+               o = s.taboption('general', form.Value, 'local_sourceip', _('Local Source IP'),
+                       _('Virtual IP(s) to request in IKEv2 configuration payloads requests'));
+               o.datatype = 'ipaddr';
+               o.modalonly = true;
+
+               o = s.taboption('general', form.Value, 'local_ip', _('Local IP'),
+                       _('Local address(es) to use in IKE negotiation'));
+               o.datatype = 'ipaddr';
+               o.modalonly = true;
+
+               o = s.taboption('general', form.MultiValue, 'crypto_proposal', _('Crypto Proposal'),
+                       _('List of IKE (phase 1) proposals to use for authentication'));
+               o.load = function (section_id) {
+                       this.keylist = [];
+                       this.vallist = [];
+
+                       var sections = uci.sections('ipsec', 'crypto_proposal');
+                       if (sections.length == 0) {
+                               this.value('', _('Please create a Proposal first'));
+                       } else {
+                               sections.forEach(L.bind(function (section) {
+                                       if (section.is_esp != '1') {
+                                               this.value(section['.name']);
+                                       }
+                               }, this));
+                       }
+
+                       return this.super('load', [section_id]);
+               };
+               o.rmempty = false;
+
+               o = s.taboption('general', form.MultiValue, 'tunnel', _('Tunnel'),
+                       _('Name of ESP (phase 2) section'));
+               o.load = function (section_id) {
+                       this.keylist = [];
+                       this.vallist = [];
+
+                       var sections = uci.sections('ipsec', 'tunnel');
+                       if (sections.length == 0) {
+                               this.value('', _('Please create a Tunnel first'));
+                       } else {
+                               sections.forEach(L.bind(function (section) {
+                                       this.value(section['.name']);
+                               }, this));
+                       }
+
+                       return this.super('load', [section_id]);
+               };
+               o.rmempty = false;
+
+               o = s.taboption('authentication', form.ListValue, 'authentication_method',
+                       _('Authentication Method'), _('IKE authentication (phase 1)'));
+               o.modalonly = true;
+               o.value('psk', 'Pre-shared Key');
+               o.value('pubkey', 'Public Key');
+
+               o = s.taboption('authentication', form.Value, 'local_identifier', _('Local Identifier'),
+                       _('Local identifier for IKE (phase 1)'));
+               o.datatype = 'string';
+               o.placeholder = 'C=US, O=Acme Corporation, CN=headquarters';
+               o.modalonly = true;
+
+               o = s.taboption('authentication', form.Value, 'remote_identifier', _('Remote Identifier'),
+                       _('Remote identifier for IKE (phase 1)'));
+               o.datatype = 'string';
+               o.placeholder = 'C=US, O=Acme Corporation, CN=soho';
+               o.modalonly = true;
+
+               o = s.taboption('authentication', form.Value, 'pre_shared_key', _('Pre-Shared Key'),
+                       _('The pre-shared key for the tunnel'));
+               o.datatype = 'string';
+               o.password = true;
+               o.modalonly = true;
+               o.rmempty = false;
+               o.depends('authentication_method', 'psk');
+
+               o = s.taboption('authentication', form.Value, 'local_cert', _('Local Certificate'),
+                       _('Certificate pathname to use for authentication'));
+               o.datatype = 'file';
+               o.depends('authentication_method', 'pubkey');
+               o.modalonly = true;
+
+               o = s.taboption('authentication', form.Value, 'local_key', _('Local Key'),
+                       _('Private key pathname to use with above certificate'));
+               o.datatype = 'file';
+               o.modalonly = true;
+
+               o = s.taboption('authentication', form.Value, 'ca_cert', _('CA Certificate'),
+                       _("CA certificate that need to lie in remote peer's certificate's path of trust"));
+               o.datatype = 'file';
+               o.depends('authentication_method', 'pubkey');
+               o.modalonly = true;
+
+
+               o = s.taboption('advanced', form.Flag, 'mobike', _('MOBIKE'),
+                       _('MOBIKE (IKEv2 Mobility and Multihoming Protocol)'));
+               o.default = '1';
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.ListValue, 'fragmentation', _('IKE Fragmentation'),
+                       _('Use IKE fragmentation'));
+               o.value('yes');
+               o.value('no');
+               o.value('force');
+               o.value('accept');
+               o.default = 'yes';
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'keyingretries', _('Keying Retries'),
+                       _('Number of retransmissions attempts during initial negotiation'));
+               o.datatype = 'uinteger';
+               o.default = '3';
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'dpddelay', _('DPD Delay'),
+                       _('Interval to check liveness of a peer'));
+               o.validate = validateTimeFormat;
+               o.default = '30s';
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'inactivity', _('Inactivity'),
+                       _('Interval before closing an inactive CHILD_SA'));
+               o.validate = validateTimeFormat;
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'),
+                       _('IKEv2 interval to refresh keying material; also used to compute lifetime'));
+               o.validate = validateTimeFormat;
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'overtime', _('Overtime'),
+                       _('Limit on time to complete rekeying/reauthentication'));
+               o.validate = validateTimeFormat;
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.ListValue, 'keyexchange', _('Keyexchange'),
+                       _('Version of IKE for negotiation'));
+               o.value('ikev1', 'IKEv1 (%s)', _('deprecated'));
+               o.value('ikev2', 'IKEv2');
+               o.value('ike', 'IKE (%s, %s)'.format(_('both'), _('deprecated')));
+               o.default = 'ikev2';
+               o.modalonly = true;
+
+               // Tunnel Configuration
+               s = m.section(form.GridSection, 'tunnel', _('Tunnel Configuration'),
+                       _('Define Connection Children to be used as Tunnels in Remote Configurations.'));
+               s.addremove = true;
+               s.nodescriptions = true;
+
+               o = s.tab('general', _('General'));
+               o = s.tab('advanced', _('Advanced'));
+
+               o = s.taboption('general', form.DynamicList, 'local_subnet', _('Local Subnet'),
+                       _('Local network(s)'));
+               o.datatype = 'subnet';
+               o.placeholder = '192.168.1.1/24';
+               o.rmempty = false;
+
+               o = s.taboption('general', form.DynamicList, 'remote_subnet', _('Remote Subnet'),
+                       _('Remote network(s)'));
+               o.datatype = 'subnet';
+               o.placeholder = '192.168.2.1/24';
+               o.rmempty = false;
+
+               o = s.taboption('general', form.Value, 'local_nat', _('Local NAT'),
+                       _('NAT range for tunnels with overlapping IP addresses'));
+               o.datatype = 'subnet';
+               o.modalonly = true;
+
+               o = s.taboption('general', form.ListValue, 'if_id', ('XFRM Interface ID'),
+                       _('XFRM interface ID set on input and output interfaces'));
+               o.load = function (section_id) {
+                       this.keylist = [];
+                       this.vallist = [];
+
+                       var xfrmSections = uci.sections('network').filter(function (section) {
+                               return section.proto == 'xfrm';
+                       });
+
+                       xfrmSections.forEach(L.bind(function (section) {
+                               this.value(section.ifid,
+                                       '%s (%s)'.format(section.ifid, section['.name']));
+                       }, this));
+
+                       return this.super('load', [section_id]);
+               }
+               o.optional = true;
+               o.modalonly = true;
+
+               o = s.taboption('general', form.ListValue, 'startaction', _('Start Action'),
+                       _('Action on initial configuration load'));
+               o.value('none');
+               o.value('trap');
+               o.value('start');
+               o.default = 'trap';
+               o.modalonly = true;
+
+               o = s.taboption('general', form.ListValue, 'closeaction', _('Close Action'),
+                       _('Action when CHILD_SA is closed'));
+               o.value('none');
+               o.value('trap');
+               o.value('start');
+               o.optional = true;
+               o.modalonly = true;
+
+               o = s.taboption('general', form.MultiValue, 'crypto_proposal',
+                       _('Crypto Proposal (Phase 2)'),
+                       _('List of ESP (phase two) proposals. Only Proposals with checked ESP flag are selectable'));
+               o.load = function (section_id) {
+                       this.keylist = [];
+                       this.vallist = [];
+
+                       var sections = uci.sections('ipsec', 'crypto_proposal');
+                       if (sections.length == 0) {
+                               this.value('', _('Please create an ESP Proposal first'));
+                       } else {
+                               sections.forEach(L.bind(function (section) {
+                                       if (section.is_esp == '1') {
+                                               this.value(section['.name']);
+                                       }
+                               }, this));
+                       }
+
+                       return this.super('load', [section_id]);
+               };
+               o.rmempty = false;
+
+               o = s.taboption('advanced', form.Value, 'updown', _('Up/Down Script Path'),
+                       _('Path to script to run on CHILD_SA up/down events'));
+               o.datatype = 'file';
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'lifetime', _('Lifetime'),
+                       _('Maximum duration of the CHILD_SA before closing'));
+               o.validate = validateTimeFormat;
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.ListValue, 'dpdaction', _('DPD Action'),
+                       _('Action when DPD timeout occurs'));
+               o.value('none');
+               o.value('clear');
+               o.value('trap');
+               o.value('start');
+               o.optional = true;
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'rekeytime', _('Rekey Time'),
+                       _('Duration of the CHILD_SA before rekeying'));
+               o.validate = validateTimeFormat;
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Flag, 'ipcomp', _('IPComp'),
+                       _('Enable ipcomp compression'));
+               o.default = '0';
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.ListValue, 'hw_offload', _('H/W Offload'),
+                       _('Enable Hardware offload'));
+               o.value('yes');
+               o.value('no');
+               o.value('auto');
+               o.optional = true;
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'priority', _('Priority'),
+                       _('Priority of the CHILD_SA'));
+               o.datatype = 'uinteger';
+               o.modalonly = true;
+
+               o = s.taboption('advanced', form.Value, 'replay_window', _('Replay Window'),
+                       '%s; %s'.format(_('Replay Window of the CHILD_SA'),
+                               _('Values larger than 32 are supported by the Netlink backend only')));
+               o.datatype = 'uinteger';
+               o.modalonly = true;
+
+               // Crypto Proposals
+               s = m.section(form.GridSection, 'crypto_proposal',
+                       _('Encryption Proposals'),
+                       _('Configure Cipher Suites to define IKE (Phase 1) or ESP (Phase 2) Proposals.'));
+               s.addremove = true;
+               s.nodescriptions = true;
+
+               o = s.option(form.Flag, 'is_esp', _('ESP Proposal'),
+                       _('Whether this is an ESP (phase 2) proposal or not'));
+
+               o = s.option(form.ListValue, 'encryption_algorithm',
+                       _('Encryption Algorithm'),
+                       _('Algorithms marked with * are considered insecure'));
+               o.default = 'aes256gcm128';
+               addAlgorithms(o, strongswan_algorithms.getEncryptionAlgorithms());
+               addAlgorithms(o, strongswan_algorithms.getAuthenticatedEncryptionAlgorithms());
+
+
+               o = s.option(form.ListValue, 'hash_algorithm', _('Hash Algorithm'),
+                       _('Algorithms marked with * are considered insecure'));
+               strongswan_algorithms.getEncryptionAlgorithms().forEach(function (algorithm) {
+                       o.depends('encryption_algorithm', algorithm);
+               });
+               o.default = 'sha512';
+               o.rmempty = false;
+               addAlgorithms(o, strongswan_algorithms.getHashAlgorithms());
+
+               o = s.option(form.ListValue, 'dh_group', _('Diffie-Hellman Group'),
+                       _('Algorithms marked with * are considered insecure'));
+               o.default = 'modp3072';
+               addAlgorithms(o, strongswan_algorithms.getDiffieHellmanAlgorithms());
+
+               o = s.option(form.ListValue, 'prf_algorithm', _('PRF Algorithm'),
+                       _('Algorithms marked with * are considered insecure'));
+               o.validate = function (section_id, value) {
+                       var encryptionAlgorithm = this.section.formvalue(section_id, 'encryption_algorithm');
+
+                       if (strongswan_algorithms.getAuthenticatedEncryptionAlgorithms().includes(
+                                       encryptionAlgorithm) && !value) {
+                               return _('PRF Algorithm must be configured when using an Authenticated Encryption Algorithm');
+                       }
+
+                       return true;
+               };
+               o.optional = true;
+               o.depends('is_esp', '0');
+               addAlgorithms(o, strongswan_algorithms.getPrfAlgorithms());
+
+               return m.render();
+       }
+});
diff --git a/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json b/applications/luci-app-strongswan-swanctl/root/usr/share/luci/menu.d/luci-app-strongswan-swanctl.json
new file mode 100644 (file)
index 0000000..d229869
--- /dev/null
@@ -0,0 +1,28 @@
+{
+       "admin/vpn/strongswan-swanctl": {
+               "title": "strongSwan IPsec",
+               "order": 90,
+               "action": {
+                       "type": "view",
+                       "path": "strongswan-swanctl/swanctl"
+               },
+               "depends": {
+                       "acl": [
+                               "luci-app-strongswan-swanctl"
+                       ]
+               }
+       },
+       "admin/status/strongswan": {
+               "title": "strongSwan IPsec",
+               "order": 90,
+               "action": {
+                       "type": "view",
+                       "path": "strongswan-swanctl/status"
+               },
+               "depends": {
+                       "acl": [
+                               "luci-app-strongswan-swanctl"
+                       ]
+               }
+       }
+}
diff --git a/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json b/applications/luci-app-strongswan-swanctl/root/usr/share/rpcd/acl.d/luci-app-strongswan-swanctl.json
new file mode 100644 (file)
index 0000000..d3b44a2
--- /dev/null
@@ -0,0 +1,16 @@
+{
+       "luci-app-strongswan-swanctl": {
+               "description": "Grant access to luci-app-strongswan-swanctl",
+               "read": {
+                       "file": {
+                               "/usr/sbin/swanmon version": [ "exec" ],
+                               "/usr/sbin/swanmon stats": [ "exec" ],
+                               "/usr/sbin/swanmon list-sas": [ "exec" ]
+                       },
+                       "uci": [ "ipsec" ]
+               },
+               "write": {
+                       "uci": [ "ipsec" ]
+               }
+       }
+}