VPN: IPsec: Mobile Clients - explicit split-include

Enabling more than one split network to be used with both vpnc and macos cisco vpn. Phase2 networks are set to 0.0.0.0/0 but the split-include is expclit. Manual SPDs couldn't be added with mobile clients.
opnsense · Sep 23, 2024 · 43926e8 · 43926e8
1 parent 2a1ccae
commit 43926e8
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 5 deletions.
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -964,7 +964,11 @@ function ipsec_write_strongswan_conf()
         if (!empty($net_list)) {
             $net_list_str = implode(",", $net_list);
             $strongswanTree['charon']['plugins']['attr']['subnet'] = $net_list_str;
-            $strongswanTree['charon']['plugins']['attr']['split-include'] = $net_list_str;
+            if(!empty($a_client['net_list_explicit'])) {
+                $strongswanTree['charon']['plugins']['attr']['split-include'] = $a_client['net_list_explicit'];
+            } else {
+                $strongswanTree['charon']['plugins']['attr']['split-include'] = $net_list_str;
+            }
         }
         $cfgservers = [];
         foreach (array('dns_server1', 'dns_server2', 'dns_server3', 'dns_server4') as $dns_server) {

diff --git a/src/www/vpn_ipsec_mobile.php b/src/www/vpn_ipsec_mobile.php
@@ -37,7 +37,7 @@
 
 // define formfields
 $form_fields = "user_source,local_group,radius_source,pool_address,pool_netbits,pool_address_v6,pool_netbits_v6,net_list
-,save_passwd,dns_domain,dns_split,dns_server1,dns_server2,dns_server3
+,net_list_explicit,save_passwd,dns_domain,dns_split,dns_server1,dns_server2,dns_server3
 ,dns_server4,wins_server1,wins_server2,pfs_group,login_banner";
 
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
@@ -66,6 +66,9 @@
     if (isset($config['ipsec']['client']['net_list'])) {
         $pconfig['net_list'] = true;
     }
+    if (isset($config['ipsec']['client']['net_list_explicit'])) {
+        $pconfig['net_list_explicit'] = $config['ipsec']['client']['net_list_explicit'];
+    }
 
     if (isset($config['ipsec']['client']['save_passwd'])) {
         $pconfig['save_passwd'] = true;
@@ -142,11 +145,21 @@
             $input_errors[] = gettext("A valid IP address for 'WINS Server #2' must be specified.");
         }
 
+        if (!empty($pconfig['net_list_explicit'])) {
+            $net_list_array=preg_split("/[ ,]+/", $pconfig['net_list_explicit']);
+            foreach ($net_list_array as $curr_cidr) {
+                if (!is_subnet($curr_cidr)) {
+                    $input_errors[] = gettext("A valid network list of accessible networks must be specified.");
+                    break;
+                }
+            }
+        }
+
         if (count($input_errors) == 0) {
             $client = array();
             $copy_fields = "user_source,local_group,radius_source,pool_address,pool_netbits,pool_address_v6,
             pool_netbits_v6,dns_domain,dns_server1,dns_server2,dns_server3,dns_server4,wins_server1,wins_server2
-            ,dns_split,pfs_group,login_banner";
+            ,dns_split,pfs_group,login_banner,net_list_explicit";
             foreach (explode(",", $copy_fields) as $fieldname) {
                 $fieldname = trim($fieldname);
                 if (!empty($pconfig[$fieldname])) {
@@ -199,6 +212,7 @@
   pool_change();
   pool_v6_change();
   dns_domain_change();
+  net_list_change();
   dns_split_change();
   dns_server_change();
   wins_server_change();
@@ -250,6 +264,19 @@ function dns_domain_change() {
   }
 }
 
+function net_list_change() {
+  if (document.iform.net_list_enable.checked){
+    document.iform.net_list_explicit.disabled = 0;
+    $("#net_list_explicit").addClass('show');
+    $("#net_list_explicit").removeClass('hidden');
+  } else {
+    document.iform.net_list_explicit.disabled = 1;
+    $("#net_list_explicit").addClass('hidden');
+    $("#net_list_explicit").removeClass('show');
+  }
+
+}
+
 function dns_split_change() {
 
   if (document.iform.dns_split_enable.checked){
@@ -493,10 +520,14 @@ function print_legacy_box($msg, $name, $value)
                       </td>
                   </tr>
                   <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext('Network List') ?></td>
+                    <td><a id="help_for_net_list_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i><?=gettext('Network List') ?></td>
                     <td>
-                      <input name="net_list" type="checkbox" id="net_list_enable" value="yes" <?= !empty($pconfig['net_list']) ? "checked=\"checked\"" : "";?> />
+                      <input name="net_list" type="checkbox" id="net_list_enable" value="yes" <?= !empty($pconfig['net_list']) ? "checked=\"checked\"" : "";?> onclick="net_list_change()" />
                       <?= gettext('Provide a list of accessible networks to clients') ?>
+                      <input name="net_list_explicit" type="text" class="form-control" id="net_list_explicit" size="30" value="<?=$pconfig['net_list_explicit'];?>" />
+                      <div class="hidden" data-for="help_for_net_list_enable">
+                      <?= gettext('Enter a comma-separated list of networks. If left blank, the defined networks in IPsec Phase2 will be used.') ?>
+                      </div>
                     </td>
                   </tr>
                   <tr>