<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// Function to validate IP address
function isValidIpAddress($ip) {
    // True only for a well-formed IPv4 address that lies outside the private
    // (FILTER_FLAG_NO_PRIV_RANGE) and reserved (FILTER_FLAG_NO_RES_RANGE) ranges.
    // IPv6 literals are rejected by FILTER_FLAG_IPV4; non-string input validates as false.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    $validated = filter_var($ip, FILTER_VALIDATE_IP, $flags);

    return $validated !== false;
}
// Function to validate CIDR notation
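function isValidCidr($cidr) {
    // Accepts only "a.b.c.d/N": the address part must pass isValidIpAddress()
    // (so private and reserved ranges are rejected) and N must be a decimal
    // prefix length 0..32 written without sign, spaces or trailing characters.
    if (!is_string($cidr)) {
        return false;
    }

    $parts = explode('/', $cidr);
    if (count($parts) !== 2) {
        return false; // Invalid format: exactly one "/" is required
    }

    [$ip, $netmask] = $parts;

    // The prefix is checked as a literal 0..32 rather than with a numeric
    // comparison: comparing a string such as "1a" against integers with
    // >= / <= is loose and would have let it through.
    if (preg_match('/^(?:[0-9]|[12][0-9]|3[0-2])$/', $netmask) !== 1) {
        return false;
    }

    return isValidIpAddress($ip);
}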
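// Phase 1 data (with validation)
$errors = [];

// --- Input helpers -----------------------------------------------------------
// Every posted value below is interpolated into the generated RouterOS script,
// either bare (name=..., address=...) or inside a "..." string. Each field is
// therefore validated against the narrowest shape it needs before it is emitted,
// so a crafted value cannot close a quote or start an extra command.

// Scalar POST field as a trimmed string. A missing key or an array value becomes
// '' instead of raising an undefined-index warning.
$postString = static function ($key) {
    $value = $_POST[$key] ?? '';
    return is_string($value) ? trim($value) : '';
};

// Multi-select POST field as a list of trimmed strings. A lone scalar is wrapped
// so single-choice forms still work; a missing key becomes [] instead of a
// TypeError inside implode().
$postList = static function ($key) {
    $value = $_POST[$key] ?? [];
    if (is_string($value)) {
        $value = [$value];
    }
    if (!is_array($value)) {
        return [];
    }
    $strings = [];
    foreach ($value as $item) {
        if (is_string($item)) {
            $strings[] = trim($item);
        }
    }
    return $strings;
};

// Conservative token: letters, digits, '_', '.', '-' only. Quotes, backslashes,
// '$', whitespace and newlines are all excluded because they have meaning in a
// RouterOS script line.
$isSafeToken = static function ($value) {
    return is_string($value) && preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*$/', $value) === 1;
};

// Non-empty list whose every element is a safe token.
$isSafeTokenList = static function (array $items) use ($isSafeToken) {
    if ($items === []) {
        return false;
    }
    foreach ($items as $item) {
        if (!$isSafeToken($item)) {
            return false;
        }
    }
    return true;
};

// IPv4 address, optionally with a /0..32 prefix, for the policy src/dst fields.
// Unlike isValidIpAddress() this accepts private ranges (tunnel subnets are
// typically RFC 1918 space).
$isIpv4OrCidr = static function ($value) {
    if (!is_string($value) || preg_match('~^([0-9.]+)(?:/([0-9]{1,2}))?$~', $value, $m) !== 1) {
        return false;
    }
    if (filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    return !isset($m[2]) || (int) $m[2] <= 32;
};

// --- Phase 1 -----------------------------------------------------------------
$phase1ProfileName = $postString('phase1_profile_name');
if ($phase1ProfileName === '') {
    $errors[] = "Phase 1 profile name is required.";
} elseif (!$isSafeToken($phase1ProfileName)) {
    $errors[] = "Phase 1 profile name may only contain letters, digits, '_', '.' and '-'.";
}

// isValidIpAddress() rejects private and reserved ranges, so the gateway must be public.
$remoteGateway = $postString('phase1_remote_gateway');
if (!isValidIpAddress($remoteGateway)) { $errors[] = "Invalid remote gateway IP address."; }

$localAddress = $postString('phase1_local_address');
if ($localAddress !== '' && !isValidIpAddress($localAddress)) { // Optional: check only when given
    $errors[] = "Invalid local address (must be a single IP).";
}

$authMethod = $postString('phase1_auth_method');
// The secret is taken verbatim (no trim): surrounding whitespace may be part of the key.
$preSharedKey = null;
if ($authMethod === 'psk') {
    $rawKey = $_POST["phase1_pre_shared_key"] ?? '';
    $preSharedKey = is_string($rawKey) ? $rawKey : '';
    if ($preSharedKey === '') {
        $errors[] = "Pre-shared key is required for PSK authentication.";
    } elseif (preg_match('/[^\x20-\x7E]/', $preSharedKey) === 1) {
        // Control characters (including newlines) could break the quoted secret= string.
        $errors[] = "Pre-shared key must contain printable ASCII characters only.";
    }
}

$phase1EncryptionList = $postList('phase1_encryption_algorithm');
if (!$isSafeTokenList($phase1EncryptionList)) { $errors[] = "At least one valid Phase 1 encryption algorithm is required."; }
$encryptionAlgorithms = implode(",", $phase1EncryptionList);

$phase1HashList = $postList('phase1_hash_algorithm');
if (!$isSafeTokenList($phase1HashList)) { $errors[] = "At least one valid Phase 1 hash algorithm is required."; }
$hashAlgorithms = implode(",", $phase1HashList);

// The DH group field is emitted as a comma-separated dh-group value.
$dhGroupList = $postList('phase1_dh_group');
if (!$isSafeTokenList($dhGroupList)) { $errors[] = "At least one valid Phase 1 DH group is required."; }
$dhGroupText = implode(",", $dhGroupList);

// phase1_ike_version, phase1_lifetime and phase1_remote_id are not part of the
// generated configuration, so they are not read here.

// --- Phase 2 -----------------------------------------------------------------
$phase2ProfileName = $postString('phase2_profile_name');
if ($phase2ProfileName === '') {
    $errors[] = "Phase 2 profile name is required.";
} elseif (!$isSafeToken($phase2ProfileName)) {
    $errors[] = "Phase 2 profile name may only contain letters, digits, '_', '.' and '-'.";
}

$phase2EncryptionList = $postList('phase2_encryption_algorithm');
if (!$isSafeTokenList($phase2EncryptionList)) { $errors[] = "At least one valid Phase 2 encryption algorithm is required."; }
$phase2EncryptionAlgorithms = implode(",", $phase2EncryptionList);

$phase2HashList = $postList('phase2_hash_algorithm');
if (!$isSafeTokenList($phase2HashList)) { $errors[] = "At least one valid Phase 2 hash algorithm is required."; }
$phase2HashAlgorithms = implode(",", $phase2HashList);

$pfsGroup = $postString('phase2_pfs_group'); // Single PFS group for Phase 2, emitted unquoted
if (!$isSafeToken($pfsGroup)) { $errors[] = "Invalid Phase 2 PFS group."; }

// phase2_lifetime is not part of the generated configuration, so it is not read here.

// Both policy addresses are emitted bare into src-address= / dst-address=.
$phase2LocalAddress = $postString('phase2_local_address');
if (!$isIpv4OrCidr($phase2LocalAddress)) { $errors[] = "Invalid phase 2 local address or subnet."; }

$remoteAddress = $postString('phase2_remote_address');
if (!$isIpv4OrCidr($remoteAddress)) { $errors[] = "Invalid phase 2 remote address or subnet."; }

// Handle errors
if ($errors !== []) {
    header('Content-Type: text/plain');
    echo "Errors:\n" . implode("\n", $errors); // Output errors as plain text
    exit;
}

// Generate MikroTik CLI configuration commands. Every interpolated value was
// validated above; the secret is the only free-form value, so it is escaped for a
// RouterOS double-quoted string (backslash, double quote and '$' get a '\' prefix).
$secretForScript = addcslashes((string) $preSharedKey, '\\"$');

$config = "";

// Phase 1
$config .= "/ip ipsec profile\nadd name=\"$phase1ProfileName\" dh-group=\"$dhGroupText\" enc-algorithm=\"$encryptionAlgorithms\" hash-algorithm=\"$hashAlgorithms\" nat-traversal=no\n\n";

$config .= "/ip ipsec peer\nadd address=$remoteGateway";
if ($localAddress !== '') { // already validated above
    $config .= " local-address=$localAddress";
}
$config .= " disabled=yes name=$phase1ProfileName passive=yes profile=$phase1ProfileName\n\n";

// The pre-shared key belongs to /ip ipsec identity, not /ip ipsec peer.
// It is emitted (as an empty secret) even when the auth method is not 'psk'.
$config .= "/ip ipsec identity\nadd peer=$phase1ProfileName secret=\"$secretForScript\"\n\n";

// Phase 2
$config .= "/ip ipsec proposal\nadd name=\"$phase2ProfileName\" auth-algorithms=\"$phase2HashAlgorithms\" enc-algorithms=\"$phase2EncryptionAlgorithms\" pfs-group=$pfsGroup\n\n";

$config .= "/ip ipsec policy\nadd disabled=yes dst-address=$remoteAddress peer=$phase1ProfileName proposal=$phase2ProfileName src-address=$phase2LocalAddress tunnel=yes\n\n";

// Output configuration as plain text without download
header('Content-Type: text/plain');
echo $config;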
}
?>