Improve VPN ciphers
- Improve security by removing support for modp1024 (DH group 2), which is less secure and no longer enabled in Libreswan by default. - The native VPN client on Android devices uses modp1024 for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change, Android users should instead connect using IKEv2 mode (recommended).
This commit is contained in:
parent
8ae26b832f
commit
025387df91
@ -209,7 +209,7 @@ update_ikev2_script() {
|
|||||||
|
|
||||||
update_config() {
|
update_config() {
|
||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
if ! modprobe -q sha512; then
|
if ! modprobe -q sha512; then
|
||||||
|
@ -203,7 +203,7 @@ update_ikev2_script() {
|
|||||||
|
|
||||||
update_config() {
|
update_config() {
|
||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
dns_state=0
|
dns_state=0
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
|
@ -255,7 +255,7 @@ update_ikev2_script() {
|
|||||||
|
|
||||||
update_config() {
|
update_config() {
|
||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
dns_state=0
|
dns_state=0
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
|
@ -239,7 +239,7 @@ update_ikev2_script() {
|
|||||||
|
|
||||||
update_config() {
|
update_config() {
|
||||||
bigecho "Updating VPN configuration..."
|
bigecho "Updating VPN configuration..."
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
if ! modprobe -q sha512; then
|
if ! modprobe -q sha512; then
|
||||||
|
@ -337,7 +337,7 @@ conn shared
|
|||||||
dpdtimeout=300
|
dpdtimeout=300
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ikev2=never
|
ikev2=never
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|
@ -353,7 +353,7 @@ conn shared
|
|||||||
dpdtimeout=300
|
dpdtimeout=300
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ikev2=never
|
ikev2=never
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|
@ -453,7 +453,7 @@ conn shared
|
|||||||
dpdtimeout=300
|
dpdtimeout=300
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ikev2=never
|
ikev2=never
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|
@ -398,7 +398,7 @@ conn shared
|
|||||||
dpdtimeout=300
|
dpdtimeout=300
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ikev2=never
|
ikev2=never
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|
Loading…
Reference in New Issue
Block a user