mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2025-02-18 04:53:16 +03:00
Code Issues Projects Releases Wiki Activity

Clean up VPN ciphers

Browse Source 
- Remove aes256-sha2_512
- Change sha2-truncbug to no for newer Android versions
- Fixes #303
This commit is contained in:
hwdsl2 2018-05-05 18:51:24 -05:00
parent 0c6cb4b8a9
commit 102ccbc17d
4 changed files with 10 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
extras/vpnupgrade.sh
View File

@ -161,8 +161,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
fi fi
# Update ipsec.conf for Libreswan 3.19 and newer # Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
if [ "$(uname -m | cut -c1-3)" = "arm" ]; then if [ "$(uname -m | cut -c1-3)" = "arm" ]; then
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
fi fi

4
extras/vpnupgrade_centos.sh
View File

@ -165,8 +165,8 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf for Libreswan 3.19 and newer # Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
sed -i".old-$(date +%F-%T)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \

8
vpnsetup.sh
View File

@ -245,9 +245,9 @@ conn shared
dpddelay=30 dpddelay=30
dpdtimeout=120 dpdtimeout=120
dpdaction=clear dpdaction=clear
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
sha2-truncbug=yes sha2-truncbug=no
conn l2tp-psk conn l2tp-psk
auto=add auto=add
@ -276,11 +276,9 @@ EOF
# Workarounds for systems with ARM CPU (e.g. Raspberry Pi) # Workarounds for systems with ARM CPU (e.g. Raspberry Pi)
# - Set "left" to private IP instead of "%defaultroute" # - Set "left" to private IP instead of "%defaultroute"
# - Remove unsupported ESP algorithm
if [ "$(uname -m | cut -c1-3)" = "arm" ]; then if [ "$(uname -m | cut -c1-3)" = "arm" ]; then
PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}') PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
fi fi
# Specify IPsec PSK # Specify IPsec PSK

6
vpnsetup_centos.sh
View File

@ -233,9 +233,9 @@ conn shared
dpddelay=30 dpddelay=30
dpdtimeout=120 dpdtimeout=120
dpdaction=clear dpdaction=clear
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512 phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
sha2-truncbug=yes sha2-truncbug=no
conn l2tp-psk conn l2tp-psk
auto=add auto=add