From 11f8502e3a225a352b9f74311792b2cd6d1caa55 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Fri, 5 Mar 2021 21:25:47 -0600
Subject: [PATCH] Improve IKEv2 setup
- Use default key size (2048 bits) when generating key pairs using certutil. This significantly reduces IKEv2 setup time on servers with less powerful CPUs, such as Raspberry Pis, while still providing sufficient security.
- Update docs
---
 docs/ikev2-howto-zh.md | 6 +++---
 docs/ikev2-howto.md | 6 +++---
 extras/ikev2setup.sh | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 68c1d63..06732f7 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -493,7 +493,7 @@ To customize IKEv2 or client options, run this script without arguments.
 certutil -z <(head -c 1024 /dev/urandom) \
 -S -x -n "IKEv2 VPN CA" \
 -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
- -k rsa -g 4096 -v 120 \
+ -k rsa -v 120 \
 -d sql:/etc/ipsec.d -t "CT,," -2
 ```
@@ -515,7 +515,7 @@ To customize IKEv2 or client options, run this script without arguments.
 certutil -z <(head -c 1024 /dev/urandom) \
 -S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \
 -s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
- -k rsa -g 4096 -v 120 \
+ -k rsa -v 120 \
 -d sql:/etc/ipsec.d -t ",," \
 --keyUsage digitalSignature,keyEncipherment \
 --extKeyUsage serverAuth \
@@ -536,7 +536,7 @@ To customize IKEv2 or client options, run this script without arguments.
 certutil -z <(head -c 1024 /dev/urandom) \
 -S -c "IKEv2 VPN CA" -n "vpnclient" \
 -s "O=IKEv2 VPN,CN=vpnclient" \
- -k rsa -g 4096 -v 120 \
+ -k rsa -v 120 \
 -d sql:/etc/ipsec.d -t ",," \
 --keyUsage digitalSignature,keyEncipherment \
 --extKeyUsage serverAuth,clientAuth -8 "vpnclient"
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 1594236..6fa936d 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -493,7 +493,7 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
 certutil -z <(head -c 1024 /dev/urandom) \
 -S -x -n "IKEv2 VPN CA" \
 -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
- -k rsa -g 4096 -v 120 \
+ -k rsa -v 120 \
 -d sql:/etc/ipsec.d -t "CT,," -2
 ```
@@ -515,7 +515,7 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
 certutil -z <(head -c 1024 /dev/urandom) \
 -S -c "IKEv2 VPN CA" -n "$PUBLIC_IP" \
 -s "O=IKEv2 VPN,CN=$PUBLIC_IP" \
- -k rsa -g 4096 -v 120 \
+ -k rsa -v 120 \
 -d sql:/etc/ipsec.d -t ",," \
 --keyUsage digitalSignature,keyEncipherment \
 --extKeyUsage serverAuth \
@@ -536,7 +536,7 @@ As an alternative to using the [helper script](#using-helper-scripts), advanced
 certutil -z <(head -c 1024 /dev/urandom) \
 -S -c "IKEv2 VPN CA" -n "vpnclient" \
 -s "O=IKEv2 VPN,CN=vpnclient" \
- -k rsa -g 4096 -v 120 \
+ -k rsa -v 120 \
 -d sql:/etc/ipsec.d -t ",," \
 --keyUsage digitalSignature,keyEncipherment \
 --extKeyUsage serverAuth,clientAuth -8 "vpnclient"
diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index 5e92899..bdb092c 100755
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -653,7 +653,7 @@ create_client_cert() {
 certutil -z <(head -c 1024 /dev/urandom) \
 -S -c "IKEv2 VPN CA" -n "$client_name" \
 -s "O=IKEv2 VPN,CN=$client_name" \
- -k rsa -g 4096 -v "$client_validity" \
+ -k rsa -v "$client_validity" \
 -d sql:/etc/ipsec.d -t ",," \
 --keyUsage digitalSignature,keyEncipherment \
 --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null 2>&1 || exiterr "Failed to create client certificate."
@@ -931,7 +931,7 @@ create_ca_server_certs() {
 certutil -z <(head -c 1024 /dev/urandom) \
 -S -x -n "IKEv2 VPN CA" \
 -s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
- -k rsa -g 4096 -v 120 \
+ -k rsa -v 120 \
 -d sql:/etc/ipsec.d -t "CT,," -2 >/dev/null 2>&1 <
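Review bot: Dropping `-g 4096` in create_client_cert makes the client key size depend on whatever the installed NSS `certutil` treats as its default instead of on a value the script controls; the commit message assumes 2048 bits, but that default is a property of the NSS release (older releases used a smaller default, if I recall correctly), so the intended size is better stated explicitly: `-k rsa -g 2048 -v "$client_validity" \`. A one-line comment above the certutil call recording why 2048 was chosen over 4096 (setup time on low-power CPUs) would also help, since a later reader otherwise sees only a missing flag. The same applies to the create_ca_server_certs hunk below, which is cut off in this view, and to the matching certutil snippets in both howto files. create_client_cert begins before this hunk and continues past it.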