
Update upgrade scripts

- Set sha2-truncbug to "no" when upgrading. This is required for
  iOS 13/14 and macOS 10.15/11 VPN clients to connect.
- References: 3353888 #882
hwdsl2 2020-11-27 11:16:12 -06:00
parent cf1865a66e
commit 427e50a9ed
2 changed files with 8 additions and 6 deletions


@ -103,7 +103,7 @@ cat <<'EOF'
NOTE: This script will make the following changes to your IPsec config:
- Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers for "ike=" and "phase2alg="
- Optimize VPN ciphers
Your other VPN configuration files will not be modified.
@ -113,7 +113,7 @@ case "$SWAN_VER" in
3.2[679]|3.3[12])
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See: https://libreswan.org/security/
See https://libreswan.org/security/ for more information.
Are you sure you want to install an older version?
EOF
@ -211,8 +211,9 @@ fi
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf
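Review bot: The `sha2-truncbug=yes` to `no` expression in the final sed command rewrites every matching line in /etc/ipsec.conf, which would include any conn section an administrator added for a peer that still depends on the old truncation setting, and the NOTE heredoc earlier in this file does not tell the user that this option is changed. I would add a line to that notice, for example `- Set "sha2-truncbug=no" (needed by iOS 13/14 and macOS 10.15/11 clients)`, and a comment above the sed command such as `# sha2-truncbug=no: peers that relied on "yes" must be reconfigured after upgrade`. The notice could also name the timestamped `.old-` copy that `sed -i` leaves behind, since that copy appears to be the only rollback path visible here. The same expression and notice text are in the second changed file, in its hunks at -98 and -218.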


@ -98,7 +98,7 @@ cat <<'EOF'
NOTE: This script will make the following changes to your IPsec config:
- Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers for "ike=" and "phase2alg="
- Optimize VPN ciphers
Your other VPN configuration files will not be modified.
@ -108,7 +108,7 @@ case "$SWAN_VER" in
3.2[679]|3.3[12])
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See: https://libreswan.org/security/
See https://libreswan.org/security/ for more information.
Are you sure you want to install an older version?
EOF
@ -218,8 +218,9 @@ PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/" \
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/" \
-e "s/^[[:space:]]\+sha2-truncbug=yes/ sha2-truncbug=no/" \
-e "s/^[[:space:]]\+ike=.\+/$IKE_NEW/" \
-e "s/^[[:space:]]\+phase2alg=.\+/$PHASE2_NEW/" /etc/ipsec.conf