Improve VPN ciphers
- Add 3des-sha2 to allowed VPN ciphers, and clean up
parent
2c58e65f88
commit
47a9015135
@ -55,8 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
ikev2=insist
|
ikev2=insist
|
||||||
rekey=no
|
rekey=no
|
||||||
fragmentation=yes
|
fragmentation=yes
|
||||||
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
|
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
|
||||||
phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512
|
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -55,8 +55,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
ikev2=insist
|
ikev2=insist
|
||||||
rekey=no
|
rekey=no
|
||||||
fragmentation=yes
|
fragmentation=yes
|
||||||
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
|
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
|
||||||
phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512
|
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -159,8 +159,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Update ipsec.conf for Libreswan 3.19 and newer
|
# Update ipsec.conf for Libreswan 3.19 and newer
|
||||||
IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
|
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
|
||||||
PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512"
|
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
|
||||||
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
|
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
|
||||||
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
|
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
|
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
|
||||||
|
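Review bot: The `IKE_NEW` and `PHASE2_NEW` literals are repeated in several places changed by this commit with nothing tying them together, and the removed lines show they had already drifted: the old `conn shared` lines carried a trailing `3des-sha2` that the old values here lacked. A comment above the assignments, such as `# Keep in sync with the ike=/phase2alg= lines under "conn shared" and in the README snippets`, would make the next cipher change harder to apply only partially. The same applies to the `-155,8` hunk, which holds the same two assignments. The `sed` command that presumably consumes these variables continues past the end of the hunk, so how they are substituted is not visible here.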
@ -155,8 +155,8 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
|
|||||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||||
|
|
||||||
# Update ipsec.conf for Libreswan 3.19 and newer
|
# Update ipsec.conf for Libreswan 3.19 and newer
|
||||||
IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
|
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
|
||||||
PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512"
|
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
|
||||||
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
|
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
|
||||||
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
|
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
|
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
|
||||||
|
@ -244,8 +244,8 @@ conn shared
|
|||||||
dpddelay=30
|
dpddelay=30
|
||||||
dpdtimeout=120
|
dpdtimeout=120
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,3des-sha2
|
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
|
||||||
phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512,3des-sha2
|
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
|
||||||
sha2-truncbug=yes
|
sha2-truncbug=yes
|
||||||
|
|
||||||
conn l2tp-psk
|
conn l2tp-psk
|
||||||
|
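Review bot: The new `ike=` and `phase2alg=` lines still lead with `3des-sha1` and keep the `;modp1024` variants, so the oldest combinations remain on offer and come first in the list. 3DES has a 64-bit block and modp1024 is a 1024-bit DH group, both normally kept only for legacy clients; if they are retained for compatibility, a `#` comment saying so would help, and it may be worth listing the stronger proposals first, e.g. `ike=aes256-sha2_512,aes-sha2,aes-sha2;modp1024,aes-sha1,aes-sha1;modp1024,3des-sha2,3des-sha1`, after confirming how Libreswan treats proposal order for the clients in use. Dropping `3des-sha1;modp1024` while keeping the AES `;modp1024` entries also looks inconsistent and deserves a line of explanation in the commit message. The same lines appear in the `-230,8` hunk and in the `IKE_NEW`/`PHASE2_NEW` assignments.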
@ -230,8 +230,8 @@ conn shared
|
|||||||
dpddelay=30
|
dpddelay=30
|
||||||
dpdtimeout=120
|
dpdtimeout=120
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,3des-sha2
|
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
|
||||||
phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512,3des-sha2
|
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
|
||||||
sha2-truncbug=yes
|
sha2-truncbug=yes
|
||||||
|
|
||||||
conn l2tp-psk
|
conn l2tp-psk
|
||||||
|