
Improve VPN ciphers

- Add 3des-sha2 to allowed VPN ciphers, and clean up
This commit is contained in:
hwdsl2 2017-06-02 14:24:55 -05:00
parent 2c58e65f88
commit 47a9015135
6 changed files with 12 additions and 12 deletions


@ -55,8 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
ikev2=insist ikev2=insist
rekey=no rekey=no
fragmentation=yes fragmentation=yes
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
EOF EOF
``` ```


@ -55,8 +55,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
ikev2=insist ikev2=insist
rekey=no rekey=no
fragmentation=yes fragmentation=yes
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
EOF EOF
``` ```


@ -159,8 +159,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$swan_ver"; then
fi fi
# Update ipsec.conf for Libreswan 3.19 and newer # Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
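Review bot: `IKE_NEW` and `PHASE2_NEW` now hardcode a third copy of the proposal lists that also appear verbatim in the setup scripts' `conn shared` block (the same change is repeated in the next file section), so the four copies can drift apart on the next cipher change; a comment above `IKE_NEW=` such as `# Keep these proposals identical to the ike=/phase2alg= lines written by the setup scripts` would at least make the coupling visible. The new `ike=` value drops the explicit `3des-sha1;modp1024` entry that the old line carried while keeping `aes-sha1;modp1024`; if the default DH group for an entry without an explicit group does not cover modp1024 in the Libreswan versions this upgrade targets, clients that only offer 3DES-SHA1 with group 2 would presumably stop connecting, which is worth confirming before release. The `sed -i` invocation that consumes these variables continues past the end of the hunk.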


@ -155,8 +155,8 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf for Libreswan 3.19 and newer # Update ipsec.conf for Libreswan 3.19 and newer
IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512" PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \


@ -244,8 +244,8 @@ conn shared
dpddelay=30 dpddelay=30
dpdtimeout=120 dpdtimeout=120
dpdaction=clear dpdaction=clear
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,3des-sha2 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512,3des-sha2 phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
sha2-truncbug=yes sha2-truncbug=yes
conn l2tp-psk conn l2tp-psk
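Review bot: The rewritten `ike=` and `phase2alg=` lines keep `3des-sha1` as the first proposal and add `3des-sha2`, so the 64-bit-block 3DES suites and the modp1024 groups remain accepted with no indication in the generated ipsec.conf of why they are there (the same applies to the next file section). Since this is a heredoc, a `#` line placed directly above `ike=` inside it, e.g. `# 3des-* and modp1024 are presumably kept only for legacy clients; review and drop when no longer needed`, would document the trade-off for whoever maintains the server later. The new `ike=` list also no longer contains the explicit `3des-sha1;modp1024` proposal the old line had, so whether 3DES-SHA1 with group 2 is still negotiable depends on the default DH group of the installed Libreswan and should be confirmed against the supported client list. The `conn shared` block starts before the hunk.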


@ -230,8 +230,8 @@ conn shared
dpddelay=30 dpddelay=30
dpdtimeout=120 dpdtimeout=120
dpdaction=clear dpdaction=clear
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512,3des-sha2 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512,3des-sha2 phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
sha2-truncbug=yes sha2-truncbug=yes
conn l2tp-psk conn l2tp-psk