Improve VPN ciphers
- Update VPN ciphers for compatibility with macOS 14 (Sonoma). Ref: #1486, libreswan/libreswan#1450
parent
f2061391c6
commit
5a9402b75b
@ -157,7 +157,7 @@ confirm_or_abort() {
|
|||||||
show_header() {
|
show_header() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
IKEv2 Script Copyright (c) 2020-2023 Lin Song 11 Aug 2023
|
IKEv2 Script Copyright (c) 2020-2023 Lin Song 9 Dec 2023
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
@ -872,6 +872,20 @@ install_uuidgen() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
update_ikev2_conf() {
|
||||||
|
if grep -qs 'ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1$' "$IKEV2_CONF"; then
|
||||||
|
bigecho2 "Updating IKEv2 configuration..."
|
||||||
|
sed -i \
|
||||||
|
"/ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1$/s/ike=/ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,/" \
|
||||||
|
"$IKEV2_CONF"
|
||||||
|
if [ "$os_type" = "alpine" ]; then
|
||||||
|
ipsec auto --add ikev2-cp >/dev/null
|
||||||
|
else
|
||||||
|
restart_ipsec_service >/dev/null
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
create_mobileconfig() {
|
create_mobileconfig() {
|
||||||
[ -z "$server_addr" ] && get_server_address
|
[ -z "$server_addr" ] && get_server_address
|
||||||
p12_file_enc="$export_dir$client_name.enc.p12"
|
p12_file_enc="$export_dir$client_name.enc.p12"
|
||||||
@ -898,9 +912,9 @@ cat > "$mc_file" <<EOF
|
|||||||
<key>ChildSecurityAssociationParameters</key>
|
<key>ChildSecurityAssociationParameters</key>
|
||||||
<dict>
|
<dict>
|
||||||
<key>DiffieHellmanGroup</key>
|
<key>DiffieHellmanGroup</key>
|
||||||
<integer>14</integer>
|
<integer>19</integer>
|
||||||
<key>EncryptionAlgorithm</key>
|
<key>EncryptionAlgorithm</key>
|
||||||
<string>AES-128-GCM</string>
|
<string>AES-256-GCM</string>
|
||||||
<key>LifeTimeInMinutes</key>
|
<key>LifeTimeInMinutes</key>
|
||||||
<integer>1410</integer>
|
<integer>1410</integer>
|
||||||
</dict>
|
</dict>
|
||||||
@ -915,9 +929,9 @@ cat > "$mc_file" <<EOF
|
|||||||
<key>IKESecurityAssociationParameters</key>
|
<key>IKESecurityAssociationParameters</key>
|
||||||
<dict>
|
<dict>
|
||||||
<key>DiffieHellmanGroup</key>
|
<key>DiffieHellmanGroup</key>
|
||||||
<integer>14</integer>
|
<integer>19</integer>
|
||||||
<key>EncryptionAlgorithm</key>
|
<key>EncryptionAlgorithm</key>
|
||||||
<string>AES-256</string>
|
<string>AES-256-GCM</string>
|
||||||
<key>IntegrityAlgorithm</key>
|
<key>IntegrityAlgorithm</key>
|
||||||
<string>SHA2-256</string>
|
<string>SHA2-256</string>
|
||||||
<key>LifeTimeInMinutes</key>
|
<key>LifeTimeInMinutes</key>
|
||||||
@ -1093,6 +1107,7 @@ export_client_config() {
|
|||||||
else
|
else
|
||||||
install_uuidgen
|
install_uuidgen
|
||||||
fi
|
fi
|
||||||
|
update_ikev2_conf
|
||||||
export_p12_file
|
export_p12_file
|
||||||
create_mobileconfig
|
create_mobileconfig
|
||||||
create_android_profile
|
create_android_profile
|
||||||
@ -1174,7 +1189,7 @@ conn ikev2-cp
|
|||||||
ikev2=insist
|
ikev2=insist
|
||||||
rekey=no
|
rekey=no
|
||||||
pfs=no
|
pfs=no
|
||||||
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
|
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
|
||||||
ikelifetime=24h
|
ikelifetime=24h
|
||||||
salifetime=24h
|
salifetime=24h
|
||||||
|
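Review bot: In `update_ikev2_conf` the rewrite only fires when the `ike=` line is exactly the old default, yet `create_mobileconfig` now always emits DH group 19 and `AES-256-GCM` for both the IKE and Child SA, so on a server whose `ike=` line was customised the function does nothing and the freshly exported profile would likely fail to negotiate, with no hint why. A check after the `if` block would surface that, for example `grep -qs 'ike=.*aes_gcm_c_256-hmac_sha2_256-ecp_256' "$IKEV2_CONF" || echo "Warning: ike= in $IKEV2_CONF lacks the AES-GCM proposal used by new .mobileconfig profiles" >&2`. The exit status of `sed -i` is not tested before `ipsec auto --add` / `restart_ipsec_service` runs, so the reload should be guarded on the edit having succeeded. Because `restart_ipsec_service` (defined outside these hunks) presumably interrupts connected clients, a comment above the function such as `# May restart IPsec once, on the first export after upgrade, to add the AES-GCM IKE proposal` would help operators. The `aes256-sha1,aes128-sha1` fallbacks also stay in the `ike=` list, so the stronger proposal is offered but not enforced; if that is deliberate for older clients, a short comment at the `conn ikev2-cp` template saying so would make the trade-off explicit.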