From 5f75a7306a38a2e07f817f4dc473643ca0dcbf38 Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Sun, 28 Oct 2018 00:33:42 -0500
Subject: [PATCH] Improve VPN ciphers

- Revert 'sha2-truncbug' from 'no' to 'yes' to fix compatibility with
  Android versions 6.x and 7.x.
- Remove aes128-sha2_512 algorithm
- Ref: 732ad1e
---
 docs/clients-zh.md          | 2 +-
 docs/clients.md             | 2 +-
 extras/vpnupgrade.sh        | 8 +++-----
 extras/vpnupgrade_centos.sh | 8 +++-----
 vpnsetup.sh                 | 6 +++---
 vpnsetup_centos.sh          | 4 ++--
 6 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/docs/clients-zh.md b/docs/clients-zh.md
index b851be4..7727937 100644
--- a/docs/clients-zh.md
+++ b/docs/clients-zh.md
@@ -234,7 +234,7 @@ OS X (macOS) 用户： 如果你成功地使用 IPsec/L2TP 模式连接，但是
 如果你无法使用 Android 6 或以上版本连接：
 
 1. 单击 VPN 连接旁边的设置按钮，选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在（看下图），请启用它并重试连接。如果不存在，请尝试下一步。
-1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并将它的值在 `yes` 和 `no` 之间切换。保存修改并运行 `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
+1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
 
 ![Android VPN workaround](images/vpn-profile-Android.png)
 
diff --git a/docs/clients.md b/docs/clients.md
index 64484d2..845fd8e 100644
--- a/docs/clients.md
+++ b/docs/clients.md
@@ -234,7 +234,7 @@ OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but y
 If you are unable to connect using Android 6 or above:
 
 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step.
-1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value (between `yes` and `no`). Save the file and run `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>).
+1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>).
 
 ![Android VPN workaround](images/vpn-profile-Android.png)
 
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 8fd6e16..683fa8d 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -130,18 +130,17 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
     1. Replace "auth=esp" with "phase2=esp"
     2. Replace "forceencaps=yes" with "encapsulation=yes"
     3. Optimize VPN ciphers for "ike=" and "phase2alg="
-    4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no"
 EOF
 
 if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
 cat <<'EOF'
-    5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
+    4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
 EOF
 fi
 
 if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
 cat <<'EOF'
-    5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
+    4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
 EOF
 fi
 
@@ -215,7 +214,7 @@ fi
 
 # Update ipsec.conf
 IKE_NEW="  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
-PHASE2_NEW="  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+PHASE2_NEW="  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
 
 if uname -m | grep -qi '^arm'; then
   PHASE2_NEW="  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
@@ -224,7 +223,6 @@ fi
 sed -i".old-$(date +%F-%T)" \
     -e "s/^[[:space:]]\+auth=esp\$/  phase2=esp/g" \
     -e "s/^[[:space:]]\+forceencaps=yes\$/  encapsulation=yes/g" \
-    -e "s/^[[:space:]]\+sha2-truncbug=yes\$/  sha2-truncbug=no/g" \
     -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
     -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
 
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index ea85036..b0cffdb 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -121,18 +121,17 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
     1. Replace "auth=esp" with "phase2=esp"
     2. Replace "forceencaps=yes" with "encapsulation=yes"
     3. Optimize VPN ciphers for "ike=" and "phase2alg="
-    4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no"
 EOF
 
 if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
 cat <<'EOF'
-    5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
+    4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
 EOF
 fi
 
 if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
 cat <<'EOF'
-    5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
+    4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
 EOF
 fi
 
@@ -217,12 +216,11 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
 # Update ipsec.conf
 IKE_NEW="  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
-PHASE2_NEW="  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+PHASE2_NEW="  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
 
 sed -i".old-$(date +%F-%T)" \
     -e "s/^[[:space:]]\+auth=esp\$/  phase2=esp/g" \
     -e "s/^[[:space:]]\+forceencaps=yes\$/  encapsulation=yes/g" \
-    -e "s/^[[:space:]]\+sha2-truncbug=yes\$/  sha2-truncbug=no/g" \
     -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
     -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
 
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 20a2753..586e115 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -259,8 +259,8 @@ conn shared
   dpdtimeout=120
   dpdaction=clear
   ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
-  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
-  sha2-truncbug=no
+  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  sha2-truncbug=yes
 
 conn l2tp-psk
   auto=add
@@ -288,7 +288,7 @@ conn xauth-psk
 EOF
 
 if uname -m | grep -qi '^arm'; then
-  sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf
+  sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
 fi
 
 # Specify IPsec PSK
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 2ad6fa0..c9bd855 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -246,8 +246,8 @@ conn shared
   dpdtimeout=120
   dpdaction=clear
   ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
-  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
-  sha2-truncbug=no
+  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  sha2-truncbug=yes
 
 conn l2tp-psk
   auto=add