1
0
mirror of synced 2024-11-25 22:36:04 +03:00

Improve VPN ciphers

- Revert 'sha2-truncbug' from 'no' to 'yes' to fix compatibility with
  Android versions 6.x and 7.x.
- Remove aes128-sha2_512 algorithm
- Ref: 732ad1e
This commit is contained in:
hwdsl2 2018-10-28 00:33:42 -05:00
parent e8723245f0
commit 5f75a7306a
6 changed files with 13 additions and 17 deletions

View File

@ -234,7 +234,7 @@ OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是
如果你无法使用 Android 6 或以上版本连接: 如果你无法使用 Android 6 或以上版本连接:
1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。 1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并将它的值在 `yes``no` 之间切换。保存修改并运行 `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>) 1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
![Android VPN workaround](images/vpn-profile-Android.png) ![Android VPN workaround](images/vpn-profile-Android.png)

View File

@ -234,7 +234,7 @@ OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but y
If you are unable to connect using Android 6 or above: If you are unable to connect using Android 6 or above:
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step. 1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step.
1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value (between `yes` and `no`). Save the file and run `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>). 1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>).
![Android VPN workaround](images/vpn-profile-Android.png) ![Android VPN workaround](images/vpn-profile-Android.png)

View File

@ -130,18 +130,17 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
1. Replace "auth=esp" with "phase2=esp" 1. Replace "auth=esp" with "phase2=esp"
2. Replace "forceencaps=yes" with "encapsulation=yes" 2. Replace "forceencaps=yes" with "encapsulation=yes"
3. Optimize VPN ciphers for "ike=" and "phase2alg=" 3. Optimize VPN ciphers for "ike=" and "phase2alg="
4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no"
EOF EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF' cat <<'EOF'
5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF EOF
fi fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF' cat <<'EOF'
5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF EOF
fi fi
@ -215,7 +214,7 @@ fi
# Update ipsec.conf # Update ipsec.conf
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
if uname -m | grep -qi '^arm'; then if uname -m | grep -qi '^arm'; then
PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
@ -224,7 +223,6 @@ fi
sed -i".old-$(date +%F-%T)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
-e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf

View File

@ -121,18 +121,17 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
1. Replace "auth=esp" with "phase2=esp" 1. Replace "auth=esp" with "phase2=esp"
2. Replace "forceencaps=yes" with "encapsulation=yes" 2. Replace "forceencaps=yes" with "encapsulation=yes"
3. Optimize VPN ciphers for "ike=" and "phase2alg=" 3. Optimize VPN ciphers for "ike=" and "phase2alg="
4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no"
EOF EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF' cat <<'EOF'
5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF EOF
fi fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF' cat <<'EOF'
5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF EOF
fi fi
@ -217,12 +216,11 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf # Update ipsec.conf
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1" PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
sed -i".old-$(date +%F-%T)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
-e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf

View File

@ -259,8 +259,8 @@ conn shared
dpdtimeout=120 dpdtimeout=120
dpdaction=clear dpdaction=clear
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
sha2-truncbug=no sha2-truncbug=yes
conn l2tp-psk conn l2tp-psk
auto=add auto=add
@ -288,7 +288,7 @@ conn xauth-psk
EOF EOF
if uname -m | grep -qi '^arm'; then if uname -m | grep -qi '^arm'; then
sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
fi fi
# Specify IPsec PSK # Specify IPsec PSK

View File

@ -246,8 +246,8 @@ conn shared
dpdtimeout=120 dpdtimeout=120
dpdaction=clear dpdaction=clear
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1 phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
sha2-truncbug=no sha2-truncbug=yes
conn l2tp-psk conn l2tp-psk
auto=add auto=add