From 63697214b432b9ad27fa5df1dd830ccb14a4e91f Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Wed, 18 Jan 2017 21:13:00 -0600
Subject: [PATCH] Improve VPN ciphers

- Consolidate VPN ciphers for "ike=" and "phase2alg=" in ipsec.conf.
---
 docs/ikev2-howto-zh.md      |  4 ++--
 docs/ikev2-howto.md         |  4 ++--
 extras/vpnupgrade.sh        | 12 +++++++-----
 extras/vpnupgrade_centos.sh | 12 +++++++-----
 vpnsetup.sh                 |  4 ++--
 vpnsetup_centos.sh          |  4 ++--
 6 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 2848062..c898221 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -58,8 +58,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
      ikev2=insist
      rekey=no
      fragmentation=yes
-     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
-     phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
+     phase2alg=3des-sha1,aes-sha1,aes-sha2
    EOF
    ```
 
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 0b99e68..eba32ac 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -58,8 +58,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
      ikev2=insist
      rekey=no
      fragmentation=yes
-     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
-     phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
+     phase2alg=3des-sha1,aes-sha1,aes-sha2
    EOF
    ```
 
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 57f9880..e298a09 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -87,8 +87,9 @@ Replace this line:
 with the following:
   encapsulation=yes
 
-Re-add "MODP1024" to the list of allowed "ike=" ciphers.
-(Removed from the default list in Libreswan 3.19)
+Consolidate VPN ciphers for "ike=" and "phase2alg=".
+Re-add "MODP1024" to the list of allowed "ike=" ciphers,
+which was removed from defaults in Libreswan 3.19.
 
 Your other VPN configuration files will not be modified.
 
@@ -158,9 +159,10 @@ fi
 
 # Update ipsec.conf options
 sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
-    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
-    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
-    /etc/ipsec.conf
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
+    -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" \
+    -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" /etc/ipsec.conf
 
 # Restart IPsec service
 service ipsec restart
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index c2c1378..45e95fc 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -83,8 +83,9 @@ Replace this line:
 with the following:
   encapsulation=yes
 
-Re-add "MODP1024" to the list of allowed "ike=" ciphers.
-(Removed from the default list in Libreswan 3.19)
+Consolidate VPN ciphers for "ike=" and "phase2alg=".
+Re-add "MODP1024" to the list of allowed "ike=" ciphers,
+which was removed from defaults in Libreswan 3.19.
 
 Your other VPN configuration files will not be modified.
 
@@ -155,9 +156,10 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
 # Update ipsec.conf options
 sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
-    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
-    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
-    /etc/ipsec.conf
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
+    -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" \
+    -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" /etc/ipsec.conf
 
 # Restart IPsec service
 service ipsec restart
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 2933482..8d10555 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -219,8 +219,8 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
-  phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
+  phase2alg=3des-sha1,aes-sha1,aes-sha2
   sha2-truncbug=yes
 
 conn l2tp-psk
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 8656c57..020bbc6 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -206,8 +206,8 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
-  phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
+  phase2alg=3des-sha1,aes-sha1,aes-sha2
   sha2-truncbug=yes
 
 conn l2tp-psk