Improve VPN ciphers

- Consolidate VPN ciphers for "ike=" and "phase2alg=" in ipsec.conf.

docs/ikev2-howto-zh.md

@@ -58,8 +58,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
      ikev2=insist
      rekey=no
      fragmentation=yes
-     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
+     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
-     phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+     phase2alg=3des-sha1,aes-sha1,aes-sha2
    EOF
    ```
 

docs/ikev2-howto.md

@@ -58,8 +58,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
      ikev2=insist
      rekey=no
      fragmentation=yes
-     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
+     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
-     phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+     phase2alg=3des-sha1,aes-sha1,aes-sha2
    EOF
    ```
 

extras/vpnupgrade.sh

@@ -87,8 +87,9 @@ Replace this line:
 with the following:
   encapsulation=yes
 
-Re-add "MODP1024" to the list of allowed "ike=" ciphers.
+Consolidate VPN ciphers for "ike=" and "phase2alg=".
-(Removed from the default list in Libreswan 3.19)
+Re-add "MODP1024" to the list of allowed "ike=" ciphers,
+which was removed from defaults in Libreswan 3.19.
 
 Your other VPN configuration files will not be modified.
 
@@ -158,9 +159,10 @@ fi
 
 # Update ipsec.conf options
 sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
-    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
-    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
-    /etc/ipsec.conf
+    -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" \
+    -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" /etc/ipsec.conf
 
 # Restart IPsec service
 service ipsec restart

extras/vpnupgrade_centos.sh

@@ -83,8 +83,9 @@ Replace this line:
 with the following:
   encapsulation=yes
 
-Re-add "MODP1024" to the list of allowed "ike=" ciphers.
+Consolidate VPN ciphers for "ike=" and "phase2alg=".
-(Removed from the default list in Libreswan 3.19)
+Re-add "MODP1024" to the list of allowed "ike=" ciphers,
+which was removed from defaults in Libreswan 3.19.
 
 Your other VPN configuration files will not be modified.
 
@@ -155,9 +156,10 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
 # Update ipsec.conf options
 sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
-    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
-    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024/" \
-    /etc/ipsec.conf
+    -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" \
+    -e "s/phase2alg=3des-sha1,aes-sha1,aes256-sha2_256/phase2alg=3des-sha1,aes-sha1,aes-sha2/" /etc/ipsec.conf
 
 # Restart IPsec service
 service ipsec restart

vpnsetup.sh

@@ -219,8 +219,8 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
+  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
-  phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+  phase2alg=3des-sha1,aes-sha1,aes-sha2
   sha2-truncbug=yes
 
 conn l2tp-psk

vpnsetup_centos.sh

@@ -206,8 +206,8 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
+  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
-  phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+  phase2alg=3des-sha1,aes-sha1,aes-sha2
   sha2-truncbug=yes
 
 conn l2tp-psk