Improve VPN ciphers

- Improve security by removing support for modp1536 (DH group 5),
  which is less secure and rarely used by VPN clients. To do this,
  we specify modp2048 on the "ike=" line in ipsec.conf.

extras/vpnupgrade_alpine.sh

@@ -209,7 +209,7 @@ update_ikev2_script() {
 
 update_config() {
   bigecho "Updating VPN configuration..."
-  IKE_NEW="  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+  IKE_NEW="  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048"
   PHASE2_NEW="  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
   if uname -m | grep -qi '^arm'; then
     if ! modprobe -q sha512; then

extras/vpnupgrade_amzn.sh

@@ -203,7 +203,7 @@ update_ikev2_script() {
 
 update_config() {
   bigecho "Updating VPN configuration..."
-  IKE_NEW="  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+  IKE_NEW="  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048"
   PHASE2_NEW="  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
   dns_state=0
   DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)

extras/vpnupgrade_centos.sh

@@ -255,7 +255,7 @@ update_ikev2_script() {
 
 update_config() {
   bigecho "Updating VPN configuration..."
-  IKE_NEW="  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+  IKE_NEW="  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048"
   PHASE2_NEW="  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
   dns_state=0
   DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)

extras/vpnupgrade_ubuntu.sh

@@ -239,7 +239,7 @@ update_ikev2_script() {
 
 update_config() {
   bigecho "Updating VPN configuration..."
-  IKE_NEW="  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+  IKE_NEW="  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048"
   PHASE2_NEW="  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
   if uname -m | grep -qi '^arm'; then
     if ! modprobe -q sha512; then

vpnsetup_alpine.sh

@@ -337,7 +337,7 @@ conn shared
   dpdtimeout=300
   dpdaction=clear
   ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h

vpnsetup_amzn.sh

@@ -353,7 +353,7 @@ conn shared
   dpdtimeout=300
   dpdaction=clear
   ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h

vpnsetup_centos.sh

@@ -453,7 +453,7 @@ conn shared
   dpdtimeout=300
   dpdaction=clear
   ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h

vpnsetup_ubuntu.sh

@@ -398,7 +398,7 @@ conn shared
   dpdtimeout=300
   dpdaction=clear
   ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h