Improve VPN ciphers
- Optimize VPN ciphers and their order for improved security and compatibility with different OS. Remove 3DES algorithm - Change 'sha2-truncbug' from 'yes' to 'no' - Update docs
This commit is contained in:
parent
2f9f5c39de
commit
732ad1e941
@ -221,7 +221,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 <a href="http://forums
|
|||||||
|
|
||||||
### Windows 10 版本 1803
|
### Windows 10 版本 1803
|
||||||
|
|
||||||
如果你无法使用 Windows 10 版本 1803 或以上连接,尝试以下步骤:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 一行并在末尾加上 `,aes256-sha2_256` 字样。然后找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。
|
如果你无法使用 Windows 10 版本 1803 或以上连接:编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 一行并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart`。
|
||||||
|
|
||||||
另外,在升级 Windows 10 版本之后 (比如从 1709 到 1803),你可能需要重新按照 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。
|
另外,在升级 Windows 10 版本之后 (比如从 1709 到 1803),你可能需要重新按照 [Windows 错误 809](#windows-错误-809) 中的步骤修改注册表并重启。
|
||||||
|
|
||||||
@ -231,11 +231,10 @@ OS X (macOS) 用户: 如果你成功地使用 IPsec/L2TP 模式连接,但是
|
|||||||
|
|
||||||
### Android 6 及以上版本
|
### Android 6 及以上版本
|
||||||
|
|
||||||
如果你无法使用 Android 6 或以上版本连接,按顺序尝试以下步骤:
|
如果你无法使用 Android 6 或以上版本连接:
|
||||||
|
|
||||||
1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。
|
1. 单击 VPN 连接旁边的设置按钮,选择 "Show advanced options" 并且滚动到底部。如果选项 "Backward compatible mode" 存在(看下图),请启用它并重试连接。如果不存在,请尝试下一步。
|
||||||
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug=yes` 并将它替换为 `sha2-truncbug=no`。保存修改并运行 `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)。如果仍然无法连接,请尝试下一步。
|
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并将它的值在 `yes` 和 `no` 之间切换。保存修改并运行 `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">参见</a>)
|
||||||
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 一行并在末尾加上 `,aes256-sha2_256` 字样。保存修改并运行 `service ipsec restart`。
|
|
||||||
|
|
||||||
![Android VPN workaround](images/vpn-profile-Android.png)
|
![Android VPN workaround](images/vpn-profile-Android.png)
|
||||||
|
|
||||||
|
@ -221,7 +221,7 @@ To fix this error, please follow these steps:
|
|||||||
|
|
||||||
### Windows 10 version 1803
|
### Windows 10 version 1803
|
||||||
|
|
||||||
If you are unable to connect using Windows 10 version 1803 or above, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Then find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`.
|
If you are unable to connect using Windows 10 version 1803 or above: Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`.
|
||||||
|
|
||||||
Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot.
|
Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot.
|
||||||
|
|
||||||
@ -231,11 +231,10 @@ OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but y
|
|||||||
|
|
||||||
### Android 6 and above
|
### Android 6 and above
|
||||||
|
|
||||||
If you are unable to connect using Android 6 or above, try these steps in order:
|
If you are unable to connect using Android 6 or above:
|
||||||
|
|
||||||
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step.
|
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step.
|
||||||
1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>). If still unable to connect, try the next step.
|
1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value (between `yes` and `no`). Save the file and run `service ipsec restart` (<a href="https://libreswan.org/wiki/FAQ#Configuration_Matters" target="_blank">Ref</a>).
|
||||||
1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`.
|
|
||||||
|
|
||||||
![Android VPN workaround](images/vpn-profile-Android.png)
|
![Android VPN workaround](images/vpn-profile-Android.png)
|
||||||
|
|
||||||
|
@ -56,8 +56,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
|||||||
ikev2=insist
|
ikev2=insist
|
||||||
rekey=no
|
rekey=no
|
||||||
fragmentation=yes
|
fragmentation=yes
|
||||||
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
||||||
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null
|
phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -56,8 +56,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
|||||||
ikev2=insist
|
ikev2=insist
|
||||||
rekey=no
|
rekey=no
|
||||||
fragmentation=yes
|
fragmentation=yes
|
||||||
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
||||||
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null
|
phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -129,20 +129,19 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
|
|||||||
|
|
||||||
1. Replace "auth=esp" with "phase2=esp"
|
1. Replace "auth=esp" with "phase2=esp"
|
||||||
2. Replace "forceencaps=yes" with "encapsulation=yes"
|
2. Replace "forceencaps=yes" with "encapsulation=yes"
|
||||||
3. Consolidate VPN ciphers for "ike=" and "phase2alg=",
|
3. Optimize VPN ciphers for "ike=" and "phase2alg="
|
||||||
re-add "MODP1024" to the list of allowed "ike=" ciphers,
|
4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no"
|
||||||
which was removed from the defaults in Libreswan 3.19
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
|
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
|
5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
|
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
|
5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -215,16 +214,17 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Update ipsec.conf
|
# Update ipsec.conf
|
||||||
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||||
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512"
|
PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
|
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null"
|
PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sed -i".old-$(date +%F-%T)" \
|
sed -i".old-$(date +%F-%T)" \
|
||||||
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
|
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
|
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
|
||||||
|
-e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
|
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
|
||||||
|
|
||||||
|
@ -120,20 +120,19 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
|
|||||||
|
|
||||||
1. Replace "auth=esp" with "phase2=esp"
|
1. Replace "auth=esp" with "phase2=esp"
|
||||||
2. Replace "forceencaps=yes" with "encapsulation=yes"
|
2. Replace "forceencaps=yes" with "encapsulation=yes"
|
||||||
3. Consolidate VPN ciphers for "ike=" and "phase2alg=",
|
3. Optimize VPN ciphers for "ike=" and "phase2alg="
|
||||||
re-add "MODP1024" to the list of allowed "ike=" ciphers,
|
4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no"
|
||||||
which was removed from the defaults in Libreswan 3.19
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
|
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
|
5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
|
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
|
5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -217,12 +216,13 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
|
|||||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||||
|
|
||||||
# Update ipsec.conf
|
# Update ipsec.conf
|
||||||
IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||||
PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512"
|
PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
|
||||||
|
|
||||||
sed -i".old-$(date +%F-%T)" \
|
sed -i".old-$(date +%F-%T)" \
|
||||||
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
|
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
|
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
|
||||||
|
-e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
|
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
|
||||||
|
|
||||||
|
@ -258,9 +258,9 @@ conn shared
|
|||||||
dpddelay=30
|
dpddelay=30
|
||||||
dpdtimeout=120
|
dpdtimeout=120
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
||||||
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512
|
phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
sha2-truncbug=yes
|
sha2-truncbug=no
|
||||||
|
|
||||||
conn l2tp-psk
|
conn l2tp-psk
|
||||||
auto=add
|
auto=add
|
||||||
@ -288,7 +288,7 @@ conn xauth-psk
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
if uname -m | grep -qi '^arm'; then
|
if uname -m | grep -qi '^arm'; then
|
||||||
sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
|
sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Specify IPsec PSK
|
# Specify IPsec PSK
|
||||||
|
@ -245,9 +245,9 @@ conn shared
|
|||||||
dpddelay=30
|
dpddelay=30
|
||||||
dpdtimeout=120
|
dpdtimeout=120
|
||||||
dpdaction=clear
|
dpdaction=clear
|
||||||
ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
|
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
|
||||||
phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512
|
phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
|
||||||
sha2-truncbug=yes
|
sha2-truncbug=no
|
||||||
|
|
||||||
conn l2tp-psk
|
conn l2tp-psk
|
||||||
auto=add
|
auto=add
|
||||||
|
Loading…
Reference in New Issue
Block a user