From 8b40709d4da7d1565486960e17fb264c3e3769e8 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Mon, 13 Nov 2017 00:12:16 -0600
Subject: [PATCH] Improve VPN ciphers

- Remove unsupported ESP algorithm on Raspbian

---
 extras/vpnupgrade.sh | 3 +++
 vpnsetup.sh | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 88f0d0e..83569e2 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -183,6 +183,9 @@ fi
 # Update ipsec.conf for Libreswan 3.19 and newer
 IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
 PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
+if grep -qs raspbian /etc/os-release; then
+  PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
+fi
 sed -i".old-$(date +%F-%T)" \
 -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
 -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 30cd001..22b22c9 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -279,6 +279,11 @@ if grep -qs 'Raspbian GNU/Linux 9' /etc/os-release; then
   check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
 fi
 
+# Remove unsupported ESP algorithm on Raspbian
+if grep -qs raspbian /etc/os-release; then
+  sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
+fi
+
 # Specify IPsec PSK
 conf_bk "/etc/ipsec.secrets"
 cat > /etc/ipsec.secrets <
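Review bot: The Raspbian branch re-types the whole phase2alg proposal list as a second literal, so the two copies of PHASE2_NEW can silently drift the next time the cipher list is touched; deriving it from the line above keeps a single source of truth, `PHASE2_NEW="${PHASE2_NEW%,aes256-sha2_512}"`. The branch also carries no comment saying why aes256-sha2_512 is dropped — the commit message only says "unsupported" — so a maintainer cannot tell which component rejects it or when the workaround can be retired; a one-line note naming the component and the observed failure would help, e.g. `# Raspbian rejects aes256-sha2_512 in ESP proposals (see commit 8b40709); drop it from the list`. Worth noting, though outside this commit's scope, that the remaining lists still lead with 3des-sha1 and the IKE line keeps modp1024, so "Improve VPN ciphers" does not raise the floor on Raspbian. The sed invocation that consumes PHASE2_NEW continues past the end of the hunk.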
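Review bot: The added `sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf` edits the just-written config in place and never confirms the token was actually present and removed, so if the phase2alg template above is later reordered or renamed this branch becomes a silent no-op and Raspbian ships the proposal the commit says it cannot use. A cheap post-condition such as `grep -q 'aes256-sha2_512' /etc/ipsec.conf && exit 1` (or whatever error helper the script uses elsewhere, which is not visible here) would turn that into a loud failure. The accompanying comment should also say which component rejects the algorithm and what symptom was seen, since "unsupported" alone gives no way to decide when the workaround can be dropped. The `cat > /etc/ipsec.secrets` here-doc that follows continues past the end of the hunk.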