Bugfix
- Libreswan 3.19 removed MODP1024 from the ike= default list, which breaks compatibility with Android 5.x and others - This commit explicitly adds MODP1024 back to the ike= list - Fixes #101. Thanks @keijodputt!
parent
5cbadb643b
commit
e40dd6219b
@ -58,8 +58,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
|
||||
ikev2=insist
|
||||
rekey=no
|
||||
fragmentation=yes
|
||||
ike=3des-sha1,aes-sha1,aes256-sha2_256;modp1024,aes256-sha2_256;modp2048
|
||||
phase2alg=3des-sha1,aes-sha1,aes256-sha2_256
|
||||
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
|
||||
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
|
||||
EOF
|
||||
```
|
||||
|
||||
|
@ -58,8 +58,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
|
||||
ikev2=insist
|
||||
rekey=no
|
||||
fragmentation=yes
|
||||
ike=3des-sha1,aes-sha1,aes256-sha2_256;modp1024,aes256-sha2_256;modp2048
|
||||
phase2alg=3des-sha1,aes-sha1,aes256-sha2_256
|
||||
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
|
||||
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
|
||||
EOF
|
||||
```
|
||||
|
||||
|
@ -87,6 +87,9 @@ Replace this line:
|
||||
with the following:
|
||||
encapsulation=yes
|
||||
|
||||
Re-add "MODP1024" to the list of allowed "ike=" ciphers.
|
||||
(Removed from the default list in Libreswan 3.19)
|
||||
|
||||
Your other VPN configuration files will not be modified.
|
||||
|
||||
EOF
|
||||
@ -154,7 +157,10 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then
|
||||
fi
|
||||
|
||||
# Update ipsec.conf options
|
||||
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
|
||||
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
|
||||
-e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
|
||||
-e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
|
||||
/etc/ipsec.conf
|
||||
|
||||
# Restart IPsec service
|
||||
service ipsec restart
|
||||
|
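Review bot: The two new `ike=` expressions in the `sed -i.old` call are not anchored, so the second one also matches any longer line that merely starts with `ike=3des-sha1,aes-sha1,aes256-sha2_256`. The IKEv2 guide's previous line, `ike=3des-sha1,aes-sha1,aes256-sha2_256;modp1024,aes256-sha2_256;modp2048`, is such a line; if that conn lives in /etc/ipsec.conf, the rewrite would leave it with a doubled `;modp1024;modp1024` suffix, and the service restart that follows may then fail to load the conn. Ending both patterns at the line end, e.g. `s/ike=3des-sha1,aes-sha1,aes256-sha2_256[[:space:]]*\$/.../`, limits the rewrite to the exact lists the setup scripts wrote. The same `sed` call in the other upgrade script (the `@ -151,7 +154,10` hunk) needs the same change.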
@ -83,6 +83,9 @@ Replace this line:
|
||||
with the following:
|
||||
encapsulation=yes
|
||||
|
||||
Re-add "MODP1024" to the list of allowed "ike=" ciphers.
|
||||
(Removed from the default list in Libreswan 3.19)
|
||||
|
||||
Your other VPN configuration files will not be modified.
|
||||
|
||||
EOF
|
||||
@ -151,7 +154,10 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
|
||||
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||
|
||||
# Update ipsec.conf options
|
||||
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
|
||||
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
|
||||
-e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
|
||||
-e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
|
||||
/etc/ipsec.conf
|
||||
|
||||
# Restart IPsec service
|
||||
service ipsec restart
|
||||
|
@ -219,7 +219,7 @@ conn shared
|
||||
dpddelay=30
|
||||
dpdtimeout=120
|
||||
dpdaction=clear
|
||||
ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
|
||||
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
|
||||
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
|
||||
sha2-truncbug=yes
|
||||
|
||||
|
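Review bot: The new `ike=` line in `conn shared` adds a `;modp1024` variant for every cipher pair, and nothing beside it records why. MODP1024 is the 1024-bit DH group that, per the commit message, Libreswan 3.19 removed from its default list; with this line the server would accept it from any client that proposes it, not only from Android 5.x. A comment such as `# modp1024 kept only for Android 5.x compatibility; remove the ';modp1024' entries if no such clients connect` would let operators tighten the list. The identical line in the `@ -206,7 +206,7` hunk should carry the same comment. The conn block continues outside the hunk, so whether the comment belongs in the generated config or in the script above it has to be checked against the full file.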
@ -206,7 +206,7 @@ conn shared
|
||||
dpddelay=30
|
||||
dpdtimeout=120
|
||||
dpdaction=clear
|
||||
ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
|
||||
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
|
||||
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
|
||||
sha2-truncbug=yes
|
||||
|
||||
|