1
0
mirror of synced 2025-01-31 04:21:43 +03:00
- Libreswan 3.19 removed MODP1024 from the ike= default list,
  which breaks compatibility with Android 5.x and others
- This commit explicitly adds MODP1024 back to the ike= list
- Fixes #101. Thanks @keijodputt!
This commit is contained in:
hwdsl2 2017-01-18 20:10:43 -06:00
parent 5cbadb643b
commit e40dd6219b
6 changed files with 20 additions and 8 deletions

View File

@ -58,8 +58,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
ikev2=insist
rekey=no
fragmentation=yes
ike=3des-sha1,aes-sha1,aes256-sha2_256;modp1024,aes256-sha2_256;modp2048
phase2alg=3des-sha1,aes-sha1,aes256-sha2_256
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
EOF
```

View File

@ -58,8 +58,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
ikev2=insist
rekey=no
fragmentation=yes
ike=3des-sha1,aes-sha1,aes256-sha2_256;modp1024,aes256-sha2_256;modp2048
phase2alg=3des-sha1,aes-sha1,aes256-sha2_256
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
EOF
```

View File

@ -87,6 +87,9 @@ Replace this line:
with the following:
encapsulation=yes
Re-add "MODP1024" to the list of allowed "ike=" ciphers.
(Removed from the default list in Libreswan 3.19)
Your other VPN configuration files will not be modified.
EOF
@ -154,7 +157,10 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then
fi
# Update ipsec.conf options
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
-e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
-e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
/etc/ipsec.conf
# Restart IPsec service
service ipsec restart

View File

@ -83,6 +83,9 @@ Replace this line:
with the following:
encapsulation=yes
Re-add "MODP1024" to the list of allowed "ike=" ciphers.
(Removed from the default list in Libreswan 3.19)
Your other VPN configuration files will not be modified.
EOF
@ -151,7 +154,10 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf options
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
-e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
-e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
/etc/ipsec.conf
# Restart IPsec service
service ipsec restart

View File

@ -219,7 +219,7 @@ conn shared
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
sha2-truncbug=yes

View File

@ -206,7 +206,7 @@ conn shared
dpddelay=30
dpdtimeout=120
dpdaction=clear
ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
sha2-truncbug=yes