Improve VPN ciphers

- Replace "aes_gcm256-null,aes_gcm128-null" with "aes_gcm-null" to improve compatibility with some Linux kernels - Ref: https://libreswan.org/wiki/FAQ#Using_aes_gcm_or_aes_ctr_results_in_ERROR:_netlink_response_for_Add_SA_esp.XXXXXXXX.40IPADDRESS_included_errno_22:_Invalid_argument
2024-11-25 14:26:09 +03:00 · 2018-11-02 01:54:49 -05:00 · 2018-11-02 01:54:49 -05:00 · f1c8c06af1
commit f1c8c06af1
parent ce895e7116
6 changed files with 7 additions and 7 deletions
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -57,7 +57,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
     rekey=no
     fragmentation=yes
     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
-     phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+     phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
   EOF
   ```

--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -57,7 +57,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
     rekey=no
     fragmentation=yes
     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
-     phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+     phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
   EOF
   ```

--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@ -214,10 +214,10 @@ fi

 # Update ipsec.conf
 IKE_NEW="  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
-PHASE2_NEW="  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+PHASE2_NEW="  phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"

 if uname -m | grep -qi '^arm'; then
-  PHASE2_NEW="  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+  PHASE2_NEW="  phase2alg=aes_gcm-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
 fi

 sed -i".old-$(date +%F-%T)" \
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@ -216,7 +216,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null

 # Update ipsec.conf
 IKE_NEW="  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
-PHASE2_NEW="  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+PHASE2_NEW="  phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"

 sed -i".old-$(date +%F-%T)" \
    -e "s/^[[:space:]]\+auth=esp\$/  phase2=esp/g" \
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@ -259,7 +259,7 @@ conn shared
  dpdtimeout=120
  dpdaction=clear
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
-  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  sha2-truncbug=yes

 conn l2tp-psk
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@ -246,7 +246,7 @@ conn shared
  dpdtimeout=120
  dpdaction=clear
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
-  phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  phase2alg=aes_gcm-null,aes256-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  sha2-truncbug=yes

 conn l2tp-psk