Update VPN ciphers

- Add aes256-sha2_512 to the list of allowed ciphers - Required for Android 7.1.x and (possibly) Chromebook
hwdsl2 · Apr 12, 2017 · f58afbc · f58afbc
1 parent 67474fd
commit f58afbc
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 12 deletions.
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
@@ -55,8 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
      ikev2=insist
      rekey=no
      fragmentation=yes
-     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
-     phase2alg=3des-sha1,aes-sha1,aes-sha2
+     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
+     phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512
    EOF
    ```
 

diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
@@ -55,8 +55,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
      ikev2=insist
      rekey=no
      fragmentation=yes
-     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
-     phase2alg=3des-sha1,aes-sha1,aes-sha2
+     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
+     phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512
    EOF
    ```
 

diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
@@ -161,8 +161,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then
 fi
 
 # Update ipsec.conf for Libreswan 3.19 and newer
-IKE_NEW="  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
-PHASE2_NEW="  phase2alg=3des-sha1,aes-sha1,aes-sha2"
+IKE_NEW="  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
+PHASE2_NEW="  phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512"
 sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
     -e "s/^[[:space:]]\+auth=esp\$/  phase2=esp/" \
     -e "s/^[[:space:]]\+forceencaps=yes\$/  encapsulation=yes/" \

diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
@@ -155,8 +155,8 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
 # Update ipsec.conf for Libreswan 3.19 and newer
-IKE_NEW="  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
-PHASE2_NEW="  phase2alg=3des-sha1,aes-sha1,aes-sha2"
+IKE_NEW="  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
+PHASE2_NEW="  phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512"
 sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \
     -e "s/^[[:space:]]\+auth=esp\$/  phase2=esp/" \
     -e "s/^[[:space:]]\+forceencaps=yes\$/  encapsulation=yes/" \

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -228,8 +228,8 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
-  phase2alg=3des-sha1,aes-sha1,aes-sha2
+  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
+  phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512
   sha2-truncbug=yes
 
 conn l2tp-psk

diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
@@ -212,8 +212,8 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
-  phase2alg=3des-sha1,aes-sha1,aes-sha2
+  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
+  phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512
   sha2-truncbug=yes
 
 conn l2tp-psk