Windows RSA support #9

2025-06-06 15:13:56 +02:00 · 2016-11-27 01:37:17 +03:00 · 2016-11-27 01:37:17 +03:00 · 2cb98b4516
commit 2cb98b4516
parent d708750bd1
7 changed files with 34 additions and 4 deletions
--- a/6
+++ b/6
@ -55,6 +55,12 @@ Do you want to enable VPN always when connected to the cellular network?
 OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
 if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi

+read -p "
+Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers)
+[y/N]: " -r Win10_Enabled
+Win10_Enabled=${Win10_Enabled:-n}
+if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
+
 }

 deploy () {
--- a/config.cfg
+++ b/config.cfg
@ -59,8 +59,6 @@ ipsec_config:
  dpddelay: '35s'
  rekey: 'no'
  keyexchange: 'ikev2'
-  ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
-  esp: 'aes128gcm16-sha2_256-ecp256!'
  compress: 'yes'
  fragmentation: 'yes'

--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@ -3,6 +3,14 @@ conn ikev2-{{ IP_subject_alt_name }}
    {{ key }}={{ value }}
 {% endfor %}

+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+    esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+{% else %}
+    ike=aes128gcm16-sha2_256-prfsha256-ecp256
+    esp=aes128gcm16-sha2_256-ecp256
+{% endif %}
+
    right={{ IP_subject_alt_name }}
    rightid={{ IP_subject_alt_name }}
    rightsubnet=0.0.0.0/0
--- a/roles/vpn/templates/client_ipsec.secrets.j2
+++ b/roles/vpn/templates/client_ipsec.secrets.j2
@ -1,2 +1,5 @@
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+{{ IP_subject_alt_name }} : RSA {{ IP_subject_alt_name }}_{{ item }}.key
+{% else %}
 {{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
-
+{% endif %}
--- a/roles/vpn/templates/easy-rsa.vars.j2
+++ b/roles/vpn/templates/easy-rsa.vars.j2
@ -102,7 +102,11 @@ set_var EASYRSA_DN "cn_only"
 #  * rsa
 #  * ec

+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+set_var EASYRSA_ALGO       rsa
+{% else %}
 set_var EASYRSA_ALGO       ec
+{% endif %}

 # Define the named curve, used in ec mode only:

--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@ -7,6 +7,14 @@ conn %default
    {{ key }}={{ value }}
 {% endfor %}

+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+    esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+{% else %}
+    ike=aes128gcm16-sha2_256-prfsha256-ecp256
+    esp=aes128gcm16-sha2_256-ecp256
+{% endif %}
+
    left=%any
    leftauth=pubkey
    leftid={{ IP_subject_alt_name }}
--- a/roles/vpn/templates/ipsec.secrets.j2
+++ b/roles/vpn/templates/ipsec.secrets.j2
@ -1,2 +1,5 @@
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+: RSA {{ IP_subject_alt_name }}.key
+{% else %}
 : ECDSA {{ IP_subject_alt_name }}.key
-
+{% endif %}