From 2cb98b4516038bce9c455f149d164f905c61092a Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sun, 27 Nov 2016 01:37:17 +0300
Subject: [PATCH] Windows RSA support #9

---
 algo | 6 ++++++
 config.cfg | 2 --
 roles/vpn/templates/client_ipsec.conf.j2 | 8 ++++++++
 roles/vpn/templates/client_ipsec.secrets.j2 | 5 ++++-
 roles/vpn/templates/easy-rsa.vars.j2 | 4 ++++
 roles/vpn/templates/ipsec.conf.j2 | 8 ++++++++
 roles/vpn/templates/ipsec.secrets.j2 | 5 ++++-
 7 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/algo b/algo
index 4911274..cd224d8 100755
--- a/algo
+++ b/algo
@@ -55,6 +55,12 @@ Do you want to enable VPN always when connected to the cellular network?
 OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
 if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
+read -p "
+Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers)
+[y/N]: " -r Win10_Enabled
+Win10_Enabled=${Win10_Enabled:-n}
+if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
+
 }
 deploy () {
diff --git a/config.cfg b/config.cfg
index 26f1458..51f0021 100644
--- a/config.cfg
+++ b/config.cfg
@@ -59,8 +59,6 @@ ipsec_config:
 dpddelay: '35s'
 rekey: 'no'
 keyexchange: 'ikev2'
- ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
- esp: 'aes128gcm16-sha2_256-ecp256!'
 compress: 'yes'
 fragmentation: 'yes'
diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
index 3b01ff1..2e97c36 100644
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
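Review bot: The new prompt only says the option "will use insecure algorithms and ciphers", but the other hunks show it also switches the CA and every client key from EC to RSA (easy-rsa.vars.j2) and puts the weaker proposals into the server's `conn %default` (ipsec.conf.j2), so non-Windows clients are affected as well. I would make the prompt say so, e.g. `Do you want to enable VPN for Windows 10 clients? (Switches all keys to RSA and adds weaker IKE/ESP proposals for every client)`. The `Win10_Enabled` handling itself follows the pattern of the `OnDemandEnabled_Cellular` prompt above it. The enclosing function starts before the hunk and closes at the `}` context line.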
@@ -3,6 +3,14 @@ conn ikev2-{{ IP_subject_alt_name }}
 {{ key }}={{ value }}
 {% endfor %}
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+ esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+{% else %}
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256
+ esp=aes128gcm16-sha2_256-ecp256
+{% endif %}
+
 right={{ IP_subject_alt_name }}
 rightid={{ IP_subject_alt_name }}
 rightsubnet=0.0.0.0/0
diff --git a/roles/vpn/templates/client_ipsec.secrets.j2 b/roles/vpn/templates/client_ipsec.secrets.j2
index ec4a30f..6160312 100644
--- a/roles/vpn/templates/client_ipsec.secrets.j2
+++ b/roles/vpn/templates/client_ipsec.secrets.j2
@@ -1,2 +1,5 @@
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+{{ IP_subject_alt_name }} : RSA {{ IP_subject_alt_name }}_{{ item }}.key
+{% else %}
 {{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
-
+{% endif %}
diff --git a/roles/vpn/templates/easy-rsa.vars.j2 b/roles/vpn/templates/easy-rsa.vars.j2
index 50159aa..2805b3b 100644
--- a/roles/vpn/templates/easy-rsa.vars.j2
+++ b/roles/vpn/templates/easy-rsa.vars.j2
@@ -102,7 +102,11 @@ set_var EASYRSA_DN "cn_only"
 # * rsa
 # * ec
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+set_var EASYRSA_ALGO rsa
+{% else %}
 set_var EASYRSA_ALGO ec
+{% endif %}
 # Define the named curve, used in ec mode only:
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index 2bd6ad1..c412994 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
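Review bot: The `{% else %}` branch drops the strict flag that the values removed from config.cfg carried (`aes128gcm16-sha2_256-prfsha256-ecp256!`), so the default, non-Windows path now renders `ike=` and `esp=` without `!`; in strongSwan a proposal list without the strict flag is extended with the daemon's built-in default proposals, which makes the responder accept more than the single suite the project intended. The same omission is in the `conn %default` block of the ipsec.conf.j2 hunk. I would restore it on both lines: `ike=aes128gcm16-sha2_256-prfsha256-ecp256!` and `esp=aes128gcm16-sha2_256-ecp256!`. Note also that `ike`/`esp` keys still present in a user's local `ipsec_config` (they were in config.cfg before this commit) would now be rendered by the `{% for %}` loop above and again by these hardcoded lines. The `conn ikev2-…` block starts before the hunk.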
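Review bot: Switching `EASYRSA_ALGO` to `rsa` leaves the key size at Easy-RSA's `EASYRSA_KEY_SIZE` default (2048 in the stock vars file, as far as I recall), which this branch does not pin; if the project wants a specific RSA size it belongs next to the algorithm, e.g. `set_var EASYRSA_KEY_SIZE 2048` inside the same `{% if %}`. As a point of style, the condition `Win10_Enabled is defined and Win10_Enabled == "Y"` is repeated verbatim in all five templates; computing it once as a boolean variable in the playbook and testing that would keep the templates consistent if the flag's spelling ever changes.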
@@ -7,6 +7,14 @@ conn %default
 {{ key }}={{ value }}
 {% endfor %}
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+ esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+{% else %}
+ ike=aes128gcm16-sha2_256-prfsha256-ecp256
+ esp=aes128gcm16-sha2_256-ecp256
+{% endif %}
+
 left=%any
 leftauth=pubkey
 leftid={{ IP_subject_alt_name }}
diff --git a/roles/vpn/templates/ipsec.secrets.j2 b/roles/vpn/templates/ipsec.secrets.j2
index d5793ae..2226f04 100644
--- a/roles/vpn/templates/ipsec.secrets.j2
+++ b/roles/vpn/templates/ipsec.secrets.j2
@@ -1,2 +1,5 @@
+{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
+: RSA {{ IP_subject_alt_name }}.key
+{% else %}
 : ECDSA {{ IP_subject_alt_name }}.key
-
+{% endif %}
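Review bot: The Windows proposal set is written into `conn %default`, so once the option is on every conn on the server — not only the one Windows peers use — will accept `aes256-sha1-modp1024` for the child SA (SHA-1 integrity and a 1024-bit MODP group); strongSwan as responder takes the first proposal it supports from the peer's list, so any client that offers the weak suite first gets it. To confine the exposure I would keep `conn %default` on the strict GCM/ECP suite and put the two weaker `ike=`/`esp=` lines in a dedicated conn used only for Windows clients, which also keeps the `{% else %}` branch free of the weaker algorithms. The `!` on the Windows branch is right and should stay. The `conn %default` block starts before the hunk.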