wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 15:43:54 +02:00
Code Issues Projects Releases Wiki Activity

Windows RSA support #9

Browse source
This commit is contained in:
Jack Ivanov 2016-11-27 01:37:17 +03:00
parent d708750bd1
commit 2cb98b4516
7 changed files with 34 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
algo
View file

@ -55,6 +55,12 @@ Do you want to enable VPN always when connected to the cellular network?
OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n} OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n}
if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi
read -p "
Do you want to enable VPN for Windows 10 clients? (Will use insecure algorithms and ciphers)
[y/N]: " -r Win10_Enabled
Win10_Enabled=${Win10_Enabled:-n}
if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi
} }
deploy () { deploy () {

2
config.cfg
View file

@ -59,8 +59,6 @@ ipsec_config:
dpddelay: '35s' dpddelay: '35s'
rekey: 'no' rekey: 'no'
keyexchange: 'ikev2' keyexchange: 'ikev2'
ike: 'aes128gcm16-sha2_256-prfsha256-ecp256!'
esp: 'aes128gcm16-sha2_256-ecp256!'
compress: 'yes' compress: 'yes'
fragmentation: 'yes' fragmentation: 'yes'

8
roles/vpn/templates/client_ipsec.conf.j2
View file

@ -3,6 +3,14 @@ conn ikev2-{{ IP_subject_alt_name }}
{{ key }}={{ value }} {{ key }}={{ value }}
{% endfor %} {% endfor %}
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
{% else %}
ike=aes128gcm16-sha2_256-prfsha256-ecp256
esp=aes128gcm16-sha2_256-ecp256
{% endif %}
right={{ IP_subject_alt_name }} right={{ IP_subject_alt_name }}
rightid={{ IP_subject_alt_name }} rightid={{ IP_subject_alt_name }}
rightsubnet=0.0.0.0/0 rightsubnet=0.0.0.0/0

5
roles/vpn/templates/client_ipsec.secrets.j2
View file

@ -1,2 +1,5 @@
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
{{ IP_subject_alt_name }} : RSA {{ IP_subject_alt_name }}_{{ item }}.key
{% else %}
{{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key {{ IP_subject_alt_name }} : ECDSA {{ IP_subject_alt_name }}_{{ item }}.key
{% endif %}

4
roles/vpn/templates/easy-rsa.vars.j2
View file

@ -102,7 +102,11 @@ set_var EASYRSA_DN "cn_only"
# * rsa # * rsa
# * ec # * ec
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
set_var EASYRSA_ALGO rsa
{% else %}
set_var EASYRSA_ALGO ec set_var EASYRSA_ALGO ec
{% endif %}
# Define the named curve, used in ec mode only: # Define the named curve, used in ec mode only:

8
roles/vpn/templates/ipsec.conf.j2
View file

@ -7,6 +7,14 @@ conn %default
{{ key }}={{ value }} {{ key }}={{ value }}
{% endfor %} {% endfor %}
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
{% else %}
ike=aes128gcm16-sha2_256-prfsha256-ecp256
esp=aes128gcm16-sha2_256-ecp256
{% endif %}
left=%any left=%any
leftauth=pubkey leftauth=pubkey
leftid={{ IP_subject_alt_name }} leftid={{ IP_subject_alt_name }}

5
roles/vpn/templates/ipsec.secrets.j2
View file

@ -1,2 +1,5 @@
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
: RSA {{ IP_subject_alt_name }}.key
{% else %}
: ECDSA {{ IP_subject_alt_name }}.key : ECDSA {{ IP_subject_alt_name }}.key
{% endif %}