diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml
index 8df08cc..5c6a1f6 100644
--- a/roles/cloud-gce/tasks/main.yml
+++ b/roles/cloud-gce/tasks/main.yml
@@ -19,7 +19,7 @@
credentials_file: "{{ credentials_file_path }}"
project_id: "{{ project_id }}"
metadata: '{"ssh-keys":"ubuntu:{{ ssh_public_key_lookup }}"}'
- ip_forward: true
+ # ip_forward: true
tags:
- "environment-algo"
register: google_vm
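Review bot: Commenting out `ip_forward: true` on L10 leaves dead configuration in place rather than recording a decision; the reader cannot tell whether the GCE can-IP-forward flag was found unnecessary or was dropped by accident. If client traffic is masqueraded behind the instance's own address (which is what would make the flag redundant, though that is not visible in this hunk), delete the line and say so with a comment such as `# ip_forward not required: VPN client traffic is NATed to the instance address`; otherwise restore it, since a VPN host that forwards packets with foreign source addresses would be silently dropped by the VPC without it. The task this belongs to starts before the hunk.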
diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
index cc3ee72..db31281 100644
--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@@ -19,3 +19,11 @@ strongswan_enabled_plugins:
- socket-default
- stroke
- x509
+
+ciphers:
+ defaults:
+ ike: aes128gcm16-sha2_512-prfsha512-ecp256!
+ esp: aes128gcm16-sha2_512-ecp256!
+ compat:
+ ike: aes128-sha2_512-prfsha512-ecp256,aes128gcm16-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048!
+ esp: aes128-sha2_512-ecp256,aes128gcm16-sha2_512-ecp256,aes128-sha2_256-modp2048!
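Review bot: The `compat` lists on L28-L29 place the AES-128-CBC/SHA-512 suite ahead of the AES-128-GCM suite that `defaults` treats as the preferred one, so a peer that supports both may end up on the non-AEAD suite depending on whose proposal order wins selection. Listing the GCM entry first and keeping the modp2048 entry last as the Windows-only fallback avoids that: `ike: aes128gcm16-sha2_512-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048!` and `esp: aes128gcm16-sha2_512-ecp256,aes128-sha2_512-ecp256,aes128-sha2_256-modp2048!`. Each entry also deserves a one-line comment naming the client it exists for, and the file should warn that overriding `ciphers` from a vars file replaces the whole mapping (Ansible does not deep-merge by default), so both `defaults` and `compat` must be supplied together.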
diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
index ffdbcc8..8a12d7d 100644
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@@ -7,11 +7,11 @@ conn ikev2-{{ IP_subject_alt_name }}
dpddelay=35s
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
- ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
- esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+ ike={{ ciphers.compat.ike }}
+ esp={{ ciphers.compat.esp }}
{% else %}
- ike=aes128gcm16-sha2_256-prfsha256-ecp256
- esp=aes128gcm16-sha2_256-ecp256
+ ike={{ ciphers.defaults.ike }}
+ esp={{ ciphers.defaults.esp }}
{% endif %}
right={{ IP_subject_alt_name }}
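Review bot: The strongSwan client profile on L39-L40 is switched to the `compat` proposal list whenever the server is in Win10 mode, yet this client never needs the CBC or modp2048 entries; as far as the defaults in this commit show, the server's compat list still contains the same GCM/ecp256 suite as `defaults`, so a client offering only `ciphers.defaults` would still negotiate. Using `ike={{ ciphers.defaults.ike }}` and `esp={{ ciphers.defaults.esp }}` unconditionally here keeps strongSwan clients on the AEAD suite regardless of server mode and removes the branch. The `conn` block this sits in starts before the hunk.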
diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2
index aa5b708..4df2297 100644
--- a/roles/vpn/templates/client_windows.ps1.j2
+++ b/roles/vpn/templates/client_windows.ps1.j2
@@ -1,3 +1,3 @@
certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ item }}.p12
Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
-Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
+Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
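Review bot: The rewritten line on L56 keeps `-PfsGroup none` while the server-side compat ESP proposal introduced in this commit names `modp2048` with a strict `!` marker, so CHILD_SA rekeys from the Windows client may be refused or, if accepted, proceed without forward secrecy. Setting `-PfsGroup PFS2048` would match the modp2048 group the server advertises and the `-DHGroup Group14` already used for the IKE SA; whether strongSwan actually rejects a DH-less rekey under this configuration is inferred, not visible here, and is worth a test. A short comment such as `# AES128-CBC/SHA256/DH14: the only combination the native Windows client offers` would document why these transforms differ from the `defaults` list.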
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index 1b3aa7f..03211b9 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@@ -11,11 +11,11 @@ conn %default
dpddelay=35s
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
- ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
- esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
+ ike={{ ciphers.compat.ike }}
+ esp={{ ciphers.compat.esp }}
{% else %}
- ike=aes128gcm16-sha2_256-prfsha256-ecp256!
- esp=aes128gcm16-sha2_256-ecp256!
+ ike={{ ciphers.defaults.ike }}
+ esp={{ ciphers.defaults.esp }}
{% endif %}
left=%any
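Review bot: The new `compat` branch on L66-L67 widens the server's accepted proposals for every client, not just Windows, but nothing in the template says why the weaker suites are admitted or which client requires them. A Jinja comment above the branch, such as `{# compat adds AES-CBC and modp2048 for the native Windows client (see client_windows.ps1.j2); enable only when Windows clients are deployed #}`, would let a later maintainer judge whether the branch is still needed. The `conn %default` block continues beyond the hunk.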
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
index c48bc1b..e954845 100644
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@@ -60,7 +60,7 @@
EncryptionAlgorithm
AES-128-GCM
IntegrityAlgorithm
- SHA2-256
+ SHA2-512
LifeTimeInMinutes
20
@@ -81,7 +81,7 @@
EncryptionAlgorithm
AES-128-GCM
IntegrityAlgorithm
- SHA2-256
+ SHA2-512
LifeTimeInMinutes
20