From 56a72e5af20124959ad4145c7db88ef1891d5f9e Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Tue, 11 Apr 2017 22:08:03 +0200
Subject: [PATCH] New ciphers implementing #247 (#352)

Switches to SHA2_512_256 HMAC integrity algorithm and adds cipher compatibility for other platforms.
---
 roles/cloud-gce/tasks/main.yml            | 2 +-
 roles/vpn/defaults/main.yml               | 8 ++++++++
 roles/vpn/templates/client_ipsec.conf.j2  | 8 ++++----
 roles/vpn/templates/client_windows.ps1.j2 | 2 +-
 roles/vpn/templates/ipsec.conf.j2         | 8 ++++----
 roles/vpn/templates/mobileconfig.j2       | 4 ++--
 6 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml
index 8df08cc..5c6a1f6 100644
--- a/roles/cloud-gce/tasks/main.yml
+++ b/roles/cloud-gce/tasks/main.yml
@@ -19,7 +19,7 @@
     credentials_file: "{{ credentials_file_path }}"
     project_id: "{{ project_id }}"
     metadata: '{"ssh-keys":"ubuntu:{{ ssh_public_key_lookup }}"}'
-    ip_forward: true
+    # ip_forward: true
     tags:
       - "environment-algo"
   register: google_vm
diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
index cc3ee72..db31281 100644
--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@@ -19,3 +19,11 @@ strongswan_enabled_plugins:
   - socket-default
   - stroke
   - x509
+
+ciphers:
+  defaults:
+    ike: aes128gcm16-sha2_512-prfsha512-ecp256!
+    esp: aes128gcm16-sha2_512-ecp256!
+  compat:
+    ike: aes128-sha2_512-prfsha512-ecp256,aes128gcm16-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048!
+    esp: aes128-sha2_512-ecp256,aes128gcm16-sha2_512-ecp256,aes128-sha2_256-modp2048!
diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
index ffdbcc8..8a12d7d 100644
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
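Review bot: `# ip_forward: true` leaves a commented-out module parameter in the gce task with no explanation, and the commit message (which only describes cipher changes) does not mention it either. If the parameter is no longer wanted, delete the line; if it is being disabled on purpose, replace it with a comment that states the reason, e.g. `# ip_forward deliberately left unset: <reason> — confirm NAT-based forwarding still works without it`. As written, a reader cannot tell whether turning off GCE IP forwarding was meant to accompany the cipher work or slipped in by accident.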
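Review bot: The new `ciphers` mapping carries no comment saying which clients each proposal set is for, and in both `compat` strings the CBC+HMAC entry (`aes128-sha2_512-…`) is listed before the AEAD entry (`aes128gcm16-…`). Since the same `compat` strings are rendered into the client `ipsec.conf` as well as the server's when `Win10_Enabled == "Y"`, a strongSwan client given the compat set will offer the non-AEAD proposal first; if that ordering is not intended, move the `aes128gcm16` entry to the front of both strings. Either way, document the intent above the mapping, for example `# defaults: AEAD-only proposals; compat: additionally accepts CBC+HMAC and modp2048, presumably for Windows 10 clients`. The trailing `!` makes every set strict, so anything not listed is rejected outright — worth stating in that comment too.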
@@ -7,11 +7,11 @@ conn ikev2-{{ IP_subject_alt_name }}
   dpddelay=35s
 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-  ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-  esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+  ike={{ ciphers.compat.ike }}
+  esp={{ ciphers.compat.esp }}
 {% else %}
-  ike=aes128gcm16-sha2_256-prfsha256-ecp256
-  esp=aes128gcm16-sha2_256-ecp256
+  ike={{ ciphers.defaults.ike }}
+  esp={{ ciphers.defaults.esp }}
 {% endif %}
   right={{ IP_subject_alt_name }}
diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2
index aa5b708..4df2297 100644
--- a/roles/vpn/templates/client_windows.ps1.j2
+++ b/roles/vpn/templates/client_windows.ps1.j2
@@ -1,3 +1,3 @@
 certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ item }}.p12
 Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
-Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
+Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index 1b3aa7f..03211b9 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
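Review bot: The `{% else %}` branch now renders `ike={{ ciphers.defaults.ike }}` and `esp={{ ciphers.defaults.esp }}`, both of which end in `!`, while the removed `ike=aes128gcm16-sha2_256-prfsha256-ecp256` / `esp=aes128gcm16-sha2_256-ecp256` lines carried no strict marker; the generated client config therefore becomes strict where it was not before. That is probably the intended hardening, but it is a behaviour change for regenerated client configs that neither this hunk nor the commit message calls out, so it deserves a comment next to `ciphers.defaults` in `roles/vpn/defaults/main.yml` or a sentence in the description. The `conn ikev2-…` block starts before this hunk, and the hunk header counts 11 lines while only 9 are visible here, so some context may be missing from this view.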
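Review bot: The rewritten `Set-VpnConnectionIPsecConfiguration` line keeps `-IntegrityCheckMethod SHA256 -DHGroup Group14`, so the only `ciphers.compat` entry it appears able to negotiate is the last one (`aes128-sha2_256-prfsha256-modp2048` / `aes128-sha2_256-modp2048`, Group14 being modp2048); the `sha2_512` entries the commit message advertises never apply to this client. If that is deliberate, add a comment above the line noting that the Windows profile is pinned to the SHA2-256/modp2048 fallback so nobody removes that entry from `compat` later; if not, this cmdlet and the compat strings should be brought into agreement. `-PfsGroup none` also means the client proposes no DH group on CHILD_SA rekey, which is worth confirming against a strict (`!`) ESP proposal that lists `modp2048`.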
@@ -11,11 +11,11 @@ conn %default
   dpddelay=35s
 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-  ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-  esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
+  ike={{ ciphers.compat.ike }}
+  esp={{ ciphers.compat.esp }}
 {% else %}
-  ike=aes128gcm16-sha2_256-prfsha256-ecp256!
-  esp=aes128gcm16-sha2_256-ecp256!
+  ike={{ ciphers.defaults.ike }}
+  esp={{ ciphers.defaults.esp }}
 {% endif %}
   left=%any
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
index c48bc1b..e954845 100644
--- a/roles/vpn/templates/mobileconfig.j2
+++ b/roles/vpn/templates/mobileconfig.j2
@@ -60,7 +60,7 @@
         EncryptionAlgorithm
         AES-128-GCM
         IntegrityAlgorithm
-        SHA2-256
+        SHA2-512
         LifeTimeInMinutes
         20
@@ -81,7 +81,7 @@
         EncryptionAlgorithm
         AES-128-GCM
         IntegrityAlgorithm
-        SHA2-256
+        SHA2-512
         LifeTimeInMinutes
         20
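Review bot: The `Win10_Enabled` check sits in `conn %default`, so once it is `"Y"` the server accepts the entire `ciphers.compat` set — including the CBC+HMAC and modp2048 fallbacks — from every client, not only the Windows ones; the hunk does not make that trade-off visible. A Jinja comment above the condition, such as `{# compat proposals apply to ALL clients once Win10_Enabled == "Y"; defaults are AEAD-only #}`, would make it explicit for anyone tuning the cipher lists later. The `conn %default` block continues outside this hunk, and the header counts 11 lines while only 9 are visible here, so some context may be missing from this view.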