New ciphers implementing #247

2025-09-05 03:23:14 +02:00 · 2017-04-05 17:32:59 +02:00 · 2017-04-05 17:32:59 +02:00 · 92b07aa6f0
commit 92b07aa6f0
parent b06524d3e0
3 changed files with 19 additions and 8 deletions
--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@ -19,3 +19,14 @@ strongswan_enabled_plugins:
  - socket-default
  - stroke
  - x509
+
+ciphers:
+  old:
+    ike: aes128gcm16-sha2_256-prfsha256-ecp256!
+    esp: aes128gcm16-sha2_256-ecp256!
+  defaults:
+    ike: aes192gcm16-prfsha512-ecp521!
+    esp: aes192gcm16-ecp521!
+  windows:
+    ike: aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+    esp: aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@ -7,11 +7,11 @@ conn ikev2-{{ IP_subject_alt_name }}
    dpddelay=35s

 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-    esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+    ike={{ ciphers.windows.ike }}
+    esp={{ ciphers.windows.esp }}
 {% else %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256
-    esp=aes128gcm16-sha2_256-ecp256
+    ike={{ ciphers.defaults.ike }}
+    esp={{ ciphers.defaults.esp }}
 {% endif %}

    right={{ IP_subject_alt_name }}
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
@ -11,11 +11,11 @@ conn %default
    dpddelay=35s

 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-    esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
+    ike={{ ciphers.windows.ike }}
+    esp={{ ciphers.windows.esp }}
 {% else %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
-    esp=aes128gcm16-sha2_256-ecp256!
+    ike={{ ciphers.defaults.ike }}
+    esp={{ ciphers.defaults.esp }}
 {% endif %}

    left=%any