diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
index cc3ee72a..90cc7aa6 100644
--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@@ -19,3 +19,14 @@ strongswan_enabled_plugins:
   - socket-default
   - stroke
   - x509
+
+ciphers:
+  old:
+    ike: aes128gcm16-sha2_256-prfsha256-ecp256!
+    esp: aes128gcm16-sha2_256-ecp256!
+  defaults:
+    ike: aes192gcm16-prfsha512-ecp521!
+    esp: aes192gcm16-ecp521!
+  windows:
+    ike: aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+    esp: aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
index ffdbcc89..2df16053 100644
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@@ -7,11 +7,11 @@ conn ikev2-{{ IP_subject_alt_name }}
   dpddelay=35s
   {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-  ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-  esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+  ike={{ ciphers.windows.ike }}
+  esp={{ ciphers.windows.esp }}
   {% else %}
-  ike=aes128gcm16-sha2_256-prfsha256-ecp256
-  esp=aes128gcm16-sha2_256-ecp256
+  ike={{ ciphers.defaults.ike }}
+  esp={{ ciphers.defaults.esp }}
   {% endif %}
   right={{ IP_subject_alt_name }}
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index 1b3aa7f5..32baddfb 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
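Review bot: The new `ciphers` mapping carries no comment, and its `old` entry is not referenced by either template in this commit, so a reader cannot tell whether `old` is a fallback meant to be assigned over `defaults` in an inventory or simply dead configuration. A header above `ciphers:` along the lines of `# strongSwan IKE/ESP proposal sets: 'defaults' for current clients, 'windows' adds a non-AEAD/modp2048 fallback for the Windows 10 built-in client, 'old' kept for <reason>` with one line per key naming the template branch that consumes it would settle this. Since this is a role defaults file these are lowest-precedence Ansible variables, and an inventory override replaces the whole nested value rather than merging a single key, which is worth stating in the same comment. The `windows` and `old` proposals also pair an AEAD transform with an explicit integrity algorithm (`aes128gcm16-sha2_256-...`) while `defaults` does not; I believe strongSwan treats that combination differently for IKE and ESP, so confirm the intended meaning before documenting it.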
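Review bot: The non-Windows branch changes the client's negotiation behaviour beyond the refactor: the removed `ike=`/`esp=` lines had no trailing `!`, whereas `ciphers.defaults.ike` and `ciphers.defaults.esp` in the new role defaults end with `!`, and the algorithms move from aes128gcm16/ecp256 to aes192gcm16/prfsha512/ecp521. A client whose IPsec stack lacks ecp521 or aes192gcm16 (plausible on some older mobile builds, though I have not verified which) could previously still negotiate because the non-strict list let the responder choose, but with one strict proposal on both sides it will now fail to negotiate. If the strengthening is intended, say so in the commit message or in the template, e.g. `{# strict (!) single proposal; must match ciphers.defaults on the server #}` above the `{% else %}` branch; otherwise the client proposal should come from a separate, non-strict variable. The enclosing `conn ikev2-{{ IP_subject_alt_name }}` section starts and ends outside this hunk.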
@@ -11,11 +11,11 @@ conn %default
   dpddelay=35s
   {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-  ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-  esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
+  ike={{ ciphers.windows.ike }}
+  esp={{ ciphers.windows.esp }}
   {% else %}
-  ike=aes128gcm16-sha2_256-prfsha256-ecp256!
-  esp=aes128gcm16-sha2_256-ecp256!
+  ike={{ ciphers.defaults.ike }}
+  esp={{ ciphers.defaults.esp }}
   {% endif %}
   left=%any
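Review bot: `ike={{ ciphers.windows.ike }}` and `esp={{ ciphers.windows.esp }}` are rendered into `conn %default`, so when `Win10_Enabled` is `Y` the CBC/modp2048 fallback in `ciphers.windows` is inherited by every conn section on the server, not only by Windows connections, unless a later conn overrides `ike`/`esp` (not visible here). That scoping is pre-existing, but moving the proposals into a variable named `windows` makes it easier to misread, since a reader of defaults/main.yml will assume the set is limited to Windows peers. A comment above the `{% if %}` such as `{# %default: when Win10_Enabled == "Y" the windows proposal set, including its non-AEAD fallback, applies to all conns #}` would make the actual scope explicit. The `conn %default` section starts outside this hunk.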