From 025387df916a00efdb08c848704ddff0e7f42e73 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Thu, 29 Sep 2022 22:52:40 -0500
Subject: [PATCH] Improve VPN ciphers

- Improve security by removing support for modp1024 (DH group 2), which is less secure and no longer enabled in Libreswan by default.
- The native VPN client on Android devices uses modp1024 for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change, Android users should instead connect using IKEv2 mode (recommended).
---
 extras/vpnupgrade_alpine.sh | 2 +-
 extras/vpnupgrade_amzn.sh | 2 +-
 extras/vpnupgrade_centos.sh | 2 +-
 extras/vpnupgrade_ubuntu.sh | 2 +-
 vpnsetup_alpine.sh | 2 +-
 vpnsetup_amzn.sh | 2 +-
 vpnsetup_centos.sh | 2 +-
 vpnsetup_ubuntu.sh | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/extras/vpnupgrade_alpine.sh b/extras/vpnupgrade_alpine.sh
index 05bf56b..66a1ffd 100755
--- a/extras/vpnupgrade_alpine.sh
+++ b/extras/vpnupgrade_alpine.sh
@@ -209,7 +209,7 @@ update_ikev2_script() {
 update_config() {
 bigecho "Updating VPN configuration..."
- IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
+ IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
 PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
 if uname -m | grep -qi '^arm'; then
 if ! modprobe -q sha512; then
diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh
index 19f1d7a..a2ddebd 100755
--- a/extras/vpnupgrade_amzn.sh
+++ b/extras/vpnupgrade_amzn.sh
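Review bot: The new `IKE_NEW` value drops modp1024 without telling the operator running the upgrade, so IKEv1 clients that only offer DH group 2 (the commit message names Android's built-in IPsec/L2TP and XAuth client) will stop connecting once the updated configuration is applied, with nothing in the script's output explaining why. update_config appears to rewrite the live /etc/ipsec.conf (its body continues past the hunk, so the write itself is not visible here), so a short notice next to the assignment would make the policy change visible at upgrade time, e.g. `bigecho "Note: modp1024 (DH group 2) is no longer offered; clients that require it must use IKEv2 mode."`. A comment on the assignment would also record the rationale for the next maintainer: `# modp1024 (DH group 2) removed: weak, and disabled in Libreswan by default`. The same change appears in the vpnupgrade_amzn.sh, vpnupgrade_centos.sh and vpnupgrade_ubuntu.sh hunks.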
@@ -203,7 +203,7 @@ update_ikev2_script() {
 update_config() {
 bigecho "Updating VPN configuration..."
- IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
+ IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
 PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
 dns_state=0
 DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index e511b75..ed1a74f 100755
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -255,7 +255,7 @@ update_ikev2_script() {
 update_config() {
 bigecho "Updating VPN configuration..."
- IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
+ IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
 PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
 dns_state=0
 DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
diff --git a/extras/vpnupgrade_ubuntu.sh b/extras/vpnupgrade_ubuntu.sh
index 97a87d8..77d380e 100755
--- a/extras/vpnupgrade_ubuntu.sh
+++ b/extras/vpnupgrade_ubuntu.sh
@@ -239,7 +239,7 @@ update_ikev2_script() {
 update_config() {
 bigecho "Updating VPN configuration..."
- IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
+ IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
 PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
 if uname -m | grep -qi '^arm'; then
 if ! modprobe -q sha512; then
diff --git a/vpnsetup_alpine.sh b/vpnsetup_alpine.sh
index 2030e2f..198fb34 100755
--- a/vpnsetup_alpine.sh
+++ b/vpnsetup_alpine.sh
@@ -337,7 +337,7 @@ conn shared
 dpdtimeout=300
 dpdaction=clear
 ikev2=never
- ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
 ikelifetime=24h
 salifetime=24h
diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh
index 81d71bb..a6de477 100755
--- a/vpnsetup_amzn.sh
+++ b/vpnsetup_amzn.sh
@@ -353,7 +353,7 @@ conn shared
 dpdtimeout=300
 dpdaction=clear
 ikev2=never
- ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
 ikelifetime=24h
 salifetime=24h
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index cfe1e4d..af8b34d 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -453,7 +453,7 @@ conn shared
 dpdtimeout=300
 dpdaction=clear
 ikev2=never
- ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
 ikelifetime=24h
 salifetime=24h
diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh
index 8d07010..cc42589 100755
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@@ -398,7 +398,7 @@ conn shared
 dpdtimeout=300
 dpdaction=clear
 ikev2=never
- ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
 ikelifetime=24h
 salifetime=24h
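Review bot: The new `ike=` line in `conn shared` no longer names any DH group, so the group IKEv1 clients end up negotiating is whatever the installed Libreswan build enables by default, which the commit message itself says differs between versions; for a security-sensitive setting that is worth pinning explicitly rather than inheriting. The removed line attached a group to every proposal, and the replacement could do the same with a stronger one, e.g. `aes256-sha2;modp2048` for each entry, so the policy is identical on every distribution these scripts target. A comment would also help, since the line is emitted into ipsec.conf where the visible `ikev2=never` keeps this conn IKEv1-only: `# DH group 2 (modp1024) intentionally omitted; IKEv1 clients that need it must move to IKEv2`. The block that emits this config starts and ends outside the hunk (the surrounding shell, presumably a heredoc, is not visible here). The same change appears in the vpnsetup_amzn.sh, vpnsetup_centos.sh and vpnsetup_ubuntu.sh hunks.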