From 102ccbc17de100d21a776fa7abb9f58b0cca5ff4 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sat, 5 May 2018 18:51:24 -0500
Subject: [PATCH] Clean up VPN ciphers

- Remove aes256-sha2_512
- Change sha2-truncbug to no for newer Android versions
- Fixes #303

---
 extras/vpnupgrade.sh | 4 ++--
 extras/vpnupgrade_centos.sh | 4 ++--
 vpnsetup.sh | 8 +++-----
 vpnsetup_centos.sh | 6 +++---
 4 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 783961d..9d81e59 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -161,8 +161,8 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
 fi
 
 # Update ipsec.conf for Libreswan 3.19 and newer
-IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
-PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
+IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
+PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
 if [ "$(uname -m | cut -c1-3)" = "arm" ]; then
 PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
 fi
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 6b4527c..61d9d39 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -165,8 +165,8 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
 # Update ipsec.conf for Libreswan 3.19 and newer
-IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512"
-PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
+IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
+PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
 sed -i".old-$(date +%F-%T)" \
 -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
 -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
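Review bot: After this change the `if [ "$(uname -m | cut -c1-3)" = "arm" ]; then` block at the end of the hunk assigns PHASE2_NEW what appears to be the exact value the new `+PHASE2_NEW=` line above it already holds (indentation is collapsed in this view, so the comparison is on the visible text), so the ARM override is now dead code. The commit removes the matching ARM workaround from vpnsetup.sh but leaves this one in extras/vpnupgrade.sh. Either delete the three-line `if … fi` block, or, if the ARM list is expected to diverge again, keep it with a comment such as `# ARM: kept separate from PHASE2_NEW above in case the lists diverge again` so the next reader does not assume it is an oversight.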
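Review bot: The upgrade script rewrites the ike/phase2alg lines to the new proposal list, but in the part of the `sed -i".old-$(date +%F-%T)"` command visible here nothing rewrites `sha2-truncbug=yes` to `no`, while vpnsetup.sh and vpnsetup_centos.sh in this same commit set `sha2-truncbug=no` for fresh installs. The sed continues past the hunk, so if no such rule exists further down, upgraded servers and freshly installed servers will use different ESP HMAC truncation and behave differently with the same clients; the same applies to extras/vpnupgrade.sh, whose sed is outside its hunk. If existing servers are meant to pick up the Android fix too, a rule in the style of the existing ones, `-e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/" \`, would keep both paths consistent; if the divergence is intentional, a comment saying so above the sed would prevent the question from coming up again.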
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 1733605..bfe9fcf 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -245,9 +245,9 @@ conn shared
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
- ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
- phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
- sha2-truncbug=yes
+ ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
+ phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
+ sha2-truncbug=no
 
 conn l2tp-psk
 auto=add
@@ -276,11 +276,9 @@ EOF
 
 # Workarounds for systems with ARM CPU (e.g. Raspberry Pi)
 # - Set "left" to private IP instead of "%defaultroute"
-# - Remove unsupported ESP algorithm
 if [ "$(uname -m | cut -c1-3)" = "arm" ]; then
 PRIVATE_IP=$(ip -4 route get 1 | awk '{print $NF;exit}')
 check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
- sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
 fi
 
 # Specify IPsec PSK
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index deb0e6a..f70157b 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -233,9 +233,9 @@ conn shared
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
- ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
- phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
- sha2-truncbug=yes
+ ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
+ phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
+ sha2-truncbug=no
 
 conn l2tp-psk
 auto=add
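Review bot: `sha2-truncbug=no` in the `conn shared` block changes SHA-2 ESP integrity truncation for every client of that connection, not only newer Android; a client that still expects the 96-bit truncation that `sha2-truncbug=yes` existed for will most likely still complete IKE and then pass no ESP traffic, which shows up as a "connected but no network" report that is hard to trace from the server log. Since there is no per-client switch here, a comment on that line in the generated ipsec.conf would help whoever gets that report, e.g. `# sha2-truncbug=no: RFC 4868 (128-bit) SHA-2 truncation; legacy clients expecting 96-bit truncation connect but pass no traffic`. The same change appears in the vpnsetup_centos.sh hunk and the same comment applies there. Separately, with aes256-sha2_512 removed the new `ike=` and `phase2alg=` lists offer no AES-256 or SHA-512 proposal while still listing 3des-sha1 and modp1024; if that is deliberate for legacy-client compatibility, a short comment above the heredoc (which starts outside this hunk) saying so would keep the list from being "fixed" later without knowing the history.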