From f58afbc84ba421216ca2615d3e3654902e9a1852 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Wed, 12 Apr 2017 10:17:08 -0500 Subject: [PATCH] Update VPN ciphers - Add aes256-sha2_512 to the list of allowed ciphers - Required for Android 7.1.x and (possibly) Chromebook --- docs/ikev2-howto-zh.md | 4 ++-- docs/ikev2-howto.md | 4 ++-- extras/vpnupgrade.sh | 4 ++-- extras/vpnupgrade_centos.sh | 4 ++-- vpnsetup.sh | 4 ++-- vpnsetup_centos.sh | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md index d17f595..9f2c93a 100644 --- a/docs/ikev2-howto-zh.md +++ b/docs/ikev2-howto-zh.md @@ -55,8 +55,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来 ikev2=insist rekey=no fragmentation=yes - ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024 - phase2alg=3des-sha1,aes-sha1,aes-sha2 + ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512 + phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512 EOF ``` diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md index 4e49b7a..17ca30a 100644 --- a/docs/ikev2-howto.md +++ b/docs/ikev2-howto.md @@ -55,8 +55,8 @@ Before continuing, make sure you have successfully /dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null # Update ipsec.conf for Libreswan 3.19 and newer -IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024" -PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2" +IKE_NEW=" ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512" +PHASE2_NEW=" phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512" sed -i".old-$(date +%Y-%m-%d-%H:%M:%S)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \ diff --git a/vpnsetup.sh b/vpnsetup.sh index e5d60cb..4265158 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh 
@@ -228,8 +228,8 @@ conn shared
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
- ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
- phase2alg=3des-sha1,aes-sha1,aes-sha2
+ ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
+ phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512
 sha2-truncbug=yes
 conn l2tp-psk
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 2e6ee3c..bf6eaad 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -212,8 +212,8 @@ conn shared
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
- ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
- phase2alg=3des-sha1,aes-sha1,aes-sha2
+ ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024,aes256-sha2_512
+ phase2alg=3des-sha1,aes-sha1,aes-sha2,aes256-sha2_512
 sha2-truncbug=yes
 conn l2tp-psk
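Review bot: The new `ike=` and `phase2alg=` lines in vpnsetup.sh still list `3des-sha1` and the `;modp1024` variants, so those weaker proposals remain available after this change, and nothing records which clients they are kept for. The identical hunk in vpnsetup_centos.sh has the same gap. The added entry is also the only one written without a `;modp1024` sibling, which looks deliberate but is not explained. I would add a comment in the script just above the block that writes this config, for example `# ike/phase2alg: aes256-sha2_512 is required by Android 7.1.x; 3des, sha1 and modp1024 entries are kept only for legacy clients`. The `conn shared` block starts above the hunk, so where that comment can go (presumably outside a here-document) needs checking against the full file.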