Merge 5109463aea into 6e16b9853e

Update docs
Improve VPN ciphers
2024-06-03 20:45:47 +02:00 · 2023-12-10 11:51:16 -07:00 · 2023-12-09 23:57:33 -06:00 · 2023-12-09 23:39:07 -06:00 · 2022-12-18 07:26:52 +01:00
3 changed files with 171 additions and 82 deletions
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -570,48 +570,45 @@ sudo chmod 600 ca.cer client.cer client.key

 macOS 14 (Sonoma) 存在[一个小问题](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486)，可能会导致 IKEv2 VPN 每 24-48 分钟断开并重新连接一次。其他 macOS 版本不受影响。首先[检查你的 macOS 版本](https://support.apple.com/zh-cn/HT201260)。要解决此问题，请按以下步骤操作。

-**注：** 应用此解决方案后，更新后的 VPN 服务器配置可能不适用于 Windows 或 Android 客户端。对于这些客户端，你可能需要在 `ikev2.conf` 中将 `pfs=yes` 更改回 `pfs=no`，然后运行 `service ipsec restart` 或重启 Docker 容器。
+**注：** 如果你在 2023 年 12 月 10 日之后安装了 IPsec VPN，则无需执行任何操作，因为已经包含以下修复。

-1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。首先将 `pfs=no` 替换为 `pfs=yes`。然后找到这些行 `ike=...` 和 `phase2alg=...`，并将它们替换为以下内容，开头必须空两格：
+1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。找到这一行：
   ```
-     ike=aes256-sha2_256;dh19,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
-     phase2alg=aes256-sha2_256,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+   ```
+   并将它替换为以下内容：
+   ```
+     ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
   ```
   **注：** Docker 用户需要首先[在容器中运行 Bash shell](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage-zh.md#在容器中运行-bash-shell)。
 1. 保存文件并运行 `service ipsec restart`。Docker 用户：在下面的第 4 步之后退出 (`exit`) 容器并运行 `docker restart ipsec-vpn-server`。
 1. 编辑 VPN 服务器上的 `/opt/src/ikev2.sh`。找到以下部分并将其替换为这些新值：
   ```
-           <key>ChildSecurityAssociationParameters</key>
-           <dict>
-             <key>DiffieHellmanGroup</key>
-             <integer>19</integer>
-             <key>EncryptionAlgorithm</key>
-             <string>AES-256</string>
-             <key>IntegrityAlgorithm</key>
-             <string>SHA2-256</string>
-             <key>LifeTimeInMinutes</key>
-             <integer>1410</integer>
-           </dict>
+     <key>ChildSecurityAssociationParameters</key>
+     <dict>
+       <key>DiffieHellmanGroup</key>
+       <integer>19</integer>
+       <key>EncryptionAlgorithm</key>
+       <string>AES-256-GCM</string>
+       <key>LifeTimeInMinutes</key>
+       <integer>1410</integer>
+     </dict>
   ```
   ```
-           <key>EnablePFS</key>
-           <integer>1</integer>
+     <key>IKESecurityAssociationParameters</key>
+     <dict>
+       <key>DiffieHellmanGroup</key>
+       <integer>19</integer>
+       <key>EncryptionAlgorithm</key>
+       <string>AES-256-GCM</string>
+       <key>IntegrityAlgorithm</key>
+       <string>SHA2-256</string>
+       <key>LifeTimeInMinutes</key>
+       <integer>1410</integer>
+     </dict>
   ```
-   ```
-           <key>IKESecurityAssociationParameters</key>
-           <dict>
-             <key>DiffieHellmanGroup</key>
-             <integer>19</integer>
-             <key>EncryptionAlgorithm</key>
-             <string>AES-256</string>
-             <key>IntegrityAlgorithm</key>
-             <string>SHA2-256</string>
-             <key>LifeTimeInMinutes</key>
-             <integer>1410</integer>
-           </dict>
-   ```
-1. 运行 `sudo ikev2.sh` 为你的每个 macOS 和 iOS (iPhone/iPad) 设备导出（或添加）更新后的客户端配置文件。
-1. 从你的 macOS 和 iOS 设备中移除之前导入的 IKEv2 配置文件（如果有），然后导入更新后的 `.mobileconfig` 文件。请参阅[配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。Docker 用户请看[配置并使用 IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)。
+1. 运行 `sudo ikev2.sh` 为你的每个 macOS 设备导出（或添加）更新后的客户端配置文件。
+1. 从你的 macOS 设备中移除之前导入的 IKEv2 配置文件（如果有），然后导入更新后的 `.mobileconfig` 文件。请参阅[配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)。Docker 用户请看[配置并使用 IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README-zh.md#配置并使用-ikev2-vpn)。

 ### 无法连接多个 IKEv2 客户端

@ -1017,7 +1014,7 @@ To customize IKEv2 or client options, run this script without arguments.
     ikev2=insist
     rekey=no
     pfs=no
-     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+     ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
     phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
     ikelifetime=24h
     salifetime=24h
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -572,48 +572,45 @@ For servers with an external firewall (e.g. [EC2](https://docs.aws.amazon.com/AW

 macOS 14 (Sonoma) has [a minor issue](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1486) that may cause IKEv2 VPN to disconnect and reconnect once every 24-48 minutes. Other macOS versions are not affected. First [check your macOS version](https://support.apple.com/en-us/HT201260). To work around this issue, follow the steps below.

-**Note:** After applying this workaround, the updated VPN server configuration may not work with Windows or Android clients. For those clients, you may need to change `pfs=yes` back to `pfs=no` in `ikev2.conf`, then run `service ipsec restart` or restart the Docker container.
+**Note:** If you installed IPsec VPN after December 10, 2023, no action is required because the following fixes are already included.

-1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. First change `pfs=no` to `pfs=yes`. Then find the lines `ike=...` and `phase2alg=...`, and replace them with the following, indented by two spaces:
+1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. Find the line:
   ```
-     ike=aes256-sha2_256;dh19,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
-     phase2alg=aes256-sha2_256,aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+   ```
+   and replace it with the following:
+   ```
+     ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
   ```
   **Note:** Docker users should first [open a Bash shell inside the container](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#bash-shell-inside-container).
 1. Save the file and run `service ipsec restart`. Docker users: After step 4 below, `exit` the container and run `docker restart ipsec-vpn-server`.
 1. Edit `/opt/src/ikev2.sh` on the VPN server. Find and replace the following sections with these new values:
   ```
-           <key>ChildSecurityAssociationParameters</key>
-           <dict>
-             <key>DiffieHellmanGroup</key>
-             <integer>19</integer>
-             <key>EncryptionAlgorithm</key>
-             <string>AES-256</string>
-             <key>IntegrityAlgorithm</key>
-             <string>SHA2-256</string>
-             <key>LifeTimeInMinutes</key>
-             <integer>1410</integer>
-           </dict>
+     <key>ChildSecurityAssociationParameters</key>
+     <dict>
+       <key>DiffieHellmanGroup</key>
+       <integer>19</integer>
+       <key>EncryptionAlgorithm</key>
+       <string>AES-256-GCM</string>
+       <key>LifeTimeInMinutes</key>
+       <integer>1410</integer>
+     </dict>
   ```
   ```
-           <key>EnablePFS</key>
-           <integer>1</integer>
+     <key>IKESecurityAssociationParameters</key>
+     <dict>
+       <key>DiffieHellmanGroup</key>
+       <integer>19</integer>
+       <key>EncryptionAlgorithm</key>
+       <string>AES-256-GCM</string>
+       <key>IntegrityAlgorithm</key>
+       <string>SHA2-256</string>
+       <key>LifeTimeInMinutes</key>
+       <integer>1410</integer>
+     </dict>
   ```
-   ```
-           <key>IKESecurityAssociationParameters</key>
-           <dict>
-             <key>DiffieHellmanGroup</key>
-             <integer>19</integer>
-             <key>EncryptionAlgorithm</key>
-             <string>AES-256</string>
-             <key>IntegrityAlgorithm</key>
-             <string>SHA2-256</string>
-             <key>LifeTimeInMinutes</key>
-             <integer>1410</integer>
-           </dict>
-   ```
-1. Run `sudo ikev2.sh` to export (or add) updated client config files for each macOS and iOS (iPhone/iPad) device you have.
-1. Remove the previously imported IKEv2 profile (if any) from your macOS and iOS device(s), then import the updated `.mobileconfig` file(s). See [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Docker users, see [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn).
+1. Run `sudo ikev2.sh` to export (or add) updated client config files for each macOS device you have.
+1. Remove the previously imported IKEv2 profile (if any) from your macOS device(s), then import the updated `.mobileconfig` file(s). See [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients). Docker users, see [Configure and use IKEv2 VPN](https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/README.md#configure-and-use-ikev2-vpn).

 ### Unable to connect multiple IKEv2 clients

@ -1019,7 +1016,7 @@ View example steps for manually configuring IKEv2 with Libreswan.
     ikev2=insist
     rekey=no
     pfs=no
-     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+     ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
     phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
     ikelifetime=24h
     salifetime=24h
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@ -157,7 +157,7 @@ confirm_or_abort() {
 show_header() {
 cat <<'EOF'

-IKEv2 Script   Copyright (c) 2020-2023 Lin Song   11 Aug 2023
+IKEv2 Script   Copyright (c) 2020-2023 Lin Song   9 Dec 2023

 EOF
 }
@ -353,7 +353,7 @@ show_start_setup() {
  op_text=default
  if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] \
    || [ -n "$VPN_DNS_SRV1" ] || [ -n "$VPN_PROTECT_CONFIG" ] \
-    || [ -n "$VPN_CLIENT_VALIDITY" ]; then
+    || [ -n "$VPN_CLIENT_VALIDITY" ] || [ -n "$VPN_IKEV2_USER_CERTS" ]; then
    op_text=custom
  fi
  bigecho "Starting IKEv2 setup in auto mode, using $op_text options."
@ -652,6 +652,58 @@ EOF
  fi
 }

+check_use_user_cert() {
+  if [ "$use_user_certs" = 1 ]; then
+cat <<'EOF'
+
+'--usercert' argument passed: using certs in $USER_CERTS_DIR
+
+EOF
+  else
+    case $VPN_IKEV2_USER_CERTS in
+      [yY][eE][sS])
+        use_user_certs=1
+cat <<'EOF'
+
+'VPN_IKEV2_USER_CERTS' set to YES: using certs in $USER_CERTS_DIR
+
+EOF
+        ;;
+      *)
+        if grep -qs '^IKEV2_USER_CERTS=.\+' "$CONF_FILE"; then
+          use_user_certs=1
+cat <<'EOF'
+
+'IKEV2_USER_CERTS' set to YES in "$CONF_FILE": using certs in $USER_CERTS_DIR
+
+EOF
+        fi
+        ;;
+    esac
+  fi
+
+# expecting the following file in /user-certs
+# - vpn_ca.p12
+#
+
+  if [ "$use_user_certs" = 1 ]; then
+      if ! [ -e "${USER_CERTS_DIR}vpn_ca.p12" ]; then
+        exiterr "${USER_CERTS_DIR}vpn_ca.p12 must exist."
+      fi
+      if ! [ -n "$VPN_IKEV2_USER_CERTS_PASS" ]; then
+        ca_p12_password=$(grep -s '^IKEV2_USER_CERTS_PASS=.\+' "$CONF_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
+        if [ -z "$ca_p12_password" ]; then
+          bigecho2 "Did not find a password for vpn_ca.p12, using an EMPTY password!"
+          VPN_IKEV2_USER_CERTS_PASS=''
+        else
+          VPN_IKEV2_USER_CERTS_PASS="$ca_p12_password"
+        fi
+      fi
+  fi
+
+  add_user_certs
+}
+
 check_config_password() {
  use_config_password=0
  case $VPN_PROTECT_CONFIG in
@ -872,6 +924,20 @@ install_uuidgen() {
  fi
 }

+update_ikev2_conf() {
+  if grep -qs 'ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1$' "$IKEV2_CONF"; then
+    bigecho2 "Updating IKEv2 configuration..."
+    sed -i \
+      "/ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1$/s/ike=/ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,/" \
+      "$IKEV2_CONF"
+    if [ "$os_type" = "alpine" ]; then
+      ipsec auto --add ikev2-cp >/dev/null
+    else
+      restart_ipsec_service >/dev/null
+    fi
+  fi
+}
+
 create_mobileconfig() {
  [ -z "$server_addr" ] && get_server_address
  p12_file_enc="$export_dir$client_name.enc.p12"
@ -898,9 +964,9 @@ cat > "$mc_file" <<EOF
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
-          <integer>14</integer>
+          <integer>19</integer>
          <key>EncryptionAlgorithm</key>
-          <string>AES-128-GCM</string>
+          <string>AES-256-GCM</string>
          <key>LifeTimeInMinutes</key>
          <integer>1410</integer>
        </dict>
@ -915,9 +981,9 @@ cat > "$mc_file" <<EOF
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
-          <integer>14</integer>
+          <integer>19</integer>
          <key>EncryptionAlgorithm</key>
-          <string>AES-256</string>
+          <string>AES-256-GCM</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>LifeTimeInMinutes</key>
@ -1093,23 +1159,43 @@ export_client_config() {
  else
    install_uuidgen
  fi
+  update_ikev2_conf
  export_p12_file
  create_mobileconfig
  create_android_profile
 }

+add_user_certs() {
+  bigecho2 "Adding user CA certificate..."
+
+# gnutils-bin has certtool
+# certtool can create a working p12 from a key+crt but certtool is not installed in the img
+# certtool --to-p12 --outder --load-certificate a.crt --load-privkey a.key --outfile a.p12
+
+  pk12util -i "$USER_CERTS_DIR"vpn_ca.p12 -d /etc/ipsec.d/ -W "$VPN_IKEV2_USER_CERTS_PASS"
+
+  bigecho2 "Get cert nickname and set as CA_NAME"
+  CA_NAME=$(openssl pkcs12 -info -in "$USER_CERTS_DIR"vpn_ca.p12 -passin pass:"$VPN_IKEV2_USER_CERTS_PASS" -nokeys |grep 'friendlyName:'|awk -F":" '{gsub(/^[ \t]+/, "", $2); gsub(/[ \t]+$/, "", $2); print $2}')
+
+  bigecho2 "Update permissions on new CA cert: $CA_NAME"
+  certutil -M -d /etc/ipsec.d/ -t "CTu,u,u" -n "$CA_NAME"
+}
+
 create_ca_server_certs() {
-  bigecho2 "Generating CA and server certificates..."
-  certutil -z <(head -c 1024 /dev/urandom) \
-    -S -x -n "$CA_NAME" \
-    -s "O=IKEv2 VPN,CN=$CA_NAME" \
-    -k rsa -g 3072 -v 120 \
-    -d "$CERT_DB" -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
+  if [ "$use_user_certs" = 0 ]; then
+    bigecho2 "Generating CA certificate...$CA_NAME"
+    certutil -z <(head -c 1024 /dev/urandom) \
+      -S -x -n "$CA_NAME" \
+      -s "O=IKEv2 VPN,CN=$CA_NAME" \
+      -k rsa -g 3072 -v 120 \
+      -d "$CERT_DB" -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
 y

 N
 ANSWERS
-  sleep 1
+    sleep 1
+  fi
+  bigecho2 "Generating server certificates...$CA_NAME"
  if [ "$use_dns_name" = 1 ]; then
    certutil -z <(head -c 1024 /dev/urandom) \
      -S -c "$CA_NAME" -n "$server_addr" \
@ -1174,7 +1260,7 @@ conn ikev2-cp
  ikev2=insist
  rekey=no
  pfs=no
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
@ -1505,6 +1591,7 @@ ikev2setup() {
  revoke_client=0
  delete_client=0
  remove_ikev2=0
+  use_user_certs=0
  while [ "$#" -gt 0 ]; do
    case $1 in
      --auto)
@ -1543,6 +1630,10 @@ ikev2setup() {
        remove_ikev2=1
        shift
        ;;
+        --usercert)
+        use_user_certs=1
+        shift
+        ;;
      -h|--help)
        show_usage
        ;;
@ -1554,11 +1645,13 @@ ikev2setup() {

  CA_NAME="IKEv2 VPN CA"
  CERT_DB="sql:/etc/ipsec.d"
-  CONF_DIR="/etc/ipsec.d"
+  CONF_DIR="/etc/ipsec.d/"
  CONF_FILE="/etc/ipsec.d/.vpnconfig"
  IKEV2_CONF="/etc/ipsec.d/ikev2.conf"
  IPSEC_CONF="/etc/ipsec.conf"
+  USER_CERTS_DIR="/user-certs/"

+  check_use_user_cert
  check_arguments
  check_config_password
  get_export_dir
@ -1693,7 +1786,9 @@ ikev2setup() {
    esac
  fi

-  check_cert_exists_and_exit "$CA_NAME"
+  if [ "$use_user_certs" = 0 ]; then
+    check_cert_exists_and_exit "$CA_NAME"
+  fi

  if [ "$use_defaults" = 0 ]; then
    show_header
Author	SHA1	Message	Date
ikkemaniac	e81c689ad0	Merge `5109463aea` into `6e16b9853e`	2023-12-10 11:51:16 -07:00
hwdsl2	6e16b9853e	Update docs	2023-12-09 23:57:33 -06:00
hwdsl2	5a9402b75b	Improve VPN ciphers - Update VPN ciphers for compatibility with macOS 14 (Sonoma). Ref: #1486, libreswan/libreswan#1450	2023-12-09 23:39:07 -06:00
ikkemaniac	5109463aea	add option to provide user CA cert. Mount /user-certs, $VPN_IKEV2_USER_CERTS, $VPN_IKEV2_USER_CERTS_PASS, $IKEV2_USER_CERTS_PASS	2022-12-18 07:26:52 +01:00