authorMohit Mehta <mohit.mehta@vyatta.com>2010-03-18 14:50:00 -0700
committerMohit Mehta <mohit.mehta@vyatta.com>2010-03-18 14:50:00 -0700
commit4f4b9bab6eb7a9ff817a04ca2c61c3cfbe60fadb (patch)
tree84153d215d2eb392c5b686466b01a38cf879ac5c
parent494766535604195a29b7e8228238c4b11bac2097 (diff)
downloadvyatta-cfg-vpn-4f4b9bab6eb7a9ff817a04ca2c61c3cfbe60fadb.tar.gz
vyatta-cfg-vpn-4f4b9bab6eb7a9ff817a04ca2c61c3cfbe60fadb.zip
Fix Bug 5087 add support to specify PFS group when PFS is enabled
-rwxr-xr-xscripts/vpn-config.pl6
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/pfs/node.def12
2 files changed, 13 insertions, 5 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 370c62c..58b4c1d 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -818,6 +818,12 @@ if ( $vcVPN->exists('ipsec') ) {
if ( defined($pfs) ) {
if ( $pfs eq 'enable' ) {
$genout .= "\tpfs=yes\n";
+ } elsif ( $pfs eq 'dh-group2' ) {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp1024\n";
+ } elsif ( $pfs eq 'dh-group5' ) {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp1536\n";
} else {
$genout .= "\tpfs=no\n";
}
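Review bot: The trailing `else` still maps every value other than `enable`, `dh-group2` and `dh-group5` to `pfs=no`, so a value the template accepts but this chain does not know (for example a new `dh-groupN` added only in node.def) silently turns PFS off. Now that the accepted set is growing, I would match the off case explicitly with `} elsif ( $pfs eq 'disable' ) {` and have the final `else` report an error through whatever failure path the script already uses, instead of writing the weaker setting. The two new branches also repeat `pfs=yes`; a small hash from `dh-group2`/`dh-group5` to the `modp` name would keep the mapping in one place. The enclosing `if ( defined($pfs) )` block continues outside the hunk.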
diff --git a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
index 2623cad..82ce8db 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
@@ -1,7 +1,9 @@
-help: Set ESP PFS
-type: txt
+help: Set ESP Perfect Forward Secrecy
+type: txt
default: "enable"
-syntax:expression: $VAR(@) in "enable", "disable"; "must be enable or disable"
+syntax:expression: $VAR(@) in "enable", "disable", "dh-group2", "dh-group5"; "must be enable, disable, dh-group2 or dh-group5"
comp_help: possible completions
- enable Set Perfect Forward Secrecy enabled (default)
- disable Set Perfect Forward Secrecy disabled
+ enable Enable PFS. Use ike-group's dh-group (default)
+ dh-group2 Enable PFS. Use Diffie-Hellman group 2
+ dh-group5 Enable PFS. Use Diffie-Hellman group 5
+ disable Disable PFS
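Review bot: The completion help names the groups only by number, so an operator cannot see that `dh-group2` is the 1024-bit MODP group and `dh-group5` the 1536-bit one (the sizes the script writes as `modp1024` and `modp1536`). I would put the modulus size in each help line, e.g. `dh-group2 Enable PFS. Use Diffie-Hellman group 2 (1024-bit MODP)`. Both sizes are below what current IPsec guidance recommends (RFC 8247 marks groups 2 and 5 as SHOULD NOT and the 2048-bit group 14 as mandatory), so it is worth accepting a 2048-bit group here if the IPsec daemon in use supports it. The allowed values are listed both in this `syntax:expression` and in vpn-config.pl, and the two lists have to stay in step.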