-rwxr-xr-x | scripts/vpn-config.pl | 95 | ||||
-rw-r--r-- | templates/vpn/ipsec/esp-group/node.tag/pfs/node.def | 7 | ||||
-rw-r--r-- | templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def | 5 |
3 files changed, 63 insertions, 44 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 5502156..5c00e08 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -928,44 +928,6 @@ if ($vcVPN->exists('ipsec')) {
 if (defined($encryption) && defined($hash)) {
 $genout .= "$encryption-$hash";
 }
-
- #
- # Perfect Forward Secrecy
- #
- my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
- if (defined($pfs)) {
- if ($pfs eq 'dh-group2') {
- $genout .= "-modp1024";
- } elsif ($pfs eq 'dh-group5') {
- $genout .= "-modp1536";
- } elsif ($pfs eq 'dh-group14') {
- $genout .= "-modp2048";
- } elsif ($pfs eq 'dh-group15') {
- $genout .= "-modp3072";
- } elsif ($pfs eq 'dh-group16') {
- $genout .= "-modp4096";
- } elsif ($pfs eq 'dh-group17') {
- $genout .= "-modp6144";
- } elsif ($pfs eq 'dh-group18') {
- $genout .= "-modp8192";
- } elsif ($pfs eq 'dh-group19') {
- $genout .= "-ecp256";
- } elsif ($pfs eq 'dh-group20') {
- $genout .= "-ecp384";
- } elsif ($pfs eq 'dh-group21') {
- $genout .= "-ecp521";
- } elsif ($pfs eq 'dh-group22') {
- $genout .= "-modp1024s160";
- } elsif ($pfs eq 'dh-group23') {
- $genout .= "-modp2048s224";
- } elsif ($pfs eq 'dh-group24') {
- $genout .= "-modp2048s256";
- } elsif ($pfs eq 'dh-group25') {
- $genout .= "-ecp192";
- } elsif ($pfs eq 'dh-group26') {
- $genout .= "-ecp224";
- }
- }
 }
 $genout .= "!\n";
@@ -1009,6 +971,63 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\ttype=$espmode\n";
 #
+ # Perfect Forward Secrecy
+ #
+ my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
+ if (defined($pfs)) {
+ if ($pfs eq 'enable') {
+ $genout .= "\tpfs=yes\n";
+ } elsif ($pfs eq 'dh-group2') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp1024\n";
+ } elsif ($pfs eq 'dh-group5') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp1536\n";
+ } elsif ($pfs eq 'dh-group14') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp2048\n";
+ } elsif ($pfs eq 'dh-group15') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp3072\n";
+ } elsif ($pfs eq 'dh-group16') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp4096\n";
+ } elsif ($pfs eq 'dh-group17') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp6144\n";
+ } elsif ($pfs eq 'dh-group18') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp8192\n";
+ } elsif ($pfs eq 'dh-group19') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp256\n";
+ } elsif ($pfs eq 'dh-group20') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp384\n";
+ } elsif ($pfs eq 'dh-group21') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp521\n";
+ } elsif ($pfs eq 'dh-group22') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp1024s160\n";
+ } elsif ($pfs eq 'dh-group23') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp2048s224\n";
+ } elsif ($pfs eq 'dh-group24') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp2048s256\n";
+ } elsif ($pfs eq 'dh-group25') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp192\n";
+ } elsif ($pfs eq 'dh-group26') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp224\n";
+ } else {
+ $genout .= "\tpfs=no\n";
+ }
+ }
+
+ #
 # Compression
 #
 my $compression =$vcVPN->returnValue("ipsec esp-group $esp_group compression");
diff --git a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
index cda2169..59a46ec 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
@@ -1,10 +1,11 @@
 help: ESP Perfect Forward Secrecy
 type: txt
-default: "dh-group14"
-syntax:expression: $VAR(@) in "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26"
+default: "enable"
+syntax:expression: $VAR(@) in "enable", "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26"
+val_help: enable; Enable PFS. Use ike-group's dh-group (default)
 val_help: dh-group2; Enable PFS. Use Diffie-Hellman group 2 (modp1024)
 val_help: dh-group5; Enable PFS. Use Diffie-Hellman group 5 (modp1536)
-val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) (default)
+val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048)
 val_help: dh-group15; Enable PFS. Use Diffie-Hellman group 15 (modp3072)
 val_help: dh-group16; Enable PFS. Use Diffie-Hellman group 16 (modp4096)
 val_help: dh-group17; Enable PFS. Use Diffie-Hellman group 17 (modp6144)
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
index 3ff5646..307dc09 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
@@ -1,10 +1,9 @@
-help: Diffie-Hellman (DH) key exchange group [REQUIRED]
+help: Diffie-Hellman (DH) key exchange group
 type: u32
-default: 14
 syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26"
 val_help: 2; DH group 2 (modp1024)
 val_help: 5; DH group 5 (modp1536)
-val_help: 14; DH group 14 (modp2048) (default)
+val_help: 14; DH group 14 (modp2048)
 val_help: 15; DH group 15 (modp3072)
 val_help: 16; DH group 16 (modp4096)
 val_help: 17; DH group 17 (modp6144)
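Review bot: Dropping both `default: 14` and the `[REQUIRED]` marker from the IKE proposal's dh-group leaves nothing in this template that guarantees an IKE DH group is set, at the same time as the esp-group template in this commit makes `enable` — "Use ike-group's dh-group" — the PFS default. An ESP group relying on that default against a proposal whose dh-group was never configured therefore depends on what vpn-config.pl emits for a missing value and on the daemon's own fallback, neither of which is visible here; if the daemon chooses, the negotiated group becomes implicit rather than an operator decision. If letting the daemon choose is the intent, state it in the help text, e.g. `help: Diffie-Hellman (DH) key exchange group (daemon default if unset)`; otherwise keep a `default:` or the `[REQUIRED]` marker. Adding a `val_help: disable;` line to the esp-group pfs template would also be worth confirming, since `disable` is accepted by its syntax check but no help line for it appears in the hunk shown.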