7 files changed, 186 insertions, 44 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 369e568..871a96a 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -1546,7 +1546,9 @@ EOS
 sub get_dh_cipher_result {
     my ($cipher) = @_;
     my $ciph_out;
-    if ($cipher eq '2' || $cipher eq 'dh-group2') {
+    if ($cipher eq '1' || $cipher eq 'dh-group1') {
+        $ciph_out = 'modp768';
+    } elsif ($cipher eq '2' || $cipher eq 'dh-group2') {
         $ciph_out = 'modp1024';
     } elsif ($cipher eq '5' || $cipher eq 'dh-group5') {
         $ciph_out = 'modp1536';
@@ -1576,6 +1578,18 @@ sub get_dh_cipher_result {
         $ciph_out = 'ecp192';
     } elsif ($cipher eq '26' || $cipher eq 'dh-group26') {
         $ciph_out = 'ecp224';
+    } elsif ($cipher eq '27' || $cipher eq 'dh-group27') {
+        $ciph_out = 'ecp224bp';
+    } elsif ($cipher eq '28' || $cipher eq 'dh-group28') {
+        $ciph_out = 'ecp256bp';
+    } elsif ($cipher eq '29' || $cipher eq 'dh-group29') {
+        $ciph_out = 'ecp384bp';
+    } elsif ($cipher eq '30' || $cipher eq 'dh-group30') {
+        $ciph_out = 'ecp512bp';
+    } elsif ($cipher eq '31' || $cipher eq 'dh-group31') {
+        $ciph_out = 'curve25519';
+    } elsif ($cipher eq '32' || $cipher eq 'dh-group32') {
+        $ciph_out = 'curve448';
     } else {
         $ciph_out = 'unknown';
     }
diff --git a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
index 59a46ec..09f1a17 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
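Review bot: The new first branch maps `1`/`dh-group1` to `modp768`, a 768-bit MODP group that is far weaker than every other entry in this chain, and nothing in the diff marks it as a legacy-interoperability choice. If that is the intent, the `val_help: dh-group1` lines added in templates/vpn/ipsec/esp-group/node.tag/pfs/node.def and templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def should say so, e.g. `val_help: dh-group1; Enable PFS. Use Diffie-Hellman group 1 (modp768, legacy peers only)`. get_dh_cipher_result's body continues past this hunk; the return and the callers are outside the view.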
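Review bot: The second hunk grows the `elsif` chain to six more near-identical arms, so the mapping from group number to daemon keyword is now spread over roughly forty lines and gaps in it are hard to see; a lookup hash keyed by the bare group number, with the `dh-group` prefix stripped once, expresses the same table in one place. The arms for groups 14 to 24 sit between the two hunks and are not visible here, so the sketch below leaves a placeholder for them, and the sub's closing brace and return are also outside the hunk. Behaviour is unchanged: anything not in the table still yields `'unknown'`.
```perl
# Group number -> daemon keyword, one row per accepted dh-group value.
my %dh_name_of = (
    1  => 'modp768',
    2  => 'modp1024',
    5  => 'modp1536',
    # … unchanged: rows for 14 .. 24, as mapped by the existing elsif arms …
    25 => 'ecp192',
    26 => 'ecp224',
    27 => 'ecp224bp',
    28 => 'ecp256bp',
    29 => 'ecp384bp',
    30 => 'ecp512bp',
    31 => 'curve25519',
    32 => 'curve448',
);

sub get_dh_cipher_result {
    my ($cipher) = @_;
    # Accept both the bare number and the "dh-groupN" spelling, as before.
    (my $group = $cipher) =~ s/\Adh-group//;
    my $ciph_out = exists $dh_name_of{$group} ? $dh_name_of{$group} : 'unknown';
    # … unchanged: rest of the sub, outside the hunk …
```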
@@ -1,8 +1,9 @@
 help: ESP Perfect Forward Secrecy
 type: txt
 default: "enable"
-syntax:expression: $VAR(@) in "enable", "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26"
+syntax:expression: $VAR(@) in "enable", "dh-group1", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26", "dh-group27", "dh-group28", "dh-group29", "dh-group30", "dh-group31", "dh-group32"; "Wrong PFS group settings"
 val_help: enable; Enable PFS. Use ike-group's dh-group (default)
+val_help: dh-group1; Enable PFS. Use Diffie-Hellman group 1 (modp768)
 val_help: dh-group2; Enable PFS. Use Diffie-Hellman group 2 (modp1024)
 val_help: dh-group5; Enable PFS. Use Diffie-Hellman group 5 (modp1536)
 val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048)
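Review bot: The new syntax:expression line drops `"disable"` from the accepted set, while the second hunk of this file (`@@ -18,4 +19,10 @@`) keeps `val_help: disable; Disable PFS` as a context line, so `pfs disable` is now offered in completion but rejected by validation. Restore it at the front of the list: `syntax:expression: $VAR(@) in "enable", "disable", "dh-group1", "dh-group2", …` with the rest of the line unchanged. Separately, the replacement message "Wrong PFS group settings" no longer tells the operator which values are accepted, as the old message did; the same regression appears in the encryption, hash and dh-group node.def hunks of both esp-group and ike-group.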
@@ -18,4 +19,10 @@ val_help: dh-group23; Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)
 val_help: dh-group24; Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)
 val_help: dh-group25; Enable PFS. Use Diffie-Hellman group 25 (ecp192)
 val_help: dh-group26; Enable PFS. Use Diffie-Hellman group 26 (ecp224)
+val_help: dh-group27; Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)
+val_help: dh-group28; Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)
+val_help: dh-group29; Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)
+val_help: dh-group30; Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)
+val_help: dh-group31; Enable PFS. Use Diffie-Hellman group 31 (curve25519)
+val_help: dh-group32; Enable PFS. Use Diffie-Hellman group 32 (curve448)
 val_help: disable; Disable PFS
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
index ba66828..0e61761 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
@@ -1,10 +1,59 @@
 help: Encryption algorithm
 type: txt
 default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
-val_help: aes128; AES-128 encryption (default)
-val_help: aes256; AES-256 encryption
-val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
-val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
-val_help: 3des; 3DES encryption
-val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
+syntax:expression: $VAR(@) in "null", "aes128", "aes192", "aes256", "aes128ctr", "aes192ctr", "aes256ctr", "aes128ccm64", "aes192ccm64", "aes256ccm64", "aes128ccm96", "aes192ccm96", "aes256ccm96", "aes128ccm128", "aes192ccm128", "aes256ccm128", "aes128gcm64", "aes192gcm64", "aes256gcm64", "aes128gcm96", "aes192gcm96", "aes256gcm96", "aes128gcm128", "aes192gcm128", "aes256gcm128", "aes128gmac", "aes192gmac", "aes256gmac", "3des", "blowfish128", "blowfish192", "blowfish256", "camellia128", "camellia192", "camellia256", "camellia128ctr", "camellia192ctr", "camellia256ctr", "camellia128ccm64", "camellia192ccm64", "camellia256ccm64", "camellia128ccm96", "camellia192ccm96", "camellia256ccm96", "camellia128ccm128", "camellia192ccm128", "camellia256ccm128", "serpent128", "serpent192", "serpent256", "twofish128", "twofish192", "twofish256", "cast128", "chacha20poly1305"; "Wrong encryption algorithm"
+val_help: null; Null encryption
+val_help: aes128; 128 bit AES-CBC (default)
+val_help: aes192; 192 bit AES-CBC
+val_help: aes256; 256 bit AES-CBC
+val_help: aes128ctr; 128 bit AES-COUNTER
+val_help: aes192ctr; 192 bit AES-COUNTER
+val_help: aes256ctr; 256 bit AES-COUNTER
+val_help: aes128ccm64; 128 bit AES-CCM with 64 bit ICV
+val_help: aes192ccm64; 192 bit AES-CCM with 64 bit ICV
+val_help: aes256ccm64; 256 bit AES-CCM with 64 bit ICV
+val_help: aes128ccm96; 128 bit AES-CCM with 96 bit ICV
+val_help: aes192ccm96; 192 bit AES-CCM with 96 bit ICV
+val_help: aes256ccm96; 256 bit AES-CCM with 96 bit ICV
+val_help: aes128ccm128; 128 bit AES-CCM with 128 bit ICV
+val_help: aes192ccm128; 192 bit AES-CCM with 128 bit ICV
+val_help: aes256ccm128; 256 bit AES-CCM with 128 bit ICV
+val_help: aes128gcm64; 128 bit AES-GCM with 64 bit ICV
+val_help: aes192gcm64; 192 bit AES-GCM with 64 bit ICV
+val_help: aes256gcm64; 256 bit AES-GCM with 64 bit ICV
+val_help: aes128gcm96; 128 bit AES-GCM with 96 bit ICV
+val_help: aes192gcm96; 192 bit AES-GCM with 96 bit ICV
+val_help: aes256gcm96; 256 bit AES-GCM with 96 bit ICV
+val_help: aes128gcm128; 128 bit AES-GCM with 128 bit ICV
+val_help: aes192gcm128; 192 bit AES-GCM with 128 bit ICV
+val_help: aes256gcm128; 256 bit AES-GCM with 128 bit ICV
+val_help: aes128gmac; Null encryption with 128 bit AES-GMAC
+val_help: aes192gmac; Null encryption with 192 bit AES-GMAC
+val_help: aes256gmac; Null encryption with 256 bit AES-GMAC
+val_help: 3des; 168 bit 3DES-EDE-CBC
+val_help: blowfish128; 128 bit Blowfish-CBC
+val_help: blowfish192; 192 bit Blowfish-CBC
+val_help: blowfish256; 256 bit Blowfish-CBC
+val_help: camellia128; 128 bit Camellia-CBC
+val_help: camellia192; 192 bit Camellia-CBC
+val_help: camellia256; 256 bit Camellia-CBC
+val_help: camellia128ctr; 128 bit Camellia-COUNTER
+val_help: camellia192ctr; 192 bit Camellia-COUNTER
+val_help: camellia256ctr; 256 bit Camellia-COUNTER
+val_help: camellia128ccm64; 128 bit Camellia-CCM with 64 bit ICV
+val_help: camellia192ccm64; 192 bit Camellia-CCM with 64 bit ICV
+val_help: camellia256ccm64; 256 bit Camellia-CCM with 64 bit ICV
+val_help: camellia128ccm96; 128 bit Camellia-CCM with 96 bit ICV
+val_help: camellia192ccm96; 192 bit Camellia-CCM with 96 bit ICV
+val_help: camellia256ccm96; 256 bit Camellia-CCM with 96 bit ICV
+val_help: camellia128ccm128; 128 bit Camellia-CCM with 128 bit ICV
+val_help: camellia192ccm128; 192 bit Camellia-CCM with 128 bit ICV
+val_help: camellia256ccm128; 256 bit Camellia-CCM with 128 bit ICV
+val_help: serpent128; 128 bit Serpent-CBC
+val_help: serpent192; 192 bit Serpent-CBC
+val_help: serpent256; 256 bit Serpent-CBC
+val_help: twofish128; 128 bit Twofish-CBC
+val_help: twofish192; 192 bit Twofish-CBC
+val_help: twofish256; 256 bit Twofish-CBC
+val_help: cast128; 128 bit CAST-CBC
+val_help: chacha20poly1305; 256 bit ChaCha20/Poly1305 with 128 bit ICV
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/hash/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/hash/node.def
index 7d5651c..704e4e7 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/hash/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/hash/node.def
@@ -1,9 +1,17 @@
 help: Hash algorithm
 type: txt
 default: "sha1"
-syntax:expression: $VAR(@) in "md5", "sha1", "sha256", "sha384", "sha512"; "must be md5, sha1, sha256, sha384 or sha512"
-val_help: md5; MD5 hash
-val_help: sha1; SHA1 hash (default)
-val_help: sha256; SHA2-256 hash
-val_help: sha384; SHA2-384 hash
-val_help: sha512; SHA2-512 hash
+syntax:expression: $VAR(@) in "md5", "md5_128", "sha1", "sha1_160", "sha256", "sha256_96", "sha384", "sha512", "aesxcbc", "aescmac", "aes128gmac", "aes192gmac", "aes256gmac"; "Wrong hash algorithm"
+val_help: md5; MD5 HMAC
+val_help: md5_128; MD5_128 HMAC
+val_help: sha1; SHA1 HMAC (default)
+val_help: sha1_160; SHA1_160 HMAC
+val_help: sha256; SHA2_256_128 HMAC
+val_help: sha256_96; SHA2_256_96 HMAC
+val_help: sha384; SHA2_384_192 HMAC
+val_help: sha512; SHA2_512_256 HMAC
+val_help: aesxcbc; AES XCBC
+val_help: aescmac; AES CMAC
+val_help: aes128gmac; 128-bit AES-GMAC
+val_help: aes192gmac; 192-bit AES-GMAC
+val_help: aes256gmac; 256-bit AES-GMAC
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
index 32deb66..738f099 100644
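Review bot: The expanded list accepts `null` and the three `aes*gmac` entries, which by the hunk's own help text provide no encryption, but that fact is visible only if the operator reads the full help, and the `null` line says nothing about integrity at all. Appending a marker to those four help lines, e.g. `val_help: null; Null encryption (no confidentiality)` and `val_help: aes128gmac; Null encryption with 128 bit AES-GMAC (no confidentiality)`, makes the choice explicit at `set` time. Nothing in this hunk or the following hash hunk prevents a combined-mode entry such as `aes256gcm128` from being paired with a separate hash value; presumably vpn-config.pl resolves that when it renders the proposal, but that code is not part of this diff.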
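Review bot: The hash list now contains `aes128gmac`, `aes192gmac` and `aes256gmac`, the same three keywords the preceding encryption hunk accepts as encryption values, so a proposal can name AES-GMAC on both sides and it is not visible from these templates which one wins. A short note in the help, e.g. `val_help: aes128gmac; 128-bit AES-GMAC (use with encryption null)`, or a check in the generating script, would remove the ambiguity; the script is not in this diff, so this is an inference. The default stays `sha1` and `md5` remains accepted, which is unchanged from before and may be deliberate for legacy peers.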
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
@@ -1,19 +1,26 @@
 help: Diffie-Hellman (DH) key exchange group
 type: u32
 default: 2
-syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26"
-val_help: 2; DH group 2 (modp1024)
-val_help: 5; DH group 5 (modp1536)
-val_help: 14; DH group 14 (modp2048)
-val_help: 15; DH group 15 (modp3072)
-val_help: 16; DH group 16 (modp4096)
-val_help: 17; DH group 17 (modp6144)
-val_help: 18; DH group 18 (modp8192)
-val_help: 19; DH group 19 (ecp256)
-val_help: 20; DH group 20 (ecp384)
-val_help: 21; DH group 21 (ecp521)
-val_help: 22; DH group 22 (modp1024s160)
-val_help: 23; DH group 23 (modp2048s224)
-val_help: 24; DH group 24 (modp2048s256)
-val_help: 25; DH group 25 (ecp192)
-val_help: 26; DH group 26 (ecp224)
+syntax:expression: ($VAR(@) == 1 || $VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 32)); "Wrong Diffie-Hellman group settings"
+val_help: 1; Diffie-Hellman group 1 (modp768)
+val_help: 2; Diffie-Hellman group 2 (modp1024)
+val_help: 5; Diffie-Hellman group 5 (modp1536)
+val_help: 14; Diffie-Hellman group 14 (modp2048)
+val_help: 15; Diffie-Hellman group 15 (modp3072)
+val_help: 16; Diffie-Hellman group 16 (modp4096)
+val_help: 17; Diffie-Hellman group 17 (modp6144)
+val_help: 18; Diffie-Hellman group 18 (modp8192)
+val_help: 19; Diffie-Hellman group 19 (ecp256)
+val_help: 20; Diffie-Hellman group 20 (ecp384)
+val_help: 21; Diffie-Hellman group 21 (ecp521)
+val_help: 22; Diffie-Hellman group 22 (modp1024s160)
+val_help: 23; Diffie-Hellman group 23 (modp2048s224)
+val_help: 24; Diffie-Hellman group 24 (modp2048s256)
+val_help: 25; Diffie-Hellman group 25 (ecp192)
+val_help: 26; Diffie-Hellman group 26 (ecp224)
+val_help: 27; Diffie-Hellman group 27 (ecp224bp)
+val_help: 28; Diffie-Hellman group 28 (ecp256bp)
+val_help: 29; Diffie-Hellman group 29 (ecp384bp)
+val_help: 30; Diffie-Hellman group 30 (ecp512bp)
+val_help: 31; Diffie-Hellman group 31 (curve25519)
+val_help: 32; Diffie-Hellman group 32 (curve448)
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
index ba66828..0e61761 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
@@ -1,10 +1,59 @@
 help: Encryption algorithm
 type: txt
 default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
-val_help: aes128; AES-128 encryption (default)
-val_help: aes256; AES-256 encryption
-val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
-val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
-val_help: 3des; 3DES encryption
-val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
+syntax:expression: $VAR(@) in "null", "aes128", "aes192", "aes256", "aes128ctr", "aes192ctr", "aes256ctr", "aes128ccm64", "aes192ccm64", "aes256ccm64", "aes128ccm96", "aes192ccm96", "aes256ccm96", "aes128ccm128", "aes192ccm128", "aes256ccm128", "aes128gcm64", "aes192gcm64", "aes256gcm64", "aes128gcm96", "aes192gcm96", "aes256gcm96", "aes128gcm128", "aes192gcm128", "aes256gcm128", "aes128gmac", "aes192gmac", "aes256gmac", "3des", "blowfish128", "blowfish192", "blowfish256", "camellia128", "camellia192", "camellia256", "camellia128ctr", "camellia192ctr", "camellia256ctr", "camellia128ccm64", "camellia192ccm64", "camellia256ccm64", "camellia128ccm96", "camellia192ccm96", "camellia256ccm96", "camellia128ccm128", "camellia192ccm128", "camellia256ccm128", "serpent128", "serpent192", "serpent256", "twofish128", "twofish192", "twofish256", "cast128", "chacha20poly1305"; "Wrong encryption algorithm"
+val_help: null; Null encryption
+val_help: aes128; 128 bit AES-CBC (default)
+val_help: aes192; 192 bit AES-CBC
+val_help: aes256; 256 bit AES-CBC
+val_help: aes128ctr; 128 bit AES-COUNTER
+val_help: aes192ctr; 192 bit AES-COUNTER
+val_help: aes256ctr; 256 bit AES-COUNTER
+val_help: aes128ccm64; 128 bit AES-CCM with 64 bit ICV
+val_help: aes192ccm64; 192 bit AES-CCM with 64 bit ICV
+val_help: aes256ccm64; 256 bit AES-CCM with 64 bit ICV
+val_help: aes128ccm96; 128 bit AES-CCM with 96 bit ICV
+val_help: aes192ccm96; 192 bit AES-CCM with 96 bit ICV
+val_help: aes256ccm96; 256 bit AES-CCM with 96 bit ICV
+val_help: aes128ccm128; 128 bit AES-CCM with 128 bit ICV
+val_help: aes192ccm128; 192 bit AES-CCM with 128 bit ICV
+val_help: aes256ccm128; 256 bit AES-CCM with 128 bit ICV
+val_help: aes128gcm64; 128 bit AES-GCM with 64 bit ICV
+val_help: aes192gcm64; 192 bit AES-GCM with 64 bit ICV
+val_help: aes256gcm64; 256 bit AES-GCM with 64 bit ICV
+val_help: aes128gcm96; 128 bit AES-GCM with 96 bit ICV
+val_help: aes192gcm96; 192 bit AES-GCM with 96 bit ICV
+val_help: aes256gcm96; 256 bit AES-GCM with 96 bit ICV
+val_help: aes128gcm128; 128 bit AES-GCM with 128 bit ICV
+val_help: aes192gcm128; 192 bit AES-GCM with 128 bit ICV
+val_help: aes256gcm128; 256 bit AES-GCM with 128 bit ICV
+val_help: aes128gmac; Null encryption with 128 bit AES-GMAC
+val_help: aes192gmac; Null encryption with 192 bit AES-GMAC
+val_help: aes256gmac; Null encryption with 256 bit AES-GMAC
+val_help: 3des; 168 bit 3DES-EDE-CBC
+val_help: blowfish128; 128 bit Blowfish-CBC
+val_help: blowfish192; 192 bit Blowfish-CBC
+val_help: blowfish256; 256 bit Blowfish-CBC
+val_help: camellia128; 128 bit Camellia-CBC
+val_help: camellia192; 192 bit Camellia-CBC
+val_help: camellia256; 256 bit Camellia-CBC
+val_help: camellia128ctr; 128 bit Camellia-COUNTER
+val_help: camellia192ctr; 192 bit Camellia-COUNTER
+val_help: camellia256ctr; 256 bit Camellia-COUNTER
+val_help: camellia128ccm64; 128 bit Camellia-CCM with 64 bit ICV
+val_help: camellia192ccm64; 192 bit Camellia-CCM with 64 bit ICV
+val_help: camellia256ccm64; 256 bit Camellia-CCM with 64 bit ICV
+val_help: camellia128ccm96; 128 bit Camellia-CCM with 96 bit ICV
+val_help: camellia192ccm96; 192 bit Camellia-CCM with 96 bit ICV
+val_help: camellia256ccm96; 256 bit Camellia-CCM with 96 bit ICV
+val_help: camellia128ccm128; 128 bit Camellia-CCM with 128 bit ICV
+val_help: camellia192ccm128; 192 bit Camellia-CCM with 128 bit ICV
+val_help: camellia256ccm128; 256 bit Camellia-CCM with 128 bit ICV
+val_help: serpent128; 128 bit Serpent-CBC
+val_help: serpent192; 192 bit Serpent-CBC
+val_help: serpent256; 256 bit Serpent-CBC
+val_help: twofish128; 128 bit Twofish-CBC
+val_help: twofish192; 192 bit Twofish-CBC
+val_help: twofish256; 256 bit Twofish-CBC
+val_help: cast128; 128 bit CAST-CBC
+val_help: chacha20poly1305; 256 bit ChaCha20/Poly1305 with 128 bit ICV
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/hash/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/hash/node.def
index 7d5651c..704e4e7 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/hash/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/hash/node.def
@@ -1,9 +1,17 @@
 help: Hash algorithm
 type: txt
 default: "sha1"
-syntax:expression: $VAR(@) in "md5", "sha1", "sha256", "sha384", "sha512"; "must be md5, sha1, sha256, sha384 or sha512"
-val_help: md5; MD5 hash
-val_help: sha1; SHA1 hash (default)
-val_help: sha256; SHA2-256 hash
-val_help: sha384; SHA2-384 hash
-val_help: sha512; SHA2-512 hash
+syntax:expression: $VAR(@) in "md5", "md5_128", "sha1", "sha1_160", "sha256", "sha256_96", "sha384", "sha512", "aesxcbc", "aescmac", "aes128gmac", "aes192gmac", "aes256gmac"; "Wrong hash algorithm"
+val_help: md5; MD5 HMAC
+val_help: md5_128; MD5_128 HMAC
+val_help: sha1; SHA1 HMAC (default)
+val_help: sha1_160; SHA1_160 HMAC
+val_help: sha256; SHA2_256_128 HMAC
+val_help: sha256_96; SHA2_256_96 HMAC
+val_help: sha384; SHA2_384_192 HMAC
+val_help: sha512; SHA2_512_256 HMAC
+val_help: aesxcbc; AES XCBC
+val_help: aescmac; AES CMAC
+val_help: aes128gmac; 128-bit AES-GMAC
+val_help: aes192gmac; 192-bit AES-GMAC
+val_help: aes256gmac; 256-bit AES-GMAC
|
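Review bot: This ike-group encryption node now carries the identical blob as the esp-group one (both headers read `index ba66828..0e61761`), so the IKE proposal accepts `null` and `aes128gmac`/`aes192gmac`/`aes256gmac`, entries whose help text describes them as null encryption; as far as I can tell those are ESP-only transforms for the daemon, so an IKE proposal naming them would presumably be refused at load time rather than at `commit`. Confirm against the daemon's IKE keyword list and, if so, keep a separate shorter list here, e.g. `syntax:expression: $VAR(@) in "aes128", "aes192", "aes256", "aes128ctr", … "chacha20poly1305"; "Wrong encryption algorithm"` without those four values and their `val_help` lines. The ike-group hash node is the same copy of its esp-group counterpart (`index 7d5651c..704e4e7`) and the three `aes*gmac` integrity entries there raise the same question.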