From de318d8d25427a27c80206c16dc36c0021dfca2c Mon Sep 17 00:00:00 2001
From: Jeff Leung
Date: Sat, 31 Jan 2015 07:37:43 +0000
Subject: Allow users to specify aggressive mode for IKEv1 key exchanges

Although strongly not recommended by the developers of strongSwan, sometimes remote VPN gateways requires this because of interop reasons or a network admin who doesn't have an idea on why aggressive mode is bad.
---
 templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 templates/vpn/ipsec/ike-group/node.tag/mode/node.def
(limited to 'templates/vpn/ipsec/ike-group')
diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
new file mode 100644
index 0000000..f302d3d
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
@@ -0,0 +1,6 @@
+help: IKEv1 Phase 1 Mode Selection
+type: txt
+default: "main"
+syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive"
+val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
+val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
-- cgit v1.2.3

From 82c41cedf5a295ebd2ad28700c4c9a5c9b5a91d3 Mon Sep 17 00:00:00 2001
From: Jeff Leung
Date: Sat, 7 Feb 2015 03:53:20 +0000
Subject: Remove the default value in ipsec ike-group $name mode

Setting this to a default value breaks ikev2 configurations since aggressive mode is only applicable for ikev1 tunnels
---
 templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 1 -
 1 file changed, 1 deletion(-)
(limited to 'templates/vpn/ipsec/ike-group')
diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
index f302d3d..fad935f 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
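Review bot: The last val_help line in the new node.def justifies the recommendation against aggressive mode only with "much more insecure", which gives an operator no basis for deciding whether the interop need outweighs the risk. The help should name what is actually given up: in IKEv1 aggressive mode the initiator identity and the PSK-based authentication hash are exchanged before the channel is encrypted, so a weak pre-shared key is exposed to offline guessing, and identities are visible on the wire. I would also key the line by the value the syntax:expression accepts, e.g. `val_help: aggressive; Use Aggressive mode for IKEv1 Phase 1 (not recommended: identity and PSK authentication hash are sent unencrypted, so a weak PSK can be attacked offline; use only when the peer requires it)`. Since this node is only meaningful for IKEv1, the `help:` text could also say so explicitly so that IKEv2 users are not misled into setting it.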
+++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
@@ -1,6 +1,5 @@
 help: IKEv1 Phase 1 Mode Selection
 type: txt
-default: "main"
 syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive"
 val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
 val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
-- cgit v1.2.3

From 832208422595261e1044890c18c16998a9aaf421 Mon Sep 17 00:00:00 2001
From: Jeff Leung
Date: Sun, 8 Feb 2015 07:21:25 +0000
Subject: Correct typo'd aggressive option

Originally we meant aggressive, not ikev2
---
 templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'templates/vpn/ipsec/ike-group')
diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
index fad935f..2b67dad 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
@@ -2,4 +2,4 @@ help: IKEv1 Phase 1 Mode Selection
 type: txt
 syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive"
 val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
-val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
+val_help: aggressive; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
-- cgit v1.2.3

From e35a282eef077d8cc91e8e5fd7b7a1dcf91750c4 Mon Sep 17 00:00:00 2001
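Review bot: With `default: "main"` removed from the mode node, the context line `val_help: main; ... (Recommended Default)` is now wrong: the template no longer declares any default, so whatever happens when the node is unset is decided by the backend script, which is not visible here. Either the val_help should drop the word "Default" (`val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (recommended)`) or the commit description should state what the backend does for an IKEv1 tunnel with no mode set, so that operators know main mode is still what they get. If the backend does fall back to main for IKEv1 while ignoring the node for IKEv2 as the description implies, a one-line note to that effect in `help:` would make the intent explicit in the template itself.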
From: Jeff Leung
Date: Fri, 4 Dec 2015 23:49:35 -0500
Subject: Add ChaCha20 Poly1305 cipher as an available cipher for IKE exchanges.

Starting with strongSwan 5.3.3, chacha20poly1305 is a supported cipher for IKE and ESP configurations with an IKEv2 configuration.
---
 .../vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def | 3 ++-
 .../vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
(limited to 'templates/vpn/ipsec/ike-group')
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
index 1c02803..05aa407 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
@@ -1,7 +1,8 @@
 help: Encryption algorithm
 type: txt
 default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
+syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
 val_help: aes128; AES-128 encryption (default)
 val_help: aes256; AES-256 encryption
 val_help: 3des; 3DES encryption
+val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
index 1c02803..05aa407 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
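Review bot: The commit description limits chacha20poly1305 to strongSwan 5.3.3 or later and to IKEv2, but neither constraint appears in the added `val_help: chacha20poly1305; ChaCha20-Poly1305 encryption` line and nothing in the template enforces it, so an operator on an older daemon or an IKEv1 tunnel will only find out at negotiation time. I would document it in the help text, e.g. `val_help: chacha20poly1305; ChaCha20-Poly1305 AEAD encryption (IKEv2 only; requires strongSwan 5.3.3 or later)`; the same applies to the ike-group hunk that follows. chacha20poly1305 is an AEAD cipher, so if the script that builds the proposal string (not in this hunk) still appends the separately configured hash as an integrity algorithm, the resulting proposal may be rejected by strongSwan; that is worth confirming, since the esp-group and ike-group proposals are composed outside these templates.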
@@ -1,7 +1,8 @@
 help: Encryption algorithm
 type: txt
 default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
+syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
 val_help: aes128; AES-128 encryption (default)
 val_help: aes256; AES-256 encryption
 val_help: 3des; 3DES encryption
+val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
-- cgit v1.2.3

From fcab32f8c5cc416829dc054a41e578eae45951fa Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Mon, 4 May 2015 00:35:54 +0200
Subject: Bug #469: add options for AES-128/256-GCM mode.
---
 .../ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def | 4 +++-
 .../ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
(limited to 'templates/vpn/ipsec/ike-group')
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
index 05aa407..ba66828 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
@@ -1,8 +1,10 @@
 help: Encryption algorithm
 type: txt
 default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
+syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
 val_help: aes128; AES-128 encryption (default)
 val_help: aes256; AES-256 encryption
+val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
+val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
 val_help: 3des; 3DES encryption
 val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
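Review bot: The new syntax:expression line in the esp-group encryption node adds "aes128gcm128" and "aes256gcm128" to the accepted set but leaves the error message as `"must be aes128, aes256, 3des, or chacha20poly1305"`, so a mistyped GCM value produces a message that does not list the GCM options at all. The message should be updated in step with the list, e.g. `"must be aes128, aes256, aes128gcm128, aes256gcm128, 3des, or chacha20poly1305"`; the ike-group hunk in the next line of this series has the identical omission. As with chacha20poly1305, both GCM variants are AEAD ciphers, so the two added val_help lines would be clearer as `AES-128-GCM AEAD encryption (ICV 128-bit)` and `AES-256-GCM AEAD encryption (ICV 128-bit)`, and the proposal-building script (outside this hunk) should be checked for how it treats the hash node when an AEAD cipher is selected.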
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
index 05aa407..ba66828 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
@@ -1,8 +1,10 @@
 help: Encryption algorithm
 type: txt
 default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
+syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
 val_help: aes128; AES-128 encryption (default)
 val_help: aes256; AES-256 encryption
+val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
+val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
 val_help: 3des; 3DES encryption
 val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
-- cgit v1.2.3

From 1d0a489519e0f67985b5b92ebaf2723b826aef20 Mon Sep 17 00:00:00 2001
From: unixninja92
Date: Tue, 20 Feb 2018 20:52:19 -0500
Subject: Lowered minimum DPD interval and timeout as per T542
---
 .../ike-group/node.tag/dead-peer-detection/interval/node.def | 6 +++---
 .../ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def | 8 +++-----
 2 files changed, 6 insertions(+), 8 deletions(-)
(limited to 'templates/vpn/ipsec/ike-group')
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def
index 4fdebe9..e6175c9 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def
@@ -1,5 +1,5 @@
 help: Keep-alive interval
-type: u32
+type: u32
 default: 30
-syntax:expression: ($VAR(@) >= 15 && $VAR(@) <= 86400) ; "must be between 15-86400 seconds"
-val_help: u32:15-86400; Keep-alive interval in seconds (default 30)
+syntax:expression: ($VAR(@) >= 2 && $VAR(@) <= 86400) ; "must be between 2-86400 seconds"
+val_help: u32:2-86400; Keep-alive interval in seconds (default 30)
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
index 939be1c..3378cb5 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
@@ -1,7 +1,5 @@
 help: Keep-alive timeout
-type: u32
+type: u32
 default: 120
-syntax:expression: ($VAR(@) >= 30 && $VAR(@) <= 86400) ; "must be between 30-86400 seconds"
-val_help: u32:30-86400; Keep-alive timeout in seconds (default 120)
-
-
+syntax:expression: ($VAR(@) >= 10 && $VAR(@) <= 86400) ; "must be between 10-86400 seconds"
+val_help: u32:10-86400; Keep-alive timeout in seconds (default 120)
-- cgit v1.2.3

From 90daa5e2cf02ffd3fd5936b4f372f1e85ab62ef6 Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Sun, 3 Jun 2018 05:32:19 +0200
Subject: T674: set DH group default in IKE groups to 2.

Using the default: tag in the template for now, this issue should be addressed properly when we get to rewriting IPsec scripts.
---
 .../vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def | 1 +
 1 file changed, 1 insertion(+)
(limited to 'templates/vpn/ipsec/ike-group')
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
index 307dc09..32deb66 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
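Review bot: The interval and timeout nodes are each validated in isolation, so after lowering the floors to 2 and 10 seconds the template accepts a dead-peer-detection timeout that is equal to or shorter than the probe interval, a configuration that cannot behave as intended (whether the backend rejects it or silently tears down SAs is not visible in this hunk). Since a node.def syntax:expression cannot reference the sibling node, the cross-check belongs in the commit script, but the val_help lines should at least state the relationship, e.g. `val_help: u32:10-86400; Keep-alive timeout in seconds (default 120; should be larger than the keep-alive interval)`. The `-type: u32` / `+type: u32` pair in both hunks reads as a whitespace-only change; if that is all it is, keeping it out of a behavioural change makes the history easier to audit. A 2-second probe interval also means a liveness exchange every two seconds per tunnel, which is worth a short note in the commit message so the operational cost of the lower bound is recorded with the T542 rationale.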
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
@@ -1,5 +1,6 @@
 help: Diffie-Hellman (DH) key exchange group
 type: u32
+default: 2
 syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26"
 val_help: 2; DH group 2 (modp1024)
 val_help: 5; DH group 5 (modp1536)
-- cgit v1.2.3
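Review bot: The added `default: 2` makes DH group 2 (modp1024) the key-exchange group for every IKE group whose proposal does not set one explicitly, which is the weakest value the syntax:expression permits; 1024-bit MODP is below the strength generally accepted today, while the same expression already allows groups 14 through 26. If group 2 has to remain the default for compatibility, as the commit description's "for now" suggests, that should be stated in the template so operators see the trade-off when they read the help, e.g. `val_help: 2; DH group 2 (modp1024; default for compatibility only, group 14 or higher recommended)`. A follow-up that moves the default to 14 would align the template with the stronger groups it already accepts; the val_help lines for groups 14 and up are outside this hunk.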