]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - html/cgi-bin/ovpnmain.cgi
projects / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
OpenVPN: New AES-GCM cipher for N2N and RW
[ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 037894d50bf941d870e55e311932a71c04dbf94b..ff3d05509d5aa1443369298e5fa3dca235d069a9 100644 (file)
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -216,7 +216,7 @@ sub writeserverconf {
     print CONF "dev tun\n";
     print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
     print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
-    print CONF "script-security 3 system\n";
+    print CONF "script-security 3\n";
     print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
     print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
     print CONF "tls-server\n";
@@ -289,6 +289,7 @@ sub writeserverconf {
     }  
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
+    print CONF "ncp-disable\n";
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
     if ($sovpnsettings{'DAUTH'} eq '') {
         print CONF "";
@@ -969,12 +970,18 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
   print SERVERCONF "# Cipher\n"; 
   print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
-  if ($cgiparams{'DAUTH'} eq '') {
-       print SERVERCONF "auth SHA1\n";
+
+  # If GCM cipher is used, do not use --auth
+  if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+    print SERVERCONF unless "# HMAC algorithm\n";
+    print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
-       print SERVERCONF "# HMAC algorithm\n";
-       print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
+    print SERVERCONF "# HMAC algorithm\n";
+    print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
   }
+
   if ($cgiparams{'COMPLZO'} eq 'on') {
    print SERVERCONF "# Enable Compression\n";
    print SERVERCONF "comp-lzo\n";
@@ -1061,19 +1068,32 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
                }
         }
   }
-  print CLIENTCONF "ns-cert-type server\n";   
+  # Check host certificate if X509 is RFC3280 compliant.
+  # If not, old --ns-cert-type directive will be used.
+  # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+  my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+  if ($hostcert !~ /TLS Web Server Authentication/) {
+       print CLIENTCONF "ns-cert-type server\n";
+  } else {
+       print CLIENTCONF "remote-cert-tls server\n";
+  }
   print CLIENTCONF "# Auth. Client\n"; 
   print CLIENTCONF "tls-client\n"; 
   print CLIENTCONF "# Cipher\n"; 
   print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
   print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
-  if ($cgiparams{'DAUTH'} eq '') {
-       print CLIENTCONF "auth SHA1\n";
+
+  # If GCM cipher is used, do not use --auth
+  if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+    print CLIENTCONF unless "# HMAC algorithm\n";
+    print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
-       print CLIENTCONF "# HMAC algorithm\n";
-       print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
+    print CLIENTCONF "# HMAC algorithm\n";
+    print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
   }
+
   if ($cgiparams{'COMPLZO'} eq 'on') {
    print CLIENTCONF "# Enable Compression\n";
    print CLIENTCONF "comp-lzo\n";
@@ -1313,7 +1333,7 @@ END
                <form method='post'><input type='hidden' name='AREUSURE' value='yes' />
                <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
                        <select name='DHLENGHT'>
-                               <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
+                               <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'})</option>
                                <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
                                <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
                                <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
@@ -1995,7 +2015,7 @@ END
            </select></td>
        <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
                <td class='base'><select name='DHLENGHT'>
-                               <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'}</option>
+                               <option value='1024' $selected{'DHLENGHT'}{'1024'}>1024 $Lang::tr{'bit'} ($Lang::tr{'vpn weak'}</option>
                                <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
                                <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
                                <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
@@ -2173,7 +2193,15 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
                }
        }
    }
-   print CLIENTCONF "ns-cert-type server\n";   
+   # Check host certificate if X509 is RFC3280 compliant.
+   # If not, old --ns-cert-type directive will be used.
+   # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+   my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+   if ($hostcert !~ /TLS Web Server Authentication/) {
+               print CLIENTCONF "ns-cert-type server\n";
+   } else {
+               print CLIENTCONF "remote-cert-tls server\n";
+   }
    print CLIENTCONF "# Auth. Client\n"; 
    print CLIENTCONF "tls-client\n"; 
    print CLIENTCONF "# Cipher\n";
@@ -2182,13 +2210,18 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
         print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
      $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
    }
-   if ($confighash{$cgiparams{'KEY'}}[39] eq '') {
-       print CLIENTCONF "# HMAC algorithm\n";
-       print CLIENTCONF "auth SHA1\n";
+
+   # If GCM cipher is used, do not use --auth
+   if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+        print CLIENTCONF unless "# HMAC algorithm\n";
+        print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
    } else {
-   print CLIENTCONF "# HMAC algorithm\n";
-   print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
+        print CLIENTCONF "# HMAC algorithm\n";
+        print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
    }
+
    if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
    print CLIENTCONF "# Enable Compression\n";
    print CLIENTCONF "comp-lzo\n";
@@ -2332,7 +2365,15 @@ else
         print CLIENTCONF "comp-lzo\r\n";
     }
     print CLIENTCONF "verb 3\r\n";
-    print CLIENTCONF "ns-cert-type server\r\n";
+       # Check host certificate if X509 is RFC3280 compliant.
+       # If not, old --ns-cert-type directive will be used.
+       # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
+       my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
+       if ($hostcert !~ /TLS Web Server Authentication/) {
+               print CLIENTCONF "ns-cert-type server\r\n";
+       } else {
+               print CLIENTCONF "remote-cert-tls server\r\n";
+       }
     print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
     if ($vpnsettings{MSSFIX} eq 'on') {
        print CLIENTCONF "mssfix\r\n";
@@ -2631,7 +2672,7 @@ ADV_ERROR:
                $cgiparams{'PMTU_DISCOVERY'} = 'off';
     }
     if ($cgiparams{'DAUTH'} eq '') {
-               $cgiparams{'DAUTH'} = 'SHA1';
+               $cgiparams{'DAUTH'} = 'SHA512';
     }
     if ($cgiparams{'TLSAUTH'} eq '') {
                $cgiparams{'TLSAUTH'} = 'off';
@@ -2821,7 +2862,7 @@ print <<END;
                                <option value='SHA512'                  $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
                                <option value='SHA384'                  $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
                                <option value='SHA256'                  $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
-                               <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'})</option>
+                               <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
                        </select>
                </td>
                <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
@@ -4454,7 +4495,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
         $cgiparams{'MSSFIX'} = 'on';
         $cgiparams{'FRAGMENT'} = '1300';
        $cgiparams{'PMTU_DISCOVERY'} = 'off';
-       $cgiparams{'DAUTH'} = 'SHA1';
+       $cgiparams{'DAUTH'} = 'SHA512';
 ###
 # m.a.d n2n end
 ###    
@@ -4520,6 +4561,9 @@ if ($cgiparams{'TYPE'} eq 'net') {
     }
     $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
 
+    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -4605,6 +4649,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
            } else {
                print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
            }
+
+               # If GCM ciphers are in usage, HMAC menu is disabled
+               my $hmacdisabled;
+               if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
+                       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
+                       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+                               $hmacdisabled = "disabled='disabled'";
+               };
+
            print <<END;
                    <td width='25%'>&nbsp;</td>
                    <td width='25%'>&nbsp;</td></tr>    
@@ -4683,29 +4736,32 @@ if ($cgiparams{'TYPE'} eq 'net') {
        </tr>
 
        <tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
-               <td><select name='DCIPHER'>
+               <td><select name='DCIPHER'  id="n2ncipher" required>
+                               <option value='AES-256-GCM'             $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+                               <option value='AES-192-GCM'             $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+                               <option value='AES-128-GCM'             $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
                                <option value='CAMELLIA-256-CBC'        $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
                                <option value='CAMELLIA-192-CBC'        $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
                                <option value='CAMELLIA-128-CBC'        $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
                                <option value='AES-256-CBC'             $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
                                <option value='AES-192-CBC'             $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
                                <option value='AES-128-CBC'             $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-                               <option value='DES-EDE3-CBC'            $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'})</option>
-                               <option value='DESX-CBC'                $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
-                               <option value='SEED-CBC'                $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-                               <option value='DES-EDE-CBC'             $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
-                               <option value='BF-CBC'                  $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
-                               <option value='CAST5-CBC'               $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
+                               <option value='SEED-CBC'                        $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
+                               <option value='DES-EDE3-CBC'            $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+                               <option value='DESX-CBC'                        $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+                               <option value='DES-EDE-CBC'             $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+                               <option value='BF-CBC'                          $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+                               <option value='CAST5-CBC'                       $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
                        </select>
                </td>
 
                <td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
-               <td><select name='DAUTH'>
+               <td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
                                <option value='whirlpool'               $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
                                <option value='SHA512'                  $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
                                <option value='SHA384'                  $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
                                <option value='SHA256'                  $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
-                               <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'} Default)</option>
+                               <option value='SHA1'                    $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
                        </select>
                </td>
        </tr>
@@ -4714,6 +4770,22 @@ if ($cgiparams{'TYPE'} eq 'net') {
 END
 ;
        }
+
+#### JAVA SCRIPT ####
+# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
+print<<END;
+       <script>
+               var disable_options = false;
+               document.getElementById('n2ncipher').onchange = function () {
+                       if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+                               document.getElementById('n2nhmac').setAttribute('disabled', true);
+                       } else {
+                               document.getElementById('n2nhmac').removeAttribute('disabled');
+                       }
+               }
+       </script>
+END
+
 #jumper
        print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
        print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
@@ -4952,6 +5024,35 @@ END
                }
                if ($set == '1' && $#temp != -1){ print"<option selected>$temp[1]</option>";$set=0;}elsif($set == '0' && $#temp != -1){print"<option>$temp[1]</option>";}
        }       
+
+       my %vpnconfig = ();
+       &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
+       foreach my $vpn (keys %vpnconfig) {
+               # Skip all disabled VPN connections
+               my $enabled = $vpnconfig{$vpn}[0];
+               next unless ($enabled eq "on");
+
+               my $name = $vpnconfig{$vpn}[1];
+
+               # Remote subnets
+               my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
+               foreach my $network (@networks) {
+                       my $selected = "";
+
+                       foreach my $key (keys %ccdroute2hash) {
+                               if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
+                                       foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
+                                               if ($ccdroute2hash{$key}[$i] eq $network) {
+                                                       $selected = "selected";
+                                               }
+                                       }
+                               }
+                       }
+
+                       print "<option value=\"$network\" $selected>$name ($network)</option>\n";
+               }
+       }
+
        #check if green,blue,orange are defined for client
        foreach my $key (keys %ccdroute2hash) {
                if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
@@ -5037,7 +5138,7 @@ END
                $cgiparams{'MSSFIX'} = 'off';
     }
        if ($cgiparams{'DAUTH'} eq '') {
-               $cgiparams{'DAUTH'} = 'SHA1';
+               $cgiparams{'DAUTH'} = 'SHA512';
     }
     if ($cgiparams{'DOVPN_SUBNET'} eq '') {
                $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
@@ -5056,6 +5157,9 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
+    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
+    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
     $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
@@ -5152,18 +5256,21 @@ END
 
                <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
                <td><select name='DCIPHER'>
+                               <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+                               <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+                               <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
                                <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
                                <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
                                <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
                                <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
                                <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
                                <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-                               <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'})</option>
-                               <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'})</option>
                                <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-                               <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'})</option>
-                               <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'})</option>
-                               <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'})</option>
+                               <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+                               <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+                               <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+                               <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+                               <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
                        </select>
                </td>
     <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
IPFire 2.x development tree