} else {
print CONF "\tauto=start\n";
}
+
+ # Fragmentation
+ print CONF "\tfragmentation=yes\n";
+
print CONF "\n";
}#foreach key
print SECRETS $last_secrets if ($last_secrets);
if (!$errormessage) {
&General::log("ipsec", "Creating cacert...");
if (open(STDIN, "-|")) {
- my $opt = " req -x509 -nodes -rand /proc/interrupts:/proc/net/rt_cache";
+ my $opt = " req -x509 -sha256 -nodes";
$opt .= " -days 999999";
- $opt .= " -newkey rsa:2048";
+ $opt .= " -newkey rsa:4096";
$opt .= " -keyout ${General::swroot}/private/cakey.pem";
$opt .= " -out ${General::swroot}/ca/cacert.pem";
if (!$errormessage) {
&General::log("ipsec", "Creating host cert...");
if (open(STDIN, "-|")) {
- my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
- $opt .= " -newkey rsa:1024";
+ my $opt = " req -sha256 -nodes";
+ $opt .= " -newkey rsa:2048";
$opt .= " -keyout ${General::swroot}/certs/hostkey.pem";
$opt .= " -out ${General::swroot}/certs/hostreq.pem";
$errormessage = &callssl ($opt);
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
close ($fh);
- my $opt = " ca -days 999999";
+ my $opt = " ca -md sha256 -days 999999";
$opt .= " -batch -notext";
$opt .= " -in ${General::swroot}/certs/hostreq.pem";
$opt .= " -out ${General::swroot}/certs/hostcert.pem";
# Sign the certificate request
&General::log("ipsec", "Signing your cert $cgiparams{'NAME'}...");
- my $opt = " ca -days 999999";
+ my $opt = " ca -md sha256 -days 999999";
$opt .= " -batch -notext";
$opt .= " -in $filename";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
(my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
(my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
- # Create the Host certificate request
+ # Create the Client certificate request
&General::log("ipsec", "Creating a cert...");
if (open(STDIN, "-|")) {
my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache";
- $opt .= " -newkey rsa:1024";
+ $opt .= " -newkey rsa:2048";
$opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
exit (0);
}
- # Sign the host certificate request
+ # Sign the client certificate request
&General::log("ipsec", "Signing the cert $cgiparams{'NAME'}...");
#No easy way for specifying the contain of subjectAltName without writing a config file...
basicConstraints=CA:FALSE
nsComment="OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
+ extendedKeyUsage=clientAuth
authorityKeyIdentifier=keyid,issuer:always
END
;
print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'});
close ($fh);
- my $opt = " ca -days 999999 -batch -notext";
+ my $opt = " ca -md sha256 -days 999999 -batch -notext";
$opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem";
$opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
$opt .= " -extfile $v3extname";
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha2_256|sha|md5'; #[19];
+ $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64'; #[18];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19];
$cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
$cgiparams{'IKE_LIFETIME'} = '3'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|3des'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha2_256|sha1|md5'; #[22];
+ $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes192|aes128|aes256gcm128|aes192gcm128|aes128gcm128|aes256gcm96|aes192gcm96|aes128gcm96|aes256gcm64|aes192gcm64|aes128gcm64'; #[21];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
$cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
$cgiparams{'COMPRESSION'} = 'on'; #[13];
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha|md5|aesxcbc)$/) {
+ if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(aes256|aes192|aes128|3des|camellia256|camellia192|camellia128)$/) {
+ if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
goto ADVANCED_ERROR;
}
foreach my $val (@temp) {
- if ($val !~ /^(sha2_512|sha2_384|sha2_256|sha1|md5|aesxcbc)$/) {
+ if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) {
$errormessage = $Lang::tr{'invalid input'};
goto ADVANCED_ERROR;
}
$checked{'IKE_ENCRYPTION'}{'aes256'} = '';
$checked{'IKE_ENCRYPTION'}{'aes192'} = '';
$checked{'IKE_ENCRYPTION'}{'aes128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = '';
+ $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = '';
$checked{'IKE_ENCRYPTION'}{'3des'} = '';
$checked{'IKE_ENCRYPTION'}{'camellia256'} = '';
$checked{'IKE_ENCRYPTION'}{'camellia192'} = '';
$checked{'ESP_ENCRYPTION'}{'aes256'} = '';
$checked{'ESP_ENCRYPTION'}{'aes192'} = '';
$checked{'ESP_ENCRYPTION'}{'aes128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = '';
+ $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = '';
$checked{'ESP_ENCRYPTION'}{'3des'} = '';
$checked{'ESP_ENCRYPTION'}{'camellia256'} = '';
$checked{'ESP_ENCRYPTION'}{'camellia192'} = '';
<td class='boldbase' width="15%">$Lang::tr{'encryption'}</td>
<td class='boldbase'>
<select name='IKE_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
- <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
- <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>AES (192 bit)</option>
- <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
- <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>3DES</option>
- <option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>Camellia (256 bit)</option>
- <option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>Camellia (192 bit)</option>
- <option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>Camellia (128 bit)</option>
+ <option value='aes256' $checked{'IKE_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
+ <option value='aes192' $checked{'IKE_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
+ <option value='aes128' $checked{'IKE_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
+ <option value='aes256gcm128' $checked{'IKE_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
+ <option value='aes192gcm128' $checked{'IKE_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+ <option value='aes128gcm128' $checked{'IKE_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+ <option value='aes256gcm96' $checked{'IKE_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
+ <option value='aes192gcm96' $checked{'IKE_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+ <option value='aes128gcm96' $checked{'IKE_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+ <option value='aes256gcm64' $checked{'IKE_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
+ <option value='aes192gcm64' $checked{'IKE_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+ <option value='aes128gcm64' $checked{'IKE_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+ <option value='3des' $checked{'IKE_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+ <option value='camellia256' $checked{'IKE_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+ <option value='camellia192' $checked{'IKE_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+ <option value='camellia128' $checked{'IKE_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
</select>
</td>
<td class='boldbase'>
<select name='ESP_ENCRYPTION' multiple='multiple' size='6' style='width: 100%'>
- <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>AES (256 bit)</option>
- <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>AES (192 bit)</option>
- <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>AES (128 bit)</option>
- <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>3DES</option>
- <option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>Camellia (256 bit)</option>
- <option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>Camellia (192 bit)</option>
- <option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>Camellia (128 bit)</option>
+ <option value='aes256' $checked{'ESP_ENCRYPTION'}{'aes256'}>256 bit AES-CBC</option>
+ <option value='aes192' $checked{'ESP_ENCRYPTION'}{'aes192'}>192 bit AES-CBC</option>
+ <option value='aes128' $checked{'ESP_ENCRYPTION'}{'aes128'}>128 bit AES-CBC</option>
+ <option value='aes256gcm128' $checked{'ESP_ENCRYPTION'}{'aes256gcm128'}>256 bit AES-GCM/128 bit ICV</option>
+ <option value='aes192gcm128' $checked{'ESP_ENCRYPTION'}{'aes192gcm128'}>192 bit AES-GCM/128 bit ICV</option>
+ <option value='aes128gcm128' $checked{'ESP_ENCRYPTION'}{'aes128gcm128'}>128 bit AES-GCM/128 bit ICV</option>
+ <option value='aes256gcm96' $checked{'ESP_ENCRYPTION'}{'aes256gcm96'}>256 bit AES-GCM/96 bit ICV</option>
+ <option value='aes192gcm96' $checked{'ESP_ENCRYPTION'}{'aes192gcm96'}>192 bit AES-GCM/96 bit ICV</option>
+ <option value='aes128gcm96' $checked{'ESP_ENCRYPTION'}{'aes128gcm96'}>128 bit AES-GCM/96 bit ICV</option>
+ <option value='aes256gcm64' $checked{'ESP_ENCRYPTION'}{'aes256gcm64'}>256 bit AES-GCM/64 bit ICV</option>
+ <option value='aes192gcm64' $checked{'ESP_ENCRYPTION'}{'aes192gcm64'}>192 bit AES-GCM/64 bit ICV</option>
+ <option value='aes128gcm64' $checked{'ESP_ENCRYPTION'}{'aes128gcm64'}>128 bit AES-GCM/64 bit ICV</option>
+ <option value='3des' $checked{'ESP_ENCRYPTION'}{'3des'}>168 bit 3DES-EDE-CBC</option>
+ <option value='camellia256' $checked{'ESP_ENCRYPTION'}{'camellia256'}>256 bit Camellia-CBC</option>
+ <option value='camellia192' $checked{'ESP_ENCRYPTION'}{'camellia192'}>192 bit Camellia-CBC</option>
+ <option value='camellia128' $checked{'ESP_ENCRYPTION'}{'camellia128'}>128 bit Camellia-CBC</option>
</select>
</td>
</tr>