From: Michael Tremer Date: Sun, 23 Sep 2018 23:21:45 +0000 (+0200) Subject: ipsec: security policies: system: Order by complexity X-Git-Tag: 010~1 X-Git-Url: http://git.ipfire.org/?p=network.git;a=commitdiff_plain;h=b42f9c63c232257edccf61638aaff2a37af2208a ipsec: security policies: system: Order by complexity strongswan uses the cipher suites in the order as listed by first match instead of complexity. This patch re-orders them so that maximum complexity is tried first and everything else after. Signed-off-by: Michael Tremer
---
diff --git a/config/vpn/security-policies/system b/config/vpn/security-policies/system
index 8fdfe9a0..db30e69c 100644
--- a/config/vpn/security-policies/system
+++ b/config/vpn/security-policies/system
@@ -1,7 +1,7 @@
 KEY_EXCHANGE="ikev2"
-CIPHERS="CHACHA20-POLY1305 AES256-GCM128 AES192-GCM128 AES128-GCM128 AES256-CBC AES192-CBC AES128-CBC"
+CIPHERS="CHACHA20-POLY1305 AES256-GCM128 AES256-CBC AES192-GCM128 AES192-CBC AES128-GCM128 AES128-CBC"
 INTEGRITIES="SHA512 SHA384 SHA256"
-GROUP_TYPES="MODP8192 MODP6144 MODP4096 MODP2048 ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
+GROUP_TYPES="CURVE25519 ECP521 ECP384 ECP256 ECP224 ECP192 MODP8192 MODP6144 MODP4096 MODP2048"
 PSEUDO_RANDOM_FUNCTIONS="SHA512 SHA384 SHA256"
 LIFETIME="28800"
 PFS="on"
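Review bot: The new `GROUP_TYPES` line places `ECP224` and `ECP192` ahead of every MODP group, which does not match the stated goal of trying the strongest option first. ECP192 and ECP224 are commonly rated at roughly 96 and 112 bits of strength, below MODP4096 and larger. If selection is by first match, as the description says, a peer offering both ECP192 and MODP8192 would end up on ECP192. Moving the two small curves to the tail would fix this, e.g. `GROUP_TYPES="CURVE25519 ECP521 ECP384 ECP256 MODP8192 MODP6144 MODP4096 MODP2048 ECP224 ECP192"`, or they could be dropped from the system policy. In `CIPHERS`, `AES256-CBC` now outranks `AES192-GCM128` and `AES128-GCM128`, so key length is preferred over AEAD; if that is deliberate, a comment above the line such as `# ordered by key length first, AEAD before CBC within the same key length` would record the rule.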