+
+ # Delete cache
+ rm -rf "${NETWORK_CACHE_DIR}/vpn/security-policies/${name}"
+ done
+}
+
+vpn_security_policies_cipher_supported() {
+ local cipher=${1}
+
+ list_match ${cipher} ${!VPN_SUPPORTED_CIPHERS[@]}
+}
+
+
+vpn_security_policies_group_type_supported() {
+ local group_type=${1}
+
+ list_match ${group_type} ${!VPN_SUPPORTED_GROUP_TYPES[@]}
+}
+
+vpn_security_policies_integrity_supported() {
+ local integrity=${1}
+
+ list_match ${integrity} ${!VPN_SUPPORTED_INTEGRITIES[@]}
+}
+
+vpn_security_policies_pseudo_random_function_supported() {
+ local prf="${1}"
+
+ list_match "${prf}" ${!VPN_SUPPORTED_PSEUDO_RANDOM_FUNCTIONS[@]}
+}
+
+vpn_security_policies_cipher_is_aead() {
+ local cipher=${1}
+
+ # All CCM and GCM ciphers are AEAD
+ if string_match "[CG]CM" "${cipher}"; then
+ return ${EXIT_TRUE}
+ fi
+
+ # Poly1305 is AEAD
+ if string_match "POLY1305" "${cipher}"; then
+ return ${EXIT_TRUE}
+ fi
+
+ return ${EXIT_FALSE}
+}
+
+vpn_security_policies_make_ike_proposal() {
+ local name=${1}
+
+ if ! vpn_security_policy_exists ${name}; then
+ return ${EXIT_ERROR}
+ fi
+
+ local config_path="$(vpn_security_policies_path ${name})"
+ local cache_path="${NETWORK_CACHE_DIR}/vpn/security-policies/${name}/ike-proposal"
+
+ # Get data from cache if possible
+ if file_exists "${cache_path}" && ! file_is_newer_than "${config_path}" "${cache_path}"; then
+ fread "${cache_path}"
+ return ${EXIT_OK}
+ fi
+
+ # No or invalid cache data found
+ local proposal=$(_vpn_security_policies_make_ike_proposal "${name}")
+
+ # Write proposal to cache
+ if ! make_parent_directory "${cache_path}" || ! fwrite "${cache_path}" "${proposal}"; then
+ log WARNING "Could not write to cache: ${cache_path}"
+ fi
+
+ print "${proposal}"
+}
+
+_vpn_security_policies_make_ike_proposal() {
+ local name=${1}
+
+ # Read the config settings
+ local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
+ if ! vpn_security_policies_read_config "${name}"; then
+ return ${EXIT_ERROR}
+ fi
+
+ local proposals
+
+ local cipher
+ for cipher in ${CIPHER}; do
+ # Translate cipher
+ local _cipher=${CIPHER_TO_STRONGSWAN[${cipher}]}
+
+ if ! isset _cipher; then
+ log WARN "Unsupported cipher: ${cipher}"
+ continue
+ fi
+
+ if vpn_security_policies_cipher_is_aead "${cipher}"; then
+ local prf
+ for prf in ${PSEUDO_RANDOM_FUNCTIONS}; do
+ local _prf="${PSEUDO_RANDOM_FUNCTION_TO_STRONGSWAN[${prf}]}"
+
+ if ! isset _prf; then
+ log WARN "Unsupported pseudo random function: ${prf}"
+ continue
+ fi
+
+ local group_type
+ for group_type in ${GROUP_TYPE}; do
+ local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+
+ if ! isset _group_type; then
+ log WARN "Unsupported group-type: ${group_type}"
+ continue
+ fi
+
+ # Put everything together
+ list_append proposals "${_cipher}-${_prf}-${_group_type}"
+ done
+ done
+ else
+ local integrity
+ for integrity in ${INTEGRITIES}; do
+ local _integrity=${INTEGRITY_TO_STRONGSWAN[${integrity}]}
+
+ if ! isset _integrity; then
+ log WARN "Unsupported integrity: ${integrity}"
+ continue
+ fi
+
+ local group_type
+ for group_type in ${GROUP_TYPE}; do
+ local _group_type=${GROUP_TYPE_TO_STRONGSWAN[${group_type}]}
+
+ if ! isset _group_type; then
+ log WARN "Unsupported group-type: ${group_type}"
+ continue
+ fi
+
+ # Put everything together
+ list_append proposals "${_cipher}-${_integrity}-${_group_type}"
+ done
+ done
+ fi