ipsec: security policies: system: Order by complexity
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 23 Sep 2018 23:21:45 +0000 (01:21 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 23 Sep 2018 23:23:15 +0000 (01:23 +0200)
strongswan selects cipher suites by first match in the order
listed, not by complexity. This patch re-orders them so that
maximum complexity is tried first and everything else after.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
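--- a/config/vpn/security-policies/system
+++ b/config/vpn/security-policies/system
@@ -1,7 +1,7 @@
 KEY_EXCHANGE="ikev2"
-CIPHERS="CHACHA20-POLY1305 AES256-GCM128 AES192-GCM128 AES128-GCM128 AES256-CBC AES192-CBC AES128-CBC"
+CIPHERS="CHACHA20-POLY1305 AES256-GCM128 AES256-CBC AES192-GCM128 AES192-CBC AES128-GCM128 AES128-CBC"
 INTEGRITIES="SHA512 SHA384 SHA256"
-GROUP_TYPES="MODP8192 MODP6144 MODP4096 MODP2048 ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
+GROUP_TYPES="CURVE25519 ECP521 ECP384 ECP256 ECP224 ECP192 MODP8192 MODP6144 MODP4096 MODP2048"
 PSEUDO_RANDOM_FUNCTIONS="SHA512 SHA384 SHA256"
 LIFETIME="28800"
 PFS="on"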
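Review bot: In the new GROUP_TYPES line, ECP224 and ECP192 are now listed ahead of MODP8192, MODP6144 and MODP4096, so under the first-match selection the commit message describes, a negotiation can settle on a 192-bit curve (roughly 96-bit strength) while a considerably stronger MODP group is still on offer. That runs against the stated goal of trying maximum complexity first. Consider moving the two small curves to the end, `GROUP_TYPES="CURVE25519 ECP521 ECP384 ECP256 MODP8192 MODP6144 MODP4096 MODP2048 ECP224 ECP192"`, or dropping ECP192 if peer interoperability allows. In CIPHERS the same key-size ordering places AES256-CBC ahead of the AEAD suites AES192-GCM128 and AES128-GCM128. If the file format accepts comments, a line such as `# ordered by key length first, AEAD before CBC within each length` above CIPHERS would record that this is deliberate.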