From 5e84cd416531c852763b04fed36f1bb8158df35b Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 19 Jul 2017 21:04:26 +0200
Subject: [PATCH] security-polices: Create a system policy

Signed-off-by: Michael Tremer
---
 Makefile.am | 10 ++++++++++
 config/vpn/security-policies/system | 7 +++++++
 2 files changed, 17 insertions(+)
 create mode 100644 config/vpn/security-policies/system

diff --git a/Makefile.am b/Makefile.am
index caaba382..560b65c9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -32,6 +32,7 @@ bashcompletiondir= $(datadir)/bash-completion/completions
 libexecdir = $(prefix)/lib
 pkgconfigdatadir = $(datadir)/pkgconfig
 pppdir = $(sysconfdir)/ppp
+systemconfigdir = $(datadir)/network
 sysctldir = $(prefix)/lib/sysctl.d
 tmpfilesdir = $(prefix)/lib/tmpfiles.d
 udevrulesdir = $(udevdir)/rules.d
@@ -273,6 +274,15 @@ EXTRA_DIST += \
 
 # ------------------------------------------------------------------------------
 
+systemconfig_vpndir = $(systemconfigdir)/vpn
+
+dist_systemconfig_vpn_security_policies_DATA = \
+ config/vpn/security-policies/system
+
+systemconfig_vpn_security_policiesdir = $(systemconfig_vpndir)/security-policies
+
+# ------------------------------------------------------------------------------
+
 dist_sysctl_DATA = \
 src/sysctl/network.conf
 
diff --git a/config/vpn/security-policies/system b/config/vpn/security-policies/system
new file mode 100644
index 00000000..accf8a2c
--- /dev/null
+++ b/config/vpn/security-policies/system
@@ -0,0 +1,7 @@
+KEY_EXCHANGE="ikev2"
+CIPHER="AES256-GCM128 AES192-GCM128 AES128-GCM128 AES256-CBC AES192-CBC AES128-CBC"
+INTEGRITY="SHA512 SHA384 SHA256"
+GROUP_TYPE="MODP8192 MODP4096 MODP2048"
+LIFETIME="28800"
+PFS="on"
+COMPRESSION="on"
-- 
2.39.2
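Review bot: `COMPRESSION="on"` in the new `config/vpn/security-policies/system` enables payload compression for every tunnel that takes this policy, and compressing before encryption makes ciphertext length depend on plaintext content, a known side channel when an attacker can influence part of the tunnelled traffic. Unless a peer requires it, `COMPRESSION="off"` is the safer shipped default, leaving compression as an explicit per-connection choice. The file would also benefit from `#` comments (assuming the parser accepts them) stating the unit of `LIFETIME="28800"` and that `INTEGRITY` presumably applies only to the CBC entries of `CIPHER`, since the GCM entries are AEAD. How the consumer pairs the two lists is not visible in this patch.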