From b42f9c63c232257edccf61638aaff2a37af2208a Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 24 Sep 2018 01:21:45 +0200
Subject: [PATCH] ipsec: security policies: system: Order by complexity

strongswan uses the cipher suites in the order as listed by first match instead of complexity. This patch re-orders them so that maximum complexity is tried first and everything else after.

Signed-off-by: Michael Tremer
---
 config/vpn/security-policies/system | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/vpn/security-policies/system b/config/vpn/security-policies/system
index 8fdfe9a0..db30e69c 100644
--- a/config/vpn/security-policies/system
+++ b/config/vpn/security-policies/system
@@ -1,7 +1,7 @@
 KEY_EXCHANGE="ikev2"
-CIPHERS="CHACHA20-POLY1305 AES256-GCM128 AES192-GCM128 AES128-GCM128 AES256-CBC AES192-CBC AES128-CBC"
+CIPHERS="CHACHA20-POLY1305 AES256-GCM128 AES256-CBC AES192-GCM128 AES192-CBC AES128-GCM128 AES128-CBC"
 INTEGRITIES="SHA512 SHA384 SHA256"
-GROUP_TYPES="MODP8192 MODP6144 MODP4096 MODP2048 ECP521 ECP384 ECP256 ECP224 ECP192 CURVE25519"
+GROUP_TYPES="CURVE25519 ECP521 ECP384 ECP256 ECP224 ECP192 MODP8192 MODP6144 MODP4096 MODP2048"
 PSEUDO_RANDOM_FUNCTIONS="SHA512 SHA384 SHA256"
 LIFETIME="28800"
 PFS="on"
-- 
2.47.2
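Review bot: The new GROUP_TYPES line places ECP224 and ECP192 ahead of every MODP group, so under the first-match selection the commit message describes, a peer that supports both ECP192 and MODP4096 would presumably settle on the 192-bit curve, whose estimated strength (roughly 96 bits) is below that of the larger MODP groups. That does not match the stated intent of trying maximum complexity first; moving the two small curves to the end would: `GROUP_TYPES="CURVE25519 ECP521 ECP384 ECP256 MODP8192 MODP6144 MODP4096 MODP2048 ECP224 ECP192"`. The new CIPHERS line has a related ordering question, since AES256-CBC is now preferred over the AEAD suites AES192-GCM128 and AES128-GCM128 on key length alone. If that is deliberate and the file format accepts comments, a line such as `# ordered by key length, not by mode; CBC suites depend on INTEGRITIES for authentication` above CIPHERS would record the decision.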