diff --git a/docs/clients-zh.md b/docs/clients-zh.md
index 1c25a600cf..b851be4244 100644
--- a/docs/clients-zh.md
+++ b/docs/clients-zh.md
@@ -221,7 +221,7 @@ Windows Phone 8.1 及以上版本用户可以尝试按照 参见)。如果仍然无法连接,请尝试下一步。
-1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `phase2alg=...` 一行并在末尾加上 `,aes256-sha2_256` 字样。保存修改并运行 `service ipsec restart`。
+1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。找到 `sha2-truncbug` 一行并将它的值在 `yes` 和 `no` 之间切换。保存修改并运行 `service ipsec restart` (参见)
diff --git a/docs/clients.md b/docs/clients.md
index d62f84d409..64484d2116 100644
--- a/docs/clients.md
+++ b/docs/clients.md
@@ -221,7 +221,7 @@ To fix this error, please follow these steps:
### Windows 10 version 1803
-If you are unable to connect using Windows 10 version 1803 or above, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Then find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`.
+If you are unable to connect using Windows 10 version 1803 or above: Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart`.
Also, after upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix for [Windows Error 809](#windows-error-809) and reboot.
@@ -231,11 +231,10 @@ OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but y
### Android 6 and above
-If you are unable to connect using Android 6 or above, try these steps in order:
+If you are unable to connect using Android 6 or above:
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step.
-1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (Ref). If still unable to connect, try the next step.
-1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes256-sha2_256` at the end. Save the file and run `service ipsec restart`.
+1. Edit `/etc/ipsec.conf` on the VPN server. Find the line `sha2-truncbug` and toggle its value (between `yes` and `no`). Save the file and run `service ipsec restart` (Ref).
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 06c0b834b9..4e667fdb2e 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -56,8 +56,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
ikev2=insist
rekey=no
fragmentation=yes
- ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
- phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+ phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
EOF
```
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 0699e81a48..816d241d6a 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -56,8 +56,8 @@ Before continuing, make sure you have successfully /dev/null | grep -qF "$SWAN_VER"; then
fi
# Update ipsec.conf
-IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
-PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512"
+IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
+PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
if uname -m | grep -qi '^arm'; then
- PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null"
+ PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
fi
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
+ -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 230b4f092a..ea85036ee8 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -120,20 +120,19 @@ NOTE: Libreswan versions 3.19 and newer require some configuration changes.
1. Replace "auth=esp" with "phase2=esp"
2. Replace "forceencaps=yes" with "encapsulation=yes"
- 3. Consolidate VPN ciphers for "ike=" and "phase2alg=",
- re-add "MODP1024" to the list of allowed "ike=" ciphers,
- which was removed from the defaults in Libreswan 3.19
+ 3. Optimize VPN ciphers for "ike=" and "phase2alg="
+ 4. Replace "sha2-truncbug=yes" with "sha2-truncbug=no"
EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF'
- 4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
+ 5. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF
fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF'
- 4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
+ 5. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF
fi
@@ -217,12 +216,13 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf
-IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
-PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512"
+IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
+PHASE2_NEW=" phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
+ -e "s/^[[:space:]]\+sha2-truncbug=yes\$/ sha2-truncbug=no/g" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 885f58831a..eea63b89de 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -258,9 +258,9 @@ conn shared
dpddelay=30
dpdtimeout=120
dpdaction=clear
- ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
- phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512
- sha2-truncbug=yes
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+ phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+ sha2-truncbug=no
conn l2tp-psk
auto=add
@@ -288,7 +288,7 @@ conn xauth-psk
EOF
if uname -m | grep -qi '^arm'; then
- sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
+ sed -i '/phase2alg/s/,aes256-sha2_512,aes128-sha2_512//' /etc/ipsec.conf
fi
# Specify IPsec PSK
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 783e137cc6..964b17d270 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -245,9 +245,9 @@ conn shared
dpddelay=30
dpdtimeout=120
dpdaction=clear
- ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
- phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes_gcm-null,aes256-sha2_512
- sha2-truncbug=yes
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+ phase2alg=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+ sha2-truncbug=no
conn l2tp-psk
auto=add