From 95bcadb2c2ff0061e36bf4dc5391429ccb61a644 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Wed, 23 May 2018 19:54:37 -0500
Subject: [PATCH] Improve VPN ciphers

- Add back aes256-sha2_512 to phase2alg, required on some Android systems
- Fixes #391

---
 extras/vpnupgrade.sh | 5 ++++-
 extras/vpnupgrade_centos.sh | 2 +-
 vpnsetup.sh | 6 +++++-
 vpnsetup_centos.sh | 2 +-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index b7165d7468..7d601a4fd2 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -162,7 +162,10 @@ fi
 # Update ipsec.conf for Libreswan 3.19 and newer
 IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
-PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
+PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
+if uname -m | grep -qi '^arm'; then
+ PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
+fi
 sed -i".old-$(date +%F-%T)" \
 -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
 -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 727051ebc3..205599aab7 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -166,7 +166,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 # Update ipsec.conf for Libreswan 3.19 and newer
 IKE_NEW=" ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
-PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2"
+PHASE2_NEW=" phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
 sed -i".old-$(date +%F-%T)" \
 -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/" \
 -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/" \
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 2339dddcfb..9be9d09ab1 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
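Review bot: The new guard `if uname -m | grep -qi '^arm'; then` matches 32-bit machine strings such as armv7l but not `aarch64`, which is what a 64-bit ARM kernel reports, so those systems keep aes256-sha2_512 in PHASE2_NEW. If the exclusion is meant for ARM builds in general, the pattern should probably be `grep -qiE '^(arm|aarch64)'`; if 64-bit ARM is known to negotiate the suite, that fact is worth recording so the next maintainer does not "fix" it. Neither the hunk nor the commit message says why ARM is excluded, so a comment above the if along the lines of `# aes256-sha2_512 is excluded on ARM systems (reason: <fill in>)` would help. The same test appears in vpnsetup.sh at @@ -291,6 +291,10 and should be treated the same way.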
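Review bot: PHASE2_NEW here gains aes256-sha2_512 unconditionally, whereas the non-CentOS variant in extras/vpnupgrade.sh in the same commit wraps the identical change in an ARM check and falls back to the old list. If this script is only ever run on x86 CentOS/RHEL hosts that is fine, but nothing in the hunk says so; either mirror the `if uname -m | grep -qi '^arm'` fallback here, or add a comment such as `# No ARM exclusion: this script targets x86 CentOS/RHEL only` so the asymmetry reads as deliberate rather than an omission. The diffstat shows vpnsetup_centos.sh with the same one-line +/- shape, so the same question presumably applies there.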
@@ -258,7 +258,7 @@ conn shared
 dpdtimeout=120
 dpdaction=clear
 ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024
- phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2
+ phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512
 sha2-truncbug=yes
 
 conn l2tp-psk
@@ -291,6 +291,10 @@ if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then
 check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
 fi
 
+if uname -m | grep -qi '^arm'; then
+ sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf
+fi
+
 # Specify IPsec PSK
 conf_bk "/etc/ipsec.secrets"
 cat > /etc/ipsec.secrets <
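Review bot: The ARM handling in this hunk writes the full cipher list into /etc/ipsec.conf and then strips it back out with `sed -i '/phase2alg/s/,aes256-sha2_512//' /etc/ipsec.conf`, while extras/vpnupgrade.sh in the same commit chooses the list up front via a variable. The post-hoc edit is far from the `conn shared` block it modifies (the @@ -258,7 +258,7 hunk above), so a reader of that heredoc cannot tell the line may differ on the installed system; consider selecting the phase2alg value before the heredoc is written, as the upgrade script does, or at least leaving a comment at the heredoc such as `# phase2alg is trimmed for ARM systems below`. The `/phase2alg/` address is also unanchored and rewrites any line containing that word, which is harmless for the file as generated here but would be safer as `/^[[:space:]]*phase2alg=/` if the template ever gains comments. The hunk's last line (`cat > /etc/ipsec.secrets <`) is cut off at the end of the visible source.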