From e40dd6219bc14f41fcf7fd55ac2c1b85fd0e9ac0 Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Wed, 18 Jan 2017 20:10:43 -0600
Subject: [PATCH] Bugfix

- Libreswan 3.19 removed MODP1024 from the ike= default list,
  which breaks compatibility with Android 5.x and others
- This commit explicitly adds MODP1024 back to the ike= list
- Fixes #101. Thanks @keijodputt!
---
 docs/ikev2-howto-zh.md      | 4 ++--
 docs/ikev2-howto.md         | 4 ++--
 extras/vpnupgrade.sh        | 8 +++++++-
 extras/vpnupgrade_centos.sh | 8 +++++++-
 vpnsetup.sh                 | 2 +-
 vpnsetup_centos.sh          | 2 +-
 6 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 86dbf4f..2848062 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -58,8 +58,8 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
      ikev2=insist
      rekey=no
      fragmentation=yes
-     ike=3des-sha1,aes-sha1,aes256-sha2_256;modp1024,aes256-sha2_256;modp2048
-     phase2alg=3des-sha1,aes-sha1,aes256-sha2_256
+     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
+     phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
    EOF
    ```
 
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 9031087..0b99e68 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -58,8 +58,8 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
      ikev2=insist
      rekey=no
      fragmentation=yes
-     ike=3des-sha1,aes-sha1,aes256-sha2_256;modp1024,aes256-sha2_256;modp2048
-     phase2alg=3des-sha1,aes-sha1,aes256-sha2_256
+     ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
+     phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
    EOF
    ```
 
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 74e5eb0..57f9880 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -87,6 +87,9 @@ Replace this line:
 with the following:
   encapsulation=yes
 
+Re-add "MODP1024" to the list of allowed "ike=" ciphers.
+(Removed from the default list in Libreswan 3.19)
+
 Your other VPN configuration files will not be modified.
 
 EOF
@@ -154,7 +157,10 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs -F "$swan_ver"; then
 fi
 
 # Update ipsec.conf options
-sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
+sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
+    /etc/ipsec.conf
 
 # Restart IPsec service
 service ipsec restart
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 2816a44..c2c1378 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -83,6 +83,9 @@ Replace this line:
 with the following:
   encapsulation=yes
 
+Re-add "MODP1024" to the list of allowed "ike=" ciphers.
+(Removed from the default list in Libreswan 3.19)
+
 Your other VPN configuration files will not be modified.
 
 EOF
@@ -151,7 +154,10 @@ restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
 # Update ipsec.conf options
-sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
+sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
+    -e "s/ike=3des-sha1,aes-sha1,aes256-sha2_256/ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024/" \
+    /etc/ipsec.conf
 
 # Restart IPsec service
 service ipsec restart
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 3522e86..2933482 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -219,7 +219,7 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
   phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
   sha2-truncbug=yes
 
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 943777c..8656c57 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -206,7 +206,7 @@ conn shared
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
-  ike=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
+  ike=3des-sha1,3des-sha1;modp1024,aes-sha1,aes-sha1;modp1024,aes256-sha2_512,aes256-sha2_512;modp1024,aes256-sha2_256,aes256-sha2_256;modp1024
   phase2alg=3des-sha1,aes-sha1,aes256-sha2_512,aes256-sha2_256
   sha2-truncbug=yes