233 lines
15 KiB
Diff
233 lines
15 KiB
Diff
diff -up crypto-policies/back-ends/libreswan.pl.libreswan-fix crypto-policies/back-ends/libreswan.pl
|
|
--- crypto-policies/back-ends/libreswan.pl.libreswan-fix 2018-12-17 17:01:44.000000000 +0100
|
|
+++ crypto-policies/back-ends/libreswan.pl 2019-02-18 10:34:57.525777928 +0100
|
|
@@ -26,7 +26,9 @@ sub append {
|
|
|
|
my %group_map = (
|
|
'X448' => '',
|
|
- 'X25519' => '', #dh31 - not in f28
|
|
+ 'X25519' => '',
|
|
+# Disabled for now as it cannot be prioritized over others
|
|
+# 'X25519' => 'dh31',
|
|
'SECP256R1' => 'dh19',
|
|
'SECP384R1' => 'dh20',
|
|
'SECP521R1' => 'dh21',
|
|
@@ -38,31 +40,42 @@ my %group_map = (
|
|
'FFDHE-8192' => 'dh18'
|
|
);
|
|
|
|
+my %cipher_map = (
|
|
+ 'AES-256-CBC' => 'aes256',
|
|
+ 'AES-128-CBC' => 'aes128',
|
|
+ 'AES-256-GCM' => 'aes_gcm256',
|
|
+ 'AES-128-GCM' => 'aes_gcm128',
|
|
+ 'CHACHA20-POLY1305' => 'chacha20_poly1305',
|
|
+# Unused for IKEv2
|
|
+# '3DES-CBC' => '3des',
|
|
+);
|
|
+
|
|
my %cipher_prf_map = (
|
|
- 'AES-256-CBC-HMAC-SHA2-512' => 'aes256-sha2_512',
|
|
- 'AES-256-CBC-HMAC-SHA2-256' => 'aes256-sha2_256',
|
|
- 'AES-128-CBC-HMAC-SHA2-256' => 'aes128-sha2_256',
|
|
- 'AES-256-CBC-HMAC-SHA1' => 'aes256-sha1',
|
|
- 'AES-128-CBC-HMAC-SHA1' => 'aes128-sha1',
|
|
- 'AES-256-GCM-HMAC-SHA2-512' => 'aes_gcm256-sha2_512',
|
|
- 'AES-256-GCM-HMAC-SHA2-256' => 'aes_gcm256-sha2_256',
|
|
- 'AES-128-GCM-HMAC-SHA2-512' => 'aes_gcm128-sha2_512',
|
|
- 'AES-128-GCM-HMAC-SHA2-256' => 'aes_gcm128-sha2_256',
|
|
- 'CHACHA20-POLY1305-HMAC-SHA2-512' => 'chacha20_poly1305-sha2_512',
|
|
- 'CHACHA20-POLY1305-HMAC-SHA2-256' => 'chacha20_poly1305-sha2_256',
|
|
- '3DES-CBC-HMAC-SHA1' => '3des-sha1',
|
|
+ 'AES-256-CBC-HMAC-SHA2-512' => 'sha2_512',
|
|
+ 'AES-256-CBC-HMAC-SHA2-256' => 'sha2_256',
|
|
+ 'AES-128-CBC-HMAC-SHA2-256' => 'sha2_256',
|
|
+# Not needed for IKEv2
|
|
+# 'AES-256-CBC-HMAC-SHA1' => 'sha1',
|
|
+# 'AES-128-CBC-HMAC-SHA1' => 'sha1',
|
|
+ 'AES-256-GCM-HMAC-SHA2-512' => 'sha2_512',
|
|
+ 'AES-256-GCM-HMAC-SHA2-256' => 'sha2_256',
|
|
+ 'AES-128-GCM-HMAC-SHA2-512' => 'sha2_512',
|
|
+ 'AES-128-GCM-HMAC-SHA2-256' => 'sha2_256',
|
|
+ 'CHACHA20-POLY1305-HMAC-SHA2-512' => 'sha2_512',
|
|
+ 'CHACHA20-POLY1305-HMAC-SHA2-256' => 'sha2_256',
|
|
+# '3DES-CBC-HMAC-SHA1' => 'sha1',
|
|
);
|
|
|
|
my %cipher_mac_map = (
|
|
- 'AES-256-CBC-HMAC-SHA2-512' => 'aes256-sha2_512',
|
|
- 'AES-256-CBC-HMAC-SHA2-256' => 'aes256-sha2_256',
|
|
- 'AES-128-CBC-HMAC-SHA2-256' => 'aes128-sha2_256',
|
|
- 'AES-256-CBC-HMAC-SHA1' => 'aes256-sha1',
|
|
- 'AES-128-CBC-HMAC-SHA1' => 'aes128-sha1',
|
|
- 'AES-256-GCM-AEAD' => 'aes_gcm256',
|
|
- 'AES-128-GCM-AEAD' => 'aes_gcm128',
|
|
- 'CHACHA20-POLY1305-AEAD' => 'chacha20_poly1305',
|
|
- '3DES-CBC-HMAC-SHA1' => '3des-sha1',
|
|
+ 'AES-256-CBC-HMAC-SHA2-512' => 'sha2_512',
|
|
+ 'AES-256-CBC-HMAC-SHA2-256' => 'sha2_256',
|
|
+ 'AES-128-CBC-HMAC-SHA2-256' => 'sha2_256',
|
|
+ 'AES-256-CBC-HMAC-SHA1' => 'sha1',
|
|
+ 'AES-128-CBC-HMAC-SHA1' => 'sha1',
|
|
+ 'AES-256-GCM-AEAD' => '',
|
|
+ 'AES-128-GCM-AEAD' => '',
|
|
+ 'CHACHA20-POLY1305-AEAD' => '',
|
|
+# '3DES-CBC-HMAC-SHA1' => '3des-sha1',
|
|
);
|
|
|
|
my %protocol_map = (
|
|
@@ -147,35 +160,52 @@ sub generate_temp_policy() {
|
|
$tmp = '';
|
|
|
|
my $cipher;
|
|
+ my $cm;
|
|
my $group;
|
|
my $mac;
|
|
+ my $mm;
|
|
my $combo;
|
|
|
|
%mac_prio_map = %mac_ike_prio_map;
|
|
my @sorted_mac_list = sort compare @mac_list;
|
|
|
|
- foreach (@group_list) {
|
|
- $group = $group_map{$_};
|
|
- if (!defined($group) || $group eq '') {
|
|
+
|
|
+ foreach (@cipher_list) {
|
|
+ $cipher = $_;
|
|
+ $cm = $cipher_map{$cipher};
|
|
+ if (!defined($cm)) {
|
|
+# print STDERR "libreswan: unknown cipher: $cipher\n";
|
|
next;
|
|
}
|
|
+ $combo = $cm."-";
|
|
+ foreach (@sorted_mac_list) {
|
|
+ $mac = $_;
|
|
|
|
- foreach (@cipher_list) {
|
|
- $cipher = $_;
|
|
- foreach (@sorted_mac_list) {
|
|
- $mac = $_;
|
|
-
|
|
- my $cm=$cipher."-".$mac;
|
|
- $combo = $cipher_prf_map{$cm};
|
|
-
|
|
- if (!defined($combo)) {
|
|
-# print STDERR "libreswan: unknown combo: $cipher-$mac\n";
|
|
- next;
|
|
- }
|
|
+ $mm = $cipher_prf_map{$cipher."-".$mac};
|
|
|
|
- append("${combo};${group}", \$tmp);
|
|
+ if (!defined($mm)) {
|
|
+# print STDERR "libreswan: unknown combo: $cipher-$mac\n";
|
|
+ next;
|
|
}
|
|
+
|
|
+ $combo = $combo.$mm."+";
|
|
}
|
|
+
|
|
+ my $lastc = substr($combo, -1);
|
|
+ if ($lastc eq "-") {
|
|
+ next;
|
|
+ }
|
|
+ # Replace the last + with -
|
|
+ substr($combo, -1) = "-";
|
|
+ foreach (@group_list) {
|
|
+ $group = $group_map{$_};
|
|
+ if (!defined($group) || $group eq '') {
|
|
+ next;
|
|
+ }
|
|
+ $combo = $combo.$group."+";
|
|
+ }
|
|
+ substr($combo, -1) = '';
|
|
+ append("${combo}", \$tmp);
|
|
}
|
|
|
|
if ($tmp ne '') {
|
|
@@ -189,20 +219,35 @@ sub generate_temp_policy() {
|
|
$tmp = '';
|
|
foreach (@cipher_list) {
|
|
$cipher = $_;
|
|
+ $cm = $cipher_map{$cipher};
|
|
+ if (!defined($cm)) {
|
|
+# print STDERR "libreswan: unknown cipher: $cipher\n";
|
|
+ next;
|
|
+ }
|
|
+ $combo = $cm."-";
|
|
foreach (@sorted_mac_list) {
|
|
$mac = $_;
|
|
|
|
- my $cm=$cipher."-".$mac;
|
|
- $combo = $cipher_mac_map{$cm};
|
|
+ $mm = $cipher_mac_map{$cipher."-".$mac};
|
|
|
|
- if (!defined($combo)) {
|
|
+ if (!defined($mm)) {
|
|
next;
|
|
}
|
|
|
|
- if ($tmp !~ $combo) {
|
|
- append("${combo}", \$tmp);
|
|
+ if ($mm eq '') {
|
|
+ # Special handling for AEAD
|
|
+ substr($combo, -1) = '+';
|
|
+ } else {
|
|
+ $combo = $combo.$mm."+";
|
|
}
|
|
}
|
|
+
|
|
+ my $lastc = substr($combo, -1);
|
|
+ if ($lastc eq "-") {
|
|
+ next;
|
|
+ }
|
|
+ substr($combo, -1) = '';
|
|
+ append("${combo}", \$tmp);
|
|
}
|
|
|
|
if ($tmp ne '') {
|
|
diff -up crypto-policies/tests/outputs/DEFAULT-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/DEFAULT-libreswan.txt
|
|
--- crypto-policies/tests/outputs/DEFAULT-libreswan.txt.libreswan-fix 2018-12-17 17:01:44.000000000 +0100
|
|
+++ crypto-policies/tests/outputs/DEFAULT-libreswan.txt 2019-02-18 10:34:57.526777910 +0100
|
|
@@ -1,5 +1,5 @@
|
|
conn %default
|
|
ikev2=insist
|
|
pfs=yes
|
|
- ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,chacha20_poly1305-sha2_512;dh14,chacha20_poly1305-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18
|
|
- esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256
|
|
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
|
|
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
|
|
diff -up crypto-policies/tests/outputs/FIPS-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/FIPS-libreswan.txt
|
|
--- crypto-policies/tests/outputs/FIPS-libreswan.txt.libreswan-fix 2018-12-17 17:01:44.000000000 +0100
|
|
+++ crypto-policies/tests/outputs/FIPS-libreswan.txt 2019-02-18 10:34:57.526777910 +0100
|
|
@@ -1,5 +1,5 @@
|
|
conn %default
|
|
ikev2=insist
|
|
pfs=yes
|
|
- ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18
|
|
- esp=aes_gcm256,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256
|
|
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
|
|
+ esp=aes_gcm256,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
|
|
diff -up crypto-policies/tests/outputs/FUTURE-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/FUTURE-libreswan.txt
|
|
--- crypto-policies/tests/outputs/FUTURE-libreswan.txt.libreswan-fix 2018-12-17 17:01:44.000000000 +0100
|
|
+++ crypto-policies/tests/outputs/FUTURE-libreswan.txt 2019-02-18 10:34:57.527777893 +0100
|
|
@@ -1,5 +1,5 @@
|
|
conn %default
|
|
ikev2=insist
|
|
pfs=yes
|
|
- ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18
|
|
- esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha2_256
|
|
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh15+dh16+dh18
|
|
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha2_256
|
|
diff -up crypto-policies/tests/outputs/LEGACY-libreswan.txt.libreswan-fix crypto-policies/tests/outputs/LEGACY-libreswan.txt
|
|
--- crypto-policies/tests/outputs/LEGACY-libreswan.txt.libreswan-fix 2018-12-17 17:01:44.000000000 +0100
|
|
+++ crypto-policies/tests/outputs/LEGACY-libreswan.txt 2019-02-18 10:34:57.527777893 +0100
|
|
@@ -1,5 +1,5 @@
|
|
conn %default
|
|
ikev2=insist
|
|
pfs=yes
|
|
- ike=aes_gcm256-sha2_512;dh19,aes_gcm256-sha2_256;dh19,chacha20_poly1305-sha2_512;dh19,chacha20_poly1305-sha2_256;dh19,aes256-sha2_512;dh19,aes256-sha2_256;dh19,aes256-sha1;dh19,aes_gcm128-sha2_512;dh19,aes_gcm128-sha2_256;dh19,aes128-sha2_256;dh19,aes128-sha1;dh19,3des-sha1;dh19,aes_gcm256-sha2_512;dh20,aes_gcm256-sha2_256;dh20,chacha20_poly1305-sha2_512;dh20,chacha20_poly1305-sha2_256;dh20,aes256-sha2_512;dh20,aes256-sha2_256;dh20,aes256-sha1;dh20,aes_gcm128-sha2_512;dh20,aes_gcm128-sha2_256;dh20,aes128-sha2_256;dh20,aes128-sha1;dh20,3des-sha1;dh20,aes_gcm256-sha2_512;dh21,aes_gcm256-sha2_256;dh21,chacha20_poly1305-sha2_512;dh21,chacha20_poly1305-sha2_256;dh21,aes256-sha2_512;dh21,aes256-sha2_256;dh21,aes256-sha1;dh21,aes_gcm128-sha2_512;dh21,aes_gcm128-sha2_256;dh21,aes128-sha2_256;dh21,aes128-sha1;dh21,3des-sha1;dh21,aes_gcm256-sha2_512;dh5,aes_gcm256-sha2_256;dh5,chacha20_poly1305-sha2_512;dh5,chacha20_poly1305-sha2_256;dh5,aes256-sha2_512;dh5,aes256-sha2_256;dh5,aes256-sha1;dh5,aes_gcm128-sha2_512;dh5,aes_gcm128-sha2_256;dh5,aes128-sha2_256;dh5,aes128-sha1;dh5,3des-sha1;dh5,aes_gcm256-sha2_512;dh14,aes_gcm256-sha2_256;dh14,chacha20_poly1305-sha2_512;dh14,chacha20_poly1305-sha2_256;dh14,aes256-sha2_512;dh14,aes256-sha2_256;dh14,aes256-sha1;dh14,aes_gcm128-sha2_512;dh14,aes_gcm128-sha2_256;dh14,aes128-sha2_256;dh14,aes128-sha1;dh14,3des-sha1;dh14,aes_gcm256-sha2_512;dh15,aes_gcm256-sha2_256;dh15,chacha20_poly1305-sha2_512;dh15,chacha20_poly1305-sha2_256;dh15,aes256-sha2_512;dh15,aes256-sha2_256;dh15,aes256-sha1;dh15,aes_gcm128-sha2_512;dh15,aes_gcm128-sha2_256;dh15,aes128-sha2_256;dh15,aes128-sha1;dh15,3des-sha1;dh15,aes_gcm256-sha2_512;dh16,aes_gcm256-sha2_256;dh16,chacha20_poly1305-sha2_512;dh16,chacha20_poly1305-sha2_256;dh16,aes256-sha2_512;dh16,aes256-sha2_256;dh16,aes256-sha1;dh16,aes_gcm128-sha2_512;dh16,aes_gcm128-sha2_256;dh16,aes128-sha2_256;dh16,aes128-sha1;dh16,3des-sha1;dh16,aes_gcm256-sha2_512;dh18,aes_gcm256-sha2_256;dh18,chacha20_poly1305-sha2_512;dh18,chacha20_poly1305-sha2_256;dh18,aes256-sha2_512;dh18,aes256-sha2_256;dh18,aes256-sha1;dh18,aes_gcm128-sha2_512;dh18,aes_gcm128-sha2_256;dh18,aes128-sha2_256;dh18,aes128-sha1;dh18,3des-sha1;dh18
|
|
- esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512,aes256-sha1,aes256-sha2_256,aes_gcm128,aes128-sha1,aes128-sha2_256,3des-sha1
|
|
+ ike=aes_gcm256-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,chacha20_poly1305-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes_gcm128-sha2_512+sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18,aes128-sha2_256-dh19+dh20+dh21+dh5+dh14+dh15+dh16+dh18
|
|
+ esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
|