From 91e34ea5e1efdffa5e2c3158817cdb11162feb2d Mon Sep 17 00:00:00 2001
From: toby
Date: Fri, 30 Nov 2018 18:27:18 +0100
Subject: [PATCH] ipsec: removing old proposal now that we are 100% upgraded, also tweaking some settings making use of ikev2
---
 debian/wit-network-config.postinst | 1 +
 files/ipsec.conf.wit | 8 ++++++--
 files/wit-logging.conf | 1 +
 files/wit-swanctl.conf | 8 ++++----
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst
index e4998af..87b9367 100755
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@@ -394,6 +394,7 @@ case "$1" in
 systemctl enable systemd-timesyncd
 systemctl restart systemd-timesyncd
 systemctl restart ssh
+ systemctl reload strongswan
 update-grub
diff --git a/files/ipsec.conf.wit b/files/ipsec.conf.wit
index 7d5223a..283d06a 100644
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@@ -10,9 +10,13 @@ conn %default
 dpddelay=2
 dpdaction=hold
 #closeaction=none
+ #rekeyfuzz = 100%
+ ikelifetime = 4h
+ margintime = 12m
+ reauth = no
 type=transport
- ike=aes256-sha512-modp4096,aes128-sha1-modp2048!
- esp=aes256-sha512-modp4096,aes128-sha1-modp2048!
+ ike=aes256-sha512-modp4096!
+ esp=aes256-sha512-modp4096!
 leftcert=FQHOSTNAME.crt
 leftid="C=US, O=Wit, CN=FQHOSTNAME"
 rightid="C=US, O=Wit, CN=*"
diff --git a/files/wit-logging.conf b/files/wit-logging.conf
index 0cea9b4..0b06a21 100644
--- a/files/wit-logging.conf
+++ b/files/wit-logging.conf
@@ -2,6 +2,7 @@ charon {
 install_routes = no
 install_virtual_ip = no
 interfaces_use = lo
+ make_before_break = yes
 syslog {
 auth {
 ike_name = yes
diff --git a/files/wit-swanctl.conf b/files/wit-swanctl.conf
index 51903e7..635c713 100644
--- a/files/wit-swanctl.conf
+++ b/files/wit-swanctl.conf
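Review bot: The added `systemctl reload strongswan` runs unconditionally in this case branch and exits non-zero when the unit is inactive or not installed, which would abort the postinst if the script runs under `set -e` (not visible in this hunk); `systemctl try-reload-or-restart strongswan` is a no-op for an inactive unit and avoids that. Separately, this commit also changes a charon setting in files/wit-logging.conf (`make_before_break`), and whether the unit's reload action re-reads charon settings rather than only ipsec.conf connection definitions depends on the unit's ExecReload, so that is worth confirming or using a restart when charon settings change. The enclosing `case "$1" in` block starts and ends outside the hunk.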
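Review bot: `reauth = no` means IKE_SA rekeys (here roughly every 4h less the 12m margin) no longer re-verify the peer's certificate, so revocation or expiry of a peer cert is only enforced at the initial authentication until the SA is torn down; that trade-off deserves a comment next to the line, e.g. `# reauth=no: rekey without re-authenticating; peer cert revocation/expiry is not re-checked until the IKE_SA is re-established`. Minor style points: the four new lines use `key = value` spacing while the rest of the section uses `key=value`, and `#rekeyfuzz = 100%` is already the strongSwan default, so the commented line adds nothing unless annotated as "(default)". The `conn %default` section starts above the hunk.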
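Review bot: `make_before_break = yes` only affects IKEv2 reauthentication, yet the same commit sets `reauth = no` in files/ipsec.conf.wit and leaves `version = 1` (IKEv1) on the swanctl connections, so it is unclear which connections this setting is meant to act on. If it is intended as a default for future IKEv2 peers, a comment would help, e.g. `# make_before_break: IKEv2-only; overlaps old/new IKE_SA during reauth, requires peers that tolerate overlapping SAs`. It also sits in a file named for logging but outside the `syslog` block, so a one-line note on why it lives here would spare the next reader. The `charon {` section starts and ends outside the hunk.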
@@ -3,7 +3,7 @@ connections {
 version = 1
 local_addrs = LOOPBACKv4
 remote_addrs = %any4
- proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+ proposals = aes256-sha512-modp4096
 local {
 auth = pubkey
@@ -22,7 +22,7 @@ connections {
 local_ts = LOOPBACKv4
 mode = transport
 start_action = trap
- esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+ esp_proposals = aes256-sha512-modp4096
 }
 }
 }
@@ -31,7 +31,7 @@ connections {
 version = 1
 local_addrs = LOOPBACKv6
 remote_addrs = %any6
- proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+ proposals = aes256-sha512-modp4096
 local {
 auth = pubkey
@@ -50,7 +50,7 @@ connections {
 local_ts = LOOPBACKv6
 mode = transport
 start_action = trap
- esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+ esp_proposals = aes256-sha512-modp4096
 }
 }
 }
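Review bot: The context line `version = 1` in the first and third hunks pins these connections to IKEv1, while the commit message says the settings are "making use of ikev2" and the settings added elsewhere in this commit (`make_before_break`, `reauth = no`) are IKEv2-only, so they have no effect on the swanctl connections as configured. If the intent is IKEv2, change the two lines to `version = 2` (or `version = 0` to accept either as responder and initiate with IKEv2); if IKEv1 is deliberate, a comment above the line saying why would avoid the confusion. The proposal narrowing itself is the same one-line change in all four hunks (-3, -22, -31, -50) and is consistent with the ipsec.conf.wit change. Each connection block starts and ends outside its hunk.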