ipsec: removing old proposal now that we are 100% upgraded, also tweaking some settings making use of ikev2
This commit is contained in:
parent
83e0ccc728
commit
91e34ea5e1
|
@ -394,6 +394,7 @@ case "$1" in
|
||||||
systemctl enable systemd-timesyncd
|
systemctl enable systemd-timesyncd
|
||||||
systemctl restart systemd-timesyncd
|
systemctl restart systemd-timesyncd
|
||||||
systemctl restart ssh
|
systemctl restart ssh
|
||||||
|
systemctl reload strongswan
|
||||||
|
|
||||||
update-grub
|
update-grub
|
||||||
|
|
||||||
|
|
|
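Review bot: The new `systemctl reload strongswan` line applies only what the unit's ExecReload runs, and the two backends this repo ships config for differ: the strongswan-starter unit re-reads ipsec.conf via `ipsec reload`, whereas the charon-systemd unit runs `swanctl --reload-settings`/`--load-all`, so only one of ipsec.conf and swanctl.conf is picked up here, and the charon-level `make_before_break` change in strongswan.conf from this same commit is, I believe, not guaranteed to take effect without a restart. Worth recording the assumption inline, e.g. `systemctl reload strongswan   # starter unit: re-reads ipsec.conf; strongswan.conf changes need a restart`. The `case "$1" in` block starts and ends outside the hunk, and like the surrounding systemctl lines the new one ignores its exit status.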
@ -10,9 +10,13 @@ conn %default
|
||||||
dpddelay=2
|
dpddelay=2
|
||||||
dpdaction=hold
|
dpdaction=hold
|
||||||
#closeaction=none
|
#closeaction=none
|
||||||
|
#rekeyfuzz = 100%
|
||||||
|
ikelifetime = 4h
|
||||||
|
margintime = 12m
|
||||||
|
reauth = no
|
||||||
type=transport
|
type=transport
|
||||||
ike=aes256-sha512-modp4096,aes128-sha1-modp2048!
|
ike=aes256-sha512-modp4096!
|
||||||
esp=aes256-sha512-modp4096,aes128-sha1-modp2048!
|
esp=aes256-sha512-modp4096!
|
||||||
leftcert=FQHOSTNAME.crt
|
leftcert=FQHOSTNAME.crt
|
||||||
leftid="C=US, O=Wit, CN=FQHOSTNAME"
|
leftid="C=US, O=Wit, CN=FQHOSTNAME"
|
||||||
rightid="C=US, O=Wit, CN=*"
|
rightid="C=US, O=Wit, CN=*"
|
||||||
|
|
|
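Review bot: `reauth = no` only changes IKEv2 behaviour (IKEv1 always reauthenticates), and `keyexchange` is not visible in this hunk, so whether the new line does anything depends on what `conn %default` sets above the hunk; the strongSwan default `keyexchange=ike` negotiates IKEv2, so it is probably fine, but a comment such as `reauth = no   # IKEv2 only; rekey without reauthentication` would make the dependency explicit. Dropping `aes128-sha1-modp2048` from the strict (`!`) `ike=`/`esp=` proposals means a peer not yet upgraded fails negotiation rather than downgrading, which is the intended cut-over but deserves a line next to the proposals, e.g. `# strict proposal: all peers upgraded, no SHA1/modp2048 fallback`. `#rekeyfuzz = 100%` is the documented default, so the commented line is a no-op and could say so. `conn %default` begins outside the hunk.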
@ -2,6 +2,7 @@ charon {
|
||||||
install_routes = no
|
install_routes = no
|
||||||
install_virtual_ip = no
|
install_virtual_ip = no
|
||||||
interfaces_use = lo
|
interfaces_use = lo
|
||||||
|
make_before_break = yes
|
||||||
syslog {
|
syslog {
|
||||||
auth {
|
auth {
|
||||||
ike_name = yes
|
ike_name = yes
|
||||||
|
|
|
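Review bot: `make_before_break = yes` only affects IKEv2 reauthentication, and the same commit sets `reauth = no` in ipsec.conf while swanctl.conf keeps `version = 1`, so for the connections as configured it appears to matter only when a peer initiates reauthentication; a comment stating why it is set, e.g. `# IKEv2 reauth only; overlapping IKE_SAs, peers must tolerate duplicates`, would keep the next reader from assuming it governs rekeying. charon{} settings in strongswan.conf are read at daemon start, so the reload added to the install script may not apply it — confirm against the unit's ExecReload. The `charon {` block starts and ends outside the hunk.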
@ -3,7 +3,7 @@ connections {
|
||||||
version = 1
|
version = 1
|
||||||
local_addrs = LOOPBACKv4
|
local_addrs = LOOPBACKv4
|
||||||
remote_addrs = %any4
|
remote_addrs = %any4
|
||||||
proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
|
proposals = aes256-sha512-modp4096
|
||||||
|
|
||||||
local {
|
local {
|
||||||
auth = pubkey
|
auth = pubkey
|
||||||
|
@ -22,7 +22,7 @@ connections {
|
||||||
local_ts = LOOPBACKv4
|
local_ts = LOOPBACKv4
|
||||||
mode = transport
|
mode = transport
|
||||||
start_action = trap
|
start_action = trap
|
||||||
esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
|
esp_proposals = aes256-sha512-modp4096
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -31,7 +31,7 @@ connections {
|
||||||
version = 1
|
version = 1
|
||||||
local_addrs = LOOPBACKv6
|
local_addrs = LOOPBACKv6
|
||||||
remote_addrs = %any6
|
remote_addrs = %any6
|
||||||
proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
|
proposals = aes256-sha512-modp4096
|
||||||
|
|
||||||
local {
|
local {
|
||||||
auth = pubkey
|
auth = pubkey
|
||||||
|
@ -50,7 +50,7 @@ connections {
|
||||||
local_ts = LOOPBACKv6
|
local_ts = LOOPBACKv6
|
||||||
mode = transport
|
mode = transport
|
||||||
start_action = trap
|
start_action = trap
|
||||||
esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
|
esp_proposals = aes256-sha512-modp4096
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
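Review bot: Both connections keep `version = 1` (IKEv1) in the context of the first hunk (`@ -3,7 +3,7`) and the third (`@ -31,7 +31,7`), while the commit message says the configuration now makes use of IKEv2, and nothing equivalent to the `ikelifetime`/`margintime`/`reauth` settings added to ipsec.conf (`rekey_time`, `over_time`, `reauth_time`) is added here, so the two config formats now describe different behaviour. If swanctl.conf is meant to match ipsec.conf, `version = 2` plus the lifetime settings in each connection would align them; if it is legacy, a file-level comment naming which file is authoritative would stop the drift. The proposal change is the same in all four hunks of this section and is noted once here; the `connections {` block and both connection bodies extend beyond each hunk.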