ipsec: removing old proposal now that we are 100% upgraded, also tweaking some settings making use of ikev2

2018-11-30 18:27:18 +01:00 · 2018-11-30 18:27:18 +01:00 · 91e34ea5e1
parent 83e0ccc728
commit 91e34ea5e1
4 changed files with 12 additions and 6 deletions
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@ -394,6 +394,7 @@ case "$1" in
        systemctl enable systemd-timesyncd
        systemctl restart systemd-timesyncd
        systemctl restart ssh
+        systemctl reload strongswan
        
        update-grub
        
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@ -10,9 +10,13 @@ conn %default
    dpddelay=2
    dpdaction=hold
    #closeaction=none
+    #rekeyfuzz = 100%
+    ikelifetime = 4h
+    margintime = 12m
+    reauth = no
    type=transport
-    ike=aes256-sha512-modp4096,aes128-sha1-modp2048!
-    esp=aes256-sha512-modp4096,aes128-sha1-modp2048!
+    ike=aes256-sha512-modp4096!
+    esp=aes256-sha512-modp4096!
    leftcert=FQHOSTNAME.crt
    leftid="C=US, O=Wit, CN=FQHOSTNAME"
    rightid="C=US, O=Wit, CN=*"
--- a/files/wit-logging.conf
+++ b/files/wit-logging.conf
@ -2,6 +2,7 @@ charon {
    install_routes = no
    install_virtual_ip = no
    interfaces_use = lo
+    make_before_break = yes
    syslog {
        auth {
            ike_name = yes
--- a/files/wit-swanctl.conf
+++ b/files/wit-swanctl.conf
@ -3,7 +3,7 @@ connections {
        version = 1
        local_addrs = LOOPBACKv4
        remote_addrs = %any4
-        proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+        proposals = aes256-sha512-modp4096

        local {
            auth = pubkey
@ -22,7 +22,7 @@ connections {
                local_ts = LOOPBACKv4
                mode = transport
                start_action = trap
-                esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+                esp_proposals = aes256-sha512-modp4096
            }
        }
    }
@ -31,7 +31,7 @@ connections {
        version = 1
        local_addrs = LOOPBACKv6
        remote_addrs = %any6
-        proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+        proposals = aes256-sha512-modp4096

        local {
            auth = pubkey
@ -50,7 +50,7 @@ connections {
                local_ts = LOOPBACKv6
                mode = transport
                start_action = trap
-                esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
+                esp_proposals = aes256-sha512-modp4096
            }
        }
    }