author | jim-p <jimp@pfsense.org> | 2012-08-02 12:29:16 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2012-08-02 12:38:29 -0400 |
commit | 665340db1142980ca40d49b9dddf1b07e07da3b8 (patch) | |
tree | 506f7bbbb6100e692a1ced4481f4be4c1a9346c6 | |
parent | 919d450395b1cc5f7267c40f7ccc4c64fc27a749 (diff) | |
Activate more Hash, DH, and PFS options that are available in racoon now. Note that SHA256–SHA512 are RFC 4868 compliant in FreeBSD and may break with other, incompatible stacks.
-rw-r--r-- | etc/inc/ipsec.inc | 37 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase1.php | 6 | ||||
-rw-r--r-- | usr/local/www/vpn_ipsec_phase2.php | 6 |
3 files changed, 33 insertions, 16 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index a2bf219..cf2caa2 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -67,12 +67,31 @@ $p2_ealgos = array(
 	'des' => array( 'name' => 'DES' ));
 
 $p1_halgos = array(
+	'md5' => 'MD5',
 	'sha1' => 'SHA1',
-	'md5' => 'MD5');
+	'sha256' => 'SHA256',
+	'sha384' => 'SHA384',
+	'sha512' => 'SHA512'
+);
+
+$p1_dhgroups = array(
+	1 => '1 (768 bit)',
+	2 => '2 (1024 bit)',
+	5 => '5 (1536 bit)',
+	14 => '14 (2048 bit)',
+	15 => '15 (3072 bit)',
+	16 => '16 (4096 bit)',
+	17 => '17 (6144 bit)',
+	18 => '18 (8192 bit)'
+);
 
 $p2_halgos = array(
+	'hmac_md5' => 'MD5',
 	'hmac_sha1' => 'SHA1',
-	'hmac_md5' => 'MD5');
+	'hmac_sha256' => 'SHA256',
+	'hmac_sha384' => 'SHA384',
+	'hmac_sha512' => 'SHA512'
+);
 
 $p1_authentication_methods = array(
 	'hybrid_rsa_server' => array( 'name' => 'Hybrid RSA + Xauth', 'mobile' => true ),
@@ -91,10 +110,16 @@ $p2_protos = array(
 	'ah' => 'AH');
 
 $p2_pfskeygroups = array(
-	'0' => 'off',
-	'1' => '1',
-	'2' => '2',
-	'5' => '5');
+	0 => 'off',
+	1 => '1 (768 bit)',
+	2 => '2 (1024 bit)',
+	5 => '5 (1536 bit)',
+	14 => '14 (2048 bit)',
+	15 => '15 (3072 bit)',
+	16 => '16 (4096 bit)',
+	17 => '17 (6144 bit)',
+	18 => '18 (8192 bit)'
+);
 
 /*
  * ikeid management functions
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index ae62a47..9411b7d 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
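Review bot: The interoperability caveat stated in the commit message is not recorded next to the new `sha256`/`sha384`/`sha512` entries of `$p1_halgos` or the `hmac_sha256`..`hmac_sha512` entries of `$p2_halgos`, so a maintainer reading ipsec.inc on its own cannot tell why a peer may refuse these algorithms. Add a comment above each of the two arrays such as `/* SHA256-512 follow RFC 4868 in FreeBSD; peers with a non-compliant stack may fail to negotiate them. */`. The new `$p1_dhgroups` table also lists group 1 (768 bit) first and `$p1_halgos` now lists `md5` first; a one-line comment that these are kept for compatibility with legacy peers and are the weakest entries in each table would help an operator who reads this file when hardening a tunnel.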
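Review bot: The `1`..`18` entries of `$p2_pfskeygroups` duplicate the label strings of `$p1_dhgroups` added in the first hunk of this file, so the two tables can drift apart whenever a group is added or relabelled. Since `$p1_dhgroups` is defined above this point, the table can be derived instead: `$p2_pfskeygroups = array(0 => 'off') + $p1_dhgroups;`, which yields the same keys, values and order. Changing the keys from `'0'`..`'5'` to `0`..`5` is cosmetic, because PHP already stores numeric-string array keys as integers; it only matters to a caller that compares the keys with `===`, and such a caller would have been broken before this change as well.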
@@ -753,16 +753,14 @@ function dpdchkbox_change() {
 	<td width="22%" valign="top" class="vncellreq"><?=gettext("DH key group"); ?></td>
 	<td width="78%" class="vtable">
 		<select name="dhgroup" class="formselect">
-		<?php $keygroups = explode(" ", "1 2 5"); foreach ($keygroups as $keygroup): ?>
+		<?php foreach ($p1_dhgroups as $keygroup => $keygroupname): ?>
 			<option value="<?=$keygroup;?>" <?php if ($keygroup == $pconfig['dhgroup']) echo "selected"; ?>>
-				<?=htmlspecialchars($keygroup);?>
+				<?=htmlspecialchars($keygroupname);?>
 			</option>
 		<?php endforeach; ?>
 		</select>
 		<br>
 		<span class="vexpl">
-			<em><?=gettext("1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit"); ?></em>
-			<br>
 			<?=gettext("Must match the setting chosen on the remote side"); ?>.
 		</span>
 	</td>
diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php
index 2bfd905..74d1359 100644
--- a/usr/local/www/vpn_ipsec_phase2.php
+++ b/usr/local/www/vpn_ipsec_phase2.php
@@ -624,12 +624,6 @@ function change_protocol() {
 		<?php endforeach; ?>
 		</select>
 		<br>
-		<span class="vexpl">
-			<em>
-				<?=gettext("1 = 768 bit, 2 = 1024 bit, 5 = 1536 bit"); ?>
-			</em>
-		</span>
-
 		<?php else: ?>
 		<select class="formselect" disabled> |
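Review bot: When `$pconfig['dhgroup']` holds no value that matches a key, no `<option>` receives `selected` and the browser falls back to the first entry of `$p1_dhgroups`, which is group 1 (768 bit), the weakest choice in the list; the old hard-coded `"1 2 5"` had the same fallback, but the longer list makes the implicit default easier to overlook. Set the default explicitly where `$pconfig` is populated (outside this hunk) rather than relying on option order. Note also that `$keygroup` is now an integer key while `$pconfig['dhgroup']` is presumably a string read from the config, so the loose `==` on the `<option>` line is what keeps the match working; do not tighten it to `===` without casting both sides. The surrounding form markup continues outside the hunk.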