New ciphers implementing #247

trailofbits · Apr 5, 2017 · c85a63a · c85a63a
1 parent 3df33c0
commit c85a63a
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 8 deletions.
diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
@@ -19,3 +19,14 @@ strongswan_enabled_plugins:
   - socket-default
   - stroke
   - x509
+
+ciphers:
+  old:
+    ike: aes128gcm16-sha2_256-prfsha256-ecp256!
+    esp: aes128gcm16-sha2_256-ecp256!
+  defaults:
+    ike: aes192gcm16-prfsha512-ecp521!
+    esp: aes192gcm16-ecp521!
+  windows:
+    ike: aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
+    esp: aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
@@ -7,11 +7,11 @@ conn ikev2-{{ IP_subject_alt_name }}
     dpddelay=35s
 
 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-    esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+    ike={{ ciphers.windows.ike }}
+    esp={{ ciphers.windows.esp }}
 {% else %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256
-    esp=aes128gcm16-sha2_256-ecp256
+    ike={{ ciphers.defaults.ike }}
+    esp={{ ciphers.defaults.esp }}
 {% endif %}
 
     right={{ IP_subject_alt_name }}

diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
@@ -11,11 +11,11 @@ conn %default
     dpddelay=35s
 
 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-    esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
+    ike={{ ciphers.windows.ike }}
+    esp={{ ciphers.windows.esp }}
 {% else %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
-    esp=aes128gcm16-sha2_256-ecp256!
+    ike={{ ciphers.defaults.ike }}
+    esp={{ ciphers.defaults.esp }}
 {% endif %}
 
     left=%any