Merge pull request #1382 from amnezia-vpn/bugfix/ipsec-pfs

Enable PFS for Windows IKEv2
2025-02-06 16:16:38 +01:00 · 2025-02-06 16:16:38 +01:00 · 703b9137e0
commit 703b9137e0
parent f163f0fc1d b173dcaa17
2 changed files with 6 additions and 6 deletions
--- a/client/protocols/ikev2_vpn_protocol_windows.cpp
+++ b/client/protocols/ikev2_vpn_protocol_windows.cpp
@ -238,7 +238,7 @@ ErrorCode Ikev2Protocol::start()
                                "-CipherTransformConstants GCMAES128 "
                                "-EncryptionMethod AES256 "
                                "-IntegrityCheckMethod SHA256 "
-                                "-PfsGroup None "
+                                "-PfsGroup PFS2048 "
                                "-DHGroup Group14 "
                                "-PassThru -Force\"")
                            .arg(tunnelName());
--- a/client/server_scripts/ipsec/configure_container.sh
+++ b/client/server_scripts/ipsec/configure_container.sh
@ -33,14 +33,14 @@ conn shared
  right=%any
  encapsulation=yes
  authby=secret
-  pfs=no
+  pfs=yes
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
@ -244,9 +244,9 @@ conn ikev2-cp
  auto=add
  ikev2=insist
  rekey=no
-  pfs=no
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
-  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+  pfs=yes
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
+  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes