From b173dcaa17cac3b25ff4ef7771a44a79e0d1e713 Mon Sep 17 00:00:00 2001
From: Mykola Baibuz
Date: Mon, 27 Jan 2025 22:39:18 +0200
Subject: [PATCH] Enable PFS for Windows IKEv2

---
 client/protocols/ikev2_vpn_protocol_windows.cpp | 2 +-
 client/server_scripts/ipsec/configure_container.sh | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/client/protocols/ikev2_vpn_protocol_windows.cpp b/client/protocols/ikev2_vpn_protocol_windows.cpp
index e2e4ca90..b4110f03 100644
--- a/client/protocols/ikev2_vpn_protocol_windows.cpp
+++ b/client/protocols/ikev2_vpn_protocol_windows.cpp
@@ -238,7 +238,7 @@ ErrorCode Ikev2Protocol::start()
  "-CipherTransformConstants GCMAES128 "
  "-EncryptionMethod AES256 "
  "-IntegrityCheckMethod SHA256 "
- "-PfsGroup None "
+ "-PfsGroup PFS2048 "
  "-DHGroup Group14 "
  "-PassThru -Force\"")
  .arg(tunnelName());
diff --git a/client/server_scripts/ipsec/configure_container.sh b/client/server_scripts/ipsec/configure_container.sh
index 76c4dfaf..1f0a45cb 100644
--- a/client/server_scripts/ipsec/configure_container.sh
+++ b/client/server_scripts/ipsec/configure_container.sh
@@ -33,14 +33,14 @@ conn shared
  right=%any
  encapsulation=yes
  authby=secret
- pfs=no
+ pfs=yes
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
- ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
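Review bot: `-PfsGroup PFS2048` on the changed line and `-DHGroup Group14` on the line below both denote modp2048, but nothing in this file records that the value has to track the DH groups the server offers in its `ikev2-cp` proposals in configure_container.sh, so a later edit to either side can leave child-SA rekeys failing without an obvious cause. I'd add a comment above the changed literal: `// PFS2048 (child-SA rekey) and Group14 (IKE SA) are both modp2048; keep in sync with ike=/pfs= in server_scripts/ipsec/configure_container.sh`. The PowerShell command is assembled from adjacent string literals and `.arg(tunnelName())`; the `%1` placeholder and the rest of Ikev2Protocol::start() lie outside the hunk.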
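Review bot: `pfs=yes` is now also applied to `conn shared`, which is `ikev2=never` (IKEv1 only), although the subject scopes the change to Windows IKEv2. In IKEv1 the PFS setting is not negotiated, so — as far as I recall libreswan's behaviour — a Quick Mode proposal from an existing peer configured without PFS no longer matches and that peer fails to bring up the child SA; please confirm against a non-PFS IKEv1 client, or keep `pfs=no` here and restrict the change to `conn ikev2-cp`. The first four `ike=` entries still carry no explicit DH group and fall back to libreswan's defaults, so `;modp2048` only pins the last two proposals; if the intent is to drop modp1024 entirely, appending `;modp2048` to every entry (or documenting the reliance on defaults) would make that explicit. The `conn shared` block starts outside the hunk.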
@@ -244,9 +244,9 @@ conn ikev2-cp
  auto=add
  ikev2=insist
  rekey=no
- pfs=no
- ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
- phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+ pfs=yes
+ ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
+ phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
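Review bot: With `pfs=yes` on `conn ikev2-cp` but no DH group in the new `phase2alg=` line, the CHILD_SA group is, as far as I know of libreswan, taken from whatever the IKE SA negotiated rather than fixed; the Windows client in the other file asks for PFS2048 (modp2048), so the two sides agree only while the IKE SA lands on modp2048. Appending `;modp2048` to the phase2alg entries, the same way the new `ike=` line does, would make the server's rekey group match the client's setting regardless of which `ike=` proposal wins. The `ike=` list is now byte-identical to the one in `conn shared`; a shell variable expanded into both conns would keep them from drifting apart (the heredoc or printf that emits them, if any, lies outside the hunk). The `conn ikev2-cp` block starts outside the hunk.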