vpn: Enable stronger Phase 1 ciphersuites

Prefer aes128-sha1-modp2048 and 3des-sha1-modp1536 to 3des-sha1-modp1024.
This allows both Phase 1 and Phase 2 to negotiate aes128 + sha1, the bare
minimum allowed under the UK CESG security guidelines.  Without this
patch, our client only proposes 3des-sha1-modp1024 and
aes128-md5-modp2048 for Phase 1.

Note that we are still running strongSwan 5.0.2 (2013).  On 5.4.0+
the default is aes128-sha256-modp3072, which doesn't seem to work
correctly on 5.0.2.  Long-term we should try to enable the sha256
ciphersuites.

BUG=chromium:619273
TEST=manually connect to test VPN
TEST=`FEATURES=test emerge-link vpn-manager`
TEST=test_that IP network_VPNConnect.l2tpipsec_{psk,cert}

Change-Id: Iec02a85b0ad2ae3cf1842b1df1fff484f8273f08
Reviewed-on: https://chromium-review.googlesource.com/350862
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Justin Schuh <jschuh@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@google.com>
1 file changed
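
The commit message's point, that the old Phase 1 list contained no proposal reaching aes128 + sha1, can be checked mechanically. The following is an added example, not code from this change or from strongSwan: the rank tables, the modp2048 DH floor and the `AFTER` string are assumptions built from the message's wording, since the actual configuration value is not shown on this page.

```python
# Added example: audit a strongSwan-style IKE proposal list against a policy floor.
# Rank tables and the DH floor are illustrative assumptions, not from the commit.
CIPHER_RANK = {"3des": 0, "aes128": 1, "aes192": 2, "aes256": 3}
HASH_RANK = {"md5": 0, "sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}
DH_BITS = {"modp1024": 1024, "modp1536": 1536, "modp2048": 2048, "modp3072": 3072}

# aes128 + sha1 is the minimum named in the commit message; the DH floor is assumed.
FLOOR = {"cipher": "aes128", "hash": "sha1", "dh": "modp2048"}

# Phase 1 proposals the message says the client sent before the patch.
BEFORE = "3des-sha1-modp1024,aes128-md5-modp2048"
# Constructed from the stated preference order; the real config line is not shown.
AFTER = "aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024"


def parse_proposal(text):
    """Split 'cipher-hash-dhgroup' (optional trailing '!') into known tokens."""
    parts = text.strip().rstrip("!").lower().split("-")
    if len(parts) != 3:
        raise ValueError(f"expected cipher-hash-dhgroup, got {text!r}")
    for name, table in zip(parts, (CIPHER_RANK, HASH_RANK, DH_BITS)):
        if name not in table:
            raise ValueError(f"unknown algorithm {name!r} in {text!r}")
    return tuple(parts)


def shortfalls(proposal, floor=FLOOR):
    """List every way one proposal falls below the floor (empty list = compliant)."""
    cipher, hash_, dh = parse_proposal(proposal)
    issues = []
    if CIPHER_RANK[cipher] < CIPHER_RANK[floor["cipher"]]:
        issues.append(f"cipher {cipher} below {floor['cipher']}")
    if HASH_RANK[hash_] < HASH_RANK[floor["hash"]]:
        issues.append(f"hash {hash_} below {floor['hash']}")
    if DH_BITS[dh] < DH_BITS[floor["dh"]]:
        issues.append(f"dh {dh} below {floor['dh']}")
    return issues


def audit(ike_line, floor=FLOOR):
    """Return (first compliant proposal or None, {proposal: shortfalls})."""
    report = {p.strip(): shortfalls(p, floor) for p in ike_line.split(",") if p.strip()}
    compliant = [p for p, issues in report.items() if not issues]
    return (compliant[0] if compliant else None), report


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        best, report = audit(line)
        print(label, "first compliant proposal:", best)
        for proposal, issues in report.items():
            print("  ", proposal, "->", "; ".join(issues) or "ok")
```

The report for `AFTER` still lists the 3des fallbacks with their shortfalls: the responder chooses among the offered proposals, so those entries remain negotiable for as long as they stay in the list.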