ipsec, add support for elliptical curve dh groups and change default dhgroup in the process (from 2 -> 24), last but not least some dhgroups seemed to be missing an implementation. for https://github.com/opnsense/core/issues/1942

2026-03-14 00:24:40 +00:00 · 2017-11-20 13:10:42 +01:00 · 2017-11-20 13:10:42 +01:00 · 581b8b17bc
commit 581b8b17bc
parent df4de782b3
3 changed files with 25 additions and 1 deletions
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@ -632,6 +632,24 @@ function ipsec_convert_to_modp($index)
        case '18':
            $convertion = "modp8192";
            break;
+        case '19':
+            $convertion = "ecp256";
+            break;
+        case '20':
+            $convertion = "ecp384";
+            break;
+        case '21':
+            $convertion = "ecp521";
+            break;
+        case '22':
+            $convertion = "modp1024s160";
+            break;
+        case '23':
+            $convertion = "modp2048s224";
+            break;
+        case '24':
+            $convertion = "modp2048s256";
+            break;
    }

    return $convertion;
--- a/src/www/vpn_ipsec.php
+++ b/src/www/vpn_ipsec.php
@ -410,6 +410,9 @@ $( document ).ready(function() {
                            16 => '16 (4096&nbsp;bits)',
                            17 => '17 (6144&nbsp;bits)',
                            18 => '18 (8192&nbsp;bits)',
+                            19 => '19 (256&nbsp;bit&nbsp;elliptic&nbsp;curve)',
+                            20 => '20 (384&nbsp;bit&nbsp;elliptic&nbsp;curve)',
+                            21 => '21 (521&nbsp;bit&nbsp;elliptic&nbsp;curve)',
                            22 => '22 (1024(sub 160)&nbsp;bits)',
                            23 => '23 (2048(sub 224)&nbsp;bits)',
                            24 => '24 (2048(sub 256)&nbsp;bits)'
--- a/src/www/vpn_ipsec_phase1.php
+++ b/src/www/vpn_ipsec_phase1.php
@ -128,7 +128,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $pconfig['authentication_method'] = "pre_shared_key";
        $pconfig['encryption-algorithm'] = array("name" => "3des") ;
        $pconfig['hash-algorithm'] = "sha1";
-        $pconfig['dhgroup'] = "2";
+        $pconfig['dhgroup'] = "24";
        $pconfig['lifetime'] = "28800";
        $pconfig['nat_traversal'] = "on";
        $pconfig['iketype'] = "ikev1";
@ -951,6 +951,9 @@ endforeach; ?>
                        16 => '16 (4096 bit)',
                        17 => '17 (6144 bit)',
                        18 => '18 (8192 bit)',
+                        19 => '19 (256 bit elliptic curve)',
+                        20 => '20 (384 bit elliptic curve)',
+                        21 => '21 (521 bit elliptic curve)',
                        22 => '22 (1024(sub 160) bit)',
                        23 => '23 (2048(sub 224) bit)',
                        24 => '24 (2048(sub 256) bit)'