From 581b8b17bcd26ee3d97774efb6c8e65b6ee2ed85 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 20 Nov 2017 13:10:42 +0100
Subject: [PATCH] ipsec, add support for elliptical curve dh groups and change default dhgroup in the process (from 2 -> 24), last but not least some dhgroups seemed to be missing an implementation. for https://github.com/opnsense/core/issues/1942
---
 src/etc/inc/plugins.inc.d/ipsec.inc | 18 ++++++++++++++++++
 src/www/vpn_ipsec.php | 3 +++
 src/www/vpn_ipsec_phase1.php | 5 ++++-
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index a04477659..4a892630a 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -632,6 +632,24 @@ function ipsec_convert_to_modp($index)
 case '18':
 $convertion = "modp8192";
 break;
+ case '19':
+ $convertion = "ecp256";
+ break;
+ case '20':
+ $convertion = "ecp384";
+ break;
+ case '21':
+ $convertion = "ecp521";
+ break;
+ case '22':
+ $convertion = "modp1024s160";
+ break;
+ case '23':
+ $convertion = "modp2048s224";
+ break;
+ case '24':
+ $convertion = "modp2048s256";
+ break;
 }
 return $convertion;
diff --git a/src/www/vpn_ipsec.php b/src/www/vpn_ipsec.php
index ab659656a..49f8a771d 100644
--- a/src/www/vpn_ipsec.php
+++ b/src/www/vpn_ipsec.php
@@ -410,6 +410,9 @@ $( document ).ready(function() {
 16 => '16 (4096 bits)',
 17 => '17 (6144 bits)',
 18 => '18 (8192 bits)',
+ 19 => '19 (256 bit elliptic curve)',
+ 20 => '20 (384 bit elliptic curve)',
+ 21 => '21 (521 bit elliptic curve)',
 22 => '22 (1024(sub 160) bits)',
 23 => '23 (2048(sub 224) bits)',
 24 => '24 (2048(sub 256) bits)'
diff --git a/src/www/vpn_ipsec_phase1.php b/src/www/vpn_ipsec_phase1.php
index d97d7fa95..3b3005366 100644
--- a/src/www/vpn_ipsec_phase1.php
+++ b/src/www/vpn_ipsec_phase1.php
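Review bot: The six new cases in ipsec_convert_to_modp() give a maintainer no hint where the numbers come from or that they differ sharply in strength; a comment above `case '19':` such as `// 19-21: ECP groups (RFC 5903); 22-24: RFC 5114 MODP groups with a prime-order subgroup` would make the table self-explaining. Group 22 maps to `modp1024s160`, a 1024-bit modulus that current IKEv2 algorithm guidance (RFC 8247) recommends against, so a second comment on that case, `// 1024-bit group, kept for interoperability only`, would stop the presence of a mapping being read as an endorsement. The start of ipsec_convert_to_modp(), including where `$convertion` is initialised, lies outside the hunk, so whether an unknown `$index` returns an undefined value cannot be judged from here.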
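Review bot: The id-to-label table added to here now exists in two copies — this hunk and the one at `@@ -951,6 +951,9 @@` in vpn_ipsec_phase1.php — while the id-to-strongswan-name mapping is a third table in ipsec_convert_to_modp(), so the next group added has to land in three places to be selectable, labelled and actually configured. The two label copies already disagree in wording ('bits' in this file, 'bit' in vpn_ipsec_phase1.php). A single helper in ipsec.inc returning the id → label array, consumed by both pages, would keep the lists in step; the new 19–21 entries would be the natural first content for it.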
@@ -128,7 +128,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig['authentication_method'] = "pre_shared_key";
 $pconfig['encryption-algorithm'] = array("name" => "3des") ;
 $pconfig['hash-algorithm'] = "sha1";
- $pconfig['dhgroup'] = "2";
+ $pconfig['dhgroup'] = "24";
 $pconfig['lifetime'] = "28800";
 $pconfig['nat_traversal'] = "on";
 $pconfig['iketype'] = "ikev1";
@@ -951,6 +951,9 @@ endforeach; ?>
 16 => '16 (4096 bit)',
 17 => '17 (6144 bit)',
 18 => '18 (8192 bit)',
+ 19 => '19 (256 bit elliptic curve)',
+ 20 => '20 (384 bit elliptic curve)',
+ 21 => '21 (521 bit elliptic curve)',
 22 => '22 (1024(sub 160) bit)',
 23 => '23 (2048(sub 224) bit)',
 24 => '24 (2048(sub 256) bit)'
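Review bot: The new default `$pconfig['dhgroup'] = "24";` selects an RFC 5114 group (modp2048s256 in ipsec_convert_to_modp()) that current IKEv2 algorithm guidance (RFC 8247) recommends against, because the RFC 5114 moduli were not verifiably generated; that document lists group 14 (2048-bit MODP) as the mandatory baseline and group 19 (256-bit ECP) as the recommended modern choice. `$pconfig['dhgroup'] = "14";` would be the safer default for new phase 1 entries and interoperates with the widest range of peers, with `"19"` the alternative if a curve is preferred; both ids are already present in the selection lists. This line only seeds the GET form for a new entry, so stored configurations are not affected either way. The surrounding defaults (`3des`, `sha1`) are equally dated but outside what this commit changes.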