New ciphers implementing #247 (#352)

Switches to SHA2_512_256 HMAC integrity algorithm and adds cipher compatibility for other platforms.

roles/cloud-gce/tasks/main.yml

@@ -19,7 +19,7 @@
     credentials_file: "{{ credentials_file_path }}"
     project_id: "{{ project_id }}"
     metadata: '{"ssh-keys":"ubuntu:{{ ssh_public_key_lookup }}"}'
-    ip_forward: true
+    # ip_forward: true
     tags:
       - "environment-algo"
   register: google_vm

roles/vpn/defaults/main.yml

@@ -19,3 +19,11 @@ strongswan_enabled_plugins:
   - socket-default
   - stroke
   - x509
+
+ciphers:
+  defaults:
+    ike: aes128gcm16-sha2_512-prfsha512-ecp256!
+    esp: aes128gcm16-sha2_512-ecp256!
+  compat:
+    ike: aes128-sha2_512-prfsha512-ecp256,aes128gcm16-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048!
+    esp: aes128-sha2_512-ecp256,aes128gcm16-sha2_512-ecp256,aes128-sha2_256-modp2048!

roles/vpn/templates/client_ipsec.conf.j2

@@ -7,11 +7,11 @@ conn ikev2-{{ IP_subject_alt_name }}
     dpddelay=35s
 
 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-    esp=aes128gcm16-sha2_256-ecp256,aes256-sha1-modp1024!
+    ike={{ ciphers.compat.ike }}
+    esp={{ ciphers.compat.esp }}
 {% else %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256
-    esp=aes128gcm16-sha2_256-ecp256
+    ike={{ ciphers.defaults.ike }}
+    esp={{ ciphers.defaults.esp }}
 {% endif %}
 
     right={{ IP_subject_alt_name }}

roles/vpn/templates/client_windows.ps1.j2

@@ -1,3 +1,3 @@
 certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ item }}.p12
 Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
-Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none
+Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none

roles/vpn/templates/ipsec.conf.j2

@@ -11,11 +11,11 @@ conn %default
     dpddelay=35s
 
 {% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-    esp=aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
+    ike={{ ciphers.compat.ike }}
+    esp={{ ciphers.compat.esp }}
 {% else %}
-    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
-    esp=aes128gcm16-sha2_256-ecp256!
+    ike={{ ciphers.defaults.ike }}
+    esp={{ ciphers.defaults.esp }}
 {% endif %}
 
     left=%any

roles/vpn/templates/mobileconfig.j2

@@ -60,7 +60,7 @@
                     <key>EncryptionAlgorithm</key>
                     <string>AES-128-GCM</string>
                     <key>IntegrityAlgorithm</key>
-                    <string>SHA2-256</string>
+                    <string>SHA2-512</string>
                     <key>LifeTimeInMinutes</key>
                     <integer>20</integer>
                 </dict>
@@ -81,7 +81,7 @@
                     <key>EncryptionAlgorithm</key>
                     <string>AES-128-GCM</string>
                     <key>IntegrityAlgorithm</key>
-                    <string>SHA2-256</string>
+                    <string>SHA2-512</string>
                     <key>LifeTimeInMinutes</key>
                     <integer>20</integer>
                 </dict>