make dh group 31 default, support 22-24+31 (#12764)

2026-04-27 09:13:58 +01:00 · 2026-04-27 09:13:58 +01:00 · 0b169920f3
parent 64ac0822b4
commit 0b169920f3
3 changed files with 15 additions and 7 deletions
--- a/ui/src/views/network/CreateVpnCustomerGateway.vue
+++ b/ui/src/views/network/CreateVpnCustomerGateway.vue
@ -258,9 +258,13 @@ export default {
        'Group 15': 'modp3072',
        'Group 16': 'modp4096',
        'Group 17': 'modp6144',
-        'Group 18': 'modp8192'
+        'Group 18': 'modp8192',
+        'Group 22': 'modp1024s160',
+        'Group 23': 'modp2048s224',
+        'Group 24': 'modp2048s256',
+        'Group 31': 'curve25519'
      },
-      ikeDhGroupInitialValue: 'Group 5(modp1536)',
+      ikeDhGroupInitialValue: 'Group 31(curve25519)',
      isSubmitted: false,
      ikeversion: 'ike'
    }
@ -275,12 +279,12 @@ export default {
    initForm () {
      this.formRef = ref()
      this.form = reactive({
-        ikeEncryption: 'aes128',
+        ikeEncryption: 'aes256',
        ikeHash: 'sha1',
        ikeversion: 'ike',
-        ikeDh: 'Group 5(modp1536)',
-        espEncryption: 'aes128',
-        espHash: 'sha1',
+        ikeDh: 'Group 31(curve 25519)',
+        espEncryption: 'aes256',
+        espHash: 'sha256',
        perfectForwardSecrecy: 'None',
        ikelifetime: '86400',
        esplifetime: '3600',
--- a/utils/src/main/java/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
@ -1265,7 +1265,7 @@ public class NetUtils {
            if (group == null && policyType.toLowerCase().matches("ike")) {
                return false; // StrongSwan requires a DH group for the IKE policy
            }
-            if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192")) {
+            if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|modp1024s160|modp2048s224|modp2048s256|curve25519")) {
                return false;
            }
        }
--- a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
@ -131,6 +131,10 @@ public class NetUtilsTest {
        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-md5;modp1024"));
        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1;modp3072,aes128-sha1;modp1536"));
        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha256;modp3072,aes128-sha512;modp1536"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp1024s160"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp2048s224"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp2048s256"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;curve25519"));
        assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "aes128-sha1"));
        assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1"));
        assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1,aes256-sha1"));