X Tutup
Skip to content

make dh group 31 default, support 22-24+31#12764

Open
DaanHoogland wants to merge 4 commits intoapache:4.22from
shapeblue:ghi12505-dhGroups
Open

make dh group 31 default, support 22-24+31#12764
DaanHoogland wants to merge 4 commits intoapache:4.22from
shapeblue:ghi12505-dhGroups

Conversation

@DaanHoogland
Copy link
Contributor

@DaanHoogland DaanHoogland commented Mar 9, 2026
edited
Loading

Description

This PR...

Fixes: #12505

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

@DaanHoogland DaanHoogland requested a review from abh1sar March 9, 2026 08:58
@codecov
Copy link

codecov bot commented Mar 9, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 17.61%. Comparing base (5caf6cd) to head (0ba157c).
⚠️ Report is 17 commits behind head on 4.22.

Files with missing lines Patch % Lines
...ls/src/main/java/com/cloud/utils/net/NetUtils.java 0.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff            @@
##               4.22   #12764   +/-   ##
=========================================
  Coverage     17.60%   17.61%           
- Complexity    15659    15663    +4     
=========================================
  Files          5917     5917           
  Lines        531394   531402    +8     
  Branches      64970    64971    +1     
=========================================
+ Hits          93575    93593   +18     
+ Misses       427269   427255   -14     
- Partials      10550    10554    +4
Flag Coverage Δ
uitests 3.70% <ø> (-0.01%) ⬇️
unittests 18.68% <0.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@DaanHoogland DaanHoogland linked an issue Mar 9, 2026 that may be closed by this pull request
Increase DH Groups for VR from DH 18 to DH 21 or higher #12505
Open
@DaanHoogland DaanHoogland changed the title make dh group 19 default, support 19-21 make dh group 31 default, support 22-24+31 Mar 9, 2026
@DaanHoogland DaanHoogland requested a review from Copilot March 9, 2026 11:54
@DaanHoogland DaanHoogland requested a review from NuxRo March 9, 2026 11:56
Copilot AI reviewed Mar 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Site-to-Site VPN Customer Gateway defaults/options to support additional IKE DH groups (including group 31) and validates them server-side, aligning with newer strongSwan capabilities.

Changes:

  • Expands server-side IKE/ESP policy DH-group validation to include groups 22–24 and 31.
  • Extends the UI DH group dropdown to include groups 22–24 and 31, and changes the default DH group to 31.
  • Updates UI default IKE/ESP algorithm selections (aes256/sha256 defaults).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File Description
utils/src/main/java/com/cloud/utils/net/NetUtils.java Extends DH-group allowlist for S2S VPN policy validation.
ui/src/views/network/CreateVpnCustomerGateway.vue Adds DH groups 22–24 and 31 to the dropdown and changes default selections.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

ui/src/views/network/CreateVpnCustomerGateway.vue
Comment on lines +285 to +286
ikeDh: 'Group 31(curve 25519)',
espEncryption: 'aes256',
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default ikeDh is set to a label-like string (Group 31(...) / curve 25519), but the select stores the raw DH token (e.g., curve25519). Initialize form.ikeDh to the raw value and adjust the submit logic accordingly (it currently assumes parentheses parsing for the default), otherwise the default won’t be selected and ikepolicy may be built with an invalid DH group.

Copilot uses AI. Check for mistakes.
@NuxRo
Copy link
Contributor

NuxRo commented Mar 9, 2026
edited by DaanHoogland
Loading

Strongswan 5.9.8 in ACS 4.22 (Debian Bookworm) does seem to support GROUP 31, so I guess it's ok to make it so and also add more options in the Customer Gateway for this and other versions.

This is what I am seeing in the shell, so groups 1, 2, 5 , 14, 15, 16, 17, 18, 22, 23, 24, 31 can be the options, also keeping PR #12193 in mind:

image

NuxRo
NuxRo approved these changes Mar 9, 2026
View reviewed changes
Copy link
Contributor

@NuxRo NuxRo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@DaanHoogland DaanHoogland requested a review from Copilot March 10, 2026 09:47
@DaanHoogland
Copy link
Contributor Author

DaanHoogland commented Mar 10, 2026

@blueorangutan package

@blueorangutan
Copy link

blueorangutan commented Mar 10, 2026

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

Copilot AI reviewed Mar 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@DaanHoogland DaanHoogland requested a review from Copilot March 10, 2026 10:23
Copilot AI reviewed Mar 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

ui/src/views/network/CreateVpnCustomerGateway.vue
'Group 31': 'curve25519'
},
ikeDhGroupInitialValue: 'Group 5(modp1536)',
ikeDhGroupInitialValue: 'Group 31(curve25519)',
Copy link

Copilot AI Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ikeDhGroupInitialValue is set to a label-like string (Group 31(curve25519)), but the <a-select> for IKE DH uses :value="DHGroups[group]" (e.g. curve25519). This mismatch makes the initial-value comparison in handleSubmit unreliable and contributes to generating invalid ikepolicy values. Set ikeDhGroupInitialValue to the actual option value (e.g. curve25519) or remove the special-casing logic entirely and always append values.ikeDh.

Suggested change
ikeDhGroupInitialValue: 'Group 31(curve25519)',
ikeDhGroupInitialValue: 'curve25519',

Copilot uses AI. Check for mistakes.
@blueorangutan
Copy link

blueorangutan commented Mar 10, 2026

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 17067

@abh1sar
Copy link
Contributor

abh1sar commented Mar 10, 2026

@blueorangutan package

@blueorangutan
Copy link

blueorangutan commented Mar 10, 2026

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17069

abh1sar
abh1sar approved these changes Mar 10, 2026
View reviewed changes
Copy link
Contributor

@abh1sar abh1sar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Looks good.
New algorithms need to be tested that they are working correctly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@NuxRo NuxRo NuxRo approved these changes

@abh1sar abh1sar abh1sar approved these changes

Assignees

No one assigned

Labels

component:UI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Increase DH Groups for VR from DH 18 to DH 21 or higher

5 participants

@DaanHoogland @NuxRo @blueorangutan @abh1sar
X Tutup