From 598a0c0a26833b33e70b99f00eaa6246eeb862ce Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Mon, 9 Mar 2026 09:52:51 +0100
Subject: [PATCH 1/4] make dh group 19 default, support 19-21

---
 ui/src/views/network/CreateVpnCustomerGateway.vue | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/ui/src/views/network/CreateVpnCustomerGateway.vue b/ui/src/views/network/CreateVpnCustomerGateway.vue
index f71fc4709e8d..97090d7fc5ba 100644
--- a/ui/src/views/network/CreateVpnCustomerGateway.vue
+++ b/ui/src/views/network/CreateVpnCustomerGateway.vue
@@ -258,9 +258,12 @@ export default {
 'Group 15': 'modp3072',
 'Group 16': 'modp4096',
 'Group 17': 'modp6144',
- 'Group 18': 'modp8192'
+ 'Group 18': 'modp8192',
+ 'Group 19': 'modp256',
+ 'Group 20': 'modp2048',
+ 'Group 21': 'modp2048'
 },
- ikeDhGroupInitialValue: 'Group 5(modp1536)',
+ ikeDhGroupInitialValue: 'Group 19(modp256)',
 isSubmitted: false,
 ikeversion: 'ike'
 }
@@ -275,12 +278,12 @@ export default {
 initForm () {
 this.formRef = ref()
 this.form = reactive({
- ikeEncryption: 'aes128',
+ ikeEncryption: 'aes256',
 ikeHash: 'sha1',
 ikeversion: 'ike',
- ikeDh: 'Group 5(modp1536)',
- espEncryption: 'aes128',
- espHash: 'sha1',
+ ikeDh: 'Group 19(modp 256)',
+ espEncryption: 'aes256',
+ espHash: 'sha256',
 perfectForwardSecrecy: 'None',
 ikelifetime: '86400',
 esplifetime: '3600',

From fd9b82a2fde3cc97d7211ff2d18894965f2443d9 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Mon, 9 Mar 2026 12:09:57 +0100
Subject: [PATCH 2/4] make group 31 default and update group mnenomics

---
 ui/src/views/network/CreateVpnCustomerGateway.vue | 11 ++++++-----
 utils/src/main/java/com/cloud/utils/net/NetUtils.java | 2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/ui/src/views/network/CreateVpnCustomerGateway.vue b/ui/src/views/network/CreateVpnCustomerGateway.vue
index 97090d7fc5ba..bacc04cae311 100644
--- a/ui/src/views/network/CreateVpnCustomerGateway.vue
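Review bot: The form default `ikeDh: 'Group 19(modp 256)'` in initForm carries a space inside the parentheses, while the same default is spelled `'Group 19(modp256)'` in ikeDhGroupInitialValue in the previous hunk, consistent with the `'Group 19': 'modp256'` entry there; if the select's options are rendered from that map, the form value will match no option and the pre-selection silently falls back. The same mismatch is carried forward by the second Vue hunk of patch 2/4, where ikeDh becomes `'Group 31(curve 25519)'` against `'Group 31(curve25519)'`; the values should be `ikeDh: 'Group 19(modp256)',` here and `ikeDh: 'Group 31(curve25519)',` there, or better derived from ikeDhGroupInitialValue so the two strings cannot drift. The hardening is also uneven: ikeHash stays at `'sha1'` while espHash is raised to `'sha256'` in the same hunk, so I would raise ikeHash to `'sha256'` as well unless a compatibility reason requires SHA-1 for IKE. initForm continues past the end of the hunk.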
+++ b/ui/src/views/network/CreateVpnCustomerGateway.vue
@@ -259,11 +259,12 @@ export default {
 'Group 16': 'modp4096',
 'Group 17': 'modp6144',
 'Group 18': 'modp8192',
- 'Group 19': 'modp256',
- 'Group 20': 'modp2048',
- 'Group 21': 'modp2048'
+ 'Group 22': 'modp1024s160',
+ 'Group 23': 'modp2048s224',
+ 'Group 24': 'modp2048s256',
+ 'Group 31': 'curve25519'
 },
- ikeDhGroupInitialValue: 'Group 19(modp256)',
+ ikeDhGroupInitialValue: 'Group 31(curve25519)',
 isSubmitted: false,
 ikeversion: 'ike'
 }
@@ -281,7 +282,7 @@ export default {
 ikeEncryption: 'aes256',
 ikeHash: 'sha1',
 ikeversion: 'ike',
- ikeDh: 'Group 19(modp 256)',
+ ikeDh: 'Group 31(curve 25519)',
 espEncryption: 'aes256',
 espHash: 'sha256',
 perfectForwardSecrecy: 'None',
diff --git a/utils/src/main/java/com/cloud/utils/net/NetUtils.java b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
index 65878e055e73..5dd923380fa7 100644
--- a/utils/src/main/java/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
@@ -1265,7 +1265,7 @@ public static boolean isValidS2SVpnPolicy(final String policyType, final String
 if (group == null && policyType.toLowerCase().matches("ike")) {
 return false; // StrongSwan requires a DH group for the IKE policy
 }
- if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192")) {
+ if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|modp1024s160|modp2048s224|modp2048s256|CURVE_25519")) {
 return false;
 }
 }

From d83413a29396bc474031307c672f5b7a66a40920 Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Tue, 10 Mar 2026 10:46:32 +0100
Subject: [PATCH 3/4] simple extra test

---
 utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
index 4495a123b07e..98f5312a5ba1 100644
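Review bot: The new `'Group 22': 'modp1024s160'` entry adds a 1024-bit MODP group to the offered list in the same commit that moves the default to curve25519; a 1024-bit modulus is below current IKE guidance (RFC 8247 lists the 1024-bit groups as SHOULD NOT, and the provenance of the RFC 5114 subgroup parameters has been questioned), so I would leave Group 22 out of the UI map and out of the whitelist added in this commit's NetUtils.java hunk, or at least label it as legacy. The removal of Groups 19–21 drops the elliptic-curve groups rather than correcting their keywords; the strongSwan names for those groups are `ecp256`, `ecp384` and `ecp521`, and RFC 8247 recommends groups 19 and 20, so keeping them under the corrected names would give users a standards-track ECP choice alongside curve25519. The data() object these entries live in starts before the hunk.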
--- a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
@@ -131,6 +131,7 @@ public void testIsValidS2SVpnPolicy() {
 assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-md5;modp1024"));
 assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1;modp3072,aes128-sha1;modp1536"));
 assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha256;modp3072,aes128-sha512;modp1536"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256;modp1024s160,modp2048s224,modp2048s256,curve25519"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "aes128-sha1"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1,aes256-sha1"));

From 0ba157c848b905592004fb2b732491e4493d522c Mon Sep 17 00:00:00 2001
From: Daan Hoogland
Date: Tue, 10 Mar 2026 11:22:38 +0100
Subject: [PATCH 4/4] policy update and test

---
 utils/src/main/java/com/cloud/utils/net/NetUtils.java | 2 +-
 utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/utils/src/main/java/com/cloud/utils/net/NetUtils.java b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
index 5dd923380fa7..d89d9fa2d93c 100644
--- a/utils/src/main/java/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
@@ -1265,7 +1265,7 @@ public static boolean isValidS2SVpnPolicy(final String policyType, final String
 if (group == null && policyType.toLowerCase().matches("ike")) {
 return false; // StrongSwan requires a DH group for the IKE policy
 }
- if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|modp1024s160|modp2048s224|modp2048s256|CURVE_25519")) {
+ if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|modp1024s160|modp2048s224|modp2048s256|curve25519")) {
 return false;
 }
 }
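Review bot: The accepted-group list on the changed line of the NetUtils.java hunk is an inline regex literal that now has to stay aligned with the `ikeDhGroups` map in ui/src/views/network/CreateVpnCustomerGateway.vue, and the CURVE_25519/curve25519 mismatch this commit corrects shows how easily the two drift. I would hoist the alternation into a named constant with a comment such as `// strongSwan DH group keywords accepted in s2s VPN policies; exact, case-sensitive match; keep in sync with ikeDhGroups in ui/src/views/network/CreateVpnCustomerGateway.vue`, since a misspelled keyword is currently rejected with a bare `false` and no diagnostic. isValidS2SVpnPolicy begins before this hunk and the trailing braces close enclosing blocks whose openings are not visible, so the constant would go at class scope outside the hunk.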
diff --git a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
index 98f5312a5ba1..5c9d41f90a25 100644
--- a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
@@ -131,7 +131,10 @@ public void testIsValidS2SVpnPolicy() {
 assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-md5;modp1024"));
 assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1;modp3072,aes128-sha1;modp1536"));
 assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha256;modp3072,aes128-sha512;modp1536"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256;modp1024s160,modp2048s224,modp2048s256,curve25519"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp1024s160"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp2048s224"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;modp2048s256"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;curve25519"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "aes128-sha1"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1"));
 assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1,aes256-sha1"));
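Review bot: The four added assertions only cover accepted spellings; there is no negative case pinning that the group whitelist is an exact, case-sensitive match, which is precisely the behaviour that made the earlier `CURVE_25519` spelling fail. Adding `assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "aes256-sha256;CURVE_25519"));` next to the new assertTrue lines would catch a future keyword drift between the UI map and NetUtils in either direction. testIsValidS2SVpnPolicy begins before this hunk and continues after it.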