authorTobias Brunner <tobias@strongswan.org>2016-05-04 11:26:38 +0200
committerTobias Brunner <tobias@strongswan.org>2016-05-04 11:33:28 +0200
commitfae18fd201eb0b2e9a437a9e1b6faf52afd784f8 (patch)
tree1c3a03fe3faf1d67600f6a946c2b32f12f5efd07 /src
parent2b9bfb6682f0a936af5b76a03c36d0d8fe42eb08 (diff)
proposal: Remove some weaker and rarely used DH groups from the default proposal
This fixes an interoperability issue with Windows Server 2012 R2 gateways. They insist on using modp1024 for IKE, however, Microsoft's IKEv2 implementation seems only to consider the first 15 DH groups in the proposal. Depending on the loaded plugins modp1024 is now at position 17 or even later, causing the server to reject the proposal. By removing some of the weaker and rarely used DH groups from the default proposal we make sure modp1024 is among the first 15 DH groups. The removed groups may still be used by configuring custom proposals.
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/config/proposal.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 0315e4ebc..6675c1d6d 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -861,16 +861,18 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
case MODP_768_BIT:
/* weak */
break;
- case MODP_2048_BIT:
- case MODP_2048_256:
case MODP_2048_224:
case MODP_1536_BIT:
- case MODP_1024_BIT:
case MODP_1024_160:
case ECP_224_BIT:
case ECP_224_BP:
case ECP_192_BIT:
case NTRU_112_BIT:
+ /* rarely used */
+ break;
+ case MODP_2048_BIT:
+ case MODP_2048_256:
+ case MODP_1024_BIT:
add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
break;
default:
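Review bot: The retained `case MODP_1024_BIT:` has no comment explaining why a 1024-bit group stays in the default IKE proposal while the larger `MODP_1536_BIT` and `MODP_2048_224` move under `/* rarely used */`. A later reader could take this for an oversight, so I would put `/* modp1024 is kept only for interoperability (e.g. Windows Server 2012 R2), it is the weakest group left in the default proposal */` directly above that label. The new `/* rarely used */` comment would also be more accurate as `/* weak or rarely used, still available via custom proposals */`, since the commit message describes the removed groups that way. The enclosing switch in `proposal_add_supported_ike` starts before and continues past this hunk, so how the remaining groups are ordered in the proposal is not visible here.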