Improve VPN ciphers

- Improve security by removing support for modp1024 (DH group 2),
  which is less secure and no longer enabled in Libreswan by default.
- The native VPN client on Android devices uses modp1024 for the
  IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes. After this change,
  Android users should instead connect using IKEv2 mode (recommended).
- Users who wish to keep the previous behavior (enable modp1024)
  can define VPN_ENABLE_MODP1024=yes in the "env" file, then re-create
  the Docker container.

run.sh

@@ -173,6 +173,10 @@ if [ -n "$VPN_IKEV2_ONLY" ]; then
   VPN_IKEV2_ONLY=$(nospaces "$VPN_IKEV2_ONLY")
   VPN_IKEV2_ONLY=$(noquotes "$VPN_IKEV2_ONLY")
 fi
+if [ -n "$VPN_ENABLE_MODP1024" ]; then
+  VPN_ENABLE_MODP1024=$(nospaces "$VPN_ENABLE_MODP1024")
+  VPN_ENABLE_MODP1024=$(noquotes "$VPN_ENABLE_MODP1024")
+fi
 if [ -n "$VPN_L2TP_NET" ]; then
   VPN_L2TP_NET=$(nospaces "$VPN_L2TP_NET")
   VPN_L2TP_NET=$(noquotes "$VPN_L2TP_NET")
@@ -310,6 +314,15 @@ case $VPN_IKEV2_ONLY in
     disable_ipsec_xauth=yes
     ;;
 esac
+ike_algs="aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1"
+ike_algs_addl=",aes256-sha2;modp1024,aes128-sha1;modp1024"
+case $VPN_ENABLE_MODP1024 in
+  [yY][eE][sS])
+    echo
+    echo "Enabling modp1024 in ipsec.conf..."
+    ike_algs="$ike_algs$ike_algs_addl"
+    ;;
+esac
 
 if [ "$disable_ipsec_l2tp" = yes ] && [ "$disable_ipsec_xauth" = yes ]; then
 cat <<'EOF'
@@ -357,7 +370,7 @@ conn shared
   dpdtimeout=300
   dpdaction=clear
   ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+  ike=$ike_algs
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h