List all IKEv2 IKE and ESP proposals of various device clients in this thread/post.
-
Hi everyone!
I'd like to help gather all the proposals sent from every device in this post/thread to help other people configure their pfSense IKEv2 settings properly to allow devices of their choosing to connect to the VPN server with the highest security. If you would like to contribute, do state your device and the proposals sent from the devices and post them in this thread. Thanks!
Windows native +
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 set to 2:
Phase 1
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Phase 2
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Android Strongswan:
Phase 1:
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_521/ECP_256/ECP_384/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_521/ECP_256/ECP_384/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Phase 2:
ESP:AES_GCM_16_256/AES_GCM_16_128/CHACHA20_POLY1305/NO_EXT_SEQ,
ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA2_512_256/HMAC_SHA1_96/NO_EXT_SEQ
-
Great idea!
macOS Big Sur & iOS 14.3
Phase 1:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Phase 2:
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ