Mobile IKEv2 for Windows 10 & macOS Sierra (DH group, multiple phase1 proposals)



  • I'm currently using mobile IKEv2 with Windows clients, and it works. I followed one of your guides for IKEv2+MSCHAPv2.
    Now I have macOS Sierra (10.12) and would like to bring also Macs under IKEv2.
    But it does not work.
    I found that the only change needed to make macOS Sierra work is to change "Phase 1 Proposal (Algorithms)" -> "DH Group" to 5. But this breaks Windows 10 clients, which support DH Group 2 by default.

    I don't know if the following is the right solution, but it seems that strongSwan supports having multiple phase 1 proposals, like
    ike = aes256-sha256-modp1024,aes256-sha256-modp1536!
    But… how can I enable it in pfSense?

    Yes, I know that via PowerShell in Windows 10 we can set DH group 14 for Windows, which is accepted by macOS Sierra too. But I can't do it on our remote Windows phones. A solution in which pfSense will accept both proposals would be very good. Is it possible?

    Thank you


  • Rebel Alliance Developer Netgate

    At the moment we don't have a way to allow that in the pfSense GUI.

    You can use a VPN profile on OS X to configure the settings you want; there is a profile creation utility available from Apple.



  • You can make Windows 10 use Group 14 as described here: https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048

    Then do the same for iOS using the Apple Configurator 2 (https://support.apple.com/en-us/HT205285) and this tutorial: https://forum.pfsense.org/index.php?topic=106433.0 (use Group 14 instead of 20, which is what this tutorial has).
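    As an added example (not code posted by anyone in this thread), the Windows 10 side of the Group 14 approach in PowerShell: pin an existing IKEv2 VPN profile to the thread's aes256-sha256 proposal with DH group 14, then read the settings back to confirm the change took. The connection name and the PFS group are placeholders/assumptions to be matched to your own pfSense configuration.

    ```powershell
    # Added example: pin a Windows 10 IKEv2 VPN connection to DH group 14 so it
    # matches a single pfSense phase 1 proposal that macOS Sierra also accepts.
    # Run in an elevated PowerShell session. "pfSense IKEv2" is a placeholder;
    # use the name shown by Get-VpnConnection for your own profile.
    $ConnectionName = "pfSense IKEv2"

    # Phase 1 parameters matching the aes256-sha256 proposal from the thread,
    # with the DH group raised from 2 (modp1024) to 14 (modp2048).
    $IPsecParams = @{
        ConnectionName                   = $ConnectionName
        AuthenticationTransformConstants = 'SHA256128'
        CipherTransformConstants         = 'AES256'
        EncryptionMethod                 = 'AES256'
        IntegrityCheckMethod             = 'SHA256'
        DHGroup                          = 'Group14'
        PfsGroup                         = 'PFS2048'  # phase 2 PFS; assumption, match your pfSense phase 2 settings
        Force                            = $true
        # Add AllUserConnection = $true here if the profile was created for all users.
    }

    # Fail early if the profile does not exist instead of silently configuring nothing.
    if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
        throw "VPN connection '$ConnectionName' not found; check Get-VpnConnection."
    }

    Set-VpnConnectionIPsecConfiguration @IPsecParams

    # Read the custom policy back and verify the DH group actually changed.
    $cfg = (Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
    if ($cfg.DHGroup -ne 'Group14') {
        throw "Expected DHGroup Group14 but got '$($cfg.DHGroup)'"
    }
    "{0}: {1}/{2}, DH {3}, PFS {4}" -f $ConnectionName, $cfg.EncryptionMethod,
        $cfg.IntegrityCheckMethod, $cfg.DHGroup, $cfg.PfsGroup
    ```

    After this the pfSense phase 1 proposal can stay at a single DH group 14 entry for both client types; the Windows phones the first poster mentions are not covered by this cmdlet.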