Mobile IKEv2 for Windows 10 & macOS Sierra (DH group, multiple phase1 proposals)

giox

I'm currently using mobile IKEv2 with windows clients, and it works. I followed one of your guides for IKEv2+MSCHAPv2.
Now I have macOS sierra (10.12) and would like to bring also macs under IKEv2.
But it does not work.
I found that the only change needed to make macOS sierra work, is to change "Phase 1 Proposal (Algorithms)" -> "DH Group" to 5. But this breaks windows 10 clients which support DH Group 2 by default.

I don't know if the following is the right solutuon, bit it seems that strongswan supports having multiple phase 1 proposals, like
ike = aes256-sha256-modp1024,aes256-sha256-modp1536!
But… how can I enable it in pfsense ?

Yes, I know that via Powershell in windows 10 we can set DH group 14 for windows, which is accepted by macOS Sierra too. But I can't do it in our remote windows phones. A solution in which pFsense will accept both proposals will be very good. Is it possible ?

Thank you

jimp

At the moment we don't have a way to allow that in the pfSense GUI.

You can use a VPN profile on OSX to configure the settings you want, there is a profile creation utility available from Apple.

twitched

You can make Windows 10 use Group 14 as described here: https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048

Then do the same for IOS using the Apple Configurator 2 (https://support.apple.com/en-us/HT205285) and this tutorial: https://forum.pfsense.org/index.php?topic=106433.0 (Use Group 14 instead of 20, which is what this tutorial has)