    Mobile IKEv2 for Windows 10 & macOS Sierra (DH group, multiple phase1 proposals)

    • giox last edited by

      I'm currently using mobile IKEv2 with Windows clients, and it works. I followed one of your guides for IKEv2+MSCHAPv2.
      Now I have macOS Sierra (10.12) and would also like to bring Macs under IKEv2.
      But it does not work.
      I found that the only change needed to make macOS Sierra work is to change "Phase 1 Proposal (Algorithms)" -> "DH Group" to 5. But this breaks Windows 10 clients, which support DH Group 2 by default.

      I don't know if the following is the right solution, but it seems that strongSwan supports having multiple phase 1 proposals, like
      ike = aes256-sha256-modp1024,aes256-sha256-modp1536!
      But… how can I enable it in pfSense?

      Yes, I know that via PowerShell in Windows 10 we can set DH group 14 for Windows, which is accepted by macOS Sierra too. But I can't do it on our remote Windows phones. A solution in which pfSense will accept both proposals would be very good. Is it possible?

      Thank you

      • jimp Rebel Alliance Developer Netgate last edited by

        At the moment we don't have a way to allow that in the pfSense GUI.

        You can use a VPN profile on OSX to configure the settings you want; there is a profile creation utility available from Apple.

        • twitched last edited by

          You can make Windows 10 use Group 14 as described here: https://wiki.strongswan.org/projects/strongswan/wiki/Windows7#AES-256-CBC-and-MODP2048

          Then do the same for iOS using the Apple Configurator 2 (https://support.apple.com/en-us/HT205285) and this tutorial: https://forum.pfsense.org/index.php?topic=106433.0 (Use Group 14 instead of 20, which is what this tutorial has)

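Added example, not part of any post in this thread and not pfSense or strongSwan code: a small Python check of an `ike=` line in the form giox quotes, showing which of the clients discussed each proposal list would cover and which DH groups fall below a 2048-bit floor. The client group sets are taken from the posts above; `CLIENTS`, `MIN_MODP_BITS` and the function names are assumptions of this example, and matching is done on the DH group only.

```python
# Added example: analyse a strongSwan "ike=" line of the form quoted in the thread.
# IKE DH group numbers for the MODP keywords used in this thread.
MODP_TO_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14}
MIN_MODP_BITS = 2048  # assumption: policy floor picked for this example

# Client capabilities as reported by the posters (not independently verified).
CLIENTS = {
    "windows10_default": {2},
    "windows10_group14": {14},  # after the client-side change discussed in the thread
    "macos_sierra": {5, 14},
}


def parse_ike(line):
    """Return (proposals, strict) for 'ike = enc-integ-dh[,enc-integ-dh...][!]'."""
    value = line.split("=", 1)[1].strip()
    strict = value.endswith("!")  # '!' = accept only the listed proposals
    proposals = []
    for raw in value.rstrip("!").split(","):
        parts = raw.strip().split("-")
        if len(parts) != 3 or parts[2] not in MODP_TO_GROUP:
            raise ValueError(f"unsupported proposal in this example: {raw!r}")
        proposals.append({"enc": parts[0], "integ": parts[1], "dh": parts[2]})
    return proposals, strict


def coverage(proposals, clients=CLIENTS):
    """Map each client to the DH keywords it could agree on (DH group only)."""
    return {
        name: [p["dh"] for p in proposals if MODP_TO_GROUP[p["dh"]] in groups]
        for name, groups in clients.items()
    }


def weak_groups(proposals, floor=MIN_MODP_BITS):
    """DH keywords whose modulus size is below the policy floor."""
    return [p["dh"] for p in proposals if int(p["dh"][len("modp"):]) < floor]


if __name__ == "__main__":
    # Constructed inputs: the line from the first post, and a group 14 only variant.
    for line in ("ike = aes256-sha256-modp1024,aes256-sha256-modp1536!",
                 "ike = aes256-sha256-modp2048!"):
        props, strict = parse_ike(line)
        print(line, "| strict:", strict)
        print("  coverage:", coverage(props))
        print("  below floor:", weak_groups(props))
```

The two-proposal line covers the default Windows 10 and macOS Sierra clients but only with groups below the floor, while the group 14 line clears the floor and covers only clients that have been reconfigured.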