Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ipsec config info

    Scheduled Pinned Locked Moved IPsec
    3 Posts 2 Posters 831 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K Offline
      keen
      last edited by

      hi guys,
      watching my pfsense log I see this:

      /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.

      and what about ? why is not a secure configuration ?

      thanks in advice

      1 Reply Last reply Reply Quote 0
      • jimpJ Offline
        jimp Rebel Alliance Developer Netgate
        last edited by

        Because of how aggressive mode works with pre-shared keys. It's the nature of the protocol itself that is insecure, not anything specific to pfSense.

        Use main mode and not aggressive, or use RSA auth and not PSK. Or even better, use IKEv2 if both sides support it.

        There are some times you have to use aggressive+PSK, though, so it's still available, but the IPsec daemon will print that warning to let you know you're doing something that lowers your security.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • K Offline
          keen
          last edited by

          many many thanks for your replay  :) ;)

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.