Better GUI support for IPSec Phase 1 proposals



  • Greetings!

    strongSwan supports a comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used.

    For example, the IKEv2 Phase 1 configuration

    […]
    ike = aes256-sha256-modp2048,aes256-sha256-modp1024!
    […]

    would support both default iOS 11 and Windows 10 clients out of the box (other Phase 2 parameters omitted here). (Note: I understand the weakness of modp1024, see https://weakdh.org/ , my focus here is the pfSense GUI).

    A detailed list of default client proposals was noted here: https://forum.pfsense.org/index.php?topic=119403.msg660675#msg660675

    Is the single Phase 1 proposal a product requirement of the Community Edition? Is there a To Do list to improve the GUI for IPSec Phase 1? The above example suggests allowing multiple DH Groups and the same could be done for the encryption and hash algorithms.

    Can someone comment on this?



  • Evaluating 2.4 here and ran into the same problem when trying to support Android, Apple, and Windows clients.  As near as I can figure, the restriction means that in order to support everyone, phase 1 has to be configured with the only common cypher they all have which is the old, slow, and less secure 3DES/SHA1/MODP1024.

    It's a bit of a head scratcher because the GUI allows you to configure multiple cyphers for phase 2, so the code is there to handle multiple cyphers, it's simply not implmented.  Rather frustrating when you know Strongswan can do the job but the GUI is blocking the functionality.

    Are there plans to correct this?  Or is there a method of manually overriding the ipsec.conf file and preventing pfSense from overwritting it everytime the service is restarted?



  • I hit something similar today. I dont have an answer, but it got me wondering if the config.xml has a defined schema ? Maybe there are additional parameters that can be manually defined in the xml ?
    I have been unable to find a schema so far.


Log in to reply