DEPRECATED OPTION: --cipher set to 'AES-256-CBC' etc.
-
@johnpoz Thank you so much, this solved the issue. 2 questions if I may:
#1: There is something that appears strange to me:
- When I create a new RA server through the wizard, the "Enable Data Encryption Negotiation" check box is checked by default.
- After I hit save, go back in and review the settings, I find that check box is unchecked. Is there a specific reason for this to happen?
#2: from your screen shot I see that you are allowing 128 and 192 options. Is there a reason you added these? I thought 256 was most secure so all I had in my first config was 256-GCM.
Thank you for helping me learn.
Pete
-
@cabledude while 256 is more secure.. My vpn connection sure isn't a DoD setup or anything ;)
Was me playing around at some point I am sure - I also limit vpn access to only US, and also have tls set to auth and encryption.. No worried about someone break AES-128-GCM ;) heheh
Was prob me setting it up with multiple levels, and then limiting what I could use on the client and make sure still get in, etc.
I will have to see if I can duplicate what you saying about it not saving.. I will do that in the morning..
-
Dear @johnpoz : I would not dream of criticising your work, as I am way too humble re pfSense. I may have put my question with poor eloquence, sorry for that :)
Limiting VPN access based on GeoIP sounds like genius. May I ask how that is done? pfBlocker? Or is this customisable in the VPN settings?
Thanks,
Pete -
@cabledude use of alias in pfblocker - setup one with the US.. Use that in the rule that allows access to vpn port on wan.
I may have put my question with poor eloquence, sorry for that :)
Not in any way - a very valid question..
edit: And I just ran through the wizard, and your right it does look like it should be enabled by default (check box is checked and 3 listed to be used). But then after the wizard if you look at the settings its not checked? Hmmmm??
That seems like some sort of issue to me.. Have to look into redmine and see if has been reported..
-
@johnpoz thank you for sharing the geoip method. I will look into it as soon as I have some time.
Glad it’s not just me re the checkbox. For me it’s not an issue anymore as I now know where to look, but I’ve been scratching my head for a while
-
@cabledude said in DEPRECATED OPTION: --cipher set to 'AES-256-CBC' etc.:
for sharing the geoip method.
If you need more help on that just ask.
Yeah playing with it a bit - and the check box for negotiation does seem wrong to me. And for sure could confuse new users I think. I even tried toggling it in the wizard and still doesn't seem to actually set it..
You have to actually go into the settings and toggle it.. Possible oversight in the wizard code.. I don't see anything that I can find about it in redmine.
Lets call in @stephenw10 and @jimp see if overlooking something - if not I can put in a redmine about it.
Maybe I need more coffee this morning but from the wizard showing that checked, and 3 algos selected it would sure seem to me that is what should be set. But when you go into the server settings, the algos are there, but the checkbox is not checked.
edit: ah it is thanksgiving, they with family and friends I hope vs reading forum posts ;) like us! hehehe
-
@johnpoz Never could have guessed that a simple beginner like myself could spark this level of attention
And maybe I should learn how to drink coffee (at 52)…
Edit oh yes thanksgiving! I heard about that when I talked to my cousin in San José. I am living in the Netherlands so no thanksgiving here…
-
@cabledude said in DEPRECATED OPTION: --cipher set to 'AES-256-CBC' etc.:
Netherlands so no thanksgiving here…
Well not a national sort of holiday.. But is there not Dankdag, November 3rd I believe?
I believe some of the pilgrims that first came to America did have a long "layover" in the Netherlands ;) In Leiden early 1600s I do believe. And I think they hold some sort of something at Pieterskerk on US turkey day ;)
-
@johnpoz I had to look that up, amazing how I can be taught this kind of stuff about our history by someone not living even close! Yes so it’s a religious act in which we say thanks for crop and labour. Apparently it is still practised today.
The pilgrims, yes, you’re quite right there too. Around 1620 in leiden. I went to school in leiden! My home area. -
I was able to replicate this in 2.5.2 but it looks like it's already fixed in 2.6 so there's little point in opening a bug for it at this point.
Steve
-
@stephenw10 I give thanks for you having a look
-
Ditto. I couldn't replicate it on 2.6.0 / 22.01.
Looks like it was fixed by https://redmine.pfsense.org/issues/12172
