1. Home
  2. pfSense® Software
  3. IPsec
  4. Multiple Phase 1 Encryption Proposals for Mobile Client

Multiple Phase 1 Encryption Proposals for Mobile Client

  • L

    iOS seems to not want to do AES256 in Phase 1 unless you do 1536 DH with SHA256 Hash. Problem is it doesn't actually like 1536 DH, so go figure. Windows does not want to do AES128 at all, but will gladly accept insecure 3DES. I have found an AES combination of proposals that work, but I can only configure it by editing ipsec.conf and doing an "ipsec reload" directly.

    
ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
esp=aes256-sha1,aes256-sha256!

    Is there anyway to configure this combination in pfSense? Why can't we just specify the full range of proposals that strongSwan allows? Using 3DES is not a solution.

    0
  • L

    Just realized I posted it in the wrong subforum. If a mod can move it to IPSEC that would be great.

    Looks like someone requested this functionality four months ago:
    https://redmine.pfsense.org/issues/4826

    Something as simple as "Auto" in AES selection box on Phase 1 that replicates the proposals for each strength would probably work too.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy