Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Multiple Phase 1 Encryption Proposals for Mobile Client

    Scheduled Pinned Locked Moved IPsec
    2 Posts 1 Posters 867 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      ltctech
      last edited by

      iOS seems to not want to do AES256 in Phase 1 unless you do 1536 DH with SHA256 Hash. Problem is it doesn't actually like 1536 DH, so go figure. Windows does not want to do AES128 at all, but will gladly accept insecure 3DES. I have found an AES combination of proposals that work, but I can only configure it by editing ipsec.conf and doing an "ipsec reload" directly.

      
ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
esp=aes256-sha1,aes256-sha256!

      Is there anyway to configure this combination in pfSense? Why can't we just specify the full range of proposals that strongSwan allows? Using 3DES is not a solution.

      1 Reply Last reply Reply Quote 0
      • L
        ltctech
        last edited by

        Just realized I posted it in the wrong subforum. If a mod can move it to IPSEC that would be great.

        Looks like someone requested this functionality four months ago:
        https://redmine.pfsense.org/issues/4826

        Something as simple as "Auto" in AES selection box on Phase 1 that replicates the proposals for each strength would probably work too.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.