Project

General

Profile

Actions

Todo #15677

closed

Feedback on pfSense® software Configuration Recipes — IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2

Added by Steve Y 3 months ago. Updated 3 months ago.

Status:
Rejected
Priority:
Very Low
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Page: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html

Feedback:

re: "Algorithm AES256-GCM, Hash SHA256, DH Group 2"

The phase 1 page says, "Note: SHA1 and DH groups 1, 2, 5, 22, 23, and 24 provide weak security and should be avoided." However it's in the list of "A good starting set of options is" as shown above.

Actions #1

Updated by Jim Pingle 3 months ago

  • Status changed from New to Rejected

It's used in the recipe because some operating systems still use it by default when you configure clients using the native UIs for mobile IPsec.

If you are using the IPsec profile wizard or other automated ways (Apple profiles, MS powershell, etc) then you can use stronger values.

So it's OK as it is. The note is accurate but the configuration is still practical, if not ideal.

Actions

Also available in: Atom PDF