Todo #15677 (closed)
Feedback on pfSense® software Configuration Recipes — IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2
Status: Rejected
Priority: Very Low
Assignee: -
Category: IPsec
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Description
Page: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html
Feedback:
re: "Algorithm AES256-GCM, Hash SHA256, DH Group 2"
The phase 1 page says, "Note: SHA1 and DH groups 1, 2, 5, 22, 23, and 24 provide weak security and should be avoided." However, it's in the list of "A good starting set of options is" as shown above.
Updated by Jim Pingle 3 months ago
- Status changed from New to Rejected
It's used in the recipe because some operating systems still use it by default when you configure clients using the native UIs for mobile IPsec.
If you are using the IPsec profile wizard or other automated ways (Apple profiles, MS PowerShell, etc.) then you can use stronger values.
So it's OK as it is. The note is accurate but the configuration is still practical, if not ideal.
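An added example, not part of the ticket or the pfSense documentation: a small Python audit that flags Phase 1 proposals using anything on the weak list quoted above (SHA1; DH groups 1, 2, 5, 22, 23, 24). It assumes the proposals are written with strongSwan-style keywords (for example `modp1024` for DH group 2); the function names and the sample proposals are constructed for illustration.

```python
# Weak values as listed in the Phase 1 note quoted in the ticket.
WEAK_DH_GROUPS = {1, 2, 5, 22, 23, 24}
WEAK_HASH_KEYWORDS = {"sha1", "prfsha1"}

# Assumption: strongSwan-style proposal keywords mapped to IKE DH group numbers.
DH_KEYWORDS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21,
    "modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24,
    "curve25519": 31,
}

# Constructed sample: the first entry mirrors the recipe's
# "AES256-GCM, SHA256, DH Group 2"; the others are for contrast.
SAMPLE = ("aes256gcm16-prfsha256-modp1024, "
          "aes256-sha1-modp2048, "
          "aes256gcm16-prfsha256-ecp384")


def audit_proposal(proposal):
    """Return the findings for one 'alg-alg-alg' proposal string."""
    findings = []
    for token in proposal.strip().lower().split("-"):
        if token in WEAK_HASH_KEYWORDS:
            findings.append(f"{token}: SHA1 is on the weak list")
        elif DH_KEYWORDS.get(token) in WEAK_DH_GROUPS:
            group = DH_KEYWORDS[token]
            findings.append(f"{token}: DH group {group} is on the weak list")
    return findings


def audit_proposals(line):
    """Map each proposal in a comma-separated list to its findings."""
    return {p.strip(): audit_proposal(p) for p in line.split(",") if p.strip()}


if __name__ == "__main__":
    for proposal, findings in audit_proposals(SAMPLE).items():
        status = "; ".join(findings) if findings else "no weak-list entries"
        print(f"{proposal}: {status}")
```

Tokens that are not in the keyword table are ignored, so an empty findings list means only that nothing on the weak list was recognized.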