Feature #4826 (closed)
Allow configuration of multiple phase1 proposals
Description
Phase 1 configuration is currently restricted to specifying a single algorithm proposal. It shouldn't be too difficult to handle this like it is done for phase 2, and it will save a lot of hassle when supporting different clients or migrating to a new set of algorithms.
Updated by Sean McBride almost 8 years ago
That would be great, because currently you have to select the lowest common denominator, which generally results in poor security settings.
Updated by Philip Hofstetter over 7 years ago
This limitation of the pfSense GUI is getting more severe as older crypto gets more and more out of date. Right now, the least common denominator between the latest versions of iOS, macOS and Windows requires you to go all the way down to AES-128 (good enough), SHA-1 (this is a problem) and 1024-bit DH (IMHO also a problem).
This isn't a limitation of the strongSwan software - you could easily configure multiple proposals there.
In fact, the only change that would really be required to offer sensible security to both Windows and iOS would be to allow the PFS group dropdown to allow multiple selection. Then you could choose AES-256, SHA256 and 1024-bit DH for Windows (Windows doesn't support anything stronger than DH group 2) and AES-256, SHA256 and group 19 for macOS and iOS.
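As an added illustration of what the comment above describes (this is not configuration from the ticket or from pfSense), here is a strongSwan swanctl.conf fragment that offers two IKE (phase 1) proposals on one connection: AES-256/SHA-256 with ECP-256 (DH group 19) for clients that support it, and the same ciphers with MODP-1024 (DH group 2) as the fallback. The connection name, addresses, certificate file, identity and pool name are placeholders.

```conf
# Added example: one strongSwan connection offering two phase 1 proposals.
# Names, addresses and file names below are placeholders, not real values.
connections {
    roadwarrior {
        version = 2
        local_addrs  = 203.0.113.1        # placeholder gateway address
        remote_addrs = %any
        pools = rw_pool                  # placeholder virtual IP pool

        # IKE (phase 1) proposals, comma separated.  The stronger group-19
        # proposal is listed first; modp1024 is only there for clients that
        # cannot do better, so it can be dropped once those clients are gone.
        proposals = aes256-sha256-ecp256, aes256-sha256-modp1024

        local {
            auth  = pubkey
            certs = gateway-cert.pem      # placeholder certificate file
            id    = vpn.example.com       # placeholder identity
        }
        remote {
            auth   = eap-mschapv2
            eap_id = %any
        }
        children {
            roadwarrior {
                local_ts = 0.0.0.0/0
                # CHILD_SA (phase 2) proposals work the same way: several
                # entries, tried in order.
                esp_proposals = aes256-sha256-ecp256, aes256-sha256
            }
        }
    }
}
```

The legacy ipsec.conf form of the same phase 1 list is `ike=aes256-sha256-ecp256,aes256-sha256-modp1024!`, where the trailing `!` makes the list strict so that no other algorithms are accepted. Listing the weaker proposal second rather than omitting it is the trade-off the ticket is about: the gateway no longer has to drop everyone to the lowest common denominator, but the weak group stays reachable until the last client that needs it is retired, so it is worth reviewing the list periodically.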
Updated by Jim Pingle over 5 years ago
- Status changed from New to Resolved
Added a while ago in #8186 (PR https://github.com/pfsense/pfsense/pull/3711 )