
Feature #4826

Allow configuration of multiple phase1 proposals

Added by Moritz Bechler over 4 years ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 07/10/2015
Due date:
% Done: 0%
Estimated time:

Description

Phase 1 configuration is currently restricted to specifying a single algorithm proposal. Shouldn't be too difficult to handle this like it is done for phase 2 and will save a lot of hassle when supporting different clients or migrating to a new set of algorithms.

History

#1 Updated by Sean McBride over 2 years ago

That would be great, because currently you have to select the lowest common denominator, which generally results in poor security settings.

#2 Updated by Philip Hofstetter over 2 years ago

This limitation of the pfSense GUI is getting more severe as older crypto gets more and more out of date. Right now, the least common denominator between the latest versions of iOS, macOS and Windows requires you to go all the way down to AES-128 (good enough), SHA-1 (this is a problem) and 1024-bit DH (IMHO also a problem).

This isn't a limitation of the strongSwan software - you could easily configure multiple proposals there.

In fact, the only change that would really be required to offer sensible security to both Windows and iOS would be to allow the PFS group dropdown to allow multiple selection. Then you could choose AES-256, SHA256 and 1024-bit DH for Windows (Windows doesn't support anything stronger than DH group 2) and AES-256, SHA256 and group 19 for macOS and iOS.
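
What the comment above means by configuring multiple proposals directly in strongSwan, as an added example in ipsec.conf syntax (not code from this thread or from pfSense; connection names and the %any placeholders are assumptions). The first block is the single lowest-common-denominator proposal the thread describes, the second offers a stronger proposal first and only falls back to DH group 2 for peers that cannot do better.

```ini
# Added example, not from the pfSense project or this thread.
# strongSwan ipsec.conf syntax; connection names and addresses are placeholders.

# Before: one phase 1 proposal, the lowest common denominator of all clients.
# Every peer, including ones capable of SHA-256 and ECDH, ends up on this suite.
conn mobile-single
    keyexchange=ikev2
    left=%any
    right=%any
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    auto=add

# After: several phase 1 proposals, listed in order of preference.
# Peers supporting ECDH group 19 (ecp256) negotiate the first entry; peers
# limited to DH group 2 (modp1024) fall back to the second. The trailing "!"
# restricts negotiation to exactly the listed proposals.
conn mobile-multi
    keyexchange=ikev2
    left=%any
    right=%any
    ike=aes256-sha256-ecp256,aes256-sha256-modp1024!
    esp=aes256-sha256!
    auto=add
```

The same comma-separated proposal strings go into `connections.<name>.proposals` in swanctl.conf; after reloading, `ipsec statusall` shows the IKE proposal each peer actually negotiated, which is the quickest way to confirm that capable clients are no longer landing on modp1024.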

#3 Updated by Jim Pingle 3 months ago

  • Status changed from New to Resolved
