Feature #4826
closed
Allow configuration of multiple phase1 proposals
Added by Moritz Bechler over 9 years ago.
Updated over 5 years ago.
Description
Phase 1 configuration is currently restricted to specifying a single algorithm proposal. Shouldn't be too difficult to handle this like it is done for phase 2 and will save a lot of hassle when supporting different clients or migrating to a new set of algorithms.
That would be great, because currently you have to select the lowest common denominator, which generally results in poor security settings.
This limitation of the pfSense GUI is getting more severe as older crypto gets more and more out of date. Right now, the least common denominator between the latest versions of iOS, macOS and Windows requires you to go all the way down to AES-128 (good enough), SHA-1 (this is a problem) and 1024 bit DH (IMHO also a problem).
This isn't a limitation of the strongSwan software - you could easily configure multiple proposals there.
In fact, the only change that would really be required to offer sensible security to both Windows and iOS would be to allow the PFS group dropdown to allow multiple selection. Then you could choose AES-256, SHA256 and 1024-bit DH for Windows (Windows doesn't support anything stronger than DH group 2) and AES-256, SHA256 and group 19 for macOS and iOS.
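As an added illustration (not part of the ticket or its comments, and not pfSense's generated config), this is how the two proposals described above look in strongSwan's ipsec.conf syntax, where the `ike=` line already accepts a comma-separated list; the connection name, addresses and the `esp=` line are assumed values.

```ini
# Hypothetical strongSwan ipsec.conf fragment showing multiple phase 1 (IKE) proposals.
# Each proposal is cipher-integrity/PRF-DHgroup; "!" makes the list strict so strongSwan
# does not append its built-in default proposals.
conn mobile-clients
    left=%defaultroute
    right=%any
    keyexchange=ikev2
    # Phase 1: group 19 (ecp256) listed first so it is preferred whenever the peer
    # offers it (macOS/iOS); group 2 (modp1024) stays only for Windows clients and
    # can be dropped from this list once those peers no longer need it.
    ike=aes256-sha256-ecp256,aes256-sha256-modp1024!
    # Phase 2 already works this way in the GUI; shown here for completeness.
    esp=aes256-sha256-ecp256,aes256-sha256-modp1024!
    auto=add
```

Proposal order expresses the initiator's preference; on the responder side strongSwan's `charon.prefer_configured_proposals` setting (enabled by default) decides whether the responder's own order or the peer's is used.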
- Status changed from New to Resolved