Bug #6967

closed

DH Groups 22, 23, 24 missing from Phase 2 selection GUI

Added by Sec Sec almost 5 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 11/28/2016
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.2
Affected Architecture:
Description

When configuring IPSec you can select DH Groups 22-24 for Phase 1, but for Phase 2 they are missing from the GUI.

I got the following answer about this from support:
For cli you may change /var/etc/ipsec/ipsec.conf in ESP section, e.g. esp = aes128-sha1-modp2048s256!
But it will work only if you will not change ipsec settings via gui and will not reboot device

which to me suggests that pfSense should be able to handle them just fine if they were added to the GUI.

Actions #1

Updated by Jim Thompson almost 5 years ago

  • Assignee set to Steve Beaver
Actions #2

Updated by Steve Beaver over 4 years ago

  • Status changed from New to Feedback
  • Assignee changed from Steve Beaver to Sec Sec
Actions #3

Updated by Steve Beaver over 4 years ago

  • % Done changed from 0 to 100
Actions #4

Updated by Sean McBride over 4 years ago

DH Groups 22-24 are inadvisable:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

Did this change ship? I'd recommend reverting it if not.

See also #7248.

Actions #5

Updated by Jim Pingle over 4 years ago

This change isn't in 2.3.3 but it's in 2.4. It will most likely stay. Even though they are not recommended they might be needed for connecting to some other bit of third party equipment/vendor/client/etc that cannot be changed.
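
Added example, not part of the ticket or of pfSense's code: a small audit that reads a strongSwan-style ipsec.conf (the file named in the description) and reports every Phase 1 (ike) or Phase 2 (esp) proposal that uses DH group 22, 23 or 24, so the tunnels that still depend on them can be tracked. The sample configuration and connection names are constructed, and the function name is hypothetical; the keyword-to-group mapping uses strongSwan's proposal keywords.

```python
import re

# strongSwan proposal keywords for the DH groups discussed in this ticket.
DISCOURAGED_DH = {"modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24}

# Constructed sample in ipsec.conf syntax; not taken from a real pfSense box.
SAMPLE_CONF = """\
config setup
    uniqueids = yes

conn con1000
    ike = aes256-sha256-modp2048s256!
    esp = aes128-sha1-modp2048s256,aes256-sha256-modp2048!

conn con2000
    ike = aes256-sha256-modp2048!
    esp = aes256gcm128-ecp256!   # no discouraged group here
"""


def audit_ipsec_conf(text):
    """Return (conn, phase, proposal, dh_group) for each proposal using group 22-24."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing blanks
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header such as "conn con1000" or "config setup".
            parts = line.split()
            section = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            continue
        match = re.match(r"\s+(ike|esp)\s*=\s*(.+)$", line)
        if section is None or not match:
            continue
        key, value = match.groups()
        phase = "phase1" if key == "ike" else "phase2"
        # A trailing "!" marks a strict proposal list; commas separate proposals.
        for proposal in value.rstrip("!").split(","):
            proposal = proposal.strip()
            for token in proposal.split("-"):
                if token in DISCOURAGED_DH:
                    findings.append((section, phase, proposal, DISCOURAGED_DH[token]))
    return findings


if __name__ == "__main__":
    for conn, phase, proposal, group in audit_ipsec_conf(SAMPLE_CONF):
        print(f"{conn}: {phase} proposal {proposal} uses DH group {group}")
```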

Actions #6

Updated by Jim Pingle about 4 years ago

  • Status changed from Feedback to Resolved
Actions #7

Updated by Jim Pingle about 4 years ago

  • Target version set to 2.4.0