Bug #6967
Closed
DH Groups 22, 23, 24 missing from Phase 2 selection GUI
100%
Description
When configuring IPsec you can select DH Groups 22-24 for Phase 1, but for Phase 2 they are missing from the GUI.
I got the following answer about this from support:
For cli you may change /var/etc/ipsec/ipsec.conf in ESP section, e.g. esp = aes128-sha1-modp2048s256!
But it will work only if you do not change IPsec settings via the GUI and do not reboot the device.
which to me suggests that pfSense should be able to handle them just fine if they were added to the GUI.
Updated by Anonymous almost 8 years ago
- Status changed from New to Feedback
- Assignee changed from Anonymous to Sec Sec
Updated by Anonymous almost 8 years ago
- % Done changed from 0 to 100
Applied in changeset 0be9d722226790674bd35c8087286442e5766232.
Updated by Sean McBride over 7 years ago
DH Groups 22-24 are inadvisable:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
Did this change ship? I'd recommend reverting it if not.
See also #7248.
Updated by Jim Pingle over 7 years ago
This change isn't in 2.3.3 but it's in 2.4. It will most likely stay. Even though they are not recommended they might be needed for connecting to some other bit of third party equipment/vendor/client/etc that cannot be changed.
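Added example, not part of the ticket or of pfSense's code: a small audit that reads strongSwan `ipsec.conf` text (the ticket's file is /var/etc/ipsec/ipsec.conf) and lists every `ike`, `esp` or `ah` proposal that uses DH group 22, 23 or 24, so the connections that still depend on them can be reviewed. The connection names and the sample config are constructed; only the first `esp` line comes from the ticket.

```python
import re

# strongSwan proposal keywords for DH groups 22, 23 and 24 (the RFC 5114 groups).
RFC5114_GROUPS = {"modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24}

# Constructed sample config; only the first esp line is taken from the ticket.
SAMPLE_CONF = """\
config setup
    uniqueids = yes

conn legacy-peer
    ike = aes128-sha1-modp2048!
    esp = aes128-sha1-modp2048s256!

# peer that offers a modern proposal first and a group 22 fallback second
conn modern-peer
    ike = aes256-sha256-modp2048!
    esp = aes256gcm16-ecp256,aes128-sha1-modp1024s160
"""


def find_rfc5114_groups(conf_text):
    """Return (conn, keyword, proposal, dh_group) for each proposal using group 22-24."""
    findings = []
    conn = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        section = re.match(r"(conn|config|ca)\s+(\S+)$", line)
        if section:                                   # only conn sections carry proposals
            conn = section.group(2) if section.group(1) == "conn" else None
            continue
        setting = re.match(r"(ike|esp|ah)\s*=\s*(.+)$", line)
        if not setting or conn is None:
            continue
        keyword, value = setting.groups()
        for proposal in value.rstrip("!").split(","):  # "!" marks a strict proposal list
            proposal = proposal.strip()
            for token in proposal.lower().split("-"):
                if token in RFC5114_GROUPS:
                    findings.append((conn, keyword, proposal, RFC5114_GROUPS[token]))
    return findings


if __name__ == "__main__":
    for conn, keyword, proposal, group in find_rfc5114_groups(SAMPLE_CONF):
        print(f"{conn}: {keyword} proposal {proposal} uses DH group {group}")
```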