Bug #6967

DH Groups 22, 23, 24 missing from Phase 2 selection GUI

Added by Sec Sec over 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 11/28/2016
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3.2
Affected Architecture:

Description

When configuring IPsec you can select DH Groups 22-24 for Phase 1, but for Phase 2 they are missing from the GUI.

I got the following answer about this from support:
For the CLI, you may change /var/etc/ipsec/ipsec.conf in the ESP section, e.g. esp = aes128-sha1-modp2048s256!
But it will work only if you do not change the IPsec settings via the GUI and do not reboot the device.

Which to me suggests that pfSense should be able to handle them just fine if they were added to the GUI.

History

#1 Updated by Jim Thompson over 2 years ago

  • Assignee set to Steve Beaver

#2 Updated by Steve Beaver over 2 years ago

  • Status changed from New to Feedback
  • Assignee changed from Steve Beaver to Sec Sec

#3 Updated by Steve Beaver over 2 years ago

  • % Done changed from 0 to 100

#4 Updated by Sean McBride over 2 years ago

DH Groups 22-24 are inadvisable:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

Did this change ship? I'd recommend reverting it if not.

See also #7248.

#5 Updated by Jim Pingle over 2 years ago

This change isn't in 2.3.3 but it's in 2.4. It will most likely stay. Even though they are not recommended they might be needed for connecting to some other bit of third party equipment/vendor/client/etc that cannot be changed.

#6 Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved

#7 Updated by Jim Pingle about 2 years ago

  • Target version set to 2.4.0
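
Since the thread leaves DH Groups 22-24 selectable even though they are not recommended, an audit of the generated ipsec.conf shows where they are actually in use. The following is an added example, not part of the original ticket or of pfSense; the function name and the sample configuration are constructed for illustration, and the keywords are the strongSwan proposal names for groups 22, 23 and 24.

```python
import re

# strongSwan proposal keywords for the DH groups discussed in this ticket
SUBGROUP_DH = {"modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24}

# Constructed sample in ipsec.conf syntax (not taken from a real device)
SAMPLE_CONF = """\
config setup
    uniqueids = yes

conn con1
    keyexchange = ikev2
    ike = aes256-sha256-modp2048s256!
    esp = aes128-sha1-modp2048s256!

conn con2
    ike = aes256-sha256-modp2048!
    # esp = aes128-sha1-modp1024s160!
    esp = aes256gcm16-modp2048,aes128-sha1-modp1024s160!
"""

def find_subgroup_dh(conf_text):
    """Return (conn, option, proposal, dh_group) for every proposal using DH 22-24."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:                                    # entering a conn section
            conn = m.group(1)
            continue
        if re.match(r"(config|ca)\s+\S+$", line):
            conn = None                          # proposals only live in conn sections
            continue
        m = re.match(r"(ike|esp|ah)\s*=\s*(.+)$", line)
        if not m or conn is None:
            continue
        option = m.group(1)
        value = m.group(2).rstrip("!").strip()   # trailing "!" marks a strict proposal list
        for proposal in (p.strip() for p in value.split(",")):
            for token in proposal.lower().split("-"):
                if token in SUBGROUP_DH:
                    findings.append((conn, option, proposal, SUBGROUP_DH[token]))
    return findings

if __name__ == "__main__":
    for conn, option, proposal, group in find_subgroup_dh(SAMPLE_CONF):
        print(f"{conn}: {option} proposal {proposal} uses DH group {group}")
```

On a real system, pass the contents of /var/etc/ipsec/ipsec.conf to find_subgroup_dh instead of the sample string.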
