Bug #8766

Improve IPsec encryption and hash warnings

Added by Jim Pingle 10 months ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 08/07/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

The selections for IPsec encryption and hash have some options that should be warned against or explained better. The options are there for connecting to less-secure third-party devices/vendors but should be avoided in ideal situations.

Addressed by PR https://github.com/pfsense/pfsense/pull/3939 and PR https://github.com/pfsense/pfsense/pull/3960, which were both merged a while ago.

History

#1 Updated by Chris Macmahon 10 months ago

The following notes are now on the IPsec p1 page:

Note: Blowfish, 3DES, CAST128, MD5, SHA1, and DH groups 1, 2, 22, 23, and 24 provide weak security and should be avoided.

Enter the Pre-Shared Key string. This key must match on both peers.
This key should be long and random to protect the tunnel and its contents. A weak Pre-Shared Key can lead to a tunnel compromise.
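The note above can also be applied as a configuration check. The following is an added example, not code from pfSense or from the pull requests: it scans proposal lines for the algorithms the note names, assuming the configuration is written as strongSwan `ipsec.conf`-style `ike`/`esp` lines. The keyword spellings, the function names and the sample configuration are this example's assumptions.

```python
import re

# Weak algorithms named in the note, keyed by strongSwan-style proposal
# keywords (the keyword spellings are this example's assumption, not the page's).
WEAK = {
    r"blowfish(128|192|256)?": "Blowfish",
    r"3des": "3DES",
    r"cast128": "CAST128",
    r"(prf)?md5(_128)?": "MD5",
    r"(prf)?sha1(_160)?": "SHA1",
    r"modp768": "DH group 1",
    r"modp1024": "DH group 2",
    r"modp1024s160": "DH group 22",
    r"modp2048s224": "DH group 23",
    r"modp2048s256": "DH group 24",
}
PROPOSAL_LINE = re.compile(r"^\s*(ike|esp)\s*=\s*(\S+)")

def weak_in_proposal(proposal):
    """Return the weak algorithm names found in one dash-separated proposal."""
    hits = []
    for token in proposal.lower().split("-"):
        for pattern, name in WEAK.items():
            if re.fullmatch(pattern, token) and name not in hits:
                hits.append(name)
    return hits

def audit_config(text):
    """Return (line number, key, proposal, weak names) for each weak proposal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = PROPOSAL_LINE.match(line)
        if not match:
            continue
        # A trailing "!" marks the list as strict; it is not part of a keyword.
        for proposal in match.group(2).rstrip("!").split(","):
            hits = weak_in_proposal(proposal)
            if hits:
                findings.append((lineno, match.group(1), proposal, hits))
    return findings

# Constructed sample, not taken from a real system.
SAMPLE = """\
conn legacy-vendor
    ike = 3des-sha1-modp1024!
    esp = aes256-sha256-modp2048,blowfish128-md5
conn site-b
    ike = aes256gcm16-prfsha384-ecp384
"""
```

Calling `audit_config(SAMPLE)` reports the `ike` line and the second `esp` proposal of the `legacy-vendor` connection and nothing for `site-b`.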

#2 Updated by Chris Macmahon 10 months ago

  • Status changed from Feedback to Resolved
