Bug #8766

closed

Improve IPsec encryption and hash warnings

Added by Jim Pingle over 5 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 08/07/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

The selections for IPsec encryption and hash have some options that should be warned against or explained better. The options are there for connecting to less-secure third-party devices/vendors but should be avoided in ideal situations.

Addressed by PR https://github.com/pfsense/pfsense/pull/3939 and PR https://github.com/pfsense/pfsense/pull/3960, which were both merged a while ago.

Actions #1

Updated by Chris Macmahon over 5 years ago

The following notes are now on the IPsec p1 page:

Note: Blowfish, 3DES, CAST128, MD5, SHA1, and DH groups 1, 2, 22, 23, and 24 provide weak security and should be avoided.

Enter the Pre-Shared Key string. This key must match on both peers.
This key should be long and random to protect the tunnel and its contents. A weak Pre-Shared Key can lead to a tunnel compromise.
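The weak-algorithm list in the note above can also be used to audit existing tunnels. The following is an added example, not pfSense code or part of the original ticket: it assumes proposals are written as strongSwan-style strings (for example `aes256-sha256-modp2048`); the tunnel names, the sample data and the helper names `audit_proposal` and `audit_tunnels` are constructed for illustration.

```python
import re

# Weak choices exactly as listed in the note on the IPsec phase 1 page.
WEAK_ENC = {"blowfish": "Blowfish", "3des": "3DES", "cast128": "CAST128"}
WEAK_HASH = {"md5": "MD5", "sha1": "SHA1"}
WEAK_DH_GROUPS = {1, 2, 22, 23, 24}

# strongSwan MODP keywords mapped to IKE DH group numbers.
DH_KEYWORD_TO_GROUP = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24,
}

def audit_proposal(proposal):
    """Return the weak components found in one proposal string."""
    findings = []
    for token in proposal.strip().lower().rstrip("!").split("-"):
        if token.startswith("prf"):      # prfsha1 / prfmd5 use the same hash
            token = token[3:]
        # Drop a trailing key size so 'blowfish256' matches 'blowfish'.
        family = re.sub(r"\d+$", "", token) or token
        name = WEAK_ENC.get(token) or WEAK_ENC.get(family) or WEAK_HASH.get(token)
        if name:
            findings.append(f"{name} ({token})")
        elif DH_KEYWORD_TO_GROUP.get(token) in WEAK_DH_GROUPS:
            findings.append(f"DH group {DH_KEYWORD_TO_GROUP[token]} ({token})")
    return findings

def audit_tunnels(tunnels):
    """Map tunnel name -> findings, for tunnels with at least one weak choice."""
    report = {}
    for name, proposals in tunnels.items():
        found = [f for p in proposals.split(",") for f in audit_proposal(p)]
        if found:
            report[name] = found
    return report

# Constructed sample input: tunnel name -> comma-separated phase 1 proposals.
SAMPLE_TUNNELS = {
    "legacy-vendor": "3des-sha1-modp1024, aes128-md5-modp2048s256",
    "branch-office": "aes256-sha256-modp2048",
    "old-appliance": "blowfish256-sha512-modp768",
}

if __name__ == "__main__":
    for tunnel, found in audit_tunnels(SAMPLE_TUNNELS).items():
        print(f"{tunnel}: {', '.join(found)}")
```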

Actions #2

Updated by Chris Macmahon over 5 years ago

  • Status changed from Feedback to Resolved