OPNSense vs PfSense (IPSEC - DH group)

[MrBieR]

Hello,

I'm not very much into the 'what is secure and what not' however I noticed that OPNSense has great features and looks better than PfSense - I miss some DH groups.

I believe OPNSense does not support:
- 28 (brainpool ecp256)
- 29 (brainpool ecp384)
- 30 (brainpool ecp512)
The one's that are lower are not secure is what I've read... this is  the only reason I cannot go to OPNSense I believe. How hard is it to add these??  I've a VPN tunnel between two offices of my company and there's a lot of data going over the VPN hence I rather have the most secure DH group.

If anyone can teach me (that I'm wrong) or help out to get the DH-group 30 in OPNSense, that would be great!

[mimugmail]

Everything above DH14 is considered unbreakable today.
Where did you get this info?
Do you use PSK or certificates?

[MrBieR]

PSK

Websites I read;
https://www.keylength.com/en/8/
https://eprint.iacr.org/2016/995.pdf
https://security.stackexchange.com/questions/171418/diffie-hellman-group-matching-to-ipsec-encryption-algorithm

I see that the 14 is recommended since 2003. We're 15 years further now. I don't believe this can still be the case.

[mimugmail]

It's also been 10 years to use certificates
Trust me, DH14 is okay.

[franco]

done via https://github.com/opnsense/core/commit/062a016b58


Cheers,
Franco

[MrBieR]

Thanks both, really helpful!

So I should use certificates and 14+ is good enough.  (If available later on, I'll use 30)

[mimugmail]

I configured so many VPNs .. also with ASA or Sophos or plain Linux ... to companys like SAP, BMW, Linde .. I never ever saw a DH above 14.