OPNSense vs PfSense (IPSEC - DH group)

Started by MrBieR, August 02, 2018, 05:40:56 PM

Hello,

I'm not very much into the 'what is secure and what not', however I noticed that OPNSense has great features and looks better than PfSense - but I miss some DH groups.

I believe OPNSense does not support:
- 28 (brainpool ecp256)
- 29 (brainpool ecp384)
- 30 (brainpool ecp512)
The ones that are lower are not secure is what I've read... this is the only reason I cannot go to OPNSense, I believe. How hard is it to add these? I have a VPN tunnel between two offices of my company and there's a lot of data going over the VPN, hence I'd rather have the most secure DH group.

If anyone can teach me (that I'm wrong) or help out to get the DH-group 30 in OPNSense, that would be great!
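Both OPNsense and pfSense drive IPsec through strongSwan, so the DH group ends up as a keyword inside the IKE/ESP proposal string (group 14 is `modp2048`, the Brainpool groups 28/29/30 asked about above are `ecp256bp`, `ecp384bp` and `ecp512bp`). The checker below is an added example, not code from either project or from anyone in this thread: it maps the keywords in a strongSwan-style proposal list to their IANA group numbers and an approximate security strength (RFC 3526 and NIST SP 800-57 ballpark figures, which is an assumption of this example, as is the 112-bit floor that makes group 14 the minimum) and flags anything weaker, or any proposal with no DH group at all. The sample proposals at the bottom are constructed for illustration.

```python
"""Flag weak or missing DH groups in strongSwan-style IKE/ESP proposal strings.

Added example; not OPNsense/pfSense code. The keyword->group mapping is
strongSwan's; the strength figures are approximate and the 112-bit floor
(group 14, modp2048, and better) is this example's own policy assumption.
"""
from dataclasses import dataclass

# strongSwan keyword -> (IANA IKE DH group number, approximate security bits).
# Strength values are ballpark estimates (RFC 3526 / NIST SP 800-57 style);
# modp768 is marked 0 and simply treated as broken.
DH_GROUPS = {
    "modp768":  (1, 0),
    "modp1024": (2, 80),
    "modp1536": (5, 90),
    "modp2048": (14, 112),
    "modp3072": (15, 128),
    "modp4096": (16, 150),
    "modp6144": (17, 170),
    "modp8192": (18, 190),
    "ecp256":   (19, 128),
    "ecp384":   (20, 192),
    "ecp521":   (21, 256),
    "ecp256bp": (28, 128),   # brainpoolP256r1
    "ecp384bp": (29, 192),   # brainpoolP384r1
    "ecp512bp": (30, 256),   # brainpoolP512r1
}


@dataclass
class Finding:
    proposal: str   # the proposal the finding refers to
    keyword: str    # DH keyword found, "" when the proposal carries none
    iana: int       # IANA group number, 0 when none
    bits: int       # approximate security strength
    ok: bool        # meets the policy floor
    note: str       # human-readable explanation


def keyword_for_group(iana: int) -> str:
    """Translate an IANA DH group number (as seen in a GUI) to strongSwan's keyword."""
    for keyword, (number, _) in DH_GROUPS.items():
        if number == iana:
            return keyword
    raise KeyError(f"no strongSwan keyword known here for DH group {iana}")


def check_proposals(proposals: str, min_bits: int = 112, require_dh: bool = True):
    """Check a comma-separated proposal list (ike=/esp= or swanctl proposals=).

    Returns (ok, findings). A proposal may list several DH groups; the peer
    may pick any of them, so every listed group has to meet the floor.
    """
    findings = []
    for prop in (p.strip() for p in proposals.split(",") if p.strip()):
        dh_keywords = [t for t in prop.lower().split("-") if t in DH_GROUPS]
        if not dh_keywords:
            findings.append(Finding(prop, "", 0, 0, not require_dh,
                                    "no DH group: no forward secrecy on this proposal"))
            continue
        for keyword in dh_keywords:
            number, bits = DH_GROUPS[keyword]
            ok = bits >= min_bits
            note = f"group {number} ({keyword}): ~{bits}-bit strength"
            if not ok:
                note += f", below the {min_bits}-bit floor"
            findings.append(Finding(prop, keyword, number, bits, ok, note))
    if not findings:          # empty input is a misconfiguration, not a pass
        return False, []
    return all(f.ok for f in findings), findings


if __name__ == "__main__":
    # Constructed sample proposals: a legacy one, the group-14 baseline,
    # and the Brainpool group 30 variant discussed in the thread.
    for sample in ("aes128-sha1-modp1024",
                   "aes256-sha256-modp2048",
                   "aes256gcm16-sha384-ecp512bp"):
        ok, findings = check_proposals(sample)
        print(f"{'OK  ' if ok else 'WEAK'} {sample}")
        for f in findings:
            print("      ", f.note)
```

Run it against the `ike=`/`esp=` lines of an exported configuration, or against the proposal strings the GUI generates, to spot a phase 1 or phase 2 that silently negotiates group 2 or 5, or an ESP proposal with no DH group (no PFS).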

Everything above DH14 is considered unbreakable today.
Where did you get this info?
Do you use PSK or certificates?


It's also been 10 years to use certificates :)
Trust me, DH14 is okay.


Thanks both, really helpful!

So I should use certificates and 14+ is good enough. (If available later on, I'll use 30.)



I configured so many VPNs .. also with ASA or Sophos or plain Linux ... to companies like SAP, BMW, Linde .. I never ever saw a DH above 14.