Hi,
I have completed the IPsec mobile VPN setup on OPNsense 21.1.7, and my MacBook and iPhone can connect to the server and then access the network properly, but I encountered connection problems when I changed P1/P2 to stronger encryption algorithms.
Below I have listed my settings and connection results.
Key Exchange version: IKEv1
Authentication method: Mutual PSK + Xauth
Negotiation mode: Main
My identifier: My IP address
Case 1: Client can connect to the server, and VPN connection works properly.
P1: AES (128 bits) + SHA1 + DH Group 2
P2: AES (128 bits) + MD5 + Off
Case 2: Change P1's hash algorithm to SHA256. The client can't connect to the server; it pops up "Server didn't respond."
P1: AES (128 bits) + SHA256 + DH Group 2
P2: AES (128 bits) + MD5 + Off
Case 3: Based on case 1, with P2's hash algorithm changed to SHA1. The client can connect to the server, but can't access the remote network (ping failure).
P1: AES (128 bits) + SHA1 + DH Group 2
P2: AES (128 bits) + SHA1 + Off
Case 4: Based on case 1, with P2's encryption algorithm changed to AES 192 bits. The client can't connect to the server; it pops up "Server didn't respond."
P1: AES (128 bits) + SHA1 + DH Group 2
P2: AES (192 bits) + MD5 + Off
Does anyone know what the problems are?
Appreciate any ideas, suggestions, or guidance. Thanks.
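As an added example (not code from the thread, OPNsense or strongSwan), the script below writes the four P1/P2 combinations above as strongSwan-style proposal strings, flags the components that current guidance generally treats as weak, and models the "no common proposal" failure that a client surfaces as "Server didn't respond." The client capability sets are constructed to reproduce the observed outcomes and are not Apple's real algorithm lists; the mapping of OPNsense UI names to strongSwan keywords is an assumption.

```python
# Added example: OPNsense IKEv1 P1/P2 choices -> strongSwan-style proposals.
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
DH = {2: "modp1024", 5: "modp1536", 14: "modp2048", 19: "ecp256", 20: "ecp384"}
WEAK = {"md5", "sha1", "modp1024", "modp1536"}   # per current general guidance

def p1_proposal(aes_bits, hash_alg, dh_group):
    """Phase 1 (IKE SA): encryption-integrity-DH, e.g. aes128-sha1-modp1024."""
    return f"aes{aes_bits}-{HASH[hash_alg]}-{DH[dh_group]}"

def p2_proposal(aes_bits, hash_alg, pfs_group=None):
    """Phase 2 (ESP SA): encryption-integrity, plus a DH group only if PFS is on."""
    prop = f"aes{aes_bits}-{HASH[hash_alg]}"
    return f"{prop}-{DH[pfs_group]}" if pfs_group else prop

def weak_parts(proposal):
    """Return the components of a proposal that are on the weak list."""
    return [part for part in proposal.split("-") if part in WEAK]

def negotiate(offered, supported):
    """Simplified responder choice: first offered proposal the peer supports.
    None models the failure the client reports as 'Server didn't respond'."""
    return next((p for p in offered if p in supported), None)

# The four cases from the post, as (P1, P2) proposal tuples.
CASES = {
    "case1": (p1_proposal(128, "SHA1", 2), p2_proposal(128, "MD5")),
    "case2": (p1_proposal(128, "SHA256", 2), p2_proposal(128, "MD5")),
    "case3": (p1_proposal(128, "SHA1", 2), p2_proposal(128, "SHA1")),
    "case4": (p1_proposal(128, "SHA1", 2), p2_proposal(192, "MD5")),
}

# Constructed client capability sets (illustrative only, not Apple's real lists).
CLIENT_IKE = {"aes128-sha1-modp1024", "aes256-sha256-modp2048"}
CLIENT_ESP = {"aes128-md5", "aes128-sha1", "aes256-sha256"}

def review(cases=CASES, ike_caps=CLIENT_IKE, esp_caps=CLIENT_ESP):
    """Per case: the chosen IKE/ESP proposal (or None) and the weak components."""
    report = {}
    for name, (ike, esp) in cases.items():
        report[name] = {
            "ike": negotiate([ike], ike_caps),
            "esp": negotiate([esp], esp_caps),
            "weak": weak_parts(ike) + weak_parts(esp),
        }
    return report

if __name__ == "__main__":
    for name, result in review().items():
        print(name, result)
```

Case 3 (connects but no traffic) is not a proposal-match failure, so this model deliberately reports a matching ESP proposal for it; compare the strings against what `ipsec statusall` shows on the firewall.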
Hi,
read through here...
https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
...and then this:
https://ldx.ca/notes/ipsec-os-x-el-capitan.html
The author compiled a list of all possible setups and the compatible clients.
And if that is too boring for you, have a look here:
https://forum.opnsense.org/index.php?topic=12147.0
Hope that helps
Rainer
Hi Rainer,
Thanks a lot for these articles. I am studying them. :)