OPNsense Forum

English Forums => General Discussion => Topic started by: MrBieR on August 02, 2018, 05:40:56 pm

Title: OPNSense vs PfSense (IPSEC - DH group)
Post by: MrBieR on August 02, 2018, 05:40:56 pm
Hello,

I'm not very much into 'what is secure and what is not'; however, I noticed that OPNSense has great features and looks better than PfSense. I miss some DH groups.

I believe OPNSense does not support:
- 28 (brainpool ecp256)
- 29 (brainpool ecp384)
- 30 (brainpool ecp512)
The ones that are lower are not secure, is what I've read... This is the only reason I cannot go to OPNSense, I believe. How hard is it to add these? I have a VPN tunnel between two offices of my company and there's a lot of data going over the VPN, hence I'd rather have the most secure DH group.

If anyone can teach me (that I'm wrong) or help out with getting DH group 30 into OPNSense, that would be great!
Title: Re: OPNSense vs PfSense (IPSEC - DH group)
Post by: mimugmail on August 02, 2018, 05:52:29 pm
Everything above DH14 is considered unbreakable today.
Where did you get this info?
Do you use PSK or certificates?
Title: Re: OPNSense vs PfSense (IPSEC - DH group)
Post by: MrBieR on August 02, 2018, 06:19:10 pm
PSK

Websites I read;
https://www.keylength.com/en/8/
https://eprint.iacr.org/2016/995.pdf
https://security.stackexchange.com/questions/171418/diffie-hellman-group-matching-to-ipsec-encryption-algorithm

I see that 14 has been recommended since 2003. We're 15 years further on now. I don't believe this can still be the case.
Title: Re: OPNSense vs PfSense (IPSEC - DH group)
Post by: mimugmail on August 02, 2018, 06:21:22 pm
It's also been 10 years to use certificates :)
Trust me, DH14 is okay.
Title: Re: OPNSense vs PfSense (IPSEC - DH group)
Post by: franco on August 02, 2018, 07:33:38 pm
done via https://github.com/opnsense/core/commit/062a016b58


Cheers,
Franco
Title: Re: OPNSense vs PfSense (IPSEC - DH group)
Post by: MrBieR on August 02, 2018, 08:24:39 pm
Thanks both, really helpful!

So I should use certificates, and 14+ is good enough. (If available later on, I'll use 30.)


Title: Re: OPNSense vs PfSense (IPSEC - DH group)
Post by: mimugmail on August 02, 2018, 10:41:14 pm
I have configured so many VPNs... also with ASA or Sophos or plain Linux... to companies like SAP, BMW, Linde... I never ever saw a DH above 14.
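The thread's practical advice is "stay at group 14 or above, and don't leave a lower group in the proposal list". As an added example (not code from OPNsense, pfSense or strongSwan), here is a small linter for strongSwan-style `ike=`/`esp=`/`proposals=` strings, which is what OPNsense hands to strongSwan underneath. It maps the strongSwan DH keywords to their IANA group numbers (modp2048 = 14, ecp512bp = 30, the Brainpool groups from the original question), rates each group with the conservative NIST SP 800-57 Part 1 table, and flags any proposal whose DH group falls below the 112-bit level that group 14 provides. The sample proposal strings are constructed for the example.

```python
"""Lint strongSwan-style IKE/ESP proposal strings for weak Diffie-Hellman groups.

Added example for this thread; not code from OPNsense, pfSense or strongSwan.
The keyword table uses strongSwan's names and the IANA IKEv2 transform IDs
they map to (modp2048 = group 14, ecp256bp/ecp384bp/ecp512bp = groups 28-30).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DhGroup:
    keyword: str   # strongSwan keyword as written in ike=/esp=/proposals=
    iana_id: int   # IANA IKEv2 Transform Type 4 ID (the "DH group number")
    kind: str      # "modp" (finite field) or "ecp" (elliptic curve)
    bits: int      # modulus size for MODP, field size for ECP

    @property
    def strength(self) -> int:
        """Conservative security strength from NIST SP 800-57 Part 1, Table 2.

        Rounds down to the table row the size reaches, so modp4096 scores 128
        (the row below 7680-bit) and Curve25519's 255-bit field scores 112,
        even though it is commonly rated at about 128.
        """
        rows = ((256, 15360, 512), (192, 7680, 384), (128, 3072, 256),
                (112, 2048, 224), (80, 1024, 160))
        for strength, ffc_bits, ecc_bits in rows:
            if self.bits >= (ffc_bits if self.kind == "modp" else ecc_bits):
                return strength
        return 0  # below the weakest row in the table

    @property
    def weak(self) -> bool:
        # Floor used in the thread: group 14 (2048-bit MODP, 112-bit strength).
        return self.strength < 112


DH_GROUPS = {g.keyword: g for g in (
    DhGroup("modp768", 1, "modp", 768),
    DhGroup("modp1024", 2, "modp", 1024),
    DhGroup("modp1536", 5, "modp", 1536),
    DhGroup("modp2048", 14, "modp", 2048),
    DhGroup("modp3072", 15, "modp", 3072),
    DhGroup("modp4096", 16, "modp", 4096),
    DhGroup("modp6144", 17, "modp", 6144),
    DhGroup("modp8192", 18, "modp", 8192),
    DhGroup("ecp256", 19, "ecp", 256),
    DhGroup("ecp384", 20, "ecp", 384),
    DhGroup("ecp521", 21, "ecp", 521),
    DhGroup("modp1024s160", 22, "modp", 1024),
    DhGroup("modp2048s224", 23, "modp", 2048),
    DhGroup("modp2048s256", 24, "modp", 2048),
    DhGroup("ecp192", 25, "ecp", 192),
    DhGroup("ecp224", 26, "ecp", 224),
    DhGroup("ecp224bp", 27, "ecp", 224),
    DhGroup("ecp256bp", 28, "ecp", 256),
    DhGroup("ecp384bp", 29, "ecp", 384),
    DhGroup("ecp512bp", 30, "ecp", 512),
    DhGroup("curve25519", 31, "ecp", 255),
    DhGroup("curve448", 32, "ecp", 448),
)}


@dataclass(frozen=True)
class Finding:
    proposal: str   # one proposal as written, minus any trailing "!"
    groups: tuple   # DhGroup entries found in it, in the order listed

    @property
    def weak_groups(self) -> tuple:
        return tuple(g for g in self.groups if g.weak)

    @property
    def verdict(self) -> str:
        if not self.groups:
            return "no DH group listed (for ESP this means no PFS)"
        if self.weak_groups:
            names = ", ".join(f"{g.keyword} (group {g.iana_id}, ~{g.strength}-bit)"
                              for g in self.weak_groups)
            return f"weak: {names}"
        return "ok"


def lint_proposals(spec: str) -> list:
    """Split an ike=/esp= style string into proposals and lint each one.

    Proposals are comma separated, transforms inside a proposal are hyphen
    separated, and a trailing "!" (ipsec.conf strict mode) is ignored.
    Non-DH tokens (aes256, sha256, prfsha384, ...) are simply skipped.
    """
    findings = []
    for raw in spec.split(","):
        prop = raw.strip().rstrip("!").strip()
        if not prop:
            continue
        groups = tuple(DH_GROUPS[t] for t in prop.lower().split("-") if t in DH_GROUPS)
        findings.append(Finding(prop, groups))
    return findings


def weakest_strength(spec: str) -> int:
    """Lowest strength a peer could negotiate from this spec; 0 if any proposal has no DH group.

    A peer is free to pick any offered proposal, so the weakest group offered
    is the one that sets the real security level of the tunnel.
    """
    per_proposal = [min((g.strength for g in f.groups), default=0) for f in lint_proposals(spec)]
    return min(per_proposal, default=0)


if __name__ == "__main__":
    # Constructed samples: the second proposal is the kind of legacy fallback
    # that lets a peer negotiate a 1024-bit group despite the strong first entry.
    for spec in ("aes256-sha256-modp2048,aes128-sha1-modp1024!",
                 "aes256gcm16-prfsha384-ecp512bp"):
        for f in lint_proposals(spec):
            print(f"{f.proposal:32} {f.verdict}")
        print(f"  -> weakest negotiable strength: {weakest_strength(spec)} bits")
```

The point the linter makes is the one mimugmail makes in prose: which group you pick matters less than whether a weaker group is still offered beside it, because the peer chooses from the whole list. The 112-bit floor is a rule of thumb taken from this thread and the NIST table, not a strongSwan or OPNsense policy.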