OPNsense Forum » Archive » 21.1 Legacy Series
Topic: IPsec Mobile VPN - Client doesn't work properly in different P1/P2 settings (Read 1489 times)
jerryc20 (May 19, 2021, 09:35:43 am):
Hi,
I have completed the IPsec mobile VPN settings on OPNsense 21.1.7, and my MacBook and iPhone can connect to the server and then access the network properly, but I encountered connection problems when I changed P1/P2 to stronger encryption algorithms.
Below I list my settings and connection results.
Key Exchange version: IKEv1
Authentication method: Mutual PSK + Xauth
Negotiation mode: Main
My identifier: My IP address
Case 1: Client can connect to the server, and VPN connection works properly.
P1: AES (128 bits) + SHA1 + DH Group 2
P2: AES (128 bits) + MD5 + Off
Case 2: Change P1's hash algorithm to SHA256. Client can't connect to the server; it pops up "Server didn't respond."
P1: AES (128 bits) + SHA256 + DH Group 2
P2: AES (128 bits) + MD5 + Off
Case 3: Based on case 1, change P2's hash algorithm to SHA1. Client can connect to the server, but can't access the remote network (ping failure).
P1: AES (128 bits) + SHA1 + DH Group 2
P2: AES (128 bits) + SHA1 + Off
Case 4: Based on case 1, change P2's encryption algorithm to AES 192 bits. Client can't connect to the server; it pops up "Server didn't respond."
P1: AES (128 bits) + SHA1 + DH Group 2
P2: AES (192 bits) + MD5 + Off
Does anyone know what the problems are?
Appreciate any ideas, suggestions, or guidance. Thanks.
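When no proposal is acceptable, strongSwan's charon (the IKE daemon behind OPNsense's IPsec) logs a "received proposals" line and a "configured proposals" line, and comparing the two shows which transform blocks the negotiation. The following is an added example, not part of the original post: it parses such a pair and reports the transform types with no algorithm in common. The log excerpt is constructed for illustration and the function names are this example's own.

```python
import re

# Constructed charon log excerpt, not taken from the thread. The "received"
# proposals are illustrative only and do not claim what any real client offers.
# "configured" is Case 2's P1: AES 128 + SHA256 + DH Group 2 (MODP_1024).
SAMPLE_LOG = """\
charon: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 12[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
"""

LINE_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")

def transform_type(token):
    """Classify one transform token from a charon proposal string."""
    if token.startswith("PRF_"):
        return "prf"
    if token.startswith(("HMAC_", "AES_XCBC_", "AES_CMAC_")):
        return "integrity"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if token in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "encryption"

def parse_proposals(text):
    """Turn 'IKE:A/B/C, IKE:D/E/F' into a list of {type: set(tokens)} dicts."""
    proposals = []
    for item in text.split(","):
        _, _, transforms = item.strip().partition(":")
        prop = {}
        for token in transforms.split("/"):
            prop.setdefault(transform_type(token), set()).add(token)
        proposals.append(prop)
    return proposals

def mismatches(received, configured):
    """Transform types with no algorithm in common between two proposals."""
    types = set(received) | set(configured)
    return sorted(t for t in types
                  if not received.get(t, set()) & configured.get(t, set()))

def diagnose(log):
    """[] if a received proposal matches a configured one, otherwise the
    mismatching types of the closest pair; None if no proposal lines found."""
    seen = {"received": [], "configured": []}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group(1)] += parse_proposals(m.group(2))
    results = [mismatches(r, c)
               for r in seen["received"] for c in seen["configured"]]
    return min(results, key=len) if results else None
```

An empty result means the proposals agree, so a remaining failure (as in a tunnel that connects but passes no traffic) has to be looked for elsewhere.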
rainerle (Reply #1, May 19, 2021, 11:14:24 am):
Hi,
read through here...
https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
...and then this:
https://ldx.ca/notes/ipsec-os-x-el-capitan.html
The author compiled a list of all possible setups and the compatible clients.
And if that is too boring for you, have a look here:
https://forum.opnsense.org/index.php?topic=12147.0
Hope that helps
Rainer
jerryc20 (Reply #2, May 20, 2021, 03:23:07 pm):
Hi Rainer,
Thanks a lot for these articles. I am studying them.