Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
OPNSense vs PfSense (IPSEC - DH group)
« previous
next »
Print
Pages: [
1
]
Author
Topic: OPNSense vs PfSense (IPSEC - DH group) (Read 5935 times)
MrBieR
Newbie
Posts: 11
Karma: 0
OPNSense vs PfSense (IPSEC - DH group)
«
on:
August 02, 2018, 05:40:56 pm »
Hello,
I'm not very much into the 'what is secure and what not' however I noticed that OPNSense has great features and looks better than PfSense - I miss some DH groups.
I believe OPNSense does not support:
- 28 (brainpool ecp256)
- 29 (brainpool ecp384)
- 30 (brainpool ecp512)
The one's that are lower are not secure is what I've read... this is the only reason I cannot go to OPNSense I believe. How hard is it to add these?? I've a VPN tunnel between two offices of my company and there's a lot of data going over the VPN hence I rather have the most secure DH group.
If anyone can teach me (that I'm wrong) or help out to get the DH-group 30 in OPNSense, that would be great!
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: OPNSense vs PfSense (IPSEC - DH group)
«
Reply #1 on:
August 02, 2018, 05:52:29 pm »
Everything above DH14 is considered unbreakable today.
Where did you get this info?
Do you use PSK or certificates?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
MrBieR
Newbie
Posts: 11
Karma: 0
Re: OPNSense vs PfSense (IPSEC - DH group)
«
Reply #2 on:
August 02, 2018, 06:19:10 pm »
PSK
Websites I read;
https://www.keylength.com/en/8/
https://eprint.iacr.org/2016/995.pdf
https://security.stackexchange.com/questions/171418/diffie-hellman-group-matching-to-ipsec-encryption-algorithm
I see that the 14 is recommended since 2003. We're 15 years further now. I don't believe this can still be the case.
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: OPNSense vs PfSense (IPSEC - DH group)
«
Reply #3 on:
August 02, 2018, 06:21:22 pm »
It's also been 10 years to use certificates
Trust me, DH14 is okay.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: OPNSense vs PfSense (IPSEC - DH group)
«
Reply #4 on:
August 02, 2018, 07:33:38 pm »
done via
https://github.com/opnsense/core/commit/062a016b58
Cheers,
Franco
Logged
MrBieR
Newbie
Posts: 11
Karma: 0
Re: OPNSense vs PfSense (IPSEC - DH group)
«
Reply #5 on:
August 02, 2018, 08:24:39 pm »
Thanks both, really helpful!
So I should use certificates and 14+ is good enough. (If available later on, I'll use 30)
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: OPNSense vs PfSense (IPSEC - DH group)
«
Reply #6 on:
August 02, 2018, 10:41:14 pm »
I configured so many VPNs .. also with ASA or Sophos or plain Linux ... to companys like SAP, BMW, Linde .. I never ever saw a DH above 14.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
OPNSense vs PfSense (IPSEC - DH group)