All,
I wanted first to thank Michael for all the work put into creating the Apple Configuration Profiles feature for IPSec. It’s really quite nice to use.
Anyhow, I was surprised to find that the ciphers used included MODP_1024, which IPFire lists as “Broken”. Now, I’m the first to admit that I do not fully grasp the intricacies of selecting a cipher suite, but this seemed odd to me. I also noticed that the Profile is written to select DH Group 21 (ECP_521), not MODP_1024, which is what ends up getting used.
Using the default configuration profile from IPFire, this is what StrongSwan Reports in the log:
charon: 08[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024 charon: 07[CFG] selected peer config ‘MyConnection' charon: 07[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
If I modify the Configuration Profile to use 256 bit AES-CBC, though, then ECP_521ends up getting used.
charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521 Feb 6 09:50:09 stream charon: 13[CFG] selected peer config 'TomMacOS' Feb 6 09:50:09 stream charon: 13[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Is that an improvement, or does the elimination of GCM actually set things back?
Tom