Hello,
I wanted to know if it was possible to change the default cipher algorithms for IPSEC connection.
When I browse online I see that MacOs use :
So I wanted to know how to change this settings
Any one of you have an idea ?
Regards.
MacBook Air 13", macOS 10.14
Have you tried actually connecting using the Mac and its built-in VPN client? Does it give any error messages?
Apple have not as far as I am aware documented any way to customise these settings and normally it will use what the server tells it to - assuming the Apple's client is capable of supporting those modes.
There are various alternative VPN clients for the Mac and some are free and some are not. Many of the firewall/vpn appliance makers make their own Mac VPN clients e.g. Cisco, Juniper, SonicWALL, and SoftEtherVPN.
The generally most competent commercial client is this one https://www.vpntracker.com/us/index.html
Have a look at this one as well https://www.shimovpn.com/
Although interestingly neither seem to list IKEv2.
Thanks to both of you, you have been really helpful
So indeed neither of vpnhtracker or shimovpn propose a IKev2 support
But I think I have find a way to configure the Native VPN.
On this page Apple's Developer site, I find a way to configure VPN profile.
On this xml file I have the possibility to specify the encryptionAlgorithm, IntegrotyAlgorithm and the DeffieHelmanGroup.
I will test to configure the VPN with this file and post if it solve my problem.
Regards
Hi,
thanks for you respond
No I'm not using a MAC as VPN server or Cisco IPsec.
I use one of my Firewall that implement the standard protocol Ikev2.
I can configure this weak cypher on my VPN server but I don't want to use sha1 or DH2.
I want to use instead sha256 and a DH14 that are more secure.
Regards
A few questions, if you don't mind:
Hello,
I have a Remote Access VPN configure ( working with Windows Native VPN Client computers) that use AES256 + SHA256 + DH14.
So I wanted to know if it was possible to configure the Native MacOS VPN client to change its settings to use instead this cyphers on a local Mac computers for the user to be able to connect on remote.
Or if I have to use a third party client VPN to configure this.
By the way I tested to add the cyphers ( the default cyphers of the MacOS VPN Native Client ) on my VPN Gateway ( a Firewall appliance ) and the tunnel works.
So to summarize my environment :
A Mac Computer with Native VPN client wants to connect to a remote site with a IPSec Tunneling on a VPN Server that is a Firewall Appliance that allow only strong cyphers like (SH256/DH14)
Please do ... and thanks for the link, it will come in handy for those who may need to solve these kinds of issues.
Please note that Cisco IPSec aka IPSec is a different protocol to IKEv2.
However regardless I would normally expect this to be configured within the VPN server rather than the VPN client. Since the Mac has never included a Cisco IPSec or IKEv2 server I presume you are not using a Mac as a VPN server.
Thanks for the additional information. I believe John Lockwood has provided the limitations of using the native macOS VPN client for this purpose. I concur with him that Apple hasn't released any detailed information related to this client's implementation to offer you anything related to which protocols & cyphers they will use going forward. Sorry, I couldn't help answer your questions.
Cipher Algorithm for VPN Ikev2
