OSX 10.11.4: IPsec IKEv1 DH Group 2 still supported?
The article
HT206154: VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1
https://support.apple.com/en-us/HT206154 Last Modified: Mar 31, 2016
states:
"DH Group 2 is still supported but it has the lowest priority when finding a proposal match. Both L2TP over IPSec and Cisco IPsec now support DH Groups 14, 5, 2, in that order of preference. For aggressive mode, the VPN client will try first with DH Group 14; if it fails, it will try again with DH Group 2."
The table shows no Group 2.
My personal tests using IKEv1 with a firewall showed that OSX 10.11.4 does not propose DH 2 for phase 1 any more:
received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
When I switch the firewall over to DH Group 14, the connection works, but this breaks support for older versions of OSX and iOS, which I need.
Did the DH Group change between the subversions of 10.11?
Is there a chance to specify an IPsec VPN for current and former OSX and iOS?
Thanx, Marcus
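
Added example, not part of the original post: a small parser for a proposal log line in the format quoted above, mapping MODP sizes to IKE DH group numbers to show which groups the client offered and which of them a responder's configured groups would match. The function names and the responder group sets are assumptions for illustration.

```python
import re

# IKE Diffie-Hellman group numbers for MODP groups (RFC 2409, RFC 3526).
MODP_TO_DH_GROUP = {
    "MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5,
    "MODP_2048": 14, "MODP_3072": 15, "MODP_4096": 16,
}

# Log line as quoted in the post above.
SAMPLE = (
    "received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048"
)

def parse_proposals(line):
    """Split a 'received proposals:' line into one dict per IKE proposal."""
    _, _, body = line.partition("proposals:")
    proposals = []
    for item in re.split(r",\s*", body.strip()):
        if not item.startswith("IKE:"):
            continue  # skip anything that is not an IKE proposal
        prop = {"encryption": None, "integrity": None, "prf": None,
                "dh": None, "dh_group": None}
        for token in item[len("IKE:"):].split("/"):
            if token.startswith("PRF_"):
                prop["prf"] = token
            elif token.startswith("HMAC_"):
                prop["integrity"] = token
            elif token.startswith("MODP_"):
                prop["dh"] = token
                # Unknown MODP sizes stay None instead of being guessed.
                prop["dh_group"] = MODP_TO_DH_GROUP.get(token)
            else:
                prop["encryption"] = token
        proposals.append(prop)
    return proposals

def offered_dh_groups(line):
    """Sorted DH group numbers that appear in the client's proposals."""
    groups = {p["dh_group"] for p in parse_proposals(line)}
    return sorted(g for g in groups if g is not None)

def common_dh_groups(line, responder_groups):
    """Offered groups that the responder (hypothetical set) also accepts."""
    return [g for g in offered_dh_groups(line) if g in responder_groups]

if __name__ == "__main__":
    print("offered:", offered_dh_groups(SAMPLE))
    print("match with responder {2}:", common_dh_groups(SAMPLE, {2}))
```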