OSX 10.11.4: IPsec IKEv1 DH Group 2 still supported?

The article

HT206154: VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1

https://support.apple.com/en-us/HT206154 Last Modified: Mar 31, 2016

states:

"DH Group 2 is still supported but it has the lowest priority when finding a proposal match. Both L2TP over IPSec and Cisco IPsec now support DH Groups 14, 5, 2, in that order of preference. For aggressive mode, the VPN client will try first with DH Group 14; if it fails, it will try again with DH Group 2."

The table shows no Group 2.


My personal tests using IKEv1 with a firewall showed that OSX 10.11.4 does not propose DH 2 for phase 1 any more:

received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048


When I switch over the firewall to DH Group 14, the connection works, but it breaks support for older versions of OSX and iOS which I need.


Did the DH Group change between the subversions of 10.11?


Is there a chance to specify an IPsec VPN for actual and former OSX and iOS?


Thanx, Marcus

Posted on Apr 27, 2016 4:09 PM
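
To check a log line like the one quoted in the post against a gateway's phase 1 configuration, this added example (not part of the original post, and not Apple's or any firewall vendor's code) parses the proposal list and reports the DH groups offered and any overlap. The MODP-to-group mapping follows RFC 2409 and RFC 3526; the function names and the two gateway proposal sets are constructed assumptions.

```python
# Added example: parse an IKE "received proposals" log line and compare it
# with the phase 1 proposals a gateway accepts. Names are hypothetical.

# MODP size -> IKE DH group number (RFC 2409, RFC 3526).
MODP_TO_GROUP = {"MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5,
                 "MODP_2048": 14, "MODP_3072": 15, "MODP_4096": 16}

# The log line quoted in the post.
LOG_LINE = (
    "received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048"
)

# Constructed gateway configurations (assumptions, not from the post).
GW_GROUP2_ONLY = [("AES_CBC_256", "HMAC_SHA1_96", "PRF_HMAC_SHA1", 2)]
GW_GROUP2_AND_14 = GW_GROUP2_ONLY + [
    ("AES_CBC_256", "HMAC_SHA1_96", "PRF_HMAC_SHA1", 14)]

def parse_proposals(line):
    """Return a list of (encryption, integrity, prf, dh_group) tuples."""
    _, _, body = line.partition("received proposals:")
    proposals = []
    for item in (part.strip() for part in body.split(",")):
        if not item.startswith("IKE:"):
            continue
        fields = item[len("IKE:"):].split("/")
        if len(fields) != 4 or fields[3] not in MODP_TO_GROUP:
            raise ValueError(f"unrecognised proposal: {item!r}")
        proposals.append((fields[0], fields[1], fields[2],
                          MODP_TO_GROUP[fields[3]]))
    return proposals

def offered_dh_groups(line):
    """Sorted DH group numbers that appear in the client's proposals."""
    return sorted({p[3] for p in parse_proposals(line)})

def common_proposals(line, gateway):
    """Client proposals the gateway also accepts (overlap only; which one a
    responder picks is implementation-specific)."""
    accepted = set(gateway)
    return [p for p in parse_proposals(line) if p in accepted]

if __name__ == "__main__":
    print("DH groups offered:", offered_dh_groups(LOG_LINE))
    for name, gw in (("group 2 only", GW_GROUP2_ONLY),
                     ("groups 2 and 14", GW_GROUP2_AND_14)):
        print(name, "->", common_proposals(LOG_LINE, gw) or "no overlap")
```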
