Showing posts from December, 2015

VPN gateway setup for Android 5, iOS 9, and Mac OS X 10.10

I recently configured an IKEv1 L2TP/IPSec VPN for a customer. They needed support for a mix of Android 5, iOS 9, and Mac OS X 10.10 clients. During testing and going through debug logs on the VPN gateway, I found that these devices announce support for several authentication hashes and encryption protocols:

| OS | authentication | encryption |
|---|---|---|
| Android 5 | SHA256-128, SHA1-96, MD5-96 | AES256, AES128, 3DES, DES |
| iOS 9 | SHA1-96, MD5-96 | AES256, AES128, 3DES |
| Mac OS X 10.10 | SHA1-96, MD5-96 | AES256, AES128, 3DES |

The working configurations I found were:

| authentication | encryption |
|---|---|
| SHA1 | 3DES |
| SHA1 | AES128 |
| SHA1 | AES256 |

and I settled on the last combo as AES256 is the strongest CBC from that list.
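
The selection above can be reproduced mechanically by intersecting what each client announces. This is an added example, not code from the original post: the client data is transcribed from the first table, while the deny list (MD5, DES) and the strength ordering are assumptions made for illustration.

```python
# Constructed from the post's first table: algorithms each client announced.
CLIENTS = {
    "Android 5": {"auth": {"SHA256-128", "SHA1-96", "MD5-96"},
                  "enc": {"AES256", "AES128", "3DES", "DES"}},
    "iOS 9": {"auth": {"SHA1-96", "MD5-96"},
              "enc": {"AES256", "AES128", "3DES"}},
    "Mac OS X 10.10": {"auth": {"SHA1-96", "MD5-96"},
                       "enc": {"AES256", "AES128", "3DES"}},
}

# Assumed gateway policy (not from the post): refused algorithms and
# a strongest-first preference order for each algorithm type.
DENY = {"MD5-96", "DES"}
AUTH_RANK = ["SHA256-128", "SHA1-96", "MD5-96"]
ENC_RANK = ["AES256", "AES128", "3DES", "DES"]


def common(clients, kind):
    """Algorithms of one kind ('auth' or 'enc') announced by every client."""
    return set.intersection(*(c[kind] for c in clients.values()))


def candidate_proposals(clients, deny=DENY):
    """(auth, enc) pairs all clients announce, minus denied ones, strongest first."""
    auths = [a for a in AUTH_RANK if a in common(clients, "auth") - deny]
    encs = [e for e in ENC_RANK if e in common(clients, "enc") - deny]
    return [(a, e) for a in auths for e in encs]


def excluded_clients(clients, auth, enc):
    """Clients that never announced this pair, so a gateway pinned to it locks them out."""
    return sorted(name for name, c in clients.items()
                  if auth not in c["auth"] or enc not in c["enc"])


if __name__ == "__main__":
    for auth, enc in candidate_proposals(CLIENTS):
        print(auth, enc)
    print("SHA256-128/AES256 would exclude:",
          excluded_clients(CLIENTS, "SHA256-128", "AES256"))
```

With the deny list applied, the candidates are exactly the SHA1 pairs in the second table, with AES256 ranked first.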

PS: For DH key exchange, only so-called Group 2 1024modp was in the list on all three devices, so there was no other choice available, and no further testing was done.
PS2: I tried SHA256 authentication with the Android device, but no successful connection could be set up with the VPN gateway. It looks like there was some kind of incompatibi…