I recently configured an IKEv1 L2TP/IPSec VPN for a customer. They needed support for a mix of Android 5, iOS 9, and Mac OS X 10.10 clients. During testing and going through debug logs on the VPN gateway, I found that these devices announce support for several authentication hashes, and encryption protocols: OS authentication encryption Android 5 SHA256-128, SHA1-96, MD5-96 AES256, AES128, 3DES, DES iOS 9 SHA1-96, MD5-96 AES256, AES128, 3DES Mac OS X 10.10 SHA1-96, MD5-96 AES256, AES128, 3DES The working configurations I found were: authentication encryption SHA1 3DES SHA1 AES128 SHA1 AES256 and I settled on the last combo as AES256 is the strongest CBC from that list. PS for DH key exchange, only so-called Group 2 1024modp was in the list on all three devices, so there was no other choice available, and no further testing was done. PS2 I tried SHA256 authentication with the Android device, but no successful connection could be set up with the VPN gateway. It looks li...
plenty of grains to pick