Mac OS X VPN Encryption Defaults
I need to connect one Mac (OS X 10.8.2) from our internal network to a site-to-site VPN and was asked to provide some information about our network and encryption settings. What are the OS X defaults for the following?
- Encryption Type (DES/3DES/AES)
- Hash (MD5/SHA1)
- Diffie-Hellman Group (1, 2 or 5)
According to this Cisco VPN support doc, Mac OS X 10.7 (and presumably 10.8) uses 3des or aes encryption, not des.
Where would I find the Hash and DH Group?
After extensive research, I've found consensus on which encryption settings OS X uses for VPNs. These may be useful for anyone setting up a VPN for native OS X or iOS clients.
- Encryption Type: 3DES or AES (3DES is the default)
- Authentication Hash: SHA-1
- Diffie-Hellman Group: DH Group 2 (1024 bit)
Selected sources:
- Using a Linux L2TP/IPsec VPN server with Mac OS X and iPhone (2010): 3DES, SHA-1, DH Group 2
- Set up IPSecuritas VPN for Mac OS X (undated): 3DES, SHA-1, DH Group 2
- Use Mobile VPN with IPSec with a Mac OS X or iOS Device (undated, 2011?): AES-256 or 3DES, SHA-1, DH Group 2
- Application Notes for IPSec Policy supporting Apple iPhone VPN Connectivity (2010): AES-128, SHA-1, DH Group 2
- Setting up a Mac/iPhone VPN to a Cisco ASA Router (2009): 3DES, SHA-1, DH Group 2
- SonicWALL and iPad, iPhone, iPod VPN solution Part 1 (undated): 3DES, SHA-1, DH Group 2
- Diffie-Hellman (DH) Group 2 GroupVPN Limitation with MAC OS X Internet Connect and Windows Built-in L2TP Over IPSec Clients (2007): DH Group 2
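The practical use of the answer above is checking whether a server's IKE phase-1 proposal list contains something the native OS X client will actually negotiate. The following is an added example, not part of the original question or answer: it encodes the client defaults the answer reports (3DES or AES, SHA-1, DH group 2) as a constructed proposal set and tests a server's proposals against it, reporting which field (encryption, hash or DH group) rules each one out. The `enc-hash-dhgroup` string syntax (for example `aes256-sha1-modp1024`) follows the strongSwan style and is an assumption; a Cisco ASA expresses the same thing as numbered `crypto isakmp policy` entries, and the sample server proposals are constructed.

```python
"""Check a server's IKE phase-1 proposals against the OS X client defaults
reported in the answer above. Added example, not code from the original post.

Proposal syntax (assumed, strongSwan-like): "enc-hash-dh", e.g.
"3des-sha1-modp1024" or "aes128-sha1-dh2". Sample inputs are constructed.
"""

# DH group numbers as used in the question, mapped to MODP names.
DH_GROUP_NAMES = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

# Client defaults constructed from the answer's bullets: 3DES or AES with
# SHA-1 and DH group 2 (1024 bit). A real client may offer more than this.
OSX_CLIENT_PROPOSALS = [
    ("3des", "sha1", "modp1024"),
    ("aes256", "sha1", "modp1024"),
    ("aes128", "sha1", "modp1024"),
]


def parse_proposal(text):
    """Parse 'enc-hash-dh' into a lowercase (enc, hash, dh) tuple.

    The DH field accepts either a MODP name ('modp1024') or 'dhN' ('dh2').
    """
    parts = text.strip().lower().split("-")
    if len(parts) != 3:
        raise ValueError("proposal must be enc-hash-dh: %r" % text)
    enc, hash_alg, dh = parts
    if dh.startswith("dh"):
        dh = DH_GROUP_NAMES[int(dh[2:])]
    return (enc, hash_alg, dh)


def first_match(server_proposals, client_proposals=OSX_CLIENT_PROPOSALS):
    """Return (index, proposal) of the first server proposal, in server order,
    that the client also offers, or None when no phase-1 SA can be agreed."""
    client = set(client_proposals)
    for index, text in enumerate(server_proposals):
        proposal = parse_proposal(text)
        if proposal in client:
            return index, proposal
    return None


def diagnose(server_proposals, client_proposals=OSX_CLIENT_PROPOSALS):
    """For each server proposal, return the set of fields ('enc', 'hash', 'dh')
    whose value no client proposal offers. An empty set means that entry is
    acceptable to the client; a non-empty set names what to change."""
    offered = {
        "enc": {c[0] for c in client_proposals},
        "hash": {c[1] for c in client_proposals},
        "dh": {c[2] for c in client_proposals},
    }
    report = []
    for text in server_proposals:
        enc, hash_alg, dh = parse_proposal(text)
        bad = set()
        if enc not in offered["enc"]:
            bad.add("enc")
        if hash_alg not in offered["hash"]:
            bad.add("hash")
        if dh not in offered["dh"]:
            bad.add("dh")
        report.append(bad)
    return report


if __name__ == "__main__":
    # Constructed server policy: a modern entry first, a legacy entry second.
    server = ["aes256-sha256-modp2048", "3des-sha1-modp1024"]
    print("match:", first_match(server))
    print("diagnosis:", diagnose(server))
    # A server that only offers the modern entry gets no match at all.
    print("modern-only:", first_match(server[:1]), diagnose(server[:1]))
```

Running it on the constructed policy shows the first entry failing on both hash and DH group while the second matches; with only the modern entry there is no match, which is the "client never completes phase 1" symptom an administrator sees. Matching these defaults means the server accepts 3DES and 1024-bit DH, so on a current deployment keep that entry as a separate, lowest-priority proposal for the clients that need it rather than as the global default.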