Mac OS X VPN Encryption Defaults

I need to connect one Mac (OS X 10.8.2) from our internal network to a site-to-site VPN and was asked to provide some information about our network and encryption settings. What are the OS X defaults for the following?

  • Encryption Type (DES/3DES/AES)
  • Hash (MD5/SHA1)
  • Diffie-Hellman Group (1, 2 or 5)

According to this Cisco VPN support doc, Mac OS X 10.7 (and presumably 10.8) uses 3DES or AES encryption, not DES.

Where would I find the Hash and DH Group?


After extensive research, I've found consensus on which encryption settings OS X uses for VPNs. These may be useful for anyone setting up a VPN for native OS X or iOS clients.

  • Encryption Type: 3DES or AES (3DES is the default)
  • Authentication Hash: SHA-1
  • Diffie-Hellman Group: DH Group 2 (1024 bit)

Selected sources:

  • Using a Linux L2TP/IPsec VPN server with Mac OS X and iPhone (2010)
    3DES, SHA-1, DH Group 2

  • Set up IPSecuritas VPN for Mac OS X (undated)
    3DES, SHA-1, DH Group 2

  • Use Mobile VPN with IPSec with a Mac OS X or iOS Device (undated, 2011?)
    AES-256 or 3DES, SHA-1, DH Group 2

  • Application Notes for IPSec Policy supporting Apple iPhone VPN Connectivity (2010)
    AES-128, SHA-1, DH Group 2

  • Setting up a Mac/iPhone VPN to a Cisco ASA Router (2009)
    3DES, SHA-1, DH Group 2

  • SonicWALL and iPad, iPhone, iPod VPN solution Part 1 (undated)
    3DES, SHA-1, DH Group 2

  • Diffie-Hellman (DH) Group 2 GroupVPN Limitation with MAC OS X Internet Connect and Windows Built-in L2TP Over IPSec Clients (2007)
    DH Group 2
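
As an added example (not part of the answer above), this Python script checks which of a gateway's IKE proposals line up with the client settings listed in the answer. The `cipher-hash-dhgroup` proposal notation, the sample gateway list, and all function names are assumptions made for illustration.

```python
# Added example: compare gateway IKE proposals with the client settings
# reported in the answer (3DES or AES, SHA-1, DH Group 2).
# Assumption: proposals are written as "cipher-hash-dhgroup" keywords.

CLIENT_CIPHERS = {"3des", "aes"}   # AES at any key size
CLIENT_HASHES = {"sha1"}
CLIENT_DH_GROUPS = {2}

# MODP keyword -> DH group number (768, 1024 and 1536-bit groups).
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5}

# Constructed sample: a comma-separated proposal list for a hypothetical gateway.
SAMPLE_GATEWAY = ("aes256-sha256-modp1536, 3des-md5-modp1024, "
                  "aes128-sha1-modp1024, des-sha1-modp768")


def parse_proposal(text):
    """Split 'aes256-sha1-modp1024' into (cipher family, hash, DH group number)."""
    parts = text.strip().lower().split("-")
    if len(parts) != 3:
        raise ValueError(f"expected cipher-hash-dhgroup, got {text!r}")
    cipher, hash_name, dh = parts
    family = cipher.rstrip("0123456789")      # 'aes256' -> 'aes', '3des' stays '3des'
    return family, hash_name, MODP_TO_GROUP.get(dh)  # None for an unknown group keyword


def mismatches(proposal):
    """List the fields of one proposal that the client settings do not cover."""
    family, hash_name, group = parse_proposal(proposal)
    problems = []
    if family not in CLIENT_CIPHERS:
        problems.append(f"encryption {family}")
    if hash_name not in CLIENT_HASHES:
        problems.append(f"hash {hash_name}")
    if group not in CLIENT_DH_GROUPS:
        problems.append(f"DH group {group}")
    return problems


def compatible_proposals(gateway_config):
    """Keep only the proposals in a comma-separated list that the client can match."""
    items = [p.strip() for p in gateway_config.split(",") if p.strip()]
    return [p for p in items if not mismatches(p)]


if __name__ == "__main__":
    for item in SAMPLE_GATEWAY.split(","):
        print(item.strip(), "->", mismatches(item) or "matches client settings")
```
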