IPSec interoperability

With the appropriate parameters selected, establishing VPN connections with other IPSec products is usually not a problem. The required settings are listed below:
Phase 1 parameters:
  • Main mode
  • TripleDES (3DES), AES-128, AES-256
  • MD5-96, SHA1-96, SHA2-256, SHA2-512
  • Oakley group 2, 5, 14 to 18 (MODP1024, MODP1536, MODP2048, MODP3072, MODP4096, MODP6144, MODP8192)
  • Default key lifetime: 6 hours
Phase 2 parameters:
  • ESP
  • TripleDES (3DES), AES-128, AES-256
  • MD5-96, SHA1-96, SHA2-256, SHA2-384, SHA2-512
  • Optional Perfect Forward Secrecy (enabled by default, using the same group as in phase 1)
  • Default key lifetime: 9 hours
We regularly verify interoperability with the IPSec clients of recent Microsoft Windows releases and of the Android, MacOS and iOS operating systems. Please understand that we cannot guarantee interoperability with other products: the number of other products, and the differences even between releases of a single product, make this impossible. However, comparing the log files of both sides should make it reasonably straightforward to find and remedy the cause of connection problems.

Android 6 and SHA2-256

With Android 6.0 the default proposal for phase 2 is SHA2-256. However, Android uses the draft version, which limits the hash to 96 bits.
When using XAuth, support for the draft version can be activated by enabling the option "SHA2-256 96bit draft version" at "Modules > Network > Interface > ipsec0 > Connections > Connection Name > Phase 2". For L2TP this can only be done by technical support. Once the option is enabled, however, other clients which use the normal SHA2-256 implementation will no longer be able to connect.
Alternatively, SHA1-96 can be forced in the phase 2 connection settings.
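
The following added example (not part of the original documentation or of the product's code) shows why a peer using the 96-bit draft truncation and a peer using the standard 128-bit truncation of RFC 4868 drop each other's ESP packets even with identical keys. The function names, the key and the simplified packet layout (SPI, sequence number, ciphertext, ICV; no encryption or padding) are assumptions made for illustration.

```python
import hashlib
import hmac

DRAFT_ICV_LEN = 12    # 96-bit truncation of the pre-standard draft
RFC4868_ICV_LEN = 16  # 128-bit truncation (HMAC-SHA-256-128, RFC 4868)
VARIANTS = {"draft-96": DRAFT_ICV_LEN, "rfc4868-128": RFC4868_ICV_LEN}


def esp_protect(auth_key, spi, seq, ciphertext, icv_len):
    """Sender: SPI | sequence number | ciphertext | truncated ICV."""
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:icv_len]
    return body + icv


def esp_verify(auth_key, packet, icv_len):
    """Receiver: treat the last icv_len bytes as the ICV and check it."""
    if len(packet) < 8 + icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(icv, expected)


def interop_matrix():
    """Return {(sender, receiver): accepted} for every combination."""
    key = bytes(range(32))   # constructed 256-bit authentication key
    ciphertext = bytes(48)   # constructed stand-in for the encrypted payload
    matrix = {}
    for sender, s_len in VARIANTS.items():
        packet = esp_protect(key, 0x1000, 1, ciphertext, s_len)
        for receiver, r_len in VARIANTS.items():
            matrix[(sender, receiver)] = esp_verify(key, packet, r_len)
    return matrix


if __name__ == "__main__":
    for (sender, receiver), ok in interop_matrix().items():
        verdict = "accepted" if ok else "dropped (ICV mismatch)"
        print(f"{sender:12} -> {receiver:12} {verdict}")
```

A receiver configured for the other truncation length splits the packet at the wrong offset, so the integrity check fails in both directions; this is the symptom to look for in the logs when phase 2 is established but no traffic passes.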
