My understanding is that SHA1 and 3DES are considered weak and/or compromised yet I still see a lot of information online showing how to set up various client devices to use them.
I believe this might be due to SHA1+3DES being the default for L2TP/IPsec connections in windows (?) and indeed this is where we ended up to make the most devices work.
given these weaknesses and the ongoing proliferation of device types, has anyone got any thoughts/experiences to share in selecting protocols for road warriors and people working from home connecting to an office (and or to a CHR on AWS)?
SHA-2/SHA256?
AES-128/AES-256
IKEv2 instead of l2tp+ipsec?
devices we need to connect include windows (10), linux (ubuntu), android phones and tablets, apple phones and ipads
currently all of these devices work with 3DES+SHA1 and with AES128 enabled some will choose to use AES
I don’t know about Android, but Windows 10 and iOS 11 can do better. Try to use AES256, SHA256, and ECP256. That should be your attempted baseline today. Example configuration here.
thanks pcunite
that is great info. I thought win10 supported more/better but could not see how it was done… I can see how is done via command line in the post you linked to.
I’ll try to find out about android support… hopefully the devices will be smart enough to negotiate the best possible options
I had read that there is relatively little benefit to AES256 over AES128. Is there much to be concerned with in making that decision? (a little slower connection from a tablet is not going to be a concern really… but then overkill on encryption just wastes compute cycles and energy https://www.quora.com/Is-AES256-more-secure-than-AES128-Whats-the-different
is there any compelling reason to move away from l2tp/ipsec in a world of diverse devices?