IPSec Peer Encryption

sjoram · August 19, 2019, 10:18pm

I have a site-to-site VPN running with the following settings:

Proposal:
Auth sha512
Encryption aes-256-cbc
PFS modp3072

Peer:
Hash: sha512
Encryption: aes-256
DH Group: modp1024

My understanding is best practice is to use modp3072 as a minimum for DH groups, but the connection will not establish if I amend the above modp1024 to modp3072.
I was able to amend the PFS from 1024 to 3072 without issue.

sjoram · August 22, 2019, 1:55pm

To add, I have a PPPoE client towards the WAN, MTU/MRU 1432 however I also found I needed a Mangle rule for any TCP MSS over 1387 to reduce to 1386 in & out. I think due to PMTUD issues.
Could this explain why the modp over 1024 fails?