
I need to connect one Mac (OS X 10.8.2) from our internal network to a site-to-site VPN and was asked to provide some information about our network and encryption settings. What are the OS X defaults for the following?

  • Encryption Type (DES/3DES/AES)
  • Hash (MD5/SHA1)
  • Diffie-Hellman Group (1, 2 or 5)

According to this Cisco VPN support doc, Mac OS X 10.7 (and presumably 10.8) uses 3des or aes encryption, not des.

Where would I find the Hash and DH Group?

joemaller
  • I also don't understand why these can't all be rolled into a .pcf file. – joemaller Dec 18 '12 at 17:13
  • FYI, the DES key can be recovered in less than a day using "Cloud" GPUs. If anyone wants your data, it'll cost them ~$200 USD of Amazon EC2 time. You probably don't change your encryption key very often either; most Cisco configurations I've seen never change their keys... – Chris S Dec 18 '12 at 18:31
  • After upgrading to OSX 10.11.4 it is worth adding Diffie-Hellman 14 (2048bit). Source https://www.cameronbrister.com/mac-os-x-10-11-4-breaks-some-cisco-ipsec-vpn-connections/ – helot Aug 04 '18 at 09:26

1 Answer

After extensive research, I've found consensus on which encryption settings OS X uses for VPNs. These may be useful for anyone setting up a VPN for native OS X or iOS clients.

  • Encryption Type: 3DES or AES (3DES is the default)
  • Authentication Hash: SHA-1
  • Diffie-Hellman Group: DH Group 2 (1024 bit)

Selected sources:

  • Using a Linux L2TP/IPsec VPN server with Mac OS X and iPhone (2010)
    3DES, SHA-1, DH Group 2

  • Set up IPSecuritas VPN for Mac OS X (undated)
    3DES, SHA-1, DH Group 2

  • Use Mobile VPN with IPSec with a Mac OS X or iOS Device (undated, 2011?)
    AES-256 or 3DES, SHA-1, DH Group 2

  • Application Notes for IPSec Policy supporting Apple iPhone VPN Connectivity (2010)
    AES-128, SHA-1, DH Group 2

  • Setting up a Mac/iPhone VPN to a Cisco ASA Router (2009)
    3DES, SHA-1, DH Group 2

  • SonicWALL and iPad, iPhone, iPod VPN solution Part 1 (undated)
    3DES, SHA-1, DH Group 2

  • Diffie-Hellman (DH) Group 2 GroupVPN Limitation with MAC OS X Internet Connect and Windows Built-in L2TP Over IPSec Clients (2007)
    DH Group 2

joemaller
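The three defaults collected in the answer above (3DES or AES, SHA-1, DH group 2) are Phase 1 (IKEv1 main mode) proposals, so a gateway only has to offer a matching proposal for the built-in OS X/iOS L2TP/IPsec client to connect. The following is an added example of what that looks like as a strongSwan `ipsec.conf` connection; it is not from the original post or any of its sources. The connection name `l2tp-osx`, the pre-shared-key authentication and the transport-mode L2TP port settings are assumptions for the sake of illustration; adjust them to your gateway.

```conf
# Added example: strongSwan ipsec.conf entry for native OS X / iOS L2TP/IPsec clients.
# Name, authby and port settings are assumptions; the proposal lists reflect the
# client defaults found above (AES or 3DES, SHA-1, DH group 2 = modp1024).
conn l2tp-osx
    keyexchange=ikev1
    type=transport
    authby=psk
    left=%defaultroute
    leftprotoport=17/1701        # L2TP/UDP on the gateway
    right=%any
    rightprotoport=17/%any       # client source port is not fixed behind NAT
    # Phase 1: list the stronger AES proposal first, keep 3DES only for old clients.
    # modp2048 (DH group 14) is included for the 10.11.4+ clients mentioned in the comments.
    # The trailing "!" makes strongSwan reject anything not in this list
    # (e.g. a DES/MD5/DH-group-1 proposal), instead of accepting the client's weaker offer.
    ike=aes256-sha1-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
    # Phase 2 (ESP) proposals, same cipher/hash pairs.
    esp=aes256-sha1,3des-sha1!
    auto=add
```

A quick check after loading the configuration is `ipsec statusall`, which prints the IKE and ESP proposals actually negotiated for each established SA; if the client lands on `3DES_CBC/HMAC_SHA1_96/MODP_1024` rather than the AES entry, that tells you which of the listed defaults that particular OS X version really offers first.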