
I'm trying to harden the L2TP/IPSec VPN on an El Capitan server. All the resources I can find either just walk you through the basic setup (adding a shared key, etc.) or are for third-party servers. The closest I found was this question, but it only talks about the defaults, not about how to override them.

Specifically, I'm trying to make the following changes to the allowed ciphers:

  • Symmetric cipher - AES only (nothing DES-based due to the short block size), CBC if that's the best available but GCM preferred if possible.
  • Hash: SHA2 family if possible, especially if unable to use GCM.
  • Key exchange: Use a 2048-bit Diffie-Hellman group (or larger), or use ECDH, or at least don't use the default 1024-bit group as it should be presumed compromised by the NSA or similarly-equipped groups already (see WeakDH).

I can't find anything on changing the default ciphers supported by the Mac OS Server for VPN. I'm new to Mac servers (though comfortable on a Unix command line).

The closest things I found are /Library/Server/Configuration/services.mobileconfig, which includes some basic details about VPN and IPSec configuration but nothing that looked like it controls ciphers, and /Library/Server/Preferences/com.apple.servermgrd.plist, which includes a list of forbiddenSSLCipherSuites (by integer ID only) but nothing about IPSec.

CBHacking
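The three requirements in the question (AES only, SHA-2 integrity unless an AEAD mode such as GCM is used, and no Diffie-Hellman group weaker than 2048-bit MODP or an ECP group) can be written down as a policy check and run over whatever proposal list a server is offering, so a change can be verified rather than assumed. The script below is an added example, not part of the original post and not Apple's or the macOS Server VPN service's own tooling. It assumes a constructed, strongSwan-style proposal notation `<cipher>-<integrity>-<dh-group>` (for example `aes256-sha256-modp2048`) as its input format; that notation is an assumption for illustration, not the format the macOS Server VPN service uses, and the sample proposal list is constructed. It goes slightly beyond the question by auditing a whole list of proposals at once and by treating the ECP groups as acceptable alongside the large MODP groups.

```python
"""
Audit IKE/IPsec proposal strings against the cipher policy from the question.

Input notation (an assumption for this example, not the macOS Server format):
    "<cipher>-<integrity>-<dh-group>"   e.g. "aes256-sha256-modp2048"
AEAD ciphers (GCM) carry their own integrity and omit the middle part:
    "<cipher>-<dh-group>"               e.g. "aes256gcm16-ecp256"
"""
import re
from dataclasses import dataclass, field

# Modulus size in bits of the common IKE MODP groups (RFC 2409 / RFC 3526)
# and curve size of the ECP groups (RFC 5903).
DH_GROUP_BITS = {
    "modp768": 768,
    "modp1024": 1024,
    "modp1536": 1536,
    "modp2048": 2048,
    "modp3072": 3072,
    "modp4096": 4096,
    "ecp256": 256,
    "ecp384": 384,
    "ecp521": 521,
}

MIN_MODP_BITS = 2048       # the question's minimum for finite-field DH
AEAD_TAGS = ("gcm",)       # GCM is authenticated; no separate hash needed


@dataclass
class Finding:
    proposal: str
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def parse_proposal(proposal):
    """Split a proposal string into (cipher, integrity, dh_group).
    For AEAD proposals integrity is None, since the cipher provides it."""
    parts = proposal.lower().split("-")
    cipher = parts[0]
    if any(tag in cipher for tag in AEAD_TAGS):
        integrity = None
        dh = parts[1] if len(parts) > 1 else None
    else:
        integrity = parts[1] if len(parts) > 1 else None
        dh = parts[2] if len(parts) > 2 else None
    return cipher, integrity, dh


def audit_proposal(proposal):
    """Return a Finding listing every way the proposal violates the policy."""
    cipher, integrity, dh = parse_proposal(proposal)
    f = Finding(proposal)

    # Rule 1: AES only. DES and 3DES are 64-bit block ciphers and excluded.
    if not cipher.startswith("aes"):
        f.problems.append(f"cipher {cipher!r} is not AES")

    # Rule 2: SHA-2 integrity unless the cipher is an AEAD mode (GCM).
    if integrity is not None:
        if not re.fullmatch(r"sha(256|384|512)", integrity):
            f.problems.append(f"integrity {integrity!r} is not SHA-2")
    elif not any(tag in cipher for tag in AEAD_TAGS):
        f.problems.append("no integrity algorithm given for a non-AEAD cipher")

    # Rule 3: DH group must be a >= 2048-bit MODP group or an ECP group.
    if dh is None:
        f.problems.append("no Diffie-Hellman group given")
    elif dh not in DH_GROUP_BITS:
        f.problems.append(f"unknown DH group {dh!r}")
    elif dh.startswith("modp") and DH_GROUP_BITS[dh] < MIN_MODP_BITS:
        f.problems.append(f"DH group {dh} is only {DH_GROUP_BITS[dh]} bits")
    return f


def audit(proposals):
    """Audit a whole proposal list; returns one Finding per proposal."""
    return [audit_proposal(p) for p in proposals]


if __name__ == "__main__":
    # Constructed sample list: two legacy-style proposals and two that
    # satisfy the policy. Not captured from any real server.
    SAMPLE = [
        "3des-sha1-modp1024",
        "aes128-sha1-modp1024",
        "aes256-sha256-modp2048",
        "aes256gcm16-ecp256",
    ]
    for finding in audit(SAMPLE):
        status = "OK  " if finding.ok else "WEAK"
        print(status, finding.proposal, "; ".join(finding.problems))
```

Running it on the constructed sample flags the first two proposals (3DES, SHA-1 and the 1024-bit group) and passes the last two. Feeding it a proposal list obtained from the server under test, translated into the assumed notation, gives a repeatable check that a hardening change actually removed the weak choices rather than merely reordering them.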
  • For reasons such as this and many, many others, MacOS is not considered a reasonable server operating system. You should migrate to Linux or *BSD. – EEAA Dec 06 '16 at 01:48
  • I'd suggest using openVPN via darwin ports instead: http://darwinports.opendarwin.org/ – randomnickname Dec 06 '16 at 10:37
  • Convincing my employer to make such changes will not be a trivial undertaking, but I'll see what I can do. Thanks... – CBHacking Dec 06 '16 at 19:19
  • I'm curious if you might not already have some other servers in your infrastructure that would work better for the purpose of serving the VPN; or maybe would invest in a dedicated add-on (a dedicated VPN box, even e.g. PFSense [@dim-0 & @EEAA any further comments Re: PfSense]?) It seems like you are security conscious, and knowledgeable of these protocols, so surely for the more secure parts of your net you already have other stuff running. – bourneN5years Dec 06 '16 at 20:05
  • From a completely different angle as well, you can restrict the users in OSX Server (even using the GUI) in several ways, e.g. only allow their IP address; only allow certain, perhaps dedicated, VPN user accounts; set up large shared keys, and just require your users to use only those. – bourneN5years Dec 06 '16 at 20:07
  • Were you ever able to find an answer to this question? I am trying to harden the VPN ciphers for a client needing to pass a PCI compliance test, and the macOS Server VPN service is an issue. – Jared Jul 09 '18 at 15:19

0 Answers