by Mister_Snuggles 2899 days ago
> For example, even though you can create a basic IKEv2 config, most of the parameters that are needed to actually make it work with a given router are not accessible except in Configurator. You cannot configure the encryption or hash algos, DH Group, group identifiers, etc.

It seems like some of these, such as encryption, hash algorithm, and DH group, should be configured on the server side, not the client side. I know that in the IPSec world the peers are roughly equal, but in this scenario the Mac is definitely playing the role of client. Likewise, there is no ability to configure the traffic selectors, and I'd argue that there probably shouldn't be.

I agree that there should be more configuration exposed in the UI though.

EDIT: I spent about a half hour trying, unsuccessfully, to configure an IKEv2 connection on macOS to a strongSwan server. I suspect a configuration problem on the strongSwan side, but the macOS side is so opaque that it makes it hard to match up the configs properly.

EDIT2: I remember why I stopped trying to get IKEv2 working - the fact that Split-DNS is not in the protocol yet, but with IKEv1 I can use the Cisco Unity extensions to do it.


There is no such thing as a client in IPsec - only peers. Both peers must agree to the encryption and authentication parameters before the security association can form. Because of this it is crucial that you are able to adjust to match. Also, while modifying the encryption domain is probably not super likely, I don’t see a reason it shouldn’t be editable.

This is correct, and I basically said as much.

However, with a Mac you are most likely using the VPN in a roadwarrior scenario. In this case, I'd argue that one of the peers should decide on what encryption, authentication, etc. should be used and the other peer (the roadwarrior Mac, in this case) should accept it.

In server-to-server or network-to-network scenarios, configuring both peers to match makes sense.

> other peer (the roadwarrior Mac, in this case) should accept it

The goal of proposals is not matching - it is finding the minimum security both sides agree on. I would not accept it if previously strong settings were suddenly downgraded. I, a roadwarrior, have the same rights and requirements as any server :)

I don’t disagree and this is why things like WireGuard are so attractive to people. But IPsec works the way it does mostly due to legacy and mostly because once you figure out the magic words it does work pretty well.
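As an added illustration of the negotiation the two commenters are arguing about (this is example code, not from the thread, Apple or strongSwan): a small model of IKEv2 proposal selection as described in RFC 7296 section 2.7, plus the client-side floor check that a roadwarrior needs if it is to refuse a downgrade rather than simply accept whatever the server prefers. Algorithm names follow strongSwan's keyword style; the server and client proposal lists and the policy floor are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Set

# A proposal maps each IKEv2 transform type to the algorithms offered for it, in
# preference order (names follow strongSwan's "aes256gcm16-prfsha384-ecp384" style).
Proposal = Dict[str, List[str]]
Chosen = Dict[str, str]
TRANSFORM_TYPES = ("encr", "integ", "prf", "dh")


def select_proposal(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Chosen]:
    """RFC 7296 section 2.7: the responder takes the initiator's proposals in order and
    accepts the first one where, for every transform type either side lists, at least
    one algorithm is common to both; the responder's preference order breaks ties.
    Returns the single-algorithm result, or None when no proposal is acceptable."""
    for offered in initiator:
        for local in responder:
            chosen: Chosen = {}
            for ttype in TRANSFORM_TYPES:
                # AEAD proposals carry no INTEG transform; skip a type neither side lists
                if ttype not in offered and ttype not in local:
                    continue
                common = [alg for alg in local.get(ttype, []) if alg in offered.get(ttype, [])]
                if not common:
                    break  # this pairing fails; try the responder's next proposal
                chosen[ttype] = common[0]
            else:
                return chosen
    return None


def meets_floor(chosen: Optional[Chosen], floor: Dict[str, Set[str]]) -> bool:
    """Client-side policy check: the negotiated SA is acceptable only if every transform
    type named in the floor ended up with an algorithm from its allowed set. This is the
    control a roadwarrior loses when its VPN UI exposes no algorithm settings."""
    if chosen is None:
        return False
    return all(chosen.get(ttype) in allowed for ttype, allowed in floor.items())


# Constructed server config: a modern AEAD proposal first, a legacy one kept for old clients.
SERVER = [
    {"encr": ["aes256gcm16"], "prf": ["prfsha384"], "dh": ["ecp384", "ecp256"]},
    {"encr": ["aes128"], "integ": ["sha1"], "prf": ["prfsha1"], "dh": ["modp1024"]},
]
# Constructed clients: one offering only the modern set, one offering only the legacy set.
MODERN_CLIENT = [{"encr": ["aes256gcm16"], "prf": ["prfsha384"], "dh": ["ecp256", "ecp384"]}]
LEGACY_CLIENT = [{"encr": ["aes128"], "integ": ["sha1"], "prf": ["prfsha1"], "dh": ["modp1024"]}]
# Constructed roadwarrior policy: no SHA-1 integrity, no 1024-bit MODP group.
CLIENT_FLOOR = {"encr": {"aes256gcm16", "aes256"}, "dh": {"ecp256", "ecp384", "modp2048"}}
```

With the legacy client the server still forms an SA (its second proposal matches), which is exactly the case where only a client-side floor like `CLIENT_FLOOR` can refuse the downgrade.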