by rmwaite 2900 days ago
There is no such thing as a client in IPsec - only peers. Both peers must agree to the encryption and authentication parameters before the security association can form. Because of this it is crucial that you are able to adjust to match. Also, while modifying the encryption domain is probably not super likely, I don’t see a reason it shouldn’t be editable.

This is correct, and I basically said as much.

However, with a Mac you are most likely using the VPN in a roadwarrior scenario. In this case, I'd argue that one of the peers should decide on what encryption, authentication, etc. should be used and the other peer (the roadwarrior Mac, in this case) should accept it.

In server-to-server or network-to-network scenarios, configuring both peers to match makes sense.

> other peer (the roadwarrior Mac, in this case) should accept it

The goal of proposals is not matching - it is finding the minimum security both sides agree on. I would not accept it if previously strong settings were suddenly downgraded. I, a roadwarrior, have the same rights and requirements as any server :)
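A simplified model of the proposal negotiation this reply describes, added here as an illustration and not code from the thread: the responder picks the first offered proposal it also supports, and the roadwarrior then applies its own strength floor and refuses anything weaker than the SA it negotiated last time. Transform names, strength ranks and both peers' proposal lists are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed strength ranks for this illustration (higher is stronger); a real
# deployment takes these from its own crypto policy, not from this table.
ENCR = {"aes256cbc": 3, "aes128cbc": 2, "3des": 0}
INTEG = {"sha256": 2, "sha1": 1}
DH = {"modp2048": 2, "modp1024": 0}


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str
    dh: str

    def strength(self) -> int:
        # A proposal is only as strong as its weakest transform.
        return min(ENCR[self.encr], INTEG[self.integ], DH[self.dh])


def responder_select(offered: List[Proposal], supported: List[Proposal]) -> Optional[Proposal]:
    """Responder returns the first offered proposal it also supports, walking the
    initiator's preference order; None means no SA can form (single choice, IKEv2 style)."""
    for p in offered:
        if p in supported:
            return p
    return None


def initiator_accept(chosen: Optional[Proposal], floor: int, previous: Optional[Proposal] = None) -> bool:
    """Roadwarrior-side policy: accept only a proposal at or above its own floor,
    and never one weaker than the SA negotiated previously (downgrade detection)."""
    if chosen is None:
        return False
    if chosen.strength() < floor:
        return False
    if previous is not None and chosen.strength() < previous.strength():
        return False
    return True


def negotiate(offered, supported, floor, previous=None) -> Optional[Proposal]:
    """One round: responder picks, initiator validates. Returns the agreed SA or None."""
    chosen = responder_select(offered, supported)
    return chosen if initiator_accept(chosen, floor, previous) else None


# Constructed peers: the Mac offers strong proposals first with a legacy fallback;
# the gateway is later reconfigured to offer only the legacy set.
MAC_OFFER = [Proposal("aes256cbc", "sha256", "modp2048"),
             Proposal("aes128cbc", "sha256", "modp2048"),
             Proposal("3des", "sha1", "modp1024")]
GATEWAY_TODAY = [Proposal("aes128cbc", "sha256", "modp2048"), Proposal("3des", "sha1", "modp1024")]
GATEWAY_DOWNGRADED = [Proposal("3des", "sha1", "modp1024")]
```

With `floor=0` and no memory of the previous SA the Mac would silently accept the 3DES proposal; passing the earlier SA as `previous` is what turns the downgrade into a refused connection.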

I don’t disagree and this is why things like Wireguard are so attractive to people. But IPsec works the way it does mostly due to legacy and mostly because once you figure out the magic words it does work pretty well.