If anyone is keen enough to be running their own VPN server for Apple clients, it’s worth noting
that as of the latest bits (10.11.4 OSX, 9.3 iOS) you can now use larger DH groups and more
modern hash and encryption algorithms for IKE Phase 1:
You were previously restricted to DH Group 2 (1024 bits), with SHA1 or MD5, and 3DES. This was a
matter of some concern following the publication of "Imperfect Forward Secrecy: How Diffie-Hellman
Fails in Practice" [1], which implied that brute-force attacks on the 1024 bit group were realistic,
plus the usual annoyance of 3DES being slow on general-purpose hardware.
There haven't been the same changes in Phase 2, so you are still restricted to using SHA1 for packet
authentication rather than SHA256 (or at least, that appears to be the case talking to my router, a
Mikrotik running 6.34.2).
I didn’t see any announcement of this, and I only stumbled over the Apple support document while
looking for something else. It does seem that Apple are closing off weaknesses that require
a state actor as your opponent.
I’ve tested this with iOS 9.3.1 and OSX 10.11.4. There doesn’t appear to be a performance penalty,
and there’s a substantial security benefit in using a larger DH group for Phase 1 (if you think your
opponent is a state-level actor, that is).
ian
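As an added illustration (not part of the original post, and not Apple's or Mikrotik's own documentation), here is the before/after described above written as RouterOS 6.x commands: the old Phase 1 proposal Apple clients forced you into, the stronger one the 9.3 / 10.11.4 clients accept, and the Phase 2 proposal with SHA1 left in place as the post observes. The attribute names (`hash-algorithm`, `enc-algorithm`, `dh-group` on `/ip ipsec peer`; `auth-algorithms`, `enc-algorithms` on `/ip ipsec proposal`) are assumed from the 6.x CLI of that era and should be checked against your router's own `print` output; the peer comment used to select the entry, and the choice of AES-256 for Phase 2 encryption (which the post does not discuss), are assumptions.

```routeros
# Added example, not from the original post. RouterOS 6.x attribute names are
# assumed; the peer is selected by a placeholder comment.

# Before: the only Phase 1 parameters older Apple clients would negotiate
# (DH group 2 = 1024-bit MODP, SHA1, 3DES), i.e. the settings the post
# says you were previously restricted to.
/ip ipsec peer set [find comment="apple-clients"] \
    hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024

# After: with iOS 9.3 / OS X 10.11.4 clients, offer a 2048-bit group,
# SHA-256 and AES for Phase 1. Because this is a single value rather than
# a list, modp1024 is no longer offered at all, so a client cannot be
# talked down to the weak group.
/ip ipsec peer set [find comment="apple-clients"] \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048

# Phase 2: per the post, packet authentication still has to be SHA1.
# AES-256-CBC for Phase 2 encryption is an assumption, not something the
# post states.
/ip ipsec proposal set [find default=yes] \
    auth-algorithms=sha1 enc-algorithms=aes-256-cbc

# Check: after a client connects, confirm what was actually negotiated
# rather than trusting the configuration. The installed SAs show the
# Phase 2 auth/enc algorithms in use.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

Apply the Phase 1 change only after every client has been updated: a device still on an older release will fail to negotiate once modp1024/SHA1/3DES are no longer offered, which is exactly the point, but it is worth knowing in advance which devices will drop.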