> On 2015-10-03, at 0040h, matthew j weaver <m...@ice-nine.org> wrote:
>
> I’ve not yet surfaced where the ikev2 proposal/policy configs hide in OS X.

For anyone still playing the home game: You’ll find the proposal configs for both phases of your VPN interface hiding in /Library/Preferences/com.apple.networkextension.plist . You can export that out to an editable file with defaults(1):

    # defaults export /Library/Preferences/com.apple.networkextension.plist - > /tmp/t.plist

… and jam it back into place with defaults(1):

    # defaults import /Library/Preferences/com.apple.networkextension.plist - < /tmp/t.plist

You’ll need to Apply changes from inside the network preferences GUI to trigger loading the plist.

There is documentation hiding here for the various options and values:

https://developer.apple.com/library/prerelease/mac/documentation/NetworkExtension/Reference/NEVPNIKEv2SecurityAssociationParametersClassRef/index.html#//apple_ref/doc/constant_group/NEVPNIKEv2EncryptionAlgorithm

For instance,

    DiffieHellmanGroup : 18
    EncryptionAlgorithm : 4
    IntegrityAlgorithm : 5

and

    DiffieHellmanGroup : 18
    EncryptionAlgorithm : 6

Correspond (respectively) to:

    ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group modp8192

and

    childsa enc aes-256-gcm group modp8192

Works fine with OS X 10.11.1 and a recent 5.8 snapshot.

Thanks again, reyk@ and others for all the work. This is a pleasant future to be living in.

weaver
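
The mapping described in the message above, as an added example that is not part of the original post: it finds every dictionary in an exported plist that carries the three key names quoted there and renders it as the matching iked.conf(5) clause. The sample plist is constructed, its `IKE` and `Child` key names are placeholders (the post does not describe the real file's nesting), and the function names are hypothetical.

```python
import plistlib

# Numeric values of Apple's NEVPNIKEv2EncryptionAlgorithm and
# NEVPNIKEv2IntegrityAlgorithm constants, mapped to iked.conf(5) names.
ENC = {2: "3des", 3: "aes-128", 4: "aes-256", 5: "aes-128-gcm", 6: "aes-256-gcm"}
AUTH = {2: "hmac-sha1", 3: "hmac-sha2-256", 4: "hmac-sha2-384", 5: "hmac-sha2-512"}
# DiffieHellmanGroup carries the IANA group number directly.
GROUP = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
         16: "modp4096", 17: "modp6144", 18: "modp8192",
         19: "ecp256", 20: "ecp384", 21: "ecp521"}
SA_KEYS = {"DiffieHellmanGroup", "EncryptionAlgorithm", "IntegrityAlgorithm"}

def find_sa_params(node, path=()):
    """Yield (path, dict) for every dict holding SA parameter keys."""
    if isinstance(node, dict):
        if node.keys() & SA_KEYS:
            yield path, node
        for key, value in node.items():
            yield from find_sa_params(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_sa_params(value, path + (i,))

def to_iked(kind, params):
    """Render one parameter dict as an 'ikesa' or 'childsa' clause."""
    enc = ENC[params["EncryptionAlgorithm"]]  # KeyError: value not in table
    integ = params.get("IntegrityAlgorithm")
    parts = [kind]
    if integ is not None and not enc.endswith("-gcm"):
        parts += ["auth", AUTH[integ]]        # AEAD ciphers take no auth
    parts += ["enc", enc]
    if kind == "ikesa" and integ is not None:
        parts += ["prf", AUTH[integ]]         # as in the post: prf mirrors integrity
    parts += ["group", GROUP[params["DiffieHellmanGroup"]]]
    return " ".join(parts)

# Constructed sample; "IKE" and "Child" are placeholder key names.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>IKE</key><dict><key>DiffieHellmanGroup</key><integer>18</integer>
<key>EncryptionAlgorithm</key><integer>4</integer>
<key>IntegrityAlgorithm</key><integer>5</integer></dict>
<key>Child</key><dict><key>DiffieHellmanGroup</key><integer>18</integer>
<key>EncryptionAlgorithm</key><integer>6</integer></dict>
</dict></plist>"""

if __name__ == "__main__":
    for path, params in find_sa_params(plistlib.loads(SAMPLE)):
        kind = "ikesa" if path[-1] == "IKE" else "childsa"
        print(path, "->", to_iked(kind, params))
```

A value missing from the tables raises `KeyError`, so an unexpected number in the plist is surfaced rather than silently translated.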