Bug #12948
closed
IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration
100%
Description
When mixing AE ciphers in a P2 with AEAD ciphers (e.g. AES with AES128-GCM), the wizard will generate a script with the following:
# Set VPN Config Set-VpnConnectionIPsecConfiguration -Name "VPN (pfsense) - UNA IPsec VPN" ` -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 ` -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants SHA256128 -PfsGroup None ` -PassThru -Force
When using the "-GCM" ciphers, the wizard should default to using the most secure valid combination. In this case AuthenticationTransformConstants should be set to None. An invalid combination leads to a Windows error stating:
The IPsec cipher transform is not compatible with the policy.
Supported combinations and more details are listed here:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/description-support-suite-b-cryptographic-ipsec
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
Related issues
Updated by Viktor Gurov about 2 years ago
- Assignee set to Viktor Gurov
- Release Notes deleted (
Default)
Updated by Jim Pingle about 2 years ago
- Project changed from pfSense Plus to pfSense Packages
- Category changed from IPsec to IPsec Profile Wizard
- Status changed from New to Pull Request Review
Updated by Viktor Gurov about 2 years ago
- Status changed from Pull Request Review to Feedback
Merged
Updated by
Updated by Jim Pingle about 1 year ago
- Related to Bug #13368: IPsec Profile Wizard/Windows: Cannot generate a script for IKEv2 VPN using GCM ciphers when mobile P2 has no hash algorithms selected added
Updated by Jim Pingle about 1 year ago
- Related to Bug #13877: IPsec Profile Wizard/Windows: IKEv2 VPN using GCM configured by the generated script fails to connect with "The IPsec cipher transform is not compatible with the policy" added
Updated by Jim Pingle about 1 year ago
- Status changed from Resolved to New
- Assignee changed from Viktor Gurov to Jim Pingle
Updated by Jim Pingle about 1 year ago
Updated by Jim Pingle about 1 year ago
- Subject changed from IPsec Export: Windows generates invalid configuration to IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration
Updated by Jim Pingle about 1 year ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Fixed in IPsec Profile Wizard pkg v. 1.1, which has been committed and will be available with the next build.
Updated by Danilo Zrenjanin about 1 year ago
Tested against:
23.01-RC (amd64) built on Thu Jan 26 21:31:39 UTC 2023 FreeBSD 14.0-CURRENT
ipsec-profile-wizard net 1.1_1
The generated script looks fine:
# IKEv2 VPN Import Script # Automatically generated by pfSense Set-Location -Path $PSScriptRoot # Import Server Certificate CA Import-Certificate -FilePath "pfSense_ikev2_63d3a321cb738.pem" -CertStoreLocation Cert:\LocalMachine\Root\ # Add VPN Connection Add-VpnConnection -Name "VPN (pftest2) - Remote-IPsec" -TunnelType "Ikev2" -EncryptionLevel Required ` -ServerAddress IPsec_Cert -PassThru # Set VPN Config Set-VpnConnectionIPsecConfiguration -Name "VPN (pftest2) - Remote-IPsec" ` -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 ` -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants GCMAES128 -PfsGroup PFS2048 ` -PassThru -Force
I was able to import the config and connect successfully from Windows 10 machine.
This ticket can be resolved.
Updated by Jim Pingle about 1 year ago
- Status changed from Feedback to Resolved