Bug #12948 (closed): IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration
% Done: 100%
Description
When mixing AES ciphers with AEAD ciphers in a P2 (e.g. AES with AES128-GCM), the wizard generates a script containing the following:

    # Set VPN Config
    Set-VpnConnectionIPsecConfiguration -Name "VPN (pfsense) - UNA IPsec VPN" `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
        -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants SHA256128 -PfsGroup None `
        -PassThru -Force
When using the "-GCM" ciphers, the wizard should default to the most secure valid combination. In this case AuthenticationTransformConstants should be set to None. An invalid combination leads to a Windows error stating:
The IPsec cipher transform is not compatible with the policy.
Supported combinations and more details are listed here:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/description-support-suite-b-cryptographic-ipsec
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
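As an added illustration (not the wizard's own code), the following PowerShell builds the Phase 2 parameters the way this report recommends, forcing AuthenticationTransformConstants to None whenever a GCM cipher transform is selected, and includes a pre-flight check for an already generated script; the function names are hypothetical, the connection name and Phase 1 values are taken from the generated script above.

```powershell
# Added example, not the pfSense wizard's code. Builds the parameter set for
# Set-VpnConnectionIPsecConfiguration from the wizard's P2 cipher/hash choice.
function Get-IkeV2Phase2Config {
    param(
        [Parameter(Mandatory)][string] $ConnectionName,
        [Parameter(Mandatory)]
        [ValidateSet('AES128','AES192','AES256','GCMAES128','GCMAES192','GCMAES256')]
        [string] $Cipher,
        # Hash chosen in the wizard; only used for non-GCM ciphers.
        [ValidateSet('SHA196','SHA256128')][string] $Hash = 'SHA256128'
    )

    $isGcm = $Cipher -like 'GCMAES*'
    # Rule from the report: a GCM (AEAD) cipher transform must not be paired with
    # SHA256128, or Windows rejects it with
    # "The IPsec cipher transform is not compatible with the policy."
    $auth = if ($isGcm) { 'None' } else { $Hash }

    return @{
        Name                             = $ConnectionName
        EncryptionMethod                 = 'AES256'   # Phase 1 values from the generated script
        IntegrityCheckMethod             = 'SHA256'
        DHGroup                          = 'Group14'
        CipherTransformConstants         = $Cipher
        AuthenticationTransformConstants = $auth
        PfsGroup                         = 'None'
        PassThru                         = $true
        Force                            = $true
    }
}

# Pre-flight check (hypothetical helper) for a parameter set produced elsewhere,
# e.g. copied out of a wizard-generated script.
function Test-Phase2Combination {
    param([hashtable] $Config)
    if ($Config.CipherTransformConstants -like 'GCMAES*' -and
        $Config.AuthenticationTransformConstants -ne 'None') {
        return "Invalid: $($Config.CipherTransformConstants) with " +
               "$($Config.AuthenticationTransformConstants); set AuthenticationTransformConstants to None"
    }
    return 'OK'
}

$cfg = Get-IkeV2Phase2Config -ConnectionName 'VPN (pfsense) - UNA IPsec VPN' -Cipher 'GCMAES128'
Test-Phase2Combination $cfg                 # OK: GCMAES128 with None
Set-VpnConnectionIPsecConfiguration @cfg    # applies the corrected Phase 2 settings
```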