Bug #12948

closed

IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration

Added by Marcos M about 2 years ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec Profile Wizard
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

When mixing AE ciphers in a P2 with AEAD ciphers (e.g. AES with AES128-GCM), the wizard will generate a script with the following:

# Set VPN Config
Set-VpnConnectionIPsecConfiguration -Name "VPN (pfsense) - UNA IPsec VPN" `
 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
 -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants SHA256128 -PfsGroup None `
 -PassThru -Force

When using the "-GCM" ciphers, the wizard should default to using the most secure valid combination. In this case AuthenticationTransformConstants should be set to None. An invalid combination leads to a Windows error stating:

The IPsec cipher transform is not compatible with the policy.

Supported combinations and more details are listed here:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/description-support-suite-b-cryptographic-ipsec
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
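As an added example (not part of the bug report or of the pfSense wizard output), a pre-flight check that catches the Phase 2 transform pair described above before the generated script applies it. The check follows the report's stated rule, namely that a GCM cipher transform should not be paired with a separate HMAC authentication transform; the function name and the hashtable are constructed for this example, and the cmdlet parameters are taken from the wizard script in the description.

```powershell
# Added example: validate the Phase 2 transform pair that the wizard passes to
# Set-VpnConnectionIPsecConfiguration. A GCM cipher transform already provides
# integrity, so pairing it with a separate HMAC transform is the combination the
# report says Windows rejects with "The IPsec cipher transform is not compatible
# with the policy". Function and object shape are constructed for this example.
function Test-IkeV2Phase2Transforms {
    param(
        [Parameter(Mandatory)] [string] $CipherTransformConstants,
        [Parameter(Mandatory)] [string] $AuthenticationTransformConstants
    )
    # HMAC-style authentication transforms accepted by the cmdlet
    $hmacTransforms = @('MD596', 'SHA196', 'SHA256128')
    $isAead = $CipherTransformConstants -like 'GCMAES*'

    if ($isAead -and ($AuthenticationTransformConstants -in $hmacTransforms)) {
        return [pscustomobject]@{
            IsValid   = $false
            Reason    = "AEAD cipher $CipherTransformConstants paired with HMAC transform $AuthenticationTransformConstants"
            # Replacement value as recommended in the bug report
            Suggested = 'None'
        }
    }
    return [pscustomobject]@{ IsValid = $true; Reason = 'OK'; Suggested = $AuthenticationTransformConstants }
}

# Phase 2 parameters as emitted by the wizard in this report (copied from the description)
$p2 = @{
    CipherTransformConstants         = 'GCMAES128'
    AuthenticationTransformConstants = 'SHA256128'
}

$check = Test-IkeV2Phase2Transforms @p2
if (-not $check.IsValid) {
    Write-Warning "$($check.Reason); using -AuthenticationTransformConstants $($check.Suggested)"
    $p2.AuthenticationTransformConstants = $check.Suggested
}

# Apply the checked Phase 2 settings; the connection name, Phase 1 settings and
# PFS group are kept exactly as the wizard generated them.
Set-VpnConnectionIPsecConfiguration -Name "VPN (pfsense) - UNA IPsec VPN" `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants $p2.CipherTransformConstants `
    -AuthenticationTransformConstants $p2.AuthenticationTransformConstants `
    -PfsGroup None -PassThru -Force
```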


Related issues

Related to Bug #13368: IPsec Profile Wizard/Windows: Cannot generate a script for IKEv2 VPN using GCM ciphers when mobile P2 has no hash algorithms selected (Resolved, Jim Pingle)

Related to Bug #13877: IPsec Profile Wizard/Windows: IKEv2 VPN using GCM configured by the generated script fails to connect with "The IPsec cipher transform is not compatible with the policy" (Resolved, Jim Pingle)