Bug #13368

open

IPsec Profile wizard for Windows does not allow GCMAES256 export.

Added by Marcos M 2 months ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec Profile Wizard
Target version: -
% Done: 0%

Description

The following P1 cipher suite is supported by Windows natively, yet the wizard prevents it:

AES256-GCM | 128 bits | SHA384 | 20 (nist ecp384)

Phase 1 DH Group unsupported by this client. Supported values are (1, 2, 14, 19, 20, 24)

Switching the Algorithm from AES256-GCM to AES allows the wizard to export a profile.

Additionally, the DestinationPrefix parameter for Add-VpnConnectionRoute does not accept 0.0.0.0/0, hence the command will fail when the P2 includes that as the local network. This command is meant for split tunneling and should not be included when the P2 local network is 0.0.0.0/0.
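
The route handling described in the report, sketched as an added example (not the wizard's code and not part of the original report). The function name, connection name and sample networks are hypothetical, and pairing the full-tunnel case with Set-VpnConnection -SplitTunneling $false is this example's assumption.

```powershell
# Added example (not the wizard's code). Emits the split-tunnel lines of an
# exported script as text, so it runs without an existing VPN connection.
function Get-VpnRouteCommands {
    param(
        [Parameter(Mandatory)][string] $ConnectionName,
        # P2 local networks in IPv4 CIDR form; anything else is rejected so
        # the value cannot break out of the generated command line.
        [Parameter(Mandatory)]
        [ValidatePattern('^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$')]
        [string[]] $LocalNetworks
    )
    # Double any single quote so the name stays inside its quoted literal.
    $name = $ConnectionName -replace "'", "''"

    if ($LocalNetworks -contains '0.0.0.0/0') {
        # Full tunnel: Add-VpnConnectionRoute rejects 0.0.0.0/0, so emit no
        # route lines. Turning split tunneling off is this example's assumption.
        return "Set-VpnConnection -Name '$name' -SplitTunneling `$false"
    }

    # Split tunnel: one route per P2 network.
    "Set-VpnConnection -Name '$name' -SplitTunneling `$true"
    foreach ($prefix in $LocalNetworks) {
        "Add-VpnConnectionRoute -ConnectionName '$name' -DestinationPrefix '$prefix'"
    }
}

# Constructed sample inputs.
Get-VpnRouteCommands -ConnectionName 'Example VPN' -LocalNetworks '0.0.0.0/0'
Get-VpnRouteCommands -ConnectionName 'Example VPN' -LocalNetworks '10.20.0.0/16', '192.168.50.0/24'
```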


Actions #1

Updated by Kris Phillips about 2 months ago

I tried to recreate this and got a different error message with the same Phase 1 settings:

Phase 1 Hash Algorithm unsupported by this client. Supported values are (md5, sha1, sha256, sha384)

However, my hash algorithm IS set to SHA384. See attached screenshot.

Either way, according to Microsoft, Windows 11 supports all of the items the wizard is saying it doesn't, so may want to change it to just warn "this may not work on older versions of Windows" rather than blocking it outright.

Actions #2

Updated by Kris Phillips about 2 months ago

Setting "Auto" for the algorithm also causes issues. Formerly, it used to error out on "Auto" not being a valid option. Now it throws the attached error.

Seems something is very wrong with the validation here.
