Bug #13368

closed

IPsec Profile Wizard/Windows: Cannot generate a script for IKEv2 VPN using GCM ciphers when mobile P2 has no hash algorithms selected

Added by Marcos M over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec Profile Wizard
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

The following P1 cipher suite is supported by Windows natively, yet the wizard prevents it:

AES256-GCM | 128 bits | SHA384 | 20 (nist ecp384)

Phase 1 DH Group unsupported by this client. Supported values are (1, 2, 14, 19, 20, 24)

Switching the Algorithm from AES256-GCM to AES allows the wizard to export a profile.

Related issues

Related to Bug #12948: IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration (Resolved, Jim Pingle)

Related to Bug #13877: IPsec Profile Wizard/Windows: IKEv2 VPN using GCM configured by the generated script fails to connect with "The IPsec cipher transform is not compatible with the policy" (Resolved, Jim Pingle)

#1

Updated by Kris Phillips over 1 year ago

I tried to recreate this and got a different error message with the same Phase 1 settings:

Phase 1 Hash Algorithm unsupported by this client. Supported values are (md5, sha1, sha256, sha384)

However, my hash algorithm IS set to SHA384. See attached screenshot.

Either way, according to Microsoft, Windows 11 supports all of the items the wizard is saying it doesn't, so you may want to change it to just warn "this may not work on older versions of Windows" rather than blocking it outright.

#2

Updated by Kris Phillips over 1 year ago

Setting "Auto" for the algorithm also causes issues. Formerly, it used to error out on "Auto" not being a valid option. Now it throws the attached error.

Seems something is very wrong with the validation here.

#3

Updated by Jim Pingle about 1 year ago

  • Assignee set to Jim Pingle

#4

Updated by Jim Pingle about 1 year ago

  • Subject changed from IPsec Profile wizard for Windows does not allow GCMAES256 export. to IPsec Profile wizard for Windows does not allow GCMAES256 export
  • Description updated (diff)

Moving the unrelated split tunnel part to a new issue (#13897).

#5

Updated by Jim Pingle about 1 year ago

This appears to have been broken by the change in #12948: the fix from that issue forced the P1 hash to 'None' when the P1 is using GCM, which is invalid (IntegrityCheckMethod). It should have been changing the P2 hash when the P2 algo is using GCM (AuthenticationTransformConstants), and the value should have been '', which gets translated by the script to an ultimate value of None in the generated command.

Though based on #13877 that may also not be quite right, but that will be a separate change. Both need further testing before I push any changes.

#6

Updated by Jim Pingle about 1 year ago

  • Related to Bug #12948: IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration added

#7

Updated by Jim Pingle about 1 year ago

After testing, the value of AuthenticationTransformConstants should apparently be set to match CipherTransformConstants when using GCM. Though PowerShell accepts 'None' it won't connect. See #13877.
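As an added example, not part of this issue or of the IPsec Profile Wizard package's own generated script: the following PowerShell builds the parameter set for the built-in Set-VpnConnectionIPsecConfiguration cmdlet from a pfSense-style mobile P1/P2 selection and applies the two rules established above, i.e. IntegrityCheckMethod stays a real hash even when the P1 cipher is GCM (the P1 'None' from #12948 is invalid), and a GCM P2 sets AuthenticationTransformConstants equal to CipherTransformConstants rather than None (the 'None' that PowerShell accepts but that does not connect, per #13877). The function name, the pfSense-style input labels and the connection name are assumptions made for this example; the cmdlet parameter names and value sets are those of the VpnClient module.

```powershell
# Added example (not the wizard's code): map a pfSense mobile P1/P2 selection
# onto Set-VpnConnectionIPsecConfiguration parameters with the GCM rules applied.
function ConvertTo-WindowsIkeV2Config {
    param(
        [Parameter(Mandatory)] [string] $ConnectionName,
        [Parameter(Mandatory)] [string] $P1Encryption,  # 'AES256-GCM', 'AES256', ...
        [Parameter(Mandatory)] [string] $P1Hash,        # 'SHA384', 'SHA256', ...
        [Parameter(Mandatory)] [int]    $P1DhGroup,     # 20 = nist ecp384
        [Parameter(Mandatory)] [string] $P2Encryption,  # 'AES256-GCM', 'AES256', ...
        [string] $P2Hash = '',                          # '' = no P2 hash selected (GCM)
        [int]    $P2PfsGroup = 0                        # 0 = PFS off
    )

    # pfSense algorithm label -> Windows cipher/transform constant
    $cipher = @{
        'AES128' = 'AES128'; 'AES192' = 'AES192'; 'AES256' = 'AES256'
        'AES128-GCM' = 'GCMAES128'; 'AES192-GCM' = 'GCMAES192'; 'AES256-GCM' = 'GCMAES256'
    }
    # pfSense P2 hash -> ESP integrity transform (only used when P2 is not GCM)
    $espAuth = @{ 'MD5' = 'MD596'; 'SHA1' = 'SHA196'; 'SHA256' = 'SHA256128' }
    # DH groups the Windows client accepts (the same list the wizard's error quotes)
    $dh  = @{ 1 = 'Group1'; 2 = 'Group2'; 14 = 'Group14'; 19 = 'ECP256'; 20 = 'ECP384'; 24 = 'Group24' }
    $pfs = @{ 0 = 'None'; 1 = 'PFS1'; 2 = 'PFS2'; 14 = 'PFS2048'; 19 = 'ECP256'; 20 = 'ECP384'; 24 = 'PFS24' }
    # IntegrityCheckMethod is the IKE PRF/integrity hash and is always required;
    # 'None' is not an accepted value here, which is what broke the wizard in #12948.
    $ikeHash = @('MD5', 'SHA1', 'SHA256', 'SHA384')

    if (-not $cipher.ContainsKey($P1Encryption)) { throw "Phase 1 encryption '$P1Encryption' unsupported by this client." }
    # EncryptionMethod accepts GCMAES128/GCMAES256 but not GCMAES192.
    if ($cipher[$P1Encryption] -eq 'GCMAES192') { throw "Phase 1 GCM must be AES128-GCM or AES256-GCM on this client." }
    if ($ikeHash -notcontains $P1Hash.ToUpper()) { throw "Phase 1 hash '$P1Hash' unsupported; supported values are ($($ikeHash -join ', '))." }
    if (-not $dh.ContainsKey($P1DhGroup)) { throw "Phase 1 DH group $P1DhGroup unsupported; supported values are ($(($dh.Keys | Sort-Object) -join ', '))." }
    if (-not $cipher.ContainsKey($P2Encryption)) { throw "Phase 2 encryption '$P2Encryption' unsupported by this client." }
    if (-not $pfs.ContainsKey($P2PfsGroup)) { throw "PFS group $P2PfsGroup unsupported by this client." }

    $p2Cipher = $cipher[$P2Encryption]
    if ($p2Cipher -like 'GCMAES*') {
        # AEAD cipher: integrity comes from the cipher itself. PowerShell accepts
        # 'None' for the auth transform but the tunnel then fails to connect
        # (#13877), so mirror the cipher transform instead.
        $p2Auth = $p2Cipher
    }
    elseif ($espAuth.ContainsKey($P2Hash.ToUpper())) {
        $p2Auth = $espAuth[$P2Hash.ToUpper()]
    }
    else {
        # A non-AEAD ESP cipher with no integrity transform is not a valid policy.
        throw "Phase 2 needs a hash (MD5, SHA1 or SHA256) when the cipher is not GCM."
    }

    # Shaped for splatting into Set-VpnConnectionIPsecConfiguration
    return @{
        ConnectionName                   = $ConnectionName
        EncryptionMethod                 = $cipher[$P1Encryption]
        IntegrityCheckMethod             = $P1Hash.ToUpper()
        DHGroup                          = $dh[$P1DhGroup]
        CipherTransformConstants         = $p2Cipher
        AuthenticationTransformConstants = $p2Auth
        PfsGroup                         = $pfs[$P2PfsGroup]
    }
}

# The suite from this issue: P1 AES256-GCM / SHA384 / DH group 20, P2 AES256-GCM
# with no hash selected. Connection name is a placeholder for this example.
$ipsec = ConvertTo-WindowsIkeV2Config -ConnectionName 'pfSense-IKEv2' `
    -P1Encryption 'AES256-GCM' -P1Hash 'SHA384' -P1DhGroup 20 `
    -P2Encryption 'AES256-GCM' -P2Hash '' -P2PfsGroup 20
$ipsec.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Apply only when the connection already exists (created earlier with Add-VpnConnection).
if (Get-VpnConnection -Name $ipsec.ConnectionName -ErrorAction SilentlyContinue) {
    Set-VpnConnectionIPsecConfiguration @ipsec -Force
}
```

Run as a standard user to inspect the mapping (the table is printed either way); the Set-VpnConnectionIPsecConfiguration call only fires when a connection of that name exists. For the suite in the description the result is EncryptionMethod GCMAES256, IntegrityCheckMethod SHA384, DHGroup ECP384, with both P2 transform constants set to GCMAES256 and PfsGroup ECP384, which is exactly the combination the wizard was rejecting.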

#8

Updated by Jim Pingle about 1 year ago

  • Related to Bug #13877: IPsec Profile Wizard/Windows: IKEv2 VPN using GCM configured by the generated script fails to connect with "The IPsec cipher transform is not compatible with the policy" added

#9

Updated by Jim Pingle about 1 year ago

  • Subject changed from IPsec Profile wizard for Windows does not allow GCMAES256 export to IPsec Profile Wizard/Windows: Cannot generate a script for IKEv2 VPN using GCM ciphers when mobile P2 has no hash algorithms selected

#10

Updated by Jim Pingle about 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Fixed in IPsec Profile Wizard pkg v. 1.1, which has been committed and will be available with the next build.

#11

Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Resolved