Bug #13368
closed
IPsec Profile Wizard/Windows: Cannot generate a script for IKEv2 VPN using GCM ciphers when mobile P2 has no hash algorithms selected
Added by Marcos M almost 3 years ago.
Updated over 2 years ago.
Category: IPsec Profile Wizard
Description
The following P1 cipher suite is supported by Windows natively, yet the wizard prevents it:
AES256-GCM | 128 bits | SHA384 | 20 (nist ecp384)
Phase 1 DH Group unsupported by this client. Supported values are (1, 2, 14, 19, 20, 24)
Switching the Algorithm from AES256-GCM to AES allows the wizard to export a profile.
I tried to recreate this and got a different error message with the same Phase 1 settings:
Phase 1 Hash Algorithm unsupported by this client. Supported values are (md5, sha1, sha256, sha384)
However, my hash algorithm IS set to SHA384. See attached screenshot.
Either way, according to Microsoft, Windows 11 supports all of the items the wizard is saying it doesn't, so you may want to change it to just warn "this may not work on older versions of Windows" rather than blocking it outright.
Setting "Auto" for the algorithm also causes issues. Formerly, it used to error out on "Auto" not being a valid option. Now it throws the attached error.
Seems something is very wrong with the validation here.
- Assignee set to Jim Pingle
- Subject changed from IPsec Profile wizard for Windows does not allow GCMAES256 export. to IPsec Profile wizard for Windows does not allow GCMAES256 export
- Description updated (diff)
Moving the unrelated split tunnel part to a new issue (#13897).
This appears to have been broken by the change in #12948: the fix from that issue forced the P1 hash to 'None' when the P1 is using GCM, which is invalid (IntegrityCheckMethod). It should have been changing the P2 hash when the P2 algo is using GCM (AuthenticationTransformConstants), and the value should have been '', which gets translated by the script to an ultimate value of None in the generated command.
Though based on #13877 that may also not be quite right but that will be a separate change. Both need further testing before I push any changes.
- Related to Bug #12948: IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration added
After testing, the value of AuthenticationTransformConstants should apparently be set to match CipherTransformConstants when using GCM. Though PowerShell accepts 'None', it won't connect. See #13877.
- Related to Bug #13877: IPsec Profile Wizard/Windows: IKEv2 VPN using GCM configured by the generated script fails to connect with "The IPsec cipher transform is not compatible with the policy" added
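Added example (not the wizard's generated script or pfSense code): a helper that applies the rule from the two comments above to the built-in VpnClient cmdlet, so that P1 keeps a real integrity hash even with a GCM cipher and P2 sets the authentication transform equal to the cipher transform when it is GCM. The function name, parameter names and the connection name 'ExampleIKEv2' are assumptions; the connection must already exist (Add-VpnConnection).

```powershell
# Hypothetical helper, not part of the IPsec Profile Wizard.
# Maps pfSense-style P1/P2 settings onto Set-VpnConnectionIPsecConfiguration.
function Set-ExampleIkev2Policy {
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        # P1 (IKE SA): cipher, hash and DH group; group 20 is ECP384.
        [ValidateSet('AES256', 'GCMAES256')][string]$P1Cipher = 'GCMAES256',
        [ValidateSet('SHA256', 'SHA384')][string]$P1Hash = 'SHA384',
        # P2 (child SA): cipher plus an optional hash for non-GCM ciphers.
        [ValidateSet('AES256', 'GCMAES256')][string]$P2Cipher = 'GCMAES256',
        [ValidateSet('SHA256128', 'None')][string]$P2Hash = 'None'
    )

    # P1: Windows rejects IntegrityCheckMethod 'None' even for a GCM cipher
    # (the #12948 regression), so the P1 hash is always passed through.

    # P2: for a GCM cipher the authentication transform must match the
    # cipher transform; 'None' is accepted by the cmdlet but the tunnel
    # never connects (#13877). Only a non-GCM P2 cipher uses $P2Hash.
    if ($P2Cipher -like 'GCM*') {
        $p2Auth = $P2Cipher
    } elseif ($P2Hash -eq 'None') {
        throw "A non-GCM P2 cipher ($P2Cipher) needs a P2 hash algorithm."
    } else {
        $p2Auth = $P2Hash
    }

    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -EncryptionMethod $P1Cipher `
        -IntegrityCheckMethod $P1Hash `
        -DHGroup ECP384 `
        -CipherTransformConstants $P2Cipher `
        -AuthenticationTransformConstants $p2Auth `
        -PfsGroup ECP384 `
        -Force -PassThru
}

# Usage: the suite from the bug description (AES256-GCM / SHA384 / group 20)
# with a GCM-only mobile P2; 'ExampleIKEv2' is a placeholder connection name.
Set-ExampleIkev2Policy -ConnectionName 'ExampleIKEv2'

# Check what was applied.
(Get-VpnConnection -Name 'ExampleIKEv2').IPsecCustomPolicy
```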
- Subject changed from IPsec Profile wizard for Windows does not allow GCMAES256 export to IPsec Profile Wizard/Windows: Cannot generate a script for IKEv2 VPN using GCM ciphers when mobile P2 has no hash algorithms selected
- Status changed from New to Feedback
- % Done changed from 0 to 100
Fixed in IPsec Profile Wizard pkg v. 1.1, which has been committed and will be available with the next build.
- Status changed from Feedback to Resolved