Bug #13877
Status: Closed
IPsec Profile Wizard/Windows: IKEv2 VPN using GCM configured by the generated script fails to connect with "The IPsec cipher transform is not compatible with the policy"
% Done: 100%
Description
I was exporting a test config to Windows which had a large number of different P1 options, and the profile generated the following command:
Set-VpnConnectionIPsecConfiguration -Name "VPN (k9) - Mobile IPsec" `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group2 `
    -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants SHA256128 -PfsGroup PFS2048 `
    -PassThru -Force
This resulted in an error when Windows tried to connect:
The IPsec cipher transform is not compatible with the policy
Similar to #12948, but #12948 suggested setting AuthenticationTransformConstants to None, which did not help this case, and it wasn't set that way in the profile as the previous fix there seemed to imply it should be.
In this case, I had to set AuthenticationTransformConstants to GCMAES128, and at that point it succeeded.
I have the server config handy that ended up exporting that in my lab.
Related issues
Updated by Kris Phillips over 2 years ago
Redmine 13368 may be related, as it's in a similar vein: https://redmine.pfsense.org/issues/13368
Updated by Jim Pingle over 2 years ago
After testing, the value of AuthenticationTransformConstants should be set to match CipherTransformConstants when using GCM. Though PowerShell accepts 'None', it won't connect. With them set to match, the VPN connects and passes traffic successfully. This seems to be the original intent of NG 7211, but the extra handling added in #12948, which also broke #13368, also broke this in a slightly different way.
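The following PowerShell is an added example illustrating the rule stated in the description and in the comment above; it is not code from the IPsec Profile Wizard package or from pfSense. It builds the Phase 2 transform parameters so that, for a GCM cipher, AuthenticationTransformConstants is set equal to CipherTransformConstants whether or not a P2 hash was selected, applies them with the same Set-VpnConnectionIPsecConfiguration parameters the generated script used, and then reads the policy back to flag the mismatched combination that produces "The IPsec cipher transform is not compatible with the policy". The function name Get-IPsecP2Params, the non-GCM hash-to-constant mapping and its SHA256128 fallback, and the connection name are assumptions made for the example.

```powershell
# Added example, not the Profile Wizard's own code.
# Derive the Windows P2 transform constants from the server-side P2 settings.
#   $Cipher : a CipherTransformConstants value, e.g. GCMAES128 or AES256
#   $Hash   : the selected P2 hash (SHA1/SHA256), or $null when none is selected
function Get-IPsecP2Params {
    param(
        [Parameter(Mandatory)][string]$Cipher,
        [string]$Hash
    )

    $params = @{ CipherTransformConstants = $Cipher }

    if ($Cipher -like 'GCMAES*') {
        # GCM is an AEAD transform. Per the thread, Windows rejects a separate HMAC
        # here, and 'None' is accepted by PowerShell but the tunnel never connects;
        # the auth constant must match the cipher constant regardless of the P2 hash.
        $params.AuthenticationTransformConstants = $Cipher
    }
    else {
        # Non-GCM cipher: map the P2 hash to an HMAC constant (assumed mapping),
        # falling back to SHA256128 when no hash is selected (assumption).
        $params.AuthenticationTransformConstants = switch ($Hash) {
            'SHA1'   { 'SHA196' }
            'SHA256' { 'SHA256128' }
            default  { 'SHA256128' }
        }
    }
    return $params
}

$vpnName = 'VPN (k9) - Mobile IPsec'   # assumed name, as in the reported script

# Same Phase 1 parameters as the generated script; P2 constants come from the helper.
$p2 = Get-IPsecP2Params -Cipher 'GCMAES128' -Hash 'SHA256'
Set-VpnConnectionIPsecConfiguration -Name $vpnName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group2 `
    -PfsGroup PFS2048 @p2 -PassThru -Force

# Read the stored policy back and flag the combination that fails to connect.
$policy = (Get-VpnConnection -Name $vpnName).IPsecCustomPolicy
if ($policy.CipherTransformConstants -like 'GCMAES*' -and
    $policy.AuthenticationTransformConstants -ne $policy.CipherTransformConstants) {
    Write-Warning ("GCM cipher {0} with auth transform {1}: expect 'The IPsec cipher " +
                   "transform is not compatible with the policy'") -f
                   $policy.CipherTransformConstants, $policy.AuthenticationTransformConstants
}
else {
    Write-Host "P2 transforms consistent: $($policy.CipherTransformConstants) / $($policy.AuthenticationTransformConstants)"
}
```

Run it in an elevated PowerShell session on the Windows client after the VPN connection exists. Passing -Hash $null exercises the "no P2 hash selected" case from #13368; for GCMAES128 the helper still returns GCMAES128 for both constants, which is the combination the later comment reports as working on Windows 10 and 11.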
Updated by Jim Pingle over 2 years ago
- Related to Bug #12948: IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration added
Updated by Jim Pingle over 2 years ago
- Related to Bug #13368: IPsec Profile Wizard/Windows: Cannot generate a script for IKEv2 VPN using GCM ciphers when mobile P2 has no hash algorithms selected added
Updated by Jim Pingle over 2 years ago
- Subject changed from IPsec Windows Profile can make an incompatible set of VPN options to IPsec Profile Wizard/Windows: IKEv2 VPN using GCM configured by the generated script fails to connect with "The IPsec cipher transform is not compatible with the policy"
Updated by Jim Pingle over 2 years ago
Tested on Windows 10 and Windows 11 against a VPN with and without a P2 hash selected and it worked as expected in every case to have values match as I mentioned above. I'll work these changes into the package shortly.
Updated by Jim Pingle over 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Fixed in IPsec Profile Wizard pkg v. 1.1, which has been committed and will be available with the next build.