Bug #13877

closed

IPsec Profile Wizard/Windows: IKEv2 VPN using GCM configured by the generated script fails to connect with "The IPsec cipher transform is not compatible with the policy"

Added by Jim Pingle over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Category: IPsec Profile Wizard
Target version: -
% Done: 100%

Description

I was exporting a test config to Windows which had a large number of different P1 options, and the profile generated the following command:

Set-VpnConnectionIPsecConfiguration -Name "VPN (k9) - Mobile IPsec" `
 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group2 `
 -CipherTransformConstants GCMAES128 -AuthenticationTransformConstants SHA256128 -PfsGroup PFS2048 `
 -PassThru -Force

This resulted in an error when Windows tried to connect:

The IPsec cipher transform is not compatible with the policy

Similar to #12948, but #12948 suggested setting AuthenticationTransformConstants to None which did not help this case, and it wasn't set that way in the profile as the previous fix there seemed to imply it should be.

In this case, I had to set AuthenticationTransformConstants to GCMAES128 and at that point it succeeded.

I have the server config handy that ended up exporting that in my lab.
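
The pairing described in this report, as an added example (not part of the original report and not the wizard's own code): a pre-flight check that rejects a GCM cipher transform paired with a non-GCM authentication transform, and a helper that aligns the two. The function names are hypothetical, and extending the rule from GCMAES128 (the only case the report covers) to GCMAES192/GCMAES256 is an assumption.

```powershell
# Added example. Rule taken from the report: with CipherTransformConstants
# GCMAES128 the connection only succeeded once AuthenticationTransformConstants
# was also GCMAES128. Applying it to GCMAES192/GCMAES256 is an assumption.

function Test-GcmTransformPair {
    param([Parameter(Mandatory)] [hashtable] $IPsecParams)
    $cipher = [string]$IPsecParams['CipherTransformConstants']
    $auth   = [string]$IPsecParams['AuthenticationTransformConstants']
    if ($cipher -notlike 'GCMAES*') { return $true }   # non-GCM: rule does not apply
    return ($auth -eq $cipher)                         # GCM: both transforms must match
}

function Repair-GcmTransformPair {
    param([Parameter(Mandatory)] [hashtable] $IPsecParams)
    $fixed = $IPsecParams.Clone()                      # leave the caller's table untouched
    if (-not (Test-GcmTransformPair -IPsecParams $fixed)) {
        $fixed['AuthenticationTransformConstants'] = $fixed['CipherTransformConstants']
    }
    return $fixed
}

# Parameters exactly as in the generated command quoted in this report.
$generated = @{
    Name                             = 'VPN (k9) - Mobile IPsec'
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group2'
    CipherTransformConstants         = 'GCMAES128'
    AuthenticationTransformConstants = 'SHA256128'
    PfsGroup                         = 'PFS2048'
    PassThru                         = $true
    Force                            = $true
}

$corrected = Repair-GcmTransformPair -IPsecParams $generated

"Generated pair compatible: $(Test-GcmTransformPair -IPsecParams $generated)"
"Corrected pair compatible: $(Test-GcmTransformPair -IPsecParams $corrected)"
"AuthenticationTransformConstants is now: $($corrected['AuthenticationTransformConstants'])"

# To apply on the Windows client (the named VPN connection must already exist):
# Set-VpnConnectionIPsecConfiguration @corrected
```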


Related issues

Related to Bug #12948: IPsec Profile Wizard/Windows: Script generated for IKEv2 VPN using GCM does not use an optimal Phase 2 hash configuration - Resolved - Jim Pingle

Related to Bug #13368: IPsec Profile Wizard/Windows: Cannot generate a script for IKEv2 VPN using GCM ciphers when mobile P2 has no hash algorithms selected - Resolved - Jim Pingle