IPSec: Windows 10, Android & iOS with PCI compliant; Multiple VPN Gateway/Connections

MikeForshock Posts: 34  Freshman Member
edited April 2021 in Security

PCI Compliant Connections

Configuring a VPN on a FLEX100 that is PCI compliant (AES, Group14+, segmenting, MFA, etc.).
Various problems are being encountered that we have tried numerous times to make work.

Windows 10:
PowerShell script to allow higher AES/Hash and DH:
$conn_name = "My VPN Connections Name"
Set-VpnConnectionIPsecConfiguration -ConnectionName $conn_name -AuthenticationTransformConstants SHA256 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup none -DHGroup ECP384 -PassThru -Force
Phase 1 (AES256, SHA256, DH20 (ECP384)) completes
Phase 2 fails and disconnects
UPDATE: I fixed this, because well... I'm an idiot... Had -AuthenticationTransformConstants as none... Fixed code above in case anyone copies it.


Android: 
Default VPN client within Android 11 (Pixel) does not support DH14 or higher and no PFS.
Any other options?

iOS:
Same problem, stuck at DH2 and no PFS

In all of this Greenbow (ZyXel) clients could be options, just for additional costs, which is a COB.

Multiple VPN Connections

Another issue we keep seeing is the incorrect Gateway/Connection being used for VPN Connections.
We have multiple Site-to-Site and single Remote Access VPN profiles, but it seems only the "1" profile is used. This causes the Phase 1 failure for others connecting.
We have entered unique IP ranges, unique Remote/Local ID combinations, unique encryption (AES128, 192, 256; SHA1, 256, 512; DH 14-24), seems we are constantly running into this issue.
What other suggestions would make this function as expected?
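
Added example, not part of the original post: a PowerShell check that reads the custom IPsec policy of each Windows VPN profile and reports any setting outside a baseline, which would have caught the AuthenticationTransformConstants None mistake mentioned in the update above. The allow-lists, the function name Test-VpnIpsecPolicy and the -RequirePfs switch are assumptions for illustration; it also assumes the IPSecCustomPolicy property values render as their documented names (for example SHA256128).

```powershell
# Added example, not from the original post. Allow-lists are assumptions derived
# from the thread's "AES, Group14+" requirement; tune them to your own policy.
$Baseline = [ordered]@{
    EncryptionMethod                 = 'AES128','AES192','AES256','GCMAES128','GCMAES256'
    IntegrityCheckMethod             = 'SHA256','SHA384'
    DHGroup                          = 'Group14','ECP256','ECP384','Group24'
    CipherTransformConstants         = 'AES128','AES192','AES256','GCMAES128','GCMAES192','GCMAES256'
    AuthenticationTransformConstants = 'SHA256128','GCMAES128','GCMAES192','GCMAES256'
}

function Test-VpnIpsecPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        $Policy,                 # IPSecCustomPolicy object; $null when no custom policy is set
        [switch] $RequirePfs     # also flag PfsGroup None
    )
    if ($null -eq $Policy) {
        return [pscustomobject]@{ Connection = $Name; Setting = 'IPSecCustomPolicy'
                                  Value = '(not set)'; Issue = 'Windows default proposals apply' }
    }
    foreach ($setting in $Baseline.Keys) {
        $value = [string]$Policy.$setting
        if ($value -notin $Baseline[$setting]) {
            [pscustomobject]@{ Connection = $Name; Setting = $setting
                               Value = $value; Issue = 'outside baseline' }
        }
    }
    if ($RequirePfs -and ([string]$Policy.PfsGroup -in '', 'None')) {
        [pscustomobject]@{ Connection = $Name; Setting = 'PfsGroup'
                           Value = [string]$Policy.PfsGroup; Issue = 'PFS disabled' }
    }
}

# Constructed sample: the thread's first attempt, AuthenticationTransformConstants left at None
$sample = [pscustomobject]@{
    EncryptionMethod = 'AES256'; IntegrityCheckMethod = 'SHA256'; DHGroup = 'ECP384'
    CipherTransformConstants = 'AES256'; AuthenticationTransformConstants = 'None'; PfsGroup = 'None'
}
Test-VpnIpsecPolicy -Name 'constructed-sample' -Policy $sample -RequirePfs | Format-Table -AutoSize

# Live audit of the current user's VPN profiles (needs the Windows VpnClient module)
if (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue) {
    Get-VpnConnection | ForEach-Object {
        Test-VpnIpsecPolicy -Name $_.Name -Policy $_.IPSecCustomPolicy
    } | Format-Table -AutoSize
}
```

An empty result for a profile means every checked setting is inside the baseline; it does not confirm that the gateway accepts the same proposal.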

All Replies

  • Zyxel_Can Posts: 342  Zyxel Employee

    Hi @MikeForshock,

    The first connection issue occurs because clients send their own supported algorithms to the gateway, and when these are not compatible with the gateway's settings, the tunnel can't be built.

    So we have no control over the clients.

    We recommend that you create an L2TP connection for that.

    For your second question, can you try configuring your VPN Gateway with different Local and Peer ID IPs?

    For that, specify 2 different unique IPs for the Local and Peer ID content.

    Also, set Phase 1 Settings' Negotiation Mode to Aggressive.

    Best regards.

