IPSec: Windows 10, Android & iOS with PCI compliance; Multiple VPN Gateways/Connections
MikeForshock
Posts: 34 Freshman Member
PCI Compliant Connections
Configuring a VPN on a FLEX100 that is PCI compliant (AES, Group14+, segmenting, MFA, etc.). Various problems are being encountered that we have tried numerous times to make work.
Windows 10:
PowerShell script to allow higher AES/hash and DH:
$conn_name = "My VPN Connections Name"
# SHA256128 is the value the cmdlet accepts for HMAC-SHA-256 (128-bit ICV) as the ESP integrity transform; plain "SHA256" is not an accepted value for this parameter.
# -PfsGroup None disables a separate DH exchange for the child SA; it has to match the gateway's Phase 2 PFS setting.
Set-VpnConnectionIPsecConfiguration -ConnectionName $conn_name -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup ECP384 -PassThru -Force
Phase 1 (AES256, SHA256, DH20 (ECP384)) completes
Phase 2 fails and disconnects
UPDATE: I fixed this, because well... I'm an idiot... Had -AuthenticationTransformConstants as none... Fixed code above in case anyone copies it.
Android:
Default VPN client within Android 11 (Pixel) does not support DH14 or higher and no PFS.
Any other options?
iOS:
Same problem, stuck at DH2 and no PFS
In all of this, Greenbow (Zyxel) clients could be an option, just at additional cost, which is a COB.
Multiple VPN Connections
Another issue we keep seeing is the incorrect Gateway/Connection being used for VPN connections. We have multiple Site-to-Site and single Remote Access VPN profiles, but it seems only the "1" profile is used. This causes the Phase 1 failure for others connecting.
We have entered unique IP ranges, unique Remote/Local ID combinations, unique encryption (AES128, 192, 256; SHA1, 256, 512; DH 14-24), seems we are constantly running into this issue.
What other suggestions would make this function as expected?
0
All Replies
Hi @MikeForshock,
The first connection issue occurs because clients send their own supported algorithms to the gateway, but when they are not compatible with the gateway's settings the tunnel can't be built.
So we can't have control over the clients. We recommend you create an L2TP connection for that.
For that, specify 2 different unique IPs for the Local and Peer ID content.
Also, set Phase 1 Settings' Negotiation Mode as Aggressive.
Best regards.
0
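The Windows 10 part of the original post is a single Set-VpnConnectionIPsecConfiguration line. The following is an added example, not code from the original post or from Zyxel, that builds the whole client-side profile the way an engineer would for a PCI-scoped IKEv2 connection: create the connection, pin the IKE (Phase 1) and child-SA (Phase 2) proposals to AES-256 / SHA-256 / ECP384 with PFS enabled, then dump what the client offers and what was actually negotiated so a Phase 2 failure can be attributed to a specific mismatch. The connection name, gateway FQDN and the EAP authentication method are assumptions, not values from the page.

```powershell
# Added example (not from the original post or Zyxel). Assumptions: connection
# name and gateway FQDN are placeholders; the gateway is configured for IKEv2
# with EAP user authentication (MFA enforced on the gateway's RADIUS backend).
$ConnName = 'My VPN Connections Name'   # assumed
$Gateway  = 'vpn.example.com'           # assumed

# Create the profile once. IKEv2 is the only built-in tunnel type whose
# proposals this cmdlet set can control; switch to
# -AuthenticationMethod MachineCertificate if the gateway uses certificates.
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Gateway -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required -Force
}

# Pin the proposal set. Accepted values are the ones documented for
# Set-VpnConnectionIPsecConfiguration:
#   -EncryptionMethod / -IntegrityCheckMethod / -DHGroup  : IKE SA (Phase 1)
#   -CipherTransformConstants / -AuthenticationTransformConstants : child SA (Phase 2)
#   -PfsGroup : DH group for child-SA rekeys; must match the gateway's Phase 2 PFS
# SHA256128 is the cmdlet's name for HMAC-SHA-256 with a 128-bit ICV.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup ECP384 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup ECP384 `
    -PassThru -Force

# What the client will offer. Compare every field against the gateway's
# Phase 1 and Phase 2 proposals before trying to connect.
Get-VpnConnection -Name $ConnName | Format-List *

# Connect (EAP prompts for credentials), then look at the live SAs.
# A main-mode SA without a quick-mode SA means Phase 1 succeeded and the
# mismatch is in the child-SA transforms or the PFS group.
rasdial "$ConnName"
Get-NetIPsecMainModeSA  | Format-List   # expect AES256 / SHA256 / ECP384
Get-NetIPsecQuickModeSA | Format-List   # expect AES256 / SHA256128 (ESP)
```

Two caveats for the thread. First, the cmdlet only changes what the Windows client proposes; the gateway must list an identical transform set and the same PFS group, or the exchange fails exactly as described in the post. Second, if the gateway is switched to Aggressive mode to make profile selection work (as the reply suggests), keep in mind that Aggressive mode is IKEv1 only and, with pre-shared keys, sends a hash derived from the PSK in the clear, which can be cracked offline; IKEv2 (used by the profile above) has no Aggressive mode and selects the peer profile by identity payload, so certificate or EAP authentication over IKEv2 is the more defensible way to get per-profile matching under PCI.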