IKEv2 IPSec VPN with DH14 and Windows 7/10 - HELP!

H0lyD1ver Posts: 7
edited April 2021 in Security
I am trying to configure a VPN using IKEv2 over IPSec with a DH of 14 (for PCI Compliance). 

I have successfully created a VPN (and can connect) with DH2, but as soon as I change it to 14 it won't work (even if I modify the Windows Firewall IPSec Settings).

Here's what's on the USG110 VPN Gateway:

and here's the VPN Connection settings:

Here are the windows IPSEC settings:
Key Exchange Settings:
SHA-1    AES-CBC 128    DH14
(NOTE: I find it interesting that windows vpn will connect even if DH14 is the only option AS LONG AS DH2 is set on the USG110 VPN Gateway).

Data Protection (Quick Mode)

Authentication Method
Advanced - Certifcate (the certificate I created/exported from the USG110). 

How do I get Windows to accept a DH14 set on the USG110??? I've spent way too long trying to figure this out. It can't be this difficult...right? 

Best Answers

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,101  Zyxel Employee
    Answer ✓

    Hi @H0lyD1ver  

    There is a document to change DH group on Win10 by PowerSheel. But it is not support on Win7.




    PS C:\>Add-VpnConnection -Name "AAA-IKEv2" -ServerAddress 10.214.30.XX -TunnelType "Ikev2"

    PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "AAA-IKEv2" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group14 -PassThru -Force

  • H0lyD1ver
    H0lyD1ver Posts: 7
    Answer ✓
    Thank you so much! That did the trick and took less than 5 minutes! I wish Zyxel Support would have responded to my support request with that. Very helpful!

All Replies

  • Also, why can I not ping other machines on the LAN? I've got this policy control, but it doesn't let me access it. 

    I also tried changing the local policy to:
    Interface IP, (my external ip address)

    I did all the steps on this link: 

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,101  Zyxel Employee

    Hi @H0lyD1ver  

    After followed the document to change DH as group14 successfully on Win7.

    But PC still using DH2 to establishing VPN tunnel.

    It looks has something wrong on Win7.

  • H0lyD1ver
    H0lyD1ver Posts: 7
    edited November 2018
    Meant to post this October 3rd:

    I'd give you a hug right now if I could. That did the trick!

    Thank you!

    Let me elaborate:
    1. I exported the certificate from the USG110 and imported it into windows 10
    2. Imported that certificate into the VPN user's machine. 
    3. I created the VPN connection on the user's machine using powershell (DOES NOT WORK in Windows 7). Fortunately, all of our outside machines are running Win 10. 
    4. Edit firewall settings > advanced > IPSec settings and selected the certificate imported into Trusted Root
    5. Selected connection properties > networking > IPV4 > Advanced > Use default gateway on remote network. 

    Although, today, for whatever reason, those are all selected yet I still can't connect to machines on the local network. I'll have to do some digging, as it was absolutely working great last month!

    Thank you for all your help! 
  • Well...still can't figure out why all of a sudden I can't communicate past the Zywall. I get an address and I can see on the router that I'm connected, but I can't ping anything on the network...

    I've tried:
    1. Disabling recent security policy rules and re-testing.
    2. Adding an entry for DNS in the configuration payload of the VPN connection.
    3. Setting a policy route
    4. Fiddling with NAT.

    When I run ipconfig I get:
    ipv4: (preferred) - this is part of the pool range I set
    subnet: - Is it supposed to be that?
    Default Gateway: - Is this my probleM? 
  • H0lyD1ver
    H0lyD1ver Posts: 7
    edited November 2018
    This little bugger was the culprit (I unchecked it and now it works):

Security Highlight