USG Flex 200 doesnt allow windows 11 IPSEC Phase 1 conection
Hi my USG Flex was configured for low security ipsec vpn with linux clients
USG Flex 200 doesnt allow windows 11 IPSEC Phase 1 conection:
"Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP, HMAC-MD5 PRF, HMAC-MD5-96, DES, 768 bit MODP; )."
so what can be done on usg flex side or windows 11 side to match connection - there is some force reg keys for regedit but no info about it….. |
All Replies
-
Sorry, phase 1 passes, stuck at phase 2 without any detail info
0 -
Hi @AntonK ,
Using power shell command to change the phase 1 & phase 2 proposal.
1. Show phase 1 & phase 2 proposal of VPN connection
Get-VpnConnection -name "YourConnectionName" | Select-Object -ExpandProperty IPsecCustomPolicy
2. Set phase 1 & phase 2 proposal of VPN connection
Set-VpnConnectionIPsecConfiguration -ConnectionName "YourConnectionName" -EncryptionMethod <IKE Encyption> -IntegrityCheckMethod <IKE Authentication> -DHGroup <DH Group> -CipherTransformConstants <ESP Encyprtion> -AuthenticationTransformConstants <ESP Authentication> -PfsGroup <PFS Group> -Force
Reference:
0 -
- So i can choose in AuthenticationTransformConstants <ESP Authentication> : MD596, SHA196, SHA256128, GCMAE192,GCMAE256, None
and there in no such options in USG200
0 -
Windows default phase 2 is
encryption AES256
authentication SH1
PFS none
also L2TP over IPSec IKEv1 encapsulation is Transport
1 -
Here the string mapping between Windows and USG,
Windows: MD596 to USG: MD5
Windows: SHA196 to USG: SHA1
Windows: SHA256128 to USG: SHA256
1 -
According to this release from Microsoft…
Is KB5036893 installed? Or Preview update of the end of april?
(Windows 10 is affected too, with the equivalent KB5036892)
1 -
Thanks everyone for transport encapsulation and kb5036893, i've made changes and uninstall KB, and made some progress, - ZYXEL wrote that connection done, but windows think 1-2 minutes and breaks it with RasMan 809 Error
0 -
your post is gold!
0 -
Hello, i'm having a problem in phase 1 (logs on zywall say say proposal mismatch ) this in brief is my configuration on this IKEv2 vpn:
phase 1: encryption AES128, authentication SHA256, DH DH2
phase 2: encryption AES128, authentication SHA256, PFS None
THE cmdlet that i'm using in windows 10 is:
Set-VpnConnectionIPsecConfiguration -name "MyVPNName" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group2 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup None -force
do you see any error? I'm not sure about the import of the certificate, where do I have to import it?
PS this VPN works fine with Android (strongSwan) so I suppose that the problem is in the windows client configuration. I uninstalled the KB5036892 and rebooted but nothing changed.
ty
0 -
Yes you need to import the certificate are you using a self-signed certificate?
You can look at getting a DDNS and certificate as a self-signed certificate will be fixed to 1 IP and not domain name
will you be doing certificate mode or Enable Extended Authentication Protocol Server Mode user name and password?
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight