USG Flex 200 doesnt allow windows 11 IPSEC Phase 1 conection

AntonK
AntonK Posts: 5
First Comment Second Anniversary

Hi my USG Flex was configured for low security ipsec vpn with linux clients

USG Flex 200 doesnt allow windows 11 IPSEC Phase 1 conection:

"Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP, HMAC-MD5 PRF, HMAC-MD5-96, DES, 768 bit MODP; )."

so what can be done on usg flex side or windows 11 side to match connection - there is some force reg keys for regedit but no info about it…..

«1

All Replies

  • AntonK
    AntonK Posts: 5
    First Comment Second Anniversary

    Sorry, phase 1 passes, stuck at phase 2 without any detail info

  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary

    Hi @AntonK ,

    Using power shell command to change the phase 1 & phase 2 proposal.

    1. Show phase 1 & phase 2 proposal of VPN connection

    Get-VpnConnection -name "YourConnectionName" | Select-Object -ExpandProperty IPsecCustomPolicy
    

    2. Set phase 1 & phase 2 proposal of VPN connection

    Set-VpnConnectionIPsecConfiguration -ConnectionName "YourConnectionName" -EncryptionMethod <IKE  Encyption> -IntegrityCheckMethod <IKE Authentication> -DHGroup <DH Group> -CipherTransformConstants <ESP Encyprtion> -AuthenticationTransformConstants <ESP Authentication> -PfsGroup <PFS Group> -Force
    

    Reference:

    https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2022-ps

  • AntonK
    AntonK Posts: 5
    First Comment Second Anniversary
    1. So i can choose in AuthenticationTransformConstants <ESP Authentication> : MD596, SHA196, SHA256128, GCMAE192,GCMAE256, None

    and there in no such options in USG200

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 2

    Windows default phase 2 is

    encryption AES256

    authentication SH1

    PFS none

    also L2TP over IPSec IKEv1 encapsulation is Transport

  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary

    Here the string mapping between Windows and USG,

    Windows: MD596 to USG: MD5

    Windows: SHA196 to USG: SHA1

    Windows: SHA256128 to USG: SHA256

  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    According to this release from Microsoft…

    https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#3291msgdesc

    Is KB5036893 installed? Or Preview update of the end of april?

    (Windows 10 is affected too, with the equivalent KB5036892)
    https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2#3291msgdesc

  • AntonK
    AntonK Posts: 5
    First Comment Second Anniversary

    Thanks everyone for transport encapsulation and kb5036893, i've made changes and uninstall KB, and made some progress, - ZYXEL wrote that connection done, but windows think 1-2 minutes and breaks it with RasMan 809 Error

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member
    Zyxel Certified Network Administrator - Nebula Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN
    edited May 6

    Hello, i'm having a problem in phase 1 (logs on zywall say say proposal mismatch ) this in brief is my configuration on this IKEv2 vpn:

    phase 1: encryption AES128, authentication SHA256, DH DH2

    phase 2: encryption AES128, authentication SHA256, PFS None

    THE cmdlet that i'm using in windows 10 is:

    Set-VpnConnectionIPsecConfiguration -name "MyVPNName" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group2 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup None -force

    do you see any error? I'm not sure about the import of the certificate, where do I have to import it?

    PS this VPN works fine with Android (strongSwan) so I suppose that the problem is in the windows client configuration. I uninstalled the KB5036892 and rebooted but nothing changed.

    ty

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited May 6

    Yes you need to import the certificate are you using a self-signed certificate?

    You can look at getting a DDNS and certificate as a self-signed certificate will be fixed to 1 IP and not domain name

    will you be doing certificate mode or Enable Extended Authentication Protocol Server Mode user name and password?


Security Highlight