USG Flex 200 doesn't allow Windows 11 IPsec Phase 1 connection


  • QuiteSmart (Posts: 44, Freshman Member)
    edited May 7

    Hello @PeterUK, thank you for your reply:

    CERTIFICATE: from object/certificate/my certificate I sent by email the certificate WITH (.p12) and WITHOUT (.crt) private key to the client. On the Windows client I installed the .p12 and .crt files (Local Computer, Trusted Root Certification Authorities).

    DDNS: as for DDNS, I don't mind since the IP is static.

    EAP: Extended Authentication Protocol (server mode) is enabled in phase 1; AAA method: local; allowed user: the right group.

    Since it works with Android, I suppose that I messed up the certificate installation, didn't I?

    This is what the FW receives (you can see the proposals configured in the firewall in the previous post):

  • QuiteSmart (Posts: 44, Freshman Member)
    edited May 7

    LITTLE STEP AHEAD: giving a careful read to what I pasted in the previous post, I understood that somehow Windows sends a request for AES256 and DH14 (MODP 2048 bit is actually DH14).

    As mentioned before, I was quite sure I had set AES128 and DH12 for phase 1 by PowerShell cmdlet, but it seems that Windows doesn't take care, so I obeyed its will and changed my proposal for phase 1 to AES256 and DH14. Now the error message in Windows has changed (IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.…) and in the ZyWALL I get:

    I suppose that I am still fighting against phase 1, otherwise the ZyWALL should notify that phase 1 is done, shouldn't it? What is the correct step-by-step walkthrough to install the certificate?

  • PeterUK (Posts: 2,984, Guru Member, Community MVP)

    It seems MS now doesn't like self-signed certificates, but a real certificate by DDNS works.

  • QuiteSmart (Posts: 44, Freshman Member)

    Which DDNS provider would you recommend?

  • PeterUK (Posts: 2,984, Guru Member, Community MVP)

    I use noip.com and dynu.com with certificates by RapidSSL Basic DV, No-IP Vital Encrypt DV and sslforfree.com.

    You will need to install the Intermediate Certification Authorities and then your certificate in Personal.

  • PeterUK (Posts: 2,984, Guru Member, Community MVP)
    edited May 7

    You will need the certificate with private key on the client device.

    Just checked: you don't, just the certificate and Intermediate Certification Authorities.

  • PeterUK (Posts: 2,984, Guru Member, Community MVP)
    edited May 8

    Think I have found the reason for self-signed certificates not working: Windows for IKEv2 only supports (going by testing with a Flex H self-signed certificate) ECDSA-SHA256, which the Flex 200 (non-H) supports creating but not for VPN, as it doesn't show up when selecting a certificate.

    But a certificate you get for DDNS is not ECDSA-SHA256 and it works… so Windows only does this for self-signed certificates? That's really odd 🤔

  • QuiteSmart (Posts: 44, Freshman Member)

    I made a check of the different certificates that one can create and, as you said:

    Legacy USG40 (all of them can be selected in IPSec config):

    RSA-SHA256; RSA-SHA512; DSA-SHA256

    ATP100 (only the first three can be selected in IPSec config):

    RSA-SHA256; RSA-SHA512; DSA-SHA256; ECDSA-SHA256; ECDSA-SHA384

    Why the two ECDSA cannot be used in IPSec?

  • QuiteSmart (Posts: 44, Freshman Member)

    I tried with no-ip.com and sslforfree.com. I created a DDNS and connected it in the ZyWALL, but when I go to sslforfree.com I don't know how to verify my domain (email, CNAME or HTTP file upload are the options). Would you be so kind to write a walkthrough (I don't mind which providers, any one is ok)? Thanks @PeterUK

  • PeterUK (Posts: 2,984, Guru Member, Community MVP)
    edited May 9

    The easy free way is to set up a DDNS with no-ip; you then point that subdomain to your IP.

    Set up an Email server like:

    https://www.hmailserver.com/

    https://www.mailenable.com/

    Set up an admin Email under your subdomain.

    Go to sslforfree and do a 90 days free certificate for your subdomain, which you will verify by receiving Email for admin.

    You will then get a .zip with:

    certificate.crt

    private.key

    Rename private.key to certificate.key.

    Run:

    certutil -MergePFX certificate.crt cert.pfx

    Import cert.pfx to Flex.

    Import certificate.crt / cert.pfx to the client PC certificates in Personal and install the Intermediate Certification Authorities as shown above, from certificate.crt.

    VPN client must use your subdomain, not IP.
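As an added example (not posted by anyone in this thread), the client-side part of the walkthrough above written as PowerShell for the Windows client, using the file names from the post and the AES256 / DH14 proposal the thread settled on. The DDNS host name, the ca_bundle.crt path and the SHA256 integrity choice are assumptions.

```powershell
# Added example, not from any poster in this thread. Run in an elevated
# PowerShell on the Windows 11 client. Assumptions: cert.pfx is the output
# of "certutil -MergePFX certificate.crt cert.pfx" from the post;
# ca_bundle.crt (hypothetical name) holds the intermediate CA(s);
# the ServerAddress is a placeholder for your own DDNS subdomain.
$Server   = 'vpn.example-subdomain.ddns.net'   # placeholder, use your subdomain
$PfxPath  = 'C:\certs\cert.pfx'                # machine cert + private key
$ChainCrt = 'C:\certs\ca_bundle.crt'           # hypothetical intermediate CA file
$PfxPwd   = Read-Host -AsSecureString 'PFX password'

# 1. Machine certificate with private key -> Local Computer \ Personal.
#    IKEv2 machine-certificate authentication looks in this store.
$Cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPwd `
        -CertStoreLocation Cert:\LocalMachine\My

# 2. Intermediate CA(s) -> Local Computer \ Intermediate Certification Authorities
Import-Certificate -FilePath $ChainCrt -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# 3. Show what was installed: the thread turns on which signature algorithm
#    and which name the certificate carries, so check both before dialling.
$Cert | Format-List Subject, Issuer, NotAfter, DnsNameList,
    @{n='SignatureAlgorithm'; e={ $_.SignatureAlgorithm.FriendlyName }},
    @{n='EKU'; e={ ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' }}

# 4. Make sure the chain builds on this machine before blaming IKE.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $Chain.Build($Cert)) {
    $Chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# 5. IKEv2 profile using the machine certificate. ServerAddress must be the
#    subdomain the certificate was issued for, not the IP (see post above).
Add-VpnConnection -Name 'Flex200' -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -AllUserConnection -Force

# 6. Pin the proposal to what the firewall ended up with in the thread:
#    AES256 and DH14 (MODP 2048 = Group14 / PFS2048). SHA256 is an assumption.
Set-VpnConnectionIPsecConfiguration -ConnectionName 'Flex200' -AllUserConnection `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# 7. Read back the profile so the proposal can be compared with the ZyWALL log.
Get-VpnConnection -Name 'Flex200' -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, IPsecCustomPolicy
```

The chain check in step 4 distinguishes a certificate-store problem (missing intermediate, wrong store) from a proposal mismatch, which the ZyWALL log shows separately.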
