USG Flex 200 doesn't allow Windows 11 IPsec Phase 1 connection
All Replies
Hello @PeterUK, thank you for your reply:
CERTIFICATE: from Object/Certificate/My Certificate I sent the certificate by email to the client WITH (p12) and WITHOUT (crt) the private key. On the Windows client I installed the .p12 and .crt files (local computer, Trusted Root Certification Authorities).
DDNS: as for DDNS, I don't mind since the IP is static.
EAP: Extended Authentication Protocol (server mode) is enabled in phase 1, AAA method: local, allowed user: the right group.
Since it works with Android, I suppose that I messed up the certificate installation, didn't I?
This is what the FW receives (you can see the proposals configured in the firewall in the previous post):
LITTLE STEP AHEAD: giving a precise read to what I pasted in the previous post, I understood that somehow Windows sends a request for AES256 and DH14 (MODP 2048 bit is actually DH14).
As mentioned before, I was quite sure I had set AES128 and DH12 for phase 1 by PowerShell cmdlet, but it seems that Windows doesn't take care, so I obeyed its will and changed my proposal for phase 1 to AES256 and DH14. Now the error message in Windows has changed (IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.…) and in the ZyWALL I get:
I suppose that I am still fighting against phase 1, otherwise the ZyWALL should notify that phase 1 is done, shouldn't it? What is the correct step-by-step walkthrough to install the certificate?
It seems MS now doesn't like self-signed certificates, but a real certificate by DDNS works.
Which DDNS provider would you recommend?
I use noip.com and dynu.com with certificates by RapidSSL Basic DV, No-IP Vital Encrypt DV and sslforfree.com.
You will need to install the Intermediate Certification Authorities and then your certificate in Personal.
You will need the certificate with private key on the client device. Just checked: you don't, just the certificate and Intermediate Certification Authorities.
I think I have found the reason for self-signed certificates not working: Windows for IKEv2 only supports (going by testing with a Flex H self-signed certificate) ECDSA-SHA256, which the Flex 200 (non-H) supports creating but not for VPN, as it doesn't show up when selecting a certificate.
But a certificate you get for DDNS is not ECDSA-SHA256 and it works… so Windows only does this for self-signed certificates? That's really odd 🤔
I made a check of the different certificates that one can create and, as you said:
Legacy USG40 (all of them can be selected in IPsec config):
RSA-SHA256; RSA-SHA512; DSA-SHA256
ATP100 (only the first three can be selected in IPsec config):
RSA-SHA256; RSA-SHA512; DSA-SHA256; ECDSA-SHA256; ECDSA-SHA384
Why can the two ECDSA ones not be used in IPsec?
I tried with no-ip.com and sslforfree.com. I created a DDNS and connected it in the ZyWALL, but when I go to sslforfree.com I don't know how to verify my domain (email, CNAME or HTTP file upload are the options). Would you be so kind as to write a walkthrough (I don't mind which providers, any one is OK)? Thanks @PeterUK
The easy free way is to set up a DDNS with No-IP; you then point that subdomain to your IP.
Set up an email server like:
Set up an admin email under your subdomain.
Go to sslforfree and do a 90-day free certificate for your subdomain, which you will verify by receiving an email for admin.
You will then get a .zip with
certificate.crt
private.key
Rename private.key to certificate.key
Run
certutil -MergePFX certificate.crt cert.pfx
Import cert.pfx to the Flex.
Import cert.pfx to the client PC certificates in Personal, and install the Intermediate Certification Authorities as shown above from certificate.crt. The VPN client must use your subdomain, not the IP.
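As an added example (not from any poster in this thread), the Windows-side half of the procedure above in PowerShell: install cert.pfx and the intermediate CA, pin Phase 1 to the AES256/DH14 proposal the ZyWALL was changed to, and run the checks that explain the "IKE failed to find valid machine certificate" error. File paths, the connection name and the subdomain are placeholders, and machine-certificate authentication is an assumption.

```powershell
# Added example, not from the thread. Assumes cert.pfx from "certutil -MergePFX"
# and the issuer's intermediate .crt are already on the client. Run as administrator.
$PfxPath          = 'C:\certs\cert.pfx'            # placeholder
$IntermediatePath = 'C:\certs\intermediate.crt'    # placeholder, chain from the issuer
$VpnName          = 'ZyWALL-IKEv2'                 # placeholder connection name
$ServerFqdn       = 'vpn.example.ddns.net'         # the DDNS subdomain, never the raw IP

# 1. Machine certificate goes to Local Computer \ Personal, the intermediate CA
#    to Local Computer \ Intermediate Certification Authorities.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$machineCert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
Import-Certificate -FilePath $IntermediatePath `
    -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# 2. Create the IKEv2 connection (machine certificate auth assumed) and pin
#    Phase 1 to what the firewall proposal was changed to: AES256, SHA256, DH group 14.
if (-not (Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $ServerFqdn `
        -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection
}
Set-VpnConnectionIPsecConfiguration -ConnectionName $VpnName `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -PfsGroup PFS2048 -AllUserConnection -Force

# 3. Checks behind the "failed to find valid machine certificate" error: the cert
#    must carry its private key, its chain must build to a trusted root through the
#    intermediate installed above, and its name must match the subdomain the client dials.
#    The signature algorithm is printed because the thread found self-signed
#    certificates rejected depending on it.
$checks = [ordered]@{
    'Private key present'        = $machineCert.HasPrivateKey
    'Signature algorithm'        = $machineCert.SignatureAlgorithm.FriendlyName
    'Chain builds and name match' = Test-Certificate -Cert $machineCert -Policy SSL `
                                        -DNSName $ServerFqdn -ErrorAction SilentlyContinue
}
$checks.GetEnumerator() | ForEach-Object { '{0,-28}: {1}' -f $_.Key, $_.Value }
```

If any check prints False, fix the store or the name before retrying, since the IKE_AUTH failure on the ZyWALL will look the same as a Phase 1 proposal mismatch.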