> On 13 Jan 2021, at 06:04, Cand Tec <cand...@gmail.com> wrote:
>
> This is my first time responding to a post so forgive me if I violate any
> protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office clients,
> all running on high-end repurposed desktops. Due to covid I've had to quickly
> set up ikev for a very small number of home users, none of which are
> road warriors and all use Win10. Yes, I know I should be using ikev2, so don't
> chew me out, at the time it was just quicker.
> Using the UI in Win10 is not the way to go. Apparently the Win10 default
> parameters via UI do not provide the required ciphers.
> I used powershell to modify the parameters first, then used the vpn connection
> properties to finalize the settings. It worked 100% of the time without
> fail. When I duplicated it using only the Win10 UI, it failed in every
> instance.
>
> Here are the powershell cmds I used to modify my default vpn settings, which
> have worked every time -
>
> PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com
> -TunnelType "L2tp"
> PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME"
> -AuthenticationTransformConstants None -CipherTransformConstants AES256
> -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup
> Group14 -PassThru -Force
Indeed that does not work for IKEv2:

ikev1_recv: header ispi 0x94edd5a8931477d9 rspi 0x0000000000000000 nextpayload 1 version 0x10 exchange 2 flags 0x00 msgid 0 length 256
ikev1_recv: IKEv1 not supported

Looking at some of the other information provided, I tried this along with the
registry edit below:

PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -Force
PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "IPB2" -AuthenticationTransformConstants None -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup None -PassThru -AllUserConnection

But that doesn't seem to help anything.

> Here's some info I found helpful -
>
> L2TP issues with Win 10 – phase1 does not form due to insecure default
> parameters
> REGISTRY SOLUTION:
> https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
>
> Create a registry key that enforces modern cipher and transform sets.
>
> STEP 1: Edit Registry or create GPO:
>
> HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
> STEP 2: Create new DWORD value:
> NegotiateDH2048_AES256
> STEP 3: Modify DWORD value: 2
>
> One caveat, whenever a major Win10 update is installed it tends to reset the
> Win10 vpn parameters you modified. It's not consistent, but I've had to reset
> it a few times. Other than that it has been flawless so far...if you can call
> it that.
>
> Hopefully this helps.
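The PowerShell commands and the RasMan registry edit quoted in this thread, combined into one script that applies them and then checks for drift, since the thread notes that feature updates can silently reset the client-side parameters. This is an added example, not code from the thread or from either participant; the connection name and server address are placeholders, and the verification step assumes Get-VpnConnection exposes the IPsec proposal through its IPsecCustomPolicy property.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): create an IKEv2 profile pinned to
# AES256 / SHA256 / DH Group14, set the RasMan registry value from the linked
# post, then verify both so the check can be re-run after a Windows update.

param(
    [string]$ConnName      = "IPB2",            # placeholder connection name
    [string]$ServerAddress = "vpn.example.com"  # placeholder, not a real host
)

$RasManKey = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters"
$RegName   = "NegotiateDH2048_AES256"

# 1. Registry: value 2 is what the thread's registry solution specifies.
New-ItemProperty -Path $RasManKey -Name $RegName -PropertyType DWord -Value 2 -Force | Out-Null

# 2. (Re)create the all-user IKEv2 profile with machine-certificate auth,
#    as in the reply above, so stale GUI-created settings are not kept.
if (Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -AllUserConnection -Force
}
Add-VpnConnection -Name $ConnName -ServerAddress $ServerAddress -TunnelType IKEv2 `
    -AuthenticationMethod MachineCertificate -AllUserConnection -Force

# 3. Pin the IPsec proposal so the weaker UI defaults are never offered.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -AuthenticationTransformConstants None -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup None -Force

# 4. Verify what is actually configured. IPsecCustomPolicy is assumed to carry
#    the same property names as the Set-* parameters.
$policy = (Get-VpnConnection -Name $ConnName -AllUserConnection).IPsecCustomPolicy
$reg    = Get-ItemProperty -Path $RasManKey -Name $RegName

$expected = [ordered]@{
    EncryptionMethod         = "AES256"
    IntegrityCheckMethod     = "SHA256"
    CipherTransformConstants = "AES256"
    DHGroup                  = "Group14"
}

$drift = New-Object System.Collections.Generic.List[string]
foreach ($k in $expected.Keys) {
    $actual = "$($policy.$k)"
    if ($actual -ne $expected[$k]) {
        $drift.Add("$k is '$actual', expected '$($expected[$k])'")
    }
}
if ([int]$reg.$RegName -ne 2) {
    $drift.Add("$RegName is '$($reg.$RegName)', expected 2")
}

if ($drift.Count -gt 0) {
    Write-Warning ("IKEv2 profile '$ConnName' has drifted:`n  " + ($drift -join "`n  "))
} else {
    Write-Host "IKEv2 profile '$ConnName' matches the AES256/SHA256/Group14 policy."
}
```

Run it once from an elevated PowerShell to apply the settings, and again after each feature update; a warning from the final block tells you which parameter the update rolled back before a user reports that phase 1 no longer completes against iked.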