IKEv2 - Phase 2 Auth Methods - Hash algorithmus Question


  • Hi Guys,

    I pretty much used this HowTo > https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
    and everything is working absolutley fine.

    I use a Windows Server 2012 R2 NPS as Radius Server.
    Also working perfectly fine on different Clients (win7, win8, win10, …)

    Now the Question:

    As Stated in the Howto in Phase2 - we Should Set Hash algorithmus to SHA1 and SHA256. P2 Auth Methods SHA1 and SHA256

    So why do i need SHA1 and why is my whole Setup not working if i disable this shit algorithmus.
    If i disable/uncheck SHA1 i get on the Client Machine (win7 and win10) the "Error 13843: Invalid Payload Received."

    How can i get rid of SHA1 as HA, or is it pretty much safe and "ok" to use it (there and for that purpose) ?


  • An unmodified Windows up until 10 can use the following for Phase 2 (ESP):

    ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
    ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

    As you can see there is no option for SHA256 at this place to choose. It is questionable if this is a real problem because SHA1 is used for integrity in this context, so the upmost would be to send invalid (random) data which claim to be valid. The encryption (confidentialy) should not be broken because of this.
    You might also try the NegotiateDH2048_AES256 registry key to get more modern ciphers to choose from.

    Regards

    Andreas