Netgate Discussion Forum
    (Probably Guide): IKEv2 with Windows 10 and better Security

      A Former User

      I read many threads about how to configure an IKEv2 VPN in Windows without 3DES and SHA1. I also searched the web for hours and didn't find any good resource on this.
      That's why I started this post, which will hopefully be a guide for many of you.

      First of all, the proof that I got rid of 3DES and SHA1, including a secure DH key size, in a VPN connection initiated by the standard Windows VPN client (see both status screenshots).

      How-To:
      1. First of all, set up your VPN as described in https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
      2. After that, change your pfSense IPsec config to the settings shown in the "Phase 1 Settings" screenshots (#1 and #2) and "Phase 2 Settings"
            -> afterwards it should look like the "pfSense overview" screenshot
      3. Now to Windows: it is (currently) not possible to configure these settings via the GUI -> it has to be done in PowerShell.

      ```powershell
      # EncryptionMethod / IntegrityCheckMethod / DHGroup apply to the IKE SA (Phase 1),
      # CipherTransformConstants / AuthenticationTransformConstants / PfsGroup to ESP (Phase 2).
      # SHA256128 = HMAC-SHA-256 with a 128-bit truncated ICV.
      Set-VpnConnectionIPsecConfiguration -ConnectionName "your VPN" `
          -AuthenticationTransformConstants SHA256128 `
          -CipherTransformConstants AES256 `
          -EncryptionMethod AES256 `
          -IntegrityCheckMethod SHA384 `
          -DHGroup ECP384 `
          -PfsGroup ECP384 `
          -PassThru -AllUserConnection -Force
      ```

      If you don't have a global VPN connection, leave out "-AllUserConnection".

      Finally try to connect via your newly generated connection.

      Additional words: I'll try to make the guide more appealing in the future; this is just "quick and dirty".

      Happy to hear your results with it.

      greetz driederer

      Edit 1: Guests don't see the attached pictures -> https://kb.hivetech.ch/index.php?action=artikel&cat=1&id=3&artlang=de
      Edit 2: After running into problems with strongSwan under Android, I dug deep into the problem and found out that Group 24 is considered broken (or at least questionable) -> https://eprint.iacr.org/2016/961, so I completely removed it and now work with ECP384 (NIST, because Windows doesn't support Brainpool)
      Edit 3: additional Hardening (SHA384), verified on Windows 10 and Android with strongSwan 1.8.0

      ![Phase 1 Settings.PNG](/public/imported_attachments/1/Phase 1 Settings.PNG)
      ![Phase 1 Settings +.PNG](/public/imported_attachments/1/Phase 1 Settings +.PNG)
      ![Phase 2 Settings.PNG](/public/imported_attachments/1/Phase 2 Settings.PNG)
      ![pfSense overview.PNG](/public/imported_attachments/1/pfSense overview.PNG)
      ![pfSense Status.PNG](/public/imported_attachments/1/pfSense Status.PNG)
      ![Windows 10 Status.jpg](/public/imported_attachments/1/Windows 10 Status.jpg)

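The complete client-side procedure from the post above, as an added example that is not part of the original post: it creates the Windows 10 IKEv2 connection, applies the hardened proposals and then reads the policy back so nothing weak is left. The connection name and server address are assumptions; the "Eap" authentication method is assumed to default to EAP-MSCHAPv2, which is what the pfSense EAP-MSCHAPv2 recipe expects.

```powershell
# Added example, not from the original post. Names and addresses are assumptions.
$Name     = "pfSense IKEv2"      # assumed connection name
$Server   = "vpn.example.com"    # assumed pfSense WAN name; must match the server certificate
$AllUsers = $false               # $true only if you want a global (all-user) profile

# Step 1: create the connection. EAP on Windows 10 is assumed to default to EAP-MSCHAPv2.
$conn = @{
    Name                 = $Name
    ServerAddress        = $Server
    TunnelType           = "Ikev2"
    AuthenticationMethod = "Eap"
    EncryptionLevel      = "Maximum"
    RememberCredential   = $true
    Force                = $true
}
if ($AllUsers) { $conn.AllUserConnection = $true }
Add-VpnConnection @conn

# Step 2: override the default proposals. -AllUserConnection must match the phone
# book the profile was created in, otherwise the cmdlet cannot find the profile.
$ipsec = @{
    ConnectionName                   = $Name
    EncryptionMethod                 = "AES256"     # IKE SA (Phase 1) cipher
    IntegrityCheckMethod             = "SHA384"     # IKE SA integrity / PRF
    DHGroup                          = "ECP384"     # IKE SA key exchange (replaces Group24)
    CipherTransformConstants         = "AES256"     # ESP (Phase 2) cipher
    AuthenticationTransformConstants = "SHA256128"  # ESP integrity: HMAC-SHA-256, 128-bit ICV
    PfsGroup                         = "ECP384"     # PFS group for the child SA
    PassThru                         = $true
    Force                            = $true
}
if ($AllUsers) { $ipsec.AllUserConnection = $true }
Set-VpnConnectionIPsecConfiguration @ipsec

# Step 3: read the custom policy back and check for anything weak before connecting.
$policy = (Get-VpnConnection -Name $Name -AllUserConnection:$AllUsers).IPsecCustomPolicy
$policy | Format-List

$weak  = @("DES", "DES3", "MD5", "MD596", "SHA1", "SHA196",
           "Group1", "Group2", "Group24", "PFS1", "PFS2", "PFS24")
$used  = @($policy.EncryptionMethod, $policy.IntegrityCheckMethod, $policy.DHGroup,
           $policy.CipherTransformConstants, $policy.AuthenticationTransformConstants,
           $policy.PfsGroup)
$found = $used | Where-Object { $weak -contains $_ }
if ($found) { Write-Warning "Weak algorithm still configured: $($found -join ', ')" }
else        { Write-Host "IPsec policy for '$Name' contains no 3DES/SHA1/weak DH groups." }
```

The same $AllUsers switch drives both cmdlets, so a per-user profile is never queried through the all-user phone book (and vice versa). The pfSense Phase 1 and Phase 2 proposals still have to contain exactly these algorithms, or the IKE_SA_INIT / CREATE_CHILD_SA exchange fails with NO_PROPOSAL_CHOSEN.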
      • T
        TomT

        Thanks for this guide.
        I tried setting it up yesterday but got an error when applying the PowerShell settings.

        It kept complaining it couldn't find the VPN profile in the address book.
        Yet I had set the correct name for the VPN I created. Any idea how to fix it?

        Thanks

        • ?
          A Former User

          Hi Tom

          Try leaving out the "-AllUserConnection" param, because if you didn't create an "all-user connection" this switch will look in the wrong connection list (sort of).

          greetings

          • T
            TomT

            Thanks I'll try this and let you know how I get on.

            I have a couple of specific IPSEC questions.. I'll open a new thread for those.

            • T
              TomT

              Thanks, removing '-AllUserConnection' worked and now I can connect.

              Daft question: does the 'Virtual Address Pool' have to be in a range on the pfSense box?
              Currently I've added 172.16.100.0/24 there, but no interface on the pfSense has that range.

              From the PC I'm unable to ping anything on the pfSense, and from the pfSense I can't ping the PC... so the connection drops after one minute.

              Can you point me in the right direction.

              • T
                TomT

                :-[ Just realised I'm doing this on a test pfSense, not my live one, so the IP address I was trying to ping was wrong.

                Once the VPN is active I can ping the test pfSense box and a client in that IP range. The connection seems stable for the last few minutes.

                Couple of queries…

                Should I be able to ping the VPN user from the LAN or the pfSense box? I can't.

                When the VPN is connected, the VPN user doesn't have internet access. If I remove 'use default gateway on remote computer' then they do get internet access, but nothing across the VPN.
                Is it possible to have VPN traffic go across the VPN, but other traffic go out via the VPN user's own internet?

                Thanks

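The split-tunnel setup asked about in the last post, as an added example that is not part of the thread: it turns off "use default gateway on remote network" for the Windows client and adds explicit routes for the networks behind pfSense, so only that traffic enters the tunnel. The connection name and the 192.168.1.0/24 LAN prefix are assumptions; the pfSense Phase 2 network must still cover whatever prefixes are added here.

```powershell
# Added example, not from the thread. Connection name and LAN prefix are assumptions.
$Name           = "pfSense IKEv2"          # assumed connection name
$RemotePrefixes = @("192.168.1.0/24")      # assumed LAN(s) behind pfSense that should use the tunnel

# Split tunneling is the PowerShell side of unticking "use default gateway on remote network":
# the client's own default route stays on its local internet connection.
Set-VpnConnection -Name $Name -SplitTunneling $true -Force

# With split tunneling on, Windows only routes what is bound to the connection,
# so every remote network has to be added explicitly.
foreach ($prefix in $RemotePrefixes) {
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -PassThru
}

# Show the classless routes that will be installed while the VPN is up.
(Get-VpnConnection -Name $Name).Routes | Format-Table DestinationPrefix, RouteMetric
```

Run this before connecting; the routes are installed on the VPN interface when the connection comes up and removed when it drops. For an all-user profile, add -AllUserConnection to each cmdlet, exactly as with the IPsec configuration earlier in the thread.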
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.