Hi!
I began experimenting with our Roadwarrior VPN connections and some of the IPSec features just won't work.
I have a working configuration now, but it doesn't have the maximum security possible between Mikrotik and Windows 10 VPN.
I created and signed the EC keys and installed the remote key on my Windows machine.
Right now the configuration is this:
Mikrotik:
- Auth. Algorithm: SHA256
- Encr. Algorithm: AES-256-CBC
- PFS Group: ECP256
- Hash Algorithms: SHA256
- Encryption Algorithm: AES-256
- DH Group: ECP256
Windows:
- AuthenticationTransformConstants SHA256128
- CipherTransformConstants AES256
- EncryptionMethod AES256
- IntegrityCheckMethod SHA256
- PfsGroup ECP256
- DHGroup ECP256
This is the working configuration. Everything works as expected, the authentication is lightning fast and the connection speed is really good.
But I want to reach the maximum available security on Windows 10, which would be:
- AuthenticationTransformConstants SHA256128
- CipherTransformConstants AES256
- EncryptionMethod GCMAES256
- IntegrityCheckMethod SHA256
- PfsGroup ECP384
- DHGroup ECP384
On Mikrotik:
- Auth. Algorithm: SHA256
- Encr. Algorithm: AES-256-GCM
- PFS Group: ECP384
- Hash Algorithms: SHA256
- Encryption Algorithm: AES-256
- DH Group: ECP384
For some reason it won't work. I generated the new keys with SECP384r1 and installed the remote key on the machine.
With only the GCMAES256 settings on I get an “Invalid payload received” error message on the Windows machine.
With only the ECP384 settings on I get an “Internet key exchange credentials cannot be accepted” error message on the Windows machine.
I can't figure out why. I recreated the key many times but it won't work. My CCR1016 is on 6.45.8 firmware.
Thanks for your help!
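Added example (not from the post, MikroTik or Microsoft): a PowerShell snippet that applies the target Windows-side profile listed above with the built-in Set-VpnConnectionIPsecConfiguration cmdlet, with comments showing which MikroTik profile or proposal setting each parameter has to agree with, plus a pre-check for the GCM pairing Windows expects in the ESP constants. The connection name is a placeholder.

```powershell
# Added example: apply the Windows-side IKEv2/IPsec profile from the post and
# sanity-check it first. Parameter names and values are those of the built-in
# Set-VpnConnectionIPsecConfiguration cmdlet; the connection name is a placeholder.
$ConnectionName = 'Roadwarrior-Example'   # placeholder, use your VPN profile name

# Each parameter belongs to one negotiation stage and must match the
# corresponding MikroTik object, not the other one:
#   IKE SA (phase 1): EncryptionMethod, IntegrityCheckMethod, DHGroup
#                     -> /ip ipsec profile  enc-algorithm, hash-algorithm, dh-group
#   Child SA (ESP):   CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
#                     -> /ip ipsec proposal enc-algorithms, auth-algorithms, pfs-group
$Target = @{
    EncryptionMethod                 = 'GCMAES256'   # IKE SA cipher
    IntegrityCheckMethod             = 'SHA256'      # IKE SA integrity / PRF
    DHGroup                          = 'ECP384'      # IKE SA key exchange group
    CipherTransformConstants         = 'AES256'      # ESP cipher
    AuthenticationTransformConstants = 'SHA256128'   # ESP integrity
    PfsGroup                         = 'ECP384'      # ESP rekey (PFS) group
}

function Test-IPsecProfile {
    param([hashtable]$P)
    $problems = @()
    # GCM is an AEAD transform: when the ESP cipher is GCMAES*, Windows expects
    # the identical GCMAES value in AuthenticationTransformConstants as well.
    $gcmCipher = $P.CipherTransformConstants -like 'GCMAES*'
    $gcmAuth   = $P.AuthenticationTransformConstants -like 'GCMAES*'
    if (($gcmCipher -ne $gcmAuth) -or
        ($gcmCipher -and ($P.CipherTransformConstants -ne $P.AuthenticationTransformConstants))) {
        $problems += 'ESP: a GCMAES cipher must be paired with the same GCMAES authentication constant.'
    }
    # Different curve sizes per stage are legal but must be mirrored separately
    # in the MikroTik profile (dh-group) and proposal (pfs-group).
    if ($P.DHGroup -ne $P.PfsGroup) {
        $problems += "IKE DHGroup ($($P.DHGroup)) and ESP PfsGroup ($($P.PfsGroup)) differ; set profile and proposal independently on the peer."
    }
    return $problems
}

$issues = Test-IPsecProfile -P $Target
$issues | ForEach-Object { Write-Warning $_ }

# Apply the profile and read back the effective values (-Force skips the prompt).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName @Target -Force -PassThru |
    Format-List EncryptionMethod, IntegrityCheckMethod, DHGroup,
                CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
```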