Mr-Tbone / AoV


General Error When Using High Security IPSec Settings #3

Closed walkeritgtech closed 6 months ago

walkeritgtech commented 9 months ago

Hello,

Thanks for all the work here, this has been useful in our lab environment for testing different settings.

We receive a general error when attempting to use the following cryptography settings, but are able to set them afterwards with PowerShell's Set-VPNConnectionIPSecConfiguration. This is on Windows 11 23H2, running January's 2023 CU.

      <CryptographySuite>
         <AuthenticationTransformConstants>GCMAES256</AuthenticationTransformConstants>
         <CipherTransformConstants>GCMAES256</CipherTransformConstants>
         <EncryptionMethod>GCMAES256</EncryptionMethod>
         <IntegrityCheckMethod>SHA384</IntegrityCheckMethod>
         <DHGroup>ECP384</DHGroup>
         <PfsGroup>ECP384</PfsGroup>
      </CryptographySuite>

Running the script with lesser settings is successful. These settings work, for example:

      <CryptographySuite>
         <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
         <CipherTransformConstants>AES128</CipherTransformConstants>
         <EncryptionMethod>AES128</EncryptionMethod>
         <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
         <DHGroup>Group14</DHGroup>
         <PfsGroup>PFS2048</PfsGroup>
      </CryptographySuite>

Here's the debug output when it fails; unfortunately, it's the dreaded general error.

2024-02-05,18:02:38,Start,Starting script WalkerITGTest-AoV-User-Tunnel with installtype: Install option set
2024-02-05,18:02:38,Info,Skipped to get Currentversion from registry due to not exist, setting 0.0.0.0 as version
2024-02-05,18:02:38,Info,Success to start execute script with Installed version: 0.0.0.0, Script version: 1.6.2303.1, Installtype: Install
2024-02-05,18:02:38,info,Success to enumerate Username from WMI to @{username=TEST\vpntest}.
2024-02-05,18:02:38,info,Success to enumerate Username: vpntest and SID: S-1-5-21-1903627400-982974822-0123456789-4616
2024-02-05,18:02:38,Info,Success to verify credentials, The script is running as admin with the current user credentials
2024-02-05,18:02:38,Info,Success to verify the service dmwappushservice, it is already running
2024-02-05,18:02:38,Info,Success to connect CSP over WMI bridge
2024-02-05,18:02:38,Info,Success to disconnect VPN Tunnel WalkerITG AoV User Tunnel
2024-02-05,18:02:38,Info,Success to enumerate existing VPN Tunnels with CSP over WMI
2024-02-05,18:02:38,Info,Skipped to delete VPN Tunnels with CSP over WMI, No VPN Tunnel found
2024-02-05,18:02:38,Info,Skipped to delete VPN Tunnel WalkerITG AoV User Tunnel with PowerShell, no VPN tunnel exist
2024-02-05,18:02:38,Info,Success to get MDM Tracking from registry
2024-02-05,18:02:38,Info,Skipped to delete MDM Tracking from registry, does not exist
2024-02-05,18:02:38,Info,Success to get NetworkList from registry
2024-02-05,18:02:38,Info,Skipped to delete NetworkList from registry, does not exist
2024-02-05,18:02:38,Info,Success to get AutoTriggerDisabledProfilesList from registry
2024-02-05,18:02:38,Info,Skipped to remove AutoTriggerDisabledProfilesList from registry, key does not exist
2024-02-05,18:02:38,Error,Failed to create VPN Profile WalkerITG AoV User Tunnel with error: A general error occurred that is not covered by a more specific error code.

What's weird is that I can set it afterwards just fine using PowerShell, as noted. Is this a continuation of the CSP problems on Win11 or something else?

Happy to provide any further information or testing, thanks again for all the work on this.
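The two-step workaround described in the report (let the script create the profile with a suite the CSP accepts, then raise it to the GCMAES256/SHA384/ECP384 suite with Set-VpnConnectionIPsecConfiguration), written out as an added example that is not part of the AoV project or the reporter's own script. It assumes the connection name from the log above and an elevated session; rather than trusting the cmdlet's silence, it re-reads the effective IPsec policy and fails if any parameter did not take.

```powershell
# Added example, not AoV project code. Assumes the VPN profile already exists
# (created by the AoV script with the weaker suite) under the name from the log.
function Set-StrongIPsecSuite {
    param(
        [Parameter(Mandatory)] [string] $ConnectionName,
        [switch] $AllUserConnection   # set for device/all-user tunnels
    )

    # The suite from the issue that the CSP path rejects with a general error:
    # AES-256-GCM for ESP, SHA-384 IKE integrity, ECP384 for DH and PFS.
    $Desired = @{
        AuthenticationTransformConstants = 'GCMAES256'
        CipherTransformConstants         = 'GCMAES256'
        EncryptionMethod                 = 'GCMAES256'
        IntegrityCheckMethod             = 'SHA384'
        DHGroup                          = 'ECP384'
        PfsGroup                         = 'ECP384'
    }

    # Fail early if the profile the script was supposed to create is missing.
    Get-VpnConnection -Name $ConnectionName -AllUserConnection:$AllUserConnection -ErrorAction Stop | Out-Null

    $target = @{ ConnectionName = $ConnectionName }
    if ($AllUserConnection) { $target.AllUserConnection = $true }

    # -Force suppresses the confirmation prompt; errors are terminating so a
    # rejected parameter stops here instead of leaving a half-applied policy.
    Set-VpnConnectionIPsecConfiguration @target @Desired -Force -ErrorAction Stop

    # Verify: compare the effective custom policy against what was requested.
    $policy = (Get-VpnConnection -Name $ConnectionName -AllUserConnection:$AllUserConnection).IPsecCustomPolicy
    $mismatch = foreach ($k in $Desired.Keys) {
        if ("$($policy.$k)" -ne $Desired[$k]) {
            "$k is '$($policy.$k)', expected '$($Desired[$k])'"
        }
    }
    if ($mismatch) { throw "IPsec policy verification failed: $($mismatch -join '; ')" }
    $policy
}

# Usage (name taken from the log in the report):
Set-StrongIPsecSuite -ConnectionName 'WalkerITG AoV User Tunnel'
```

Run it after the AoV script has finished, while the tunnel is disconnected; a thrown verification error means the CSP-created profile still carries the weaker suite.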

Mr-Tbone commented 6 months ago

Yes, this is correct. It is a bug in the CSP, and I have no idea if and when it will be solved.