richardhicks / aovpn

PowerShell scripts and sample ProfileXML files for configuring Windows 10 Always On VPN
MIT License

CryptographySuite in ProfileXML_Device applies wrong EncryptionMethod #15

Closed HomeJeroen closed 2 years ago

HomeJeroen commented 2 years ago

When we deploy the Always On VPN Device Tunnel with the ProfileXML_Device.xml and include in that file the CryptographySuite as follows:

<CryptographySuite>
   <AuthenticationTransformConstants>GSMAES128</AuthenticationTransformConstants>
   <CipherTransformConstants>GCMAES128</CipherTransformConstants>
   <EncryptionMethod>GCMAES128</EncryptionMethod>
   <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
   <DHGroup>Group14</DHGroup>
   <PfsGroup>ECP256</PfsGroup>
</CryptographySuite>

The setting EncryptionMethod is not applied correctly (at this moment only on Windows 10 21H2, not tested on Windows 11 yet). Instead of applying EncryptionMethod GCMAES128 it changes it to DES. All other settings are applied correctly.

Is this a bug or something else?

richardhicks commented 2 years ago

Correct. This is a bug. It happens when you set the NativeProtocolType to 'Automatic' and specify custom cryptography settings. Microsoft has acknowledged it but won't fix it for some reason. The workaround is to set the NativeProtocolType to 'IKEv2' and then import the XML. Later you can adjust the VpnStrategy value to use SSTP (or prefer SSTP) in rasphone.pbk accordingly.

Details here: https://directaccess.richardhicks.com/2019/01/07/always-on-vpn-ikev2-connection-failure-error-code-800/.

JeroenTuinstra commented 2 years ago

I have actually set the protocol to IKEv2 for NativeProtocolType. And it registers everything except EncryptionMethod, which it changes from GCMAES128 to DES. I guess this is part of the bug - solving it would mean a manual override on each computer?

richardhicks commented 2 years ago

Ok, thanks for the clarification. The issue here is that your syntax is incorrect. Inexplicably, Microsoft uses AES_GCM_128 as the format for the encryption method. Go figure. ;)

Take a close look at the available settings in VPNv2/ProfileName/NativeProfile/CryptographySuite/EncryptionMethod. Not very intuitive, I know. :)

https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp

HomeJeroen commented 2 years ago

Thank you very much for this explanation. Will try this out with the new syntax. In your book it still has the old syntax.

HomeJeroen commented 2 years ago

Unfortunately that didn't work. I used the "new" syntax, but now it doesn't apply any correct settings. This is <NativeProfile> section of the ProfileXML_Device.xml:

<NativeProfile>
      <Servers>vpn.conteso.com</Servers>
      <!-- Only SplitTunnel routing policy is supported for the Always On VPN device tunnel. Force tunneling is explicitly not supported. -->
      <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
      <!-- Only IKEv2 is supported for use with the Always On VPN device tunnel. -->
      <NativeProtocolType>IKEv2</NativeProtocolType>
      <!-- Only machine certificate authentication is supported for the Always On VPN device tunnel. -->
      <Authentication>
         <MachineMethod>Certificate</MachineMethod>
      </Authentication>
      <!-- This setting is optional but recommended. -->
      <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
      <CryptographySuite>
         <AuthenticationTransformConstants>GSMAES128</AuthenticationTransformConstants>
         <CipherTransformConstants>GCMAES128</CipherTransformConstants>
         <EncryptionMethod>AES_GCM_128</EncryptionMethod>
         <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
         <DHGroup>Group14</DHGroup>
         <PfsGroup>ECP256</PfsGroup>
      </CryptographySuite>
   </NativeProfile>

The resulting IPSecCustomPolicy is:

AuthenticationTransformConstants : MD596
CipherTransformConstants         : 
DHGroup                          : None
IntegrityCheckMethod             : MD5
PfsGroup                         : None
EncryptionMethod                 : DES

HomeJeroen commented 2 years ago

Solved it, there was a typo in the <AuthenticationTransformConstants>: it said GSMAES128, which should have been GCMAES128. My fault - the XML is working perfectly now.

richardhicks commented 2 years ago

Glad you got it sorted out. Not good that it's wrong in my book, though! I will investigate that and add it to the errata for sure.

richardhicks commented 2 years ago

I'm not able to locate the syntax error in the book. Can you tell me where you saw this exactly?

HomeJeroen commented 2 years ago

Sorry, you are absolutely right. You actually don't provide these settings in the book. And in the XML file that you provide here through GitHub you have as an example only the AES128 settings. So the fault is completely on my side and I made the assumption that I got the settings from the book; I just assumed that since the PowerShell command does use GCMAES128 for -EncryptionMethod, it would be the same in the XML - that was the connection with the book.

Thanks for your quick responses and especially the interaction with your readers and users - I haven't come across that anywhere or with anyone else before. A big thanks for that, you've saved several years of my life and many hairs on my head. Thanks!

richardhicks commented 2 years ago

Thanks for the clarification! BTW, PowerShell does use the syntax 'GCMAES128', which makes that really confusing. Not sure who decided to change things up for XML. ;)
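To catch this class of mistake before a profile is pushed to clients, here is an added example (not part of the aovpn project) that lints the CryptographySuite block of a ProfileXML: it flags any value outside the VPNv2 CSP lists and points out when the PowerShell spelling (GCMAES128) was used for EncryptionMethod where the XML wants AES_GCM_128. The allowed-value sets are transcribed from my recollection of the VPNv2 CSP page linked above, so confirm them against the doc; the sample profiles are constructed from this thread.

```python
import xml.etree.ElementTree as ET

# Allowed values per VPNv2/ProfileName/NativeProfile/CryptographySuite/* (assumed from the
# VPNv2 CSP documentation; verify against the doc before relying on them).
ALLOWED = {
    "AuthenticationTransformConstants": {"MD596", "SHA196", "SHA256128", "GCMAES128", "GCMAES192", "GCMAES256"},
    "CipherTransformConstants": {"DES", "DES3", "AES128", "AES192", "AES256", "GCMAES128", "GCMAES192", "GCMAES256"},
    "EncryptionMethod": {"DES", "DES3", "AES128", "AES192", "AES256", "AES_GCM_128", "AES_GCM_256"},
    "IntegrityCheckMethod": {"MD5", "SHA196", "SHA256", "SHA384"},
    "DHGroup": {"Group1", "Group2", "Group14", "ECP256", "ECP384", "Group24"},
    "PfsGroup": {"PFS1", "PFS2", "PFS2048", "ECP256", "ECP384", "PFSMM", "PFS24"},
}
# PowerShell (-EncryptionMethod) spells the GCM modes differently from the XML element.
PS_TO_XML_ENCRYPTION = {"GCMAES128": "AES_GCM_128", "GCMAES256": "AES_GCM_256"}


def lint_cryptography_suite(profile_xml: str) -> list:
    """Return (element, value, message) findings; an empty list means the suite is clean."""
    root = ET.fromstring(profile_xml)
    suite = root.find(".//NativeProfile/CryptographySuite")
    if suite is None:
        return [("CryptographySuite", "", "element not found under NativeProfile")]
    findings = []
    for child in suite:
        value = (child.text or "").strip()
        allowed = ALLOWED.get(child.tag)
        if allowed is None:
            findings.append((child.tag, value, "unknown element"))
        elif value not in allowed:
            hint = ""
            if child.tag == "EncryptionMethod" and value in PS_TO_XML_ENCRYPTION:
                hint = f"; PowerShell spelling, use {PS_TO_XML_ENCRYPTION[value]} in XML"
            findings.append((child.tag, value, "not an allowed value" + hint))
    return findings


def _profile(auth: str, enc: str) -> str:
    """Constructed minimal ProfileXML around the suite from this thread."""
    return f"""<VPNProfile><NativeProfile><NativeProtocolType>IKEv2</NativeProtocolType>
<CryptographySuite>
   <AuthenticationTransformConstants>{auth}</AuthenticationTransformConstants>
   <CipherTransformConstants>GCMAES128</CipherTransformConstants>
   <EncryptionMethod>{enc}</EncryptionMethod>
   <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
   <DHGroup>Group14</DHGroup>
   <PfsGroup>ECP256</PfsGroup>
</CryptographySuite></NativeProfile></VPNProfile>"""


BROKEN_SUITE = _profile("GSMAES128", "GCMAES128")  # the first post: typo plus PowerShell spelling
FIXED_SUITE = _profile("GCMAES128", "AES_GCM_128")  # the corrected suite
```

Running `lint_cryptography_suite(BROKEN_SUITE)` reports both the GSMAES128 typo and the GCMAES128 EncryptionMethod, while the fixed suite returns no findings.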

HomeJeroen commented 2 years ago

Well, Microsoft, among other companies, has cost me many years and hair ;-)