IPSec Roadwarrior Windows 10 clients

Thank you IPFire!
During the early stages of the pandemic we all had to work remotely.
Although we are a small company in a niche market and just a handful of people, we couldn’t stop supporting our customers in healthcare. Today I can say IPFire saved us and saved lives.
Luckily we had moved to IPFire completely unaware of what was coming.

OpenVPN was relatively easy to setup but somehow wasn’t working fine for all of us during the early stages of the pandemic. We decided to try the IPSec.
It was a learning curve has we followed the Roadwarrior guide as much as possible!
IPSec is faster and more stable.

But the question remains, is it secure? Have we used right options?
IPSec is more complex and powerful but that makes it prone to mistakes and ignorance.
Looks like windows clients use broken ciphers by default.
Does anyone know what has to be done?

PS. A review of that roadwarrior guide would be a pandemic friendly move with so many people working from home and companies desperate for solutions.

Hello. In my case it was just the other way round. I wasn’t able to get IPSEC up and running on Windows 10 clients. So I tried OpenVPN and it worked flawlessly. I can choose the best possible encryption options and all roadwarriors can connect. Even a site-to-site tunnel between two branches runs 24/7. However, I prefer to use built-in features of Windows to keep the clients lean and fast so I would love to try out IPSEC. So if you can write how you managed to get it up and running, that would be a great help.
And if you write where your problems were with OpenVPN then I might be able to help you.

AFAIK
IPSec RoadWarrior for IpFire is a no-go. Period.
L2TP also not provided.

Therefore, RoadWarrior = OpenVPN.

AFAIK again, BuiltIn IPSec Client of Windows is quite a PITA to configure, i’m trying to play with ShrewSoft client and a Zyxel Appliance, with no luck.
Zyxel IPSec client is a badge engineer of GreenBow, which now manages OpenVPN And IPSec if needed. GreenBow is not cheap, but Zyxel is again a bit more expensive.

Therefore, OpenVPN Connect (app style) and OpenVPN Client (software style) seems a nice way to manage the connection.

Thanks for the feedback.
I was a OpenVPN user since years until it failed with some of my colleagues.
Never understood why it failed so badly.
Although 8 users doesn’t look much.
Perhaps the load of more simultaneous users.
The internet was a mess back in Mar/ Apr.
That didn’t help either.
Considering both your comments I might give OpenVPN another try.

Nevertheless, I followed the IPSec Roadwarrior guide step by step.

Step 1 - Global IPSec Settings
Step 2 - Generate certificates
Step 3 - Create the Connection on IPFire
Local Subnet 192.68.0.0/255.255.255.0
Fill in the form to generate the device certificate

“Keyexchange”: Select “IKEv2”
• “Encryption”: Select “256 bit AES-CBC”, “192 bit AES-CBC”, and “128 bit AES-CBC”
• “Integrity”: Select “SHA2 512 bit”, “SHA2 256 bit”, and “SHA1 (Weak)” (NOTE: SHA1 should not be used, but Windows 10 does not support SHA2 by default. Powershell can be used to allow the use of SHA2. When I have a chance I will revisit this article and revise to remove this cipher)
• “Grouptype”: Select “MODP-2048” and “MODP-1024 (Broken)” (NOTE: MODP-1024 should not be used, but Windows 10 does not support strong encryption by default. Powershell can be used to enable better encryption.

The advanced settings aren’t sufficiently documented.
I assumed the settings are the same for both sections IKE and ESP.
Only works without breaking every 45 min. if we enable ESP grouptype -none-.
Lifetime, DPD and other settings aren’t clear for me.

ie. I only managed to get a stable connection with ESP “none” enabled.

Step 5 - Install the certificate on the Windows PC
Step 6 - Create the connection in Windows

In regard to windows 10 I found this instructions but no further details.
AES-256-CBC and MODP2048
By default, the Windows Agile VPN Client only offers AES-128-CBC, AES-192-CBC, AES-256-CBC, 3DES, SHA-1,SHA-256, SHA-384 and MODP-1024.
By creating and setting the following registry key as a DWORD key, support for MODP2048 can be enabled, disabled or enforced.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256
The values that can be used are 0, 1 or 2. The table tells you what the values mean.
value
meaning
0 (default)
disable AES-256-CBC and MODP-2048
1
Enable AES-256-CBC and MODP-2048
2
Enforce the usage of AES-256-CBC and MODP-2048

By using the Set-VpnConnectionIPsecConfiguration PowerShell cmdlet it is possible to use even more algorithms like AES-GCM and ECP DH groups (at least on Windows 10). The VPN connection may be added in the GUI or via “Add-VpnConnection” cmdlet.

It’s a pity the person who contributed with the IPSec guide didn’t have time to finish it.

From what I read so far it doesn’t look sufficient to be secure using IPSec.

Thank you