White papers

Getting started Overview Architecture Supported platforms Release notes White papers

Getting started Overview Architecture Supported platforms Release notes White papers

Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

White papers

White papers On this page:

Migrating OpenVPN to IPsec VPN (IKEv2)

IPsec use case: Remote access VPN (RA VPN)

IPsec RA VPN clients

IPsec RA VPN client (Windows 10)

Windows cipher support

Windows cipher support

About the relatively weak default ciphers in Windows, and alternatives.

By default, Microsoft supports Diffie-Hellman Group 2 for the key exchange process with a client. In general, cyber-security experts consider this to be weak; and the industry is also on a trend away from SHA1.

At present, Microsoft does not provide a way for us to increase the strength of the ciphers that we use through the VPN GUI. Instead, we must use VpnClient cmdlets to configure stronger algorithms through Powershell.

RA VPN server negotiation example

An example of how the RA VPN server will respond where: (1) the Windows 10 client uses the default algorithms to negotiate, (2) the RA VPN server uses the strong algorithms that we recommend.

# Security Ciphers Proposed by Windows 10
 received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/H
MAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192
/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_3
84/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IK
E:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16
_256/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_1024
# Security Ciphers Configured on RA VPN Server
 configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256  
 remote host is behind NAT
 received proposals unacceptable                         # Mismatch in Proposals so negotation fails
 generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

Last updated: June 29, 2022

Related Articles:

Helpful Links

Key Resources

Get Started An introduction to the Ciena Vyatta NOS

The Vyatta NOS Overview Get to know more about how Vyatta NOS is the best solution

Vyatta NOS Architecture Overview An overview of the Vyatta NOS system architecture

Troubleshooting Guide Identify common issues with your configuration and network setup

Copyright © 2023 Ciena Corporation. All rights reserved