Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Windows cipher support

About the relatively weak default ciphers in Windows, and alternatives.

By default, Microsoft supports Diffie-Hellman Group 2 for the key exchange process with a client. In general, cyber-security experts consider this to be weak; and the industry is also on a trend away from SHA1.

At present, Microsoft does not provide a way for us to increase the strength of the ciphers that we use through the VPN GUI. Instead, we must use VpnClient cmdlets to configure stronger algorithms through Powershell.

RA VPN server negotiation example

An example of how the RA VPN server will respond where: (1) the Windows 10 client uses the default algorithms to negotiate, (2) the RA VPN server uses the strong algorithms that we recommend.

# Security Ciphers Proposed by Windows 10
 received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/H
MAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192
84/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IK
_256/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_1024
# Security Ciphers Configured on RA VPN Server
 configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256  
 remote host is behind NAT
 received proposals unacceptable                         # Mismatch in Proposals so negotation fails
 generating IKE_SA_INIT response 0 [ N(NO_PROP) ]