Appendixes

Shortcuts

Connection Panel

  Esc           Closes the window.
  Ctrl+Enter    Opens the Configuration Panel (main interface).
  Arrow keys    The Up and Down arrow keys select a VPN connection.
  Ctrl+O        Opens the selected VPN connection.
  Ctrl+W        Closes the selected VPN connection.

VPN configuration tree

  F2            Edits the name of the selected phase.
  Del           Deletes the selected phase, following confirmation by the user.
                If the VPN configuration itself (the root of the tree) is selected, the software asks whether a full reset of the configuration should be performed.
  Ctrl+O        Opens the corresponding VPN tunnel if a Child SA is selected.
  Ctrl+W        Closes the corresponding VPN tunnel if a Child SA is selected.
  Ctrl+C        Copies the selected phase to the clipboard.
  Ctrl+V        Pastes (adds) the phase previously copied to the clipboard.
  Ctrl+N        Creates a new IKE Auth if the VPN configuration is selected, or a new Child SA if an IKE Auth is selected.
  Ctrl+S        Saves the VPN configuration.

Configuration Panel

  Ctrl+Enter    Switches to the Connection Panel.
  Ctrl+D        Opens the Console window with VPN traces.
  Ctrl+Alt+R    Restarts the IKE service.
  Ctrl+Alt+T    Enables trace mode (log generation).
  Ctrl+S        Saves the VPN configuration.

Administrator logs

Log ID (define)             Value   Severity        Log string
LOGID_STARTERINIT           1001    Notice          Starter service is started.
LOGID_VPNCONFSTARTING       2001    Notice          GUI is starting.
LOGID_VPNCONFSTOPPED        2002    Notice          GUI has closed.
LOGID_TGBIKESTARTED         3001    Notice          IKE has started (status %d).
LOGID_TGBIKESTOPPED         3002    Notice          IKE has stopped.
LOGID_TUNNELOPEN            3004    Info            Tunnel %s is asked to open.
LOGID_VPNCONFCRASHED        2003    Notice          GUI crashed (state %d).
LOGID_TGBIKECRASHED         3003    Notice          IKE crashed (state %d).
LOGID_STARTERSTOP           1002    Notice          Starter service is stopped.
LOGID_RESETIKE              2007    Warning         IKE is asked to reset.
LOGID_VPNCONFSTARTED        2008    Notice          GUI has started from user %s.
LOGID_VPNCONFSTOPPING       2009    Notice          GUI is stopping from user %s.
LOGID_VPNCONFLOADERROR      2010    Error           Configuration couldn’t load (reason: %s).
LOGID_VPNCONFOPENTUNNEL     2011    Info            GUI opens tunnel (source: %s).
LOGID_VPNCONFCLOSETUNNEL    2012    Info            GUI closes tunnel (source: %s).
LOGID_VPNCONFSAVE           2013    Notice          New configuration is saved.
LOGID_VPNCONFIMPORT         2014    Info            %s has been imported.
LOGID_VPNCONFIMPORTERR      2015    Error           %s could not be imported (status %d).
LOGID_VPNCONFEXPORT         2016    Info            %s has been exported.
LOGID_TOKENINSERT           2017    Info            Token %s has been inserted.
LOGID_TOKENEXTRACT          2018    Info            Token %s has been extracted.
LOGID_USBINSERT             2019    Info            USB Key has been inserted.
LOGID_USBEXTRACT            2020    Info            USB Key has been extracted.
LOGID_INSTALLATION          2021    Info            VPN running for the 1st time.
LOGID_UPDATE                2022    Info            VPN software has been updated to version %s.
LOGID_VERSION               2023    Info            VPN Version is %s.
LOGID_GINASTARTED           4001    Notice          GINA has started.
LOGID_GINASTOPPING          4002    Notice          GINA is stopping.
LOGID_GINAOPENTUNNEL        4003    Info            GINA opens tunnel (source: %s).
LOGID_GINACLOSETUNNEL       4004    Info            GINA closes tunnel (source: %s).
LOGID_TUNNELAUTH_OK         3005    Info            Tunnel authentication Ok (%s).
LOGID_TUNNELTRAFIC_OK       3006    Info            Tunnel %s Ok
LOGID_TUNNELAUTH_NOK        3007    Error           Tunnel authentication failed (reason %d).
LOGID_TUNNELTRAFIC_NOK      3008    Error           Tunnel %s failed (reason %d).
LOGID_AUTHREKEYING          3009    Info            Tunnel %s initiated rekey (source %d).
LOGID_AUTHREKEYED           3010    Info            Tunnel %s rekeyed.
LOGID_TUNNELREKEYING        3011    Info            Tunnel %s initiated rekey (source %d).
LOGID_TUNNELREKEYED         3012    Info            Tunnel %s rekeyed.
LOGID_PINCODE               3013    Notice/Error    Pin code is entered (status %d).
LOGID_DRIVERNOK             3014    Critical        Driver could not be loaded (status %d).
LOGID_IKEEXT_STOP           1003    Warning         IKEEXT service is stopped.
LOGID_IKEEXT_RESTART        1004    Notice          IKEEXT service is restarted.
LOGID_IKEEXT_ERROR          1005    Critical        IKEEXT could not be stopped (status %d).
SYSTEMLOGID_VIRTIFOK        3015    Info            Virtual interface created successfully (instance %d).
SYSTEMLOGID_VIRTIFNOK       3016    Error           Virtual interface could not be created (error %d).
LOGID_TUNNELCLOSED          3017    Notice          %s tunnel successfully closed (%d min).
LOGID_TUNNELCLOSED_ERR      3018    Error           %s tunnel closed unexpectedly (%d).
LOGID_CERTERROR             3019    Error           Error %d when handling certificate %s.
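The administrator log table above is a format-string catalog rather than a ready-made detection rule set. The following PowerShell is an added example and is not part of the guide or the product: it takes a security-relevant subset of the table, compiles each "%s"/"%d" log string into a regex, and maps the message text of a collected event back to its log ID and severity so that Error/Critical entries (failed tunnel authentication, driver or IKEEXT failures, certificate errors) can be surfaced for review. The guide does not show the exact line layout the client writes to its local file, the Windows Event Log or a syslog server, so only the message text is matched; the sample messages at the end are constructed for this demo and are not real client output.

```powershell
# Added example, not from the SN VPN Client Exclusive guide. Subset of the administrator log table.
$VpnAdminLogCatalog = @(
    [pscustomobject]@{ Id = 1002; Define = 'LOGID_STARTERSTOP';      Severity = 'Notice';       Template = 'Starter service is stopped.' }
    [pscustomobject]@{ Id = 1003; Define = 'LOGID_IKEEXT_STOP';      Severity = 'Warning';      Template = 'IKEEXT service is stopped.' }
    [pscustomobject]@{ Id = 1005; Define = 'LOGID_IKEEXT_ERROR';     Severity = 'Critical';     Template = 'IKEEXT could not be stopped (status %d).' }
    [pscustomobject]@{ Id = 2007; Define = 'LOGID_RESETIKE';         Severity = 'Warning';      Template = 'IKE is asked to reset.' }
    [pscustomobject]@{ Id = 2008; Define = 'LOGID_VPNCONFSTARTED';   Severity = 'Notice';       Template = 'GUI has started from user %s.' }
    [pscustomobject]@{ Id = 2015; Define = 'LOGID_VPNCONFIMPORTERR'; Severity = 'Error';        Template = '%s could not be imported (status %d).' }
    [pscustomobject]@{ Id = 3003; Define = 'LOGID_TGBIKECRASHED';    Severity = 'Notice';       Template = 'IKE crashed (state %d).' }
    [pscustomobject]@{ Id = 3005; Define = 'LOGID_TUNNELAUTH_OK';    Severity = 'Info';         Template = 'Tunnel authentication Ok (%s).' }
    [pscustomobject]@{ Id = 3006; Define = 'LOGID_TUNNELTRAFIC_OK';  Severity = 'Info';         Template = 'Tunnel %s Ok' }
    [pscustomobject]@{ Id = 3007; Define = 'LOGID_TUNNELAUTH_NOK';   Severity = 'Error';        Template = 'Tunnel authentication failed (reason %d).' }
    [pscustomobject]@{ Id = 3008; Define = 'LOGID_TUNNELTRAFIC_NOK'; Severity = 'Error';        Template = 'Tunnel %s failed (reason %d).' }
    [pscustomobject]@{ Id = 3013; Define = 'LOGID_PINCODE';          Severity = 'Notice/Error'; Template = 'Pin code is entered (status %d).' }
    [pscustomobject]@{ Id = 3014; Define = 'LOGID_DRIVERNOK';        Severity = 'Critical';     Template = 'Driver could not be loaded (status %d).' }
    [pscustomobject]@{ Id = 3018; Define = 'LOGID_TUNNELCLOSED_ERR'; Severity = 'Error';        Template = '%s tunnel closed unexpectedly (%d).' }
    [pscustomobject]@{ Id = 3019; Define = 'LOGID_CERTERROR';        Severity = 'Error';        Template = 'Error %d when handling certificate %s.' }
)

# Compile each "%s"/"%d" template into an anchored regex. Templates with fewer placeholders are
# tried first, so "Tunnel authentication failed (reason %d)." wins over "Tunnel %s failed (reason %d)."
# for a message that both could match.
$VpnAdminLogPatterns = $VpnAdminLogCatalog | ForEach-Object {
    $pattern = '^' + ([regex]::Escape($_.Template) -replace '%s', '(.+?)' -replace '%d', '(-?\d+)') + '$'
    [pscustomobject]@{
        Entry        = $_
        Regex        = [regex]$pattern
        Placeholders = [regex]::Matches($_.Template, '%[sd]').Count
    }
} | Sort-Object Placeholders, @{ Expression = { $_.Entry.Template.Length }; Descending = $true }

function Resolve-VpnAdminLogMessage {
    param([Parameter(Mandatory)][string]$Message)

    foreach ($p in $VpnAdminLogPatterns) {
        $m = $p.Regex.Match($Message.Trim())
        if (-not $m.Success) { continue }

        $severity = $p.Entry.Severity
        $action = switch -Regex ($severity) {
            '^Notice/Error$' { 'review'; break }   # pin-code outcome: look at the status value
            'Critical|Error' { 'alert';  break }
            'Warning'        { 'review'; break }
            default          { 'info' }
        }
        # IKE crashing or the starter service stopping are Notice-level in the table but
        # still worth a look on a managed workstation.
        if ($p.Entry.Id -in @(1002, 3003)) { $action = 'review' }

        return [pscustomobject]@{
            Id         = $p.Entry.Id
            Define     = $p.Entry.Define
            Severity   = $severity
            Action     = $action
            Parameters = @($m.Groups | Select-Object -Skip 1 | ForEach-Object { $_.Value })
            Message    = $Message
        }
    }
    return $null
}

function Get-VpnAdminLogReport {
    param([Parameter(Mandatory)][string[]]$Messages)
    foreach ($msg in $Messages) {
        $hit = Resolve-VpnAdminLogMessage -Message $msg
        if ($hit) { $hit }
        else { [pscustomobject]@{ Id = $null; Define = 'UNKNOWN'; Severity = ''; Action = 'triage'; Parameters = @(); Message = $msg } }
    }
}

# Constructed sample messages (not real client output).
$SampleMessages = @(
    'Tunnel authentication failed (reason 24).'
    'IKEEXT service is stopped.'
    'Driver could not be loaded (status 5).'
    'Tunnel Office-HQ Ok'
    'GUI has started from user alice.'
    'Error 3 when handling certificate CN=vpn-gw.'
)
Get-VpnAdminLogReport -Messages $SampleMessages |
    Where-Object Action -ne 'info' |
    Format-Table Id, Define, Severity, Action, Message -AutoSize
```

Messages that no template matches are reported with the action "triage" rather than dropped, so a new or reworded log string in a later client version shows up instead of silently disappearing. The two rekey entries (3009/3011 and 3010/3012) share identical log strings in the table and cannot be told apart from the message text alone, which is why they are left out of the subset.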

TrustedConnect Panel diagnostics

The TrustedConnect Panel informs the user of any issues that may have occurred while establishing the VPN connection by displaying an error code.

These error codes, their diagnosis and possible solutions are detailed below. This list allows administrators to find possible answers to any issues that users may encounter and report.

Code 0: VPN configuration issue
Diagnosis: VPN connection not found in configuration.
Solution:
  • Make sure that the tgbvpn.conf file is available in the VPN Client installation directory.

Code 1: Issue with a certificate
Diagnosis: The VPN configuration uses a certificate whose private key cannot be found.
Solution:
  • Check the VPN Client’s configuration and any possible associated authentication devices (smart card reader, token, or Windows Certificate Store).
  • Reimport the VPN configuration and then reimport the certificate concerned.
  • Create a ticket and send it to MyStormshield making sure to attach all log files.

Code 3: Configuration issue
Diagnosis: The message “No proposal chosen” has been received during an IKE exchange: the cryptographic algorithm suite configured for the IKE_SA_INIT sequence does not match the one configured on the gateway.
Solution:
  • Verify that the cryptographic algorithm suite for the IKE_SA_INIT sequence of the VPN connection matches that of the gateway (refer to IKE Auth in the Configuration Panel).

Code 4: Configuration issue
Diagnosis: The message “No proposal chosen” has been received during an IKE exchange: the cryptographic algorithm suite of the ESP protocol does not match the one configured on the gateway.
Solution:
  • Verify that the cryptographic algorithm suite of the ESP protocol (refer to the Child SA in the Configuration Panel) matches that of the gateway.

Code 5: Cannot access gateway
Diagnosis: The gateway address (“Remote Router Address”) specified in the VPN configuration is not reachable. If it is an IP address, it cannot be found or reached. If it is a DNS name, it may be inaccessible, undefined, or impossible to resolve.
Solution:
  • Check the address of the gateway/remote workstation. For example, try “pinging” this address.

Code 6: Configuration issue
Diagnosis: The message “Remote ID other than expected” has been received. This means that the value of the Remote ID does not match the value expected by the remote VPN gateway.
Solution:
  • Make sure that the Local ID parameter on the VPN client's Protocol tab matches the Remote ID of the remote gateway (or workstation).
    Caution: The Remote ID on the router is the Local ID on the VPN Client and vice versa.

Code 7: Gateway certificate
Diagnosis: Checking the certificate chain of the certificate received from the VPN gateway is enabled. The gateway certificate chain could not be validated.
Solution:
  • Check the gateway certificate expiration date.
  • Check the validity start date of the gateway certificate.
  • Check the signatures of all certificates in the certificate chain (including root certificate, intermediate certificates, and gateway certificate).
  • Check whether the CRLs of all certificate issuers in the certificate chain are up to date.
  • Make sure that none of the certificates concerned have been revoked in the corresponding CRL lists.
  • Make sure that the root certificate and all certificates in the certificate chain (root certification authority and intermediate certification authorities) are available in the Windows Certificate Store on the workstation.
  • Make sure that the CRLs of the various certification authorities are available in the Windows Certificate Store, or that these CRLs can be downloaded when the VPN connection is opened.

Code 9: No response from gateway
Diagnosis: The VPN Client has abandoned the connection, most often after several connection attempts.
Solution:
  • Check whether the gateway is still accessible from the workstation.

Code 10: Authentication issue
Diagnosis: The gateway has declined the user’s authentication credentials.
Solution:
  • Check the user certificate.
  • Check that the Local ID on the Protocol tab of the Configuration Panel matches the value and type defined on the gateway.
    Caution: The Local ID on the VPN Client is the Remote ID on the router and vice versa.
  • Check the logs on the remote gateway to get more information about this issue.

Code 13: Configuration issue
Diagnosis: An error occurred while establishing the VPN connection. Establishing the VPN connection has been abandoned.
Solution:
  • Retrieve the user log files. They must be analyzed.
  • Create a ticket and send it to MyStormshield making sure to attach all log files.

Code 14: Network configuration
Diagnosis: An error occurred while creating the virtual interface used for the VPN connection.
Solution:
  • Retrieve the user log files. They must be analyzed.
  • Create a ticket and send it to MyStormshield making sure to attach all log files.

Code 15: Network configuration
Diagnosis: The virtual IP address assigned during the VPN connection already exists on one of the workstation’s interfaces.
Solution:
  • Change the virtual IP address (VPN Client address parameter) specified in the VPN Client’s configuration.
  • Change the IP address provided by the gateway to the VPN Client.

Code 16: Network configuration
Diagnosis: An error occurred while creating the virtual interface used for the VPN connection.
Solution:
  • Retrieve the user log files. They must be analyzed.
  • Create a ticket and send it to MyStormshield making sure to attach all log files.

Code 24: Configuration issue
Diagnosis: The gateway did not accept the cryptographic algorithm suite provided by the VPN Client.
Solution:
  • Make sure that the VPN Client’s cryptographic algorithm suites match those of the gateway.
  • Check the Local ID and Remote ID.
    Warning: the Local ID on the router is the Remote ID on the VPN Client and vice versa.

Code 25: Configuration issue
Diagnosis: The gateway did not accept the remote network configured in the VPN Client or the virtual IP address provided by the VPN Client.
Solution:
  • Make sure that the virtual IP address (VPN Client address parameter) specified in the VPN Client’s configuration is acceptable at the gateway end.
  • Make sure that the remote network (Remote network address parameter) specified in the VPN Client's configuration is acceptable on the gateway end.

Code 26: Configuration issue
Diagnosis: The VPN client provides its own traffic selectors, while the gateway is configured to provide them.
Solution:
  • Check the Request configuration from the gateway parameter on the Child SA tab.

Code 27: Gateway error
Diagnosis: The gateway reported an error not supported by the VPN Client.
Solution:
  • Analyze the logs on the gateway end.
  • Retrieve the user log files. They must be analyzed.
  • Create a ticket and send it to MyStormshield making sure to attach all log files.

Code 28: Login/password error
Diagnosis: The gateway has rejected the EAP authentication while establishing the VPN connection.
Solution:
  • Check the EAP authentication parameters in the VPN Client's configuration.
  • Make sure that the user knows his or her credentials, should he or she need them while establishing the connection.

Code 30: Smart card or token error
Diagnosis: Cannot access the certificate stored on the smart card or token.
Solution:
  • Check that the smart card reader or token is correctly configured on the workstation, and that the VPN Client can access it.

Code 31: Captive portal authentication timeout expired
Diagnosis: No session has been opened on the captive portal. The workstation therefore has no internet connectivity.
Solution:
  • Click the Connect button in order to authenticate on the captive portal.

Code 100: Cannot load the VPN configuration
Diagnosis: No VPN connection has been found in the configuration file.
Solution:
  • Make sure that at least one tunnel is configured in the Connection Panel. Go to Tools > Connections Configuration, then add a tunnel and save the configuration.

Code 101: GINA configuration error
Diagnosis: A tunnel is active before logon, but has not been configured to be used by the TrustedConnect Panel.
Solution:
  • Make sure that the tunnel which is active before logon is also configured in the Connection Panel. Go to Tools > Connections Configuration, then add a tunnel and save the configuration.

Code 102: IKE initialization error
Diagnosis: An error occurred while initializing the IKE daemon.
Solution:
  • Retrieve the user log files.
  • Create a ticket and send it to MyStormshield making sure to attach all log files.

Code 103: DNS error
Diagnosis: A DNS name could not be resolved in the set of rules for the Filtering Mode.
Solution:
  • Make sure that the workstation can access the internet.
  • Make sure that the Filtering Mode does not itself block access to DNS queries.
  • Replace DNS names with IP addresses.

Code 200: Software activation
Diagnosis: The software is not activated and the trial period has expired.
Solution:
  • Retrieve the user log files.
  • Check software activation.

Basic cryptography concepts

SHA, RSA, ECDSA and ECSDSA algorithms

Digital signatures generally involve two different types of algorithms:

  • A hash algorithm (SHA: Secure Hash Algorithm)

  • A signature algorithm (RSA: initials of the three inventors, ECDSA: Elliptic Curve Digital Signature Algorithm or ECSDSA: Elliptic Curve Schnorr Digital Signature Algorithm)

The strength of RSA encryption depends on the size of the key used. With every doubling of the key length, decryption is six to seven times slower.

According to the NIST and the ANSSI, the recommended minimum key size is 2048 bits.

Hash algorithms can be attacked in either of the following two ways:

  • Hash collision

  • Preimage

A collision occurs when two distinct files produce the same hash value, making it possible to substitute one for the other.

A preimage attack consists in recovering an input that produces a given hash value. A second preimage attack starts from a known input and its hash value and produces a different input that yields the same hash value.

According to the ANSSI, the family of SHA-1 hash functions no longer complies with its general security reference system (RGS) and the SHA-2 family should therefore be used. The NIST similarly encourages US federal agencies to switch from SHA-1 to SHA-2.

The rules applied by the SN VPN Client Exclusive follow NIST and ANSSI recommendations. However, if the implemented PKI does not meet these requirements, some of these restrictions can be removed from the software using dynamic parameters.

NOTE
There are several notations in use for the SHA-2 family of algorithms. For example, SHA-2 (256 bits) is also written SHA-256, SHA-2 (384 bits) is also written SHA-384, and so on.
The same applies to elliptic curves. For example, secp256r1 is also referred to as the “P-256 curve”, secp384r1 as the “P-384 curve”, and secp521r1 as the “P-521 curve”.

Accessing certificates

CSP, CNG and PKCS#11: what are the differences?

Certificate management in Windows involves a variety of software and standards regardless of whether certificates are stored in a certificate store, on a token, or on a smart card.

NOTE
Certificates stored on smart cards or tokens are usually copied to the current user's certificate store when the card is inserted into the reader or when the token is connected to the computer.

CSP, CNG, and PKCS#11 are related concepts that all use application programming interfaces (APIs) for certificate management, but the technology implemented is different in each case.

CSP and KSP

In Windows, certificate management traditionally used independent software modules called Cryptographic Service Providers (CSPs). CSPs are the modules that actually implement the authentication, encoding, and encryption algorithms.

Today, there is a new generation of independent software modules called Key Storage Providers (KSPs). A KSP is used to create, manage, store, and retrieve private keys.

CAPI and CNG

Changing security standards have led Microsoft to deprecate the API associated with CSPs, called Cryptography API (CryptoAPI or CAPI). It has now been replaced with Cryptography API: Next Generation (CNG), which separates cryptographic service providers from key storage providers.

For this reason, version 7.2 and higher of the SN VPN Client Exclusive do not support CSPs and only support the CNG API. You therefore need to ensure that the certificate is imported into the Windows Certificate Store with the correct library (see section Determining a certificate’s container type below).

Machine store and user store

It should also be noted that there are two certificate stores in Windows:

  • The machine store that is available to all users of a machine

  • The user store that is only available to the current user of a machine

NOTE
In command lines, the -user option of the certutil command is used to specify the user store. When it is omitted, the machine store will be used by default.

PKCS#11

In cryptography, PKCS stands for Public Key Cryptography Standards. They are a set of specifications developed by RSA Security.

The PKCS#11 standard provides applications with a method of accessing hardware peripherals (smart cards or tokens), regardless of the type of device. It therefore includes an API serving as a generic interface for a device driver that supports the PKCS#11 standard. This API is supported by version 7.x of the SN VPN Client Exclusive if a corresponding middleware is installed.

Summary

In summary, there are several types of middleware used to access certificates stored on tokens, on smart cards, and in certificate stores (certmgr.msc):

  • CSP stands for Cryptographic Service Provider (deprecated and replaced with CNG): supported up to 7.x versions.

  • CNG stands for Cryptography API: Next Generation: only API supported in 7.x versions. In this case, you must import the certificate into the Windows store using the right library.

  • PKCS#11 stands for Public Key Cryptography Standards: supported by 7.x versions.

Determining a certificate’s container type

CSP and CNG are Microsoft middleware. In Windows, certificates are stored in containers of CNG or CSP type.

To find out the container used for certificates stored in the certificate store, on a token, or on a smart card, you can list the certificates contained in the (user or machine) store. The information returned specifies the provider, from which you can infer the container type (CSP or CNG). The container type then tells you whether the certificate is compatible with version 7.2 or higher of the SN VPN Client Exclusive.

  • To list the certificates contained in the user store, run the following command:

certutil -verifystore -user My

  • To list the certificates contained in the machine store, run the following command:

certutil -verifystore My

Based on the information returned, you can determine the container type as follows. If the provider (supplier) is:

  • Microsoft Smart Card Key Storage Provider, the container is of CNG type (compatible with versions 7.2 and higher)

  • Microsoft Base Smart Card Crypto Provider, the container is of CSP type (not compatible with versions 7.2 and higher)
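The two certutil commands above have to be read by eye, certificate by certificate. The following PowerShell is an added example (not the guide's or the product's own tooling): it runs the guide's own certutil -verifystore command, reads the "Provider =" line certutil prints for each certificate that has a private key, and applies the guide's rule (a Key Storage Provider is a CNG container, usable with 7.2 and higher; a "Crypto Provider" is a legacy CSP container). Each certificate is then looked up on the Cert: drive to check the key size and signature digest required under "Certificate format". It assumes English certutil output; localized Windows builds print translated labels, and the provider names it matches are the ones the guide quotes.

```powershell
# Added example, not from the SN VPN Client Exclusive guide. Wraps "certutil -verifystore [-user] My".
function Get-VpnCertificateContainerReport {
    [CmdletBinding()]
    param(
        [ValidateSet('User', 'Machine')]
        [string]$Store = 'User'
    )

    # Same commands as in the guide: "-user" selects the user store, otherwise the machine store.
    $certutilArgs = @('-verifystore')
    if ($Store -eq 'User') { $certutilArgs += '-user' }
    $certutilArgs += 'My'
    $output = & certutil.exe @certutilArgs 2>&1 | Out-String
    $drive  = if ($Store -eq 'User') { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }

    # certutil separates entries with "================ Certificate N ================".
    $blocks = $output -split '(?m)^=+\s*Certificate\s+\d+\s*=+\s*$'

    foreach ($block in $blocks) {
        # Entries without a "Cert Hash(sha1):" line are store headers or verification chatter.
        if (-not ($block -match '(?m)^\s*Cert Hash\(sha1\):\s*([0-9a-fA-F ]+?)\s*$')) { continue }
        $thumbprint = ($Matches[1] -replace ' ', '').ToUpperInvariant()
        $subject    = if ($block -match '(?m)^\s*Subject:\s*(.+?)\s*$')     { $Matches[1] } else { '' }
        $provider   = if ($block -match '(?m)^\s*Provider\s*=\s*(.+?)\s*$') { $Matches[1] } else { '' }

        # The guide's rule: a Key Storage Provider (KSP) is CNG, a Crypto Provider is a legacy CSP.
        $container = 'no private key'
        if ($provider -match 'Key Storage Provider') { $container = 'CNG' }
        elseif ($provider -match 'Crypto')           { $container = 'CSP' }
        elseif ($provider)                            { $container = 'unknown' }

        # Public-key details come from the Cert: drive; no private key is opened here.
        $cert = Get-Item -Path (Join-Path $drive $thumbprint) -ErrorAction SilentlyContinue
        $keyType = ''; $keySize = 0; $digest = ''
        if ($cert) {
            $digest = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha384ECDSA, sha1RSA
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa) { $keyType = 'RSA'; $keySize = $rsa.KeySize }
            else {
                $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
                if ($ec) { $keyType = 'ECDSA'; $keySize = $ec.KeySize }
            }
        }
        # Guide requirements: RSA keys of at least 2048 bits (ECDSA at least 256) and a SHA-2 digest.
        $keyOk    = ($keyType -eq 'RSA' -and $keySize -ge 2048) -or ($keyType -eq 'ECDSA' -and $keySize -ge 256)
        $digestOk = $digest -match '^sha(256|384|512)'

        [pscustomobject]@{
            Store              = $Store
            Subject            = $subject
            Thumbprint         = $thumbprint
            Provider           = $provider
            Container          = $container
            CompatibleWith72   = ($container -eq 'CNG')
            KeyType            = $keyType
            KeySize            = $keySize
            SignatureAlgorithm = $digest
            FormatOk           = ($keyOk -and $digestOk)
        }
    }
}

# Usage: report on the user store, then on the machine store (the latter needs an elevated prompt to see all keys).
Get-VpnCertificateContainerReport -Store User    | Format-Table -AutoSize
Get-VpnCertificateContainerReport -Store Machine | Format-Table -AutoSize
```

Because certutil -verifystore validates each certificate's chain, the command may take a few seconds per certificate while CRLs are fetched; the report only depends on the "Provider =" and "Cert Hash(sha1):" lines, so the verification result itself is not parsed.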

Certificate format

As of version 7 of the SN VPN Client Exclusive, certificates must meet the following key size and hash algorithm requirements.

Mandatory

  • Key length: must be at least 2048 bits for RSA certificates

  • Digest algorithm: must be SHA-256, SHA-384, or SHA-512

Optional

CRL checking for user certificates

As of SN VPN Client Exclusive version 7.5, you can check the revocation of the gateway certificate using Online Certificate Status Protocol Stapling (OCSP Stapling). To do this, you must add the dynamic parameter enable_OCSP set to the value true (see section Displaying more parameters).

Gateway certificate

Key Usage extension part

  • Must be present,

  • Must be marked as critical, and

  • Must contain only the values digitalSignature and/or nonRepudiation

If this is not the case, refer to the dynamic parameter allow_server_extra_keyusage described in section Constraints on the Key Usage extension.

NOTE
In accordance with security requirements, the keyEncipherment value of the Key Usage extension has been deprecated and replaced with the nonRepudiation value, which is now accepted by default. However, SN VPN Client Exclusive version 7.5 continues to accept the keyEncipherment value without needing to use dynamic parameter allow_extra_keyusage.

TIP
We recommend that you give preference to the nonRepudiation value over the keyEncipherment value of the Key Usage extension.

Extended Key Usage extension part

  • Can be present or not,

  • If it is present, it must:

    • Be marked as non-critical, and

    • Contain only one of the following value sets:
      id-kp-serverAuth, or
      id-kp-serverAuth and id-kp-ipsecIKE

If this is not the case, refer to the dynamic parameter allow_server_and_client_auth described in section Constraints on the Extended Key Usage extension.
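The Key Usage and Extended Key Usage constraints above are easy to check before a gateway certificate is deployed, rather than after the Console starts reporting rejections. The following PowerShell is an added example, not part of the guide: it loads a gateway certificate exported to a file (the path is a placeholder you supply; DER or Base64 .cer both work), checks it against the Key Usage, Extended Key Usage and certificate-format rules listed above, and names the dynamic parameter the guide associates with each constraint when that constraint fails. The id-kp-serverAuth and id-kp-ipsecIKE OIDs are the standard X.509 values for those names.

```powershell
# Added example, not from the SN VPN Client Exclusive guide.
function Test-VpnGatewayCertificate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)   # placeholder: path to the exported gateway certificate

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList ((Resolve-Path $Path).Path)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Key Usage: must be present, critical, and carry only digitalSignature and/or nonRepudiation.
    # Anything else (keyEncipherment, for instance) is what allow_server_extra_keyusage relaxes.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) {
        $findings.Add('Key Usage extension is missing (see allow_server_extra_keyusage)')
    } else {
        if (-not $ku.Critical) { $findings.Add('Key Usage extension is not marked critical (see allow_server_extra_keyusage)') }
        $flags     = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $allowedKu = [int]$flags::DigitalSignature -bor [int]$flags::NonRepudiation
        if (([int]$ku.KeyUsages -band -bnot $allowedKu) -ne 0) {
            $findings.Add("Key Usage contains values other than digitalSignature/nonRepudiation: $($ku.KeyUsages) (see allow_server_extra_keyusage)")
        }
    }

    # Extended Key Usage: optional; if present it must be non-critical and contain only
    # id-kp-serverAuth, alone or together with id-kp-ipsecIKE (otherwise see allow_server_and_client_auth).
    $serverAuth = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth
    $ipsecIke   = '1.3.6.1.5.5.7.3.17'   # id-kp-ipsecIKE
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuNames = 'absent'
    if ($eku) {
        $oids     = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $ekuNames = ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
        if ($eku.Critical) { $findings.Add('Extended Key Usage is marked critical (see allow_server_and_client_auth)') }
        $unexpected = @($oids | Where-Object { $_ -ne $serverAuth -and $_ -ne $ipsecIke })
        if ($unexpected.Count -gt 0 -or $oids -notcontains $serverAuth) {
            $findings.Add("Extended Key Usage must be id-kp-serverAuth, optionally with id-kp-ipsecIKE; found: $($oids -join ', ') (see allow_server_and_client_auth)")
        }
    }

    # Certificate format: RSA key of at least 2048 bits and a SHA-256/384/512 signature digest.
    # A certificate signed with RSASSA-PSS reports 'RSASSA-PSS' as its algorithm name; its digest lives
    # in the signature parameters, which this check does not parse.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt 2048) { $findings.Add("RSA key is only $($rsa.KeySize) bits; 2048 is the minimum") }
    $sigName = $cert.SignatureAlgorithm.FriendlyName
    if ($sigName -notmatch '^sha(256|384|512)' -and $sigName -ne 'RSASSA-PSS') {
        $findings.Add("Signature digest $sigName is not SHA-256/384/512")
    }

    $kuSummary = if ($ku) { "$($ku.KeyUsages) (critical=$($ku.Critical))" } else { 'absent' }
    [pscustomobject]@{
        Subject          = $cert.Subject
        NotAfter         = $cert.NotAfter
        KeyUsage         = $kuSummary
        ExtendedKeyUsage = $ekuNames
        SignatureAlgorithm = $sigName
        Compliant        = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Usage (placeholder path):
Test-VpnGatewayCertificate -Path 'C:\temp\gateway.cer' | Format-List
```

Run against the certificate from the log excerpt further down (Key Usage critical with Digital signature only, Extended Key Usage with Server authentication only), the function reports no findings; a certificate that also carries keyEncipherment is flagged, which matches the NOTE below about that value still being tolerated only as an exception.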

Example of a certificate in Windows

In a Windows PKI, the relationship between a certificate and its extensions is shown in the certificate details. [Figure: certificate details in a Windows PKI, showing the Extended Key Usage and Key Usage extensions]

Example of a certificate log

The extensions are included in a certificate log (file named tgbikeng.log):

20220826 17:20:23:953 Local0.Info [11204] X509v3 extensions
20220826 17:20:23:956 Local0.Info [11204] Basic constraints :
20220826 17:20:23:960 Local0.Info [11204] CA:FALSE
20220826 17:20:23:965 Local0.Info [11204] Netscape Certificate comment :
20220826 17:20:23:968 Local0.Info [11204] TheGreenBow PKI generated server certificate
20220826 17:20:23:971 Local0.Info [11204] Subject key identifier :
20220826 17:20:23:974 Local0.Info [11204] FB:D6:5A:EF:FE:1B:DC:68:90:66:B9:D7:47:45:EA:B5:86:97:4A:B3
20220826 17:20:23:978 Local0.Info [11204] Authority key identifier :
20220826 17:20:23:981 Local0.Info [11204] keyIdentifier: 6F:6D:B8:A5:0B:EA:64:82:2E:B4:5F:0A:35:53:8B:80:05:4C:7B:0E
20220826 17:20:23:984 Local0.Info [11204] authorityCertIssuer: C = FR, ST = Ile-de-France, L = Paris, O = TheGreenBow, OU = QA40, CN = Root CA
20220826 17:20:23:988 Local0.Info [11204] authorityCertSerialNumber: 10:00
20220826 17:20:23:990 Local0.Info [11204] Key usage : critical
20220826 17:20:23:995 Local0.Info [11204] Digital signature
20220826 17:20:24:000 Local0.Info [11204] Extended key usage :
20220826 17:20:24:003 Local0.Info [11204] Server authentication

User certificate

Warning messages may be displayed in the Console for a user certificate, but you do not need to remove any restrictions from the VPN Client.

Certificate authentication methods

SN VPN Client Exclusive supports the following certificate authentication methods:

  • Method 1: RSA Digital Signature with SHA-2 [RFC 7296]

  • Method 9: ECDSA “secp256r1” with SHA-2 (256 bits) on the P-256 curve [RFC 4754]

  • Method 10: ECDSA “secp384r1” with SHA-2 (384 bits) on the P-384 curve [RFC 4754]

  • Method 11: ECDSA “secp521r1” with SHA-2 (512 bits) on the P-521 curve [RFC 4754]

  • Method 14: Digital Signature RSASSA-PSS, RSASSA PKCS1 v1_5, and Brainpool with SHA-2 (256/384/512 bits) [RFC 7427]

  • Method 214: ECDSA “BrainpoolP256r1” with SHA-2 (256 bits) on the BrainpoolP256r1 curve (only available with gateways that support this method)

The default authentication method used for RSA certificates (RSASSA-PSS or RSASSA-PKCS1-v1_5) is method 14 with an RSASSA-PSS signature. If the gateway/firewall uses method 14 with an RSASSA-PKCS1-v1.5 signature, the VPN Client will reject the certificate and the following message will be displayed in the Console:

RSASSA-PKCS1-v1_5 signature scheme not supported with authentication method 14

In the event that the gateway does not support method 14 with an RSASSA-PSS signature, you can configure the VPN Client to use method 14 with an RSASSA-PKCS1-v1_5 signature, by adding the dynamic parameter Method14_RSASSA_PKCS1 with a value set to true or yes (see section Displaying more parameters).

In the event that the gateway does not support method 14 with an RSASSA-PKCS1-v1_5 signature, you can configure the VPN Client to use method 1 with an RSA and SHA-2 digital signature, by adding the dynamic parameter Method1_PKCS1v15_Scheme with a value set to 04 (SHA-256), 05 (SHA-384) or 06 (SHA-512) (see section Displaying more parameters). The VPN Client will reject any other value entered.

The authentication method used for ECDSA certificates (elliptic curves) depends on the elliptic curve used in the certificate: ECDSA with SHA-256 on the P-256 curve, ECDSA with SHA-384 on the P-384 curve, ECDSA with SHA-512 on the P-521 curve or ECDSA with SHA-256 on the BrainpoolP256r1 curve.

When the VPN Client needs to create a signature for a Brainpool user certificate, authentication method 14 is used by default, which is appropriate for a gateway that is not running in Restricted mode. If this type of certificate is to be used with a gateway running in Restricted mode, the dynamic parameter use_method_214 must be added and set to the value true (see section Displaying more parameters). The NID_sha256, NID_sha384, or NID_sha512 message digest algorithm is used for signature depending on the key size.

NOTES
  • The SHA-1 algorithm cannot be used in digital signatures.

  • SN VPN Client Exclusive will reject RSA certificates with a key size lower than 2048 bits.

  • SN VPN Client Exclusive will reject ECDSA certificates with a key size lower than 256 bits.

SN VPN Client Exclusive technical data

General

Windows version

Windows 11 64-bit
Windows 10 64-bit

Languages

Arabic, Chinese (simplified), Czech, Danish, Dutch, English, Farsi, Finnish, French, German, Greek, Hindi, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Serbian, Slovenian, Spanish, Thai, Turkish

Operating mode

Invisible mode

Automatically open tunnel when traffic is detected

Control access to VPN configurations

Hide part or all the interfaces

Gina

Open a tunnel before Windows logon using:

GINA/Credential providers on Windows 10

Scripts

Run configurable scripts when opening or closing a VPN tunnel

Remote Desktop Sharing

Open a remote computer with a single click via RDP and VPN tunnel

TrustedConnect Panel

Automatically open tunnel with Always-On and trusted network detection (TND)

Connection/Tunnel

Connection mode

Peer-to-gateway

Networks

IPv4 and IPv6

Protocols

IPsec/IKEv2

SSL/OpenVPN

CP mode

Automatically retrieve network parameters from the VPN gateway

Cryptography and authentication

Encryption, Key groups and Hashing (IKEv2)

Symmetric: AES CBC/CTR/GCM 128/192/256 bits

Diffie-Hellman: DH 14 (MODP 2048), DH 15 (MODP 3072), DH 16 (MODP 4096), DH 17 (MODP 6144), DH 18 (MODP 8192), DH 19 (ECP 256), DH 20 (ECP 384), DH 21 (ECP 521), DH 28 (BrainpoolP256r1)

Hashing: SHA-2 (256/384/512 bits)

TLS security suites (OpenVPN)

TLS 1.2—Medium

TLS 1.2—High

TLS 1.3:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_CCM_8_SHA256

Encryption and Hashing (OpenVPN)

Symmetric: AES-128-CBC, AES-192-CBC and AES-256-CBC

Hashing: SHA-2 (224/256/384/512 bits)

Authentication

  • Preshared key

  • EAP-MSCHAPv2

  • X.509 certificates

  • Multiple Auth

Certificate authentication methods

  • Method 1: RSA digital signature with SHA-2 [RFC 7296]

  • Method 9: ECDSA "secp256r1" with SHA-2 (256 bits) on the P-256 curve [RFC 4754]

  • Method 10: ECDSA "secp384r1" with SHA-2 (384 bits) on the P-384 curve [RFC 4754]

  • Method 11: ECDSA "secp521r1" with SHA-2 (512 bits) on the P-521 curve [RFC 4754]

  • Method 14: Digital Signature RSASSA-PSS, RSASSA PKCS1 v1_5, and Brainpool with SHA-2 (256/384/512 bits) [RFC 7427]

  • Method 214: ECDSA “BrainpoolP256r1” with SHA-2 (256 bits) on the BrainpoolP256r1 curve (only available with gateways that support this method)

PKI

  • Support for certificates in X.509 format

  • Importing PKCS#12, PEM/PFX certificates

  • Multiple media: Windows Certificate Store, smart card, token, configuration file

  • Support for Certificate Revocation List (CRL) and OCSP stapling

  • Automatically detect a smart card reader or token according to criteria

  • PKCS#11 and CNG access to tokens and smart cards

  • Complete check of the “user” and “gateway” certificate chain

Miscellaneous

NAT/NAT-Traversal

NAT-Traversal Draft 1 (enhanced), Draft 2, Draft 3 and RFC 3947, IP address emulation, includes support for: NAT_OA, NAT keepalive, NAT-T aggressive mode, NAT-T in forced, automatic or disabled mode

DPD

RFC 3706. Detection of inactive IKE endpoints.

Redundant gateway

Redundant gateway management, automatically selected when DPD is triggered (inactive gateway)

Administration

Deployment

Silent installation using Microsoft Installer (MSI)

VPN configuration management

Import and export options for VPN configurations

Secure import/export using passwords, encryption, and integrity control

Automation

Ability to open, close, and monitor a tunnel using command lines (batch and scripts)

Ability to start and quit the software using batches

Logs and traces

IKE/IPsec and SSL/OpenVPN log Console and trace mode can be enabled

Administrator logs: local file, Windows Event Log, syslog server

Upgrades

Check for available updates from within the software

License and activation

Licenses available on a subscription basis, manual/automatic/silent activation