Description:

A VPN dial-in initially uses the remote site DEFAULT, at least until the initiating party has been authenticated. The VPN remote site DEFAULT works with the encryption profile DEFAULT. Since LCOS 10.70, the DEFAULT encryption profile additionally includes (among others) the Diffie-Hellman group DH15, although this only applies to new installations with LCOS as of version 10.70. Profiles from LCOS 10.50 and earlier feature DH14 at the most.

For an Advanced VPN Client connection created with LANconfig 10.80 Rel, the exported profiles feature the Diffie-Hellman group DH15 by default and, in the router configuration, a separate encryption profile is created that features DH15 (among others).

For existing installations that were originally set up using LCOS 10.50 or earlier, updating the firmware to LCOS 10.70 or higher will produce a DEFAULT encryption profile that continues to feature DH14 at the most. As a result, newly created Advanced VPN Client connections cannot be established without further intervention.

This article describes how to adjust the VPN configuration so that newly created Advanced VPN Client connections will work again.

This behavior is fixed in LANconfig as of version 10.80 RU2. From that version on, the export depends on the contents of the encryption profile DEFAULT:

If the encryption profile DEFAULT includes DH14, then the exported profile will include DH14 and the profile DEFAULT is also used in the VPN connection.

If the encryption profile DEFAULT already includes DH15, then the exported profile will include DH15 and a separate encryption profile is created, which is used in the VPN connection.


Procedure:

1) Open the configuration of the router in LANconfig and navigate to VPN → IKEv2/IPsec → Encryption.

2) Select the profile DEFAULT and then click Edit.

3) Activate the entry DH15 (MODP-3072).

4) This concludes the changes to the configuration. Write the configuration back to the router.
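
Why the connection fails before step 3 and works after it, as an added example that is not part of the original article or LANCOM code: a simplified model of how an IKEv2 responder picks a Diffie-Hellman group in IKE_SA_INIT (RFC 7296). The profile contents, the DH15-only client offer and the function name `select_dh_group` are assumptions made for illustration.

```python
# Added illustration: simplified IKEv2 responder-side DH group selection (RFC 7296).
# Profile contents are constructed assumptions, not exported LANCOM configuration.

# IANA IKEv2 Transform Type 4 IDs for the groups named in the article.
DH_GROUPS = {14: "DH14 (MODP-2048)", 15: "DH15 (MODP-3072)"}

# Assumed DEFAULT profile on a router first set up with LCOS 10.50 or earlier.
DEFAULT_LEGACY = [14]
# The same profile after activating DH15 as in step 3 (responder preference order).
DEFAULT_FIXED = [15, 14]
# Assumed client profile exported by LANconfig 10.80 Rel: offers DH15 only.
CLIENT_EXPORTED = [15]


def select_dh_group(responder_groups, initiator_groups, ke_group):
    """Return (result, group) for one IKE_SA_INIT request.

    responder_groups: groups enabled in the responder's profile, by preference
    initiator_groups: groups offered in the initiator's SA payload
    ke_group: group the initiator used to build its KE payload
    """
    offered = set(initiator_groups)
    common = [g for g in responder_groups if g in offered]
    if not common:
        # No shared group: the exchange is rejected outright.
        return ("NO_PROPOSAL_CHOSEN", None)
    chosen = common[0]
    if chosen != ke_group:
        # Shared group exists, but the KE payload used another one:
        # the responder names the group the initiator must retry with.
        return ("INVALID_KE_PAYLOAD", chosen)
    return ("ACCEPTED", chosen)


if __name__ == "__main__":
    cases = {
        "before fix, DH15-only client": (DEFAULT_LEGACY, CLIENT_EXPORTED, 15),
        "after fix, DH15-only client": (DEFAULT_FIXED, CLIENT_EXPORTED, 15),
        "before fix, client offering DH15+DH14": (DEFAULT_LEGACY, [15, 14], 15),
    }
    for name, args in cases.items():
        result, group = select_dh_group(*args)
        print(f"{name}: {result} {DH_GROUPS.get(group, '')}")
```

The third case shows why only a client restricted to DH15 is affected: an initiator that also offers DH14 is told to retry with that group instead of being rejected.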