ER605v1: need of sha2 and dh14 options in IKev2 VPN settings

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
 
2023-02-05 08:59:25 - last edited 2023-04-25 03:56:37
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.2.2 Build 20230118 Rel.42381

Hi all,

I own a v1 of the ER605, and I don't have access to sha2 or dh14 when setting up an IKEv2 VPN connection. Unfortunately, it seems I need them to get IKEv2 VPN access to my local network from my iPhone (for example): sha1 seems to have been abandoned in recent years by a lot of actors, including Apple.

The following help page (sorry, it's in French) indicates that it is available on the ER605v2 but not on the v1, and that it will be implemented in future firmware updates, but that's not yet the case:

https://www.tp-link.com/fr/support/faq/3447/

"Currently only ER8411 and ER605 v2 support sha2 and dh14 or higher; ER605v1 and ER7206 will be supported in later firmware updates."

So if it could be included in the next firmware, it would be great news!

@Fae: Do you know if there's a chance it will be included in the next ER605v1 firmware?

For now I use OpenVPN instead, which works well, but it requires using a dedicated application, which I would like to avoid.

Many thanks in advance,

Benjamin

#1
Re:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings
2023-02-06 03:50:02

Dear @Ben-91,

 

Ben-91 wrote

@Fae : Do you know if there's a chance it is included in next ER605v1 firmware ?

 

As far as I know, the next ER605 v1 firmware will support IKEv2 VPN.

 

Note: the information provided here is based on the current information I have; it's provided for informational purposes only, not a guarantee or a promise. Any plans are subject to change; the final firmware releases shall prevail.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
#2
Re:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings
2023-02-06 20:03:53

@Fae thanks for your quick feedback, as usual!

But to be more precise, the current ER605v1 firmware already includes IKEv2; however, options such as sha2 and dh14 are missing. Did you mean you think these options will be included in the next firmware?

 

Thanks in advance,

 

Benjamin

#3
Re:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings
2023-02-23 16:55:51

  @Ben-91 @Fae 

 

I think in general TP-Link needs to phase out the SHA1 family. The internet is moving away from these to the point where RFC 9142 states "Use of the SHA-2 family of hashes found in (RFC6234) rather than the SHA-1 hash is strongly advised." The same RFC also says that if this must be supported for compatibility, it be provided last in the list of KEX (key exchange) options.

I just ran across this today SSHing into my SG2210P with the latest firmware: the OSX native ssh client had a hissy fit about the diffie-hellman-group1-sha1 having no matching KEX (presumably because it's too insecure), and after installing PuTTY even this app states this is below the minimum standard and asks if it should proceed.

 

You have my up-Vote!

<< Paying it forward, one juicy problem at a time... >>
#4
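An added example, not part of the original post or any TP-Link code: a small audit of an SSH server's advertised KEX name-list that flags SHA-1 methods, checks the ordering advice the post attributes to RFC 9142 (SHA-1 last), and flags fixed Diffie-Hellman groups below group 14. The sample list is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a KEX name-list like the one an older device might
# advertise (illustrative, not captured from any TP-Link product).
SAMPLE_KEX = ("diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,"
              "diffie-hellman-group14-sha256,curve25519-sha256")


def classify(name):
    """Parse an SSH KEX method name into (hash_family, fixed_dh_group)."""
    base = name.split("@", 1)[0]  # drop a vendor suffix such as @libssh.org
    h = re.search(r"-sha(\d+)$", base)
    family = "unknown" if not h else ("sha1" if h.group(1) == "1" else "sha2")
    g = re.match(r"diffie-hellman-group(\d+)-", base)
    return family, (int(g.group(1)) if g else None)


def _names(name_list):
    return [n.strip() for n in name_list.split(",") if n.strip()]


def audit_kex(name_list, min_group=14):
    """Return (method, finding) pairs for SHA-1 use, ordering and small groups."""
    names = _names(name_list)
    last_sha2 = max((i for i, n in enumerate(names)
                     if classify(n)[0] == "sha2"), default=-1)
    findings = []
    for i, n in enumerate(names):
        family, group = classify(n)
        if family == "sha1":
            findings.append((n, "uses SHA-1"))
            if i < last_sha2:
                findings.append((n, "listed ahead of a SHA-2 method"))
        # SSH fixed groups are 1, 14, 15, 16, 17, 18; higher means a larger modulus.
        if group is not None and group < min_group:
            findings.append((n, f"DH group {group} is below group {min_group}"))
    return findings


def has_acceptable_method(name_list, min_group=14):
    """True if at least one method is SHA-2 based and not a small fixed group."""
    for n in _names(name_list):
        family, group = classify(n)
        if family == "sha2" and (group is None or group >= min_group):
            return True
    return False


if __name__ == "__main__":
    for method, finding in audit_kex(SAMPLE_KEX):
        print(f"{method}: {finding}")
    print("acceptable method offered:", has_acceptable_method(SAMPLE_KEX))
```

A server whose list makes `has_acceptable_method` return False is the case where a client that only accepts SHA-2 methods reports no matching KEX.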
RE:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings
2023-02-23 16:56:38
default options currently available are being deprecated due to security vulnerabilities.
#5
Re:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings
2023-03-12 18:57:43

@Fae Hi Fae, I installed the last Beta firmware, but still no sha2 or dh14 options, which is a pity knowing sha1 is deprecated, and sha2 is available on ER605v2.

Is there a chance that the next official firmware for ER605v1 proposes sha2 and dh14?

 

Thanks in advance,

 

Benjamin  

#6
Re:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings-Solution
2023-04-15 11:42:38 - last edited 2023-04-25 03:56:28

Hi all,

For information, the new beta firmware issued 2 days ago proposes sha2 and dh14, so I could connect to my router with the IKEv2 method from my iPhone, applying the method described in the following link:

https://www.tp-link.com/us/support/faq/3447/

So good job TP-Link, thanks a lot!

My next challenge is to manage to connect to my router via IKEv2 with my PC running Windows 11 as well, but at this time I don't succeed, because the only authentication methods offered by the built-in VPN client in Windows 11 for IKEv2 are either a dedicated chip, user/password, or a certificate. And unfortunately the ER605 only proposes the pre-shared key, which is not considered by Windows :-(

Anyway, thanks to TP-Link for the implementation of sha2 & dh14 (and more, by the way).

Benjamin

 

Recommended Solution
#7
Re:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings-Solution
2023-04-25 03:59:44 - last edited 2023-04-25 03:59:47

Hello @Ben-91 and other community members,

 

For ER605 V1, the following Beta firmware has added the sha2 and dh14 options in IKEv2 VPN settings. 

ER605 V1_1.2.3_Build 20230413 Beta Firmware For Trial (Released on Apr 14th, 2023)

 

Please take your time to update the Beta firmware to experience the new features in advance.

Recommended Solution
#8
Re:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings
2023-04-25 04:36:43

  @Fae hi, many thanks, I confirm it works perfectly for connection with an iPhone, for example. Thanks !

#9
Re:ER605v1: need of sha2 and dh14 options in IKev2 VPN settings
2023-04-25 05:54:04

Hello @Ben-91 

 

Thank you for taking the time to write the feedback, we appreciate it. Have a great day!

#10