Default IPsec Phase 1 Dial-Out Proposal Encryption with Firmware 3.9.2

Changes to the Proposals and Their Order for Auto IKE Phase 1

Vigor routers running firmware version 3.9.2, such as the Vigor 3910, use a modified order of encryption proposals for the Dial-Out Auto IKE proposal. This change may cause VPN compatibility issues if a VPN server doesn’t accept the newer proposals.

When customers report that the IPsec VPN connection cannot dial up after the firmware upgrade, we advise them to:

  • Manually configure the Dial-Out IKE phase 1 proposal on the IKE Advance Setup page of the Vigor router
  • Modify the VPN profile on the VPN server to accept the more secure proposals

The proposal order has changed as follows:

Previous

  • DES-MD5 G1 (768-bit)
  • DES-SHA1 G1 (768-bit)
  • 3DES-MD5 G1 (768-bit)
  • 3DES-MD5 G5 (1536-bit)
  • 3DES-SHA1 G5 (1536-bit)
  • 3DES-MD5 G2 (1024-bit)
  • AES128-MD5 G2 (1024-bit)
  • AES256-SHA1 G2 (1024-bit)
  • AES128-MD5 G5 (1536-bit)
  • AES256-SHA1 G5 (1536-bit)
  • AES256-SHA1 G14 (2048-bit)

New

  • AES256-SHA1 G14 (2048-bit)
  • AES256-MD5 G14 (2048-bit)
  • AES256-SHA1 G5 (1536-bit)
  • AES256-MD5 G5 (1536-bit)
  • AES192-SHA1 G14 (2048-bit)
  • AES192-MD5 G14 (2048-bit)
  • AES128-SHA1 G5 (1536-bit)
  • AES128-MD5 G5 (1536-bit)
  • 3DES-MD5 G5 (1536-bit)
  • 3DES-SHA1 G5 (1536-bit)
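
A way to check a server profile against the two lists above before upgrading, as an added example that is not vendor code: it reports whether a tunnel would still negotiate with the new offer and which proposals the router no longer sends. The server profiles are constructed, and picking the first offered proposal the server accepts is an assumed selection policy; the "BREAKS" result does not depend on it.

```python
import re

# Proposal lists copied from the article, in the order the router offers them.
PREVIOUS = """DES-MD5 G1, DES-SHA1 G1, 3DES-MD5 G1, 3DES-MD5 G5, 3DES-SHA1 G5,
3DES-MD5 G2, AES128-MD5 G2, AES256-SHA1 G2, AES128-MD5 G5, AES256-SHA1 G5,
AES256-SHA1 G14"""
NEW = """AES256-SHA1 G14, AES256-MD5 G14, AES256-SHA1 G5, AES256-MD5 G5,
AES192-SHA1 G14, AES192-MD5 G14, AES128-SHA1 G5, AES128-MD5 G5,
3DES-MD5 G5, 3DES-SHA1 G5"""

def parse(text):
    """Turn 'AES256-SHA1 G14, ...' into ordered (cipher, hash, dh_group) tuples."""
    return [(c, h, int(g)) for c, h, g in re.findall(r"(\w+)-(\w+)\s+G(\d+)", text)]

def negotiate(offer, accepted):
    """First offered proposal the responder accepts, else None (assumed policy)."""
    return next((p for p in offer if p in accepted), None)

def upgrade_impact(server_accepts):
    """Compare what a server profile negotiates before and after the upgrade."""
    accepted = set(parse(server_accepts))
    before = negotiate(parse(PREVIOUS), accepted)
    after = negotiate(parse(NEW), accepted)
    if before and not after:
        status = "BREAKS"      # worked on the old offer, no match on the new one
    elif before != after:
        status = "CHANGES"     # still connects, but with a different proposal
    else:
        status = "UNCHANGED"
    return status, before, after

def dropped():
    """Proposals the router offered before 3.9.2 but no longer offers."""
    new = set(parse(NEW))
    return [p for p in parse(PREVIOUS) if p not in new]

if __name__ == "__main__":
    # Constructed server profiles, not taken from any real device.
    profiles = {
        "legacy-g2-only": "AES256-SHA1 G2, 3DES-MD5 G2",
        "mixed": "3DES-SHA1 G5, AES256-SHA1 G14",
        "modern": "AES256-SHA1 G14",
    }
    for name, accepts in profiles.items():
        print(name, upgrade_impact(accepts))
    print("no longer offered:", dropped())
```

Every proposal it lists as no longer offered uses DH group 1 or 2, so a server profile restricted to those groups is the case that stops connecting.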

For further information or questions, please contact us.