How to use SoftEther and be PCI compliant?

Posts: 5
Joined: Sun Aug 09, 2015 5:57 pm

How to use SoftEther and be PCI compliant?

Post by ZackR1 » Wed Jan 16, 2019 5:23 pm

SoftEther is great! I've been using it for years. Now our PCI vendor is complaining about security. :(

When forwarding ports 4500 and 500 to SoftEther, the following fail:

1) Aggressive IKE with PSK Authentication supported on VPN Device
- The remote host is a VPN concentrator that supports Aggressive mode IKE. By creating a series of IKE aggressive mode proposals, and sending those proposals to the VPN concentrator, an acceptable proposal for Aggressive Mode IKE with PSK Authentication was discovered. In Aggressive Mode IKE with PSK authentication, the response from the VPN concentrator includes an authentication hash based on a pre-shared key (PSK). This hash is not encrypted, so if it is captured in transit, a dictionary or brute force attack against the hash can potentially allow for the recovery of the PSK, and the exposure of potentially sensitive information from VPN sessions. In rare cases where the PSK is the sole means for authentication to the VPN, attackers can use it to authenticate against the VPN and intrude the network.
- The first option is to disable Aggressive Mode IKE for the VPN Concentrator. Sometimes, the ability to disable Aggressive Mode IKE isn't an option until later versions of the software, so ensure that the VPN Concentrator is using the latest software version. If you are unable to disable Aggressive Mode IKE, then you should ensure that the pre-shared keys are strong. Like any password, be sure to use complex PSK values, and rotate the keys as often as is practical. These are recommended to be an alphanumeric value greater than 16 characters.

2) Weak Encryption Ciphers identified on VPN Device
- Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device. These weak ciphers could make it easier for a context dependent attack to compromise the integrity of IKE sessions established with this device.
- Affected users should consider removing support for DES/3DES encryption ciphers on this VPN device. It's also important to note that if DES or 3DES are in use, there may also be required changes for VPN clients and/or VPN peers depending on usage.

3) Weak Diffie-Hellman groups identified on VPN Device
- Diffie-Hellman Groups 1 to 4 are no longer considered safe for strong encryption. It is estimated that these groups have a security level of 80-90 bits which is no longer adequate to protect the encryption keys used during IKE phase 2. Furthermore, Group 5 (Modp-1536) has a security level of 120 bits which is slightly under to protect AES-128 encryption keys. Stronger groups have been designed for the Diffie-Hellman key exchange in RFC 3526.
- Use Diffie-Hellman Key Exchange Group 5 or higher where possible, or the highest available to the VPN endpoints.

I tried changing to various Encryption Algorithms in Encryption and Network Settings, but none will work.

I have tried excluding ALL IPs in the VirtualHub's IP Access Control list, but that doesn't work either (nor preferred).

Thank you for any help.

Posts: 1
Joined: Fri Feb 08, 2019 6:37 pm

Re: How to use SoftEther and be PCI compliant?

Post by datrumole » Fri Feb 08, 2019 6:44 pm

Please, I need this too! Love this thing and want to be able to get past my security folks. Nothing out there supports so many protocols in one bucket.

Posts: 4
Joined: Sat Jan 26, 2019 8:26 pm

Re: How to use SoftEther and be PCI compliant?

Post by ditu » Sat Feb 09, 2019 10:03 am

I had the same issue. It fails PCI compliance check. No comments yet from the community.

Posts: 3
Joined: Tue Jan 08, 2019 3:34 pm

Re: How to use SoftEther and be PCI compliant?

Post by the6thbook » Mon Jul 15, 2019 2:48 pm

I haven't found an IKE solution yet. You can use setcipher in vpncmd to set the cipher to restricted.

And these settings in the config file:
bool AcceptOnlyTls true
bool Tls_Disable1_0 true
bool Tls_Disable1_1 true
bool Tls_Disable1_2 false

This will restrict to TLS 1.2 and get rid of DES. I'm still getting an RC4, though. I'm on Version 4.29 Build 9680.

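Added example, not part of the original thread and not SoftEther project code: a small Python check that reads `bool` entries of the form quoted in the last post and reports any of the four TLS settings that differ from the values given there. The function names and the sample text are constructed for illustration; it covers only the TLS settings, not the IKE findings from the first post.

```python
import re

# Values from the last post: together they leave TLS 1.2 as the only protocol.
EXPECTED = {
    "AcceptOnlyTls": True,
    "Tls_Disable1_0": True,
    "Tls_Disable1_1": True,
    "Tls_Disable1_2": False,
}

# Matches the "bool <Name> <value>" entry form quoted in the post.
BOOL_LINE = re.compile(r"^\s*bool\s+(\S+)\s+(true|false)\s*$", re.IGNORECASE)


def parse_bools(config_text):
    """Return {name: [values...]} for every bool entry, keeping duplicates."""
    found = {}
    for line in config_text.splitlines():
        m = BOOL_LINE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).lower() == "true")
    return found


def audit_tls(config_text):
    """Compare the four TLS entries with the post's values; return findings."""
    found = parse_bools(config_text)
    findings = []
    for name, want in EXPECTED.items():
        values = found.get(name, [])
        expected = str(want).lower()
        if not values:
            findings.append(f"{name}: missing, expected {expected}")
        elif len(set(values)) > 1:
            findings.append(f"{name}: conflicting duplicate entries")
        elif values[0] != want:
            findings.append(f"{name}: is {str(values[0]).lower()}, expected {expected}")
    return findings


# Constructed sample, not a real server config: TLS 1.1 is left enabled.
SAMPLE = """\
\tbool AcceptOnlyTls true
\tbool Tls_Disable1_0 true
\tbool Tls_Disable1_1 false
\tbool Tls_Disable1_2 false
"""

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE) or ["TLS entries match the post's values"]:
        print(finding)
```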