Windows 10 IKEv2 only proposes Diffie-Hellman group 2, 1024 bit - how do I configure it to use group 14, 2048 bit?
Last modified on 16 Sep, 2020. Revision 7
Registry-patch Windows to use stronger crypto. See e.g. the "NegotiateDH2048_AES256" registry value, or use PowerShell to change the settings of a single tunnel.
Up to date for: Windows 10.0.18362 (2019)
Windows 10 IKEv2 Phase 2 (IPsec) proposals
Windows 10 (2019) has a very limited proposal list for Phase 2:
Change defaults in the registry
It is possible to registry-patch Windows to use stronger crypto. See e.g. the “NegotiateDH2048_AES256” registry value.
Change the settings of a single tunnel via PowerShell “Set-VpnConnectionIPsecConfiguration”
GUI lets you improve the default ciphers and HMACs, but not DH Groups
- Diffie-Hellman group 2 (1024 bit) is no longer considered secure against state-level actors or equivalent. See .
- SHA1 is known to be flawed, but is still fine for use as an HMAC, as the flaws are mitigated by the HMAC construct. Additionally, there is simply no time to mount an attack from one packet to the next.
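
The per-tunnel option above, as an added example (not code from the original article): a PowerShell function that applies a group 14 proposal to one existing IKEv2 connection with Set-VpnConnectionIPsecConfiguration and reads the stored policy back to confirm it. The function name, the connection name and the AES-256/SHA-256 choices are assumptions; the VPN server must offer a matching proposal.

```powershell
# Added example. Function name and connection name are hypothetical.
function Set-Ikev2Group14 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ConnectionName
    )
    $ErrorActionPreference = 'Stop'

    # The tunnel must already exist in the current user's phone book.
    $vpn = Get-VpnConnection -Name $ConnectionName
    if ($vpn.TunnelType -ne 'Ikev2') {
        throw "'$ConnectionName' has tunnel type $($vpn.TunnelType), expected Ikev2."
    }

    # Phase 1 (IKE): AES-256, SHA-256, DH group 14 (2048 bit).
    # Phase 2 (IPsec/ESP): AES-256, SHA-256-128, PFS with a 2048-bit group.
    # The cipher and integrity values are assumed choices; the article
    # itself only asks for group 14.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -EncryptionMethod AES256 `
        -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 `
        -CipherTransformConstants AES256 `
        -AuthenticationTransformConstants SHA256128 `
        -PfsGroup PFS2048 `
        -Force

    # Read the stored policy back instead of trusting that the call succeeded.
    $policy = (Get-VpnConnection -Name $ConnectionName).IPSecCustomPolicy
    if ($null -eq $policy) {
        throw "No custom IPsec policy stored for '$ConnectionName'."
    }
    if ("$($policy.DHGroup)" -in 'None', 'Group1', 'Group2') {
        throw "Weak DH group still configured: $($policy.DHGroup)"
    }
    $policy   # emit the effective policy for logging or review
}

# Usage (connection name is a placeholder):
# Set-Ikev2Group14 -ConnectionName 'Example-IKEv2-VPN'
```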