Windows 10 IKEv2 only proposes Diffie-Hellman group 2, 1024 bit - how do I configure it to use group 14, 2048 bit?

Last modified on 16 Sep, 2020. Revision 7
Up to date for: Windows 10.0.18362 (2019)
Status: OK

Windows 10 IKEv2 Phase 2 (IPsec) proposals

Windows 10 (2019) has a very limited proposal list for Phase 2:


Change defaults in the registry

It is possible to registry-patch Windows to use stronger crypto. See e.g. the “NegotiateDH2048_AES256” registry value.

Change the settings of a single tunnel via PowerShell “Set-VpnConnectionIPsecConfiguration”
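
The per-tunnel change could look like the following. This is an added example, not taken from the original article. The connection name 'Corp-IKEv2' is constructed, and the algorithm choices around DH group 14 are assumptions that must match a proposal the VPN gateway accepts.

```powershell
# Added example: pin one existing IKEv2 connection to DH group 14 (2048 bit).
# 'Corp-IKEv2' is a constructed name; use the name shown by Get-VpnConnection.
$Name = 'Corp-IKEv2'

# Stop early if the connection does not exist in the current user's phone book.
$conn = Get-VpnConnection -Name $Name -ErrorAction Stop

# Record the policy before the change. The property is empty while the
# connection still uses the Windows default proposals.
if ($conn.IPSecCustomPolicy) {
    Write-Host 'Custom IPsec policy before the change:'
    $conn.IPSecCustomPolicy | Format-List
} else {
    Write-Host 'No custom IPsec policy set; Windows default proposals are in use.'
}

# Once a custom policy is set, Windows proposes only these values, so the
# gateway must accept exactly this combination (assumed values, adjust to match).
$policy = @{
    ConnectionName                   = $Name
    # IKE SA (Phase 1)
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'    # 2048-bit MODP instead of group 2
    # IPsec SA (Phase 2)
    CipherTransformConstants         = 'AES256'
    AuthenticationTransformConstants = 'SHA256128'
    PfsGroup                         = 'PFS2048'    # PFS with the same 2048-bit group
}
Set-VpnConnectionIPsecConfiguration @policy -Force

# Read the policy back and fail loudly if the weak group is still configured.
$after = (Get-VpnConnection -Name $Name).IPSecCustomPolicy
if ($after.DHGroup -ne 'Group14' -or $after.PfsGroup -ne 'PFS2048') {
    throw "Connection '$Name' still reports DHGroup=$($after.DHGroup), PfsGroup=$($after.PfsGroup)."
}
Write-Host 'Custom IPsec policy after the change:'
$after | Format-List
```

If the tunnel no longer comes up after the change, `Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -RevertToDefault` returns the connection to the Windows default proposals.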

GUI lets you improve the default ciphers and HMACs, but not DH Groups

