Windows 10 IKEv2 only proposes Diffie-Hellman group 2, 1024 bit - how do I configure it to use group 14, 2048 bit?

Last modified on 16 Sep, 2020. Revision 7
Up to date for Windows 10.0.18362 (2019)
Status OK

Windows 10 IKEv2 Phase 2 (IPsec) proposals

Windows 10 (2019) has a very limited proposal list for Phase 2:

Encrypt   HMAC      DH (PFS)
AES256    SHA1-96   None
3DES      SHA1-96   None

Change defaults in the registry

It is possible to registry-patch Windows to use stronger crypto. See e.g. the “NegotiateDH2048_AES256” registry value.

Change the settings of a single tunnel via PowerShell “Set-VpnConnectionIPsecConfiguration”

https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
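A per-tunnel configuration with this cmdlet, as an added example that is not part of the original article. The connection name 'Corp-IKEv2' is a placeholder, and the cipher, integrity and PFS choices besides DH group 14 are assumptions that must match what the VPN gateway accepts:

```powershell
# Added example. 'Corp-IKEv2' is a placeholder for an existing VPN connection.
$name = 'Corp-IKEv2'

# Fail early if the connection does not exist for the current user.
$conn = Get-VpnConnection -Name $name -ErrorAction Stop
if ($conn.TunnelType -ne 'Ikev2') {
    Write-Warning "Tunnel type is '$($conn.TunnelType)'; the custom policy only applies to IKEv2."
}

# Assumed policy: only DHGroup = Group14 (2048-bit MODP) comes from the article.
# The remaining values are illustrative and must be offered by the gateway too.
$policy = @{
    ConnectionName                   = $name
    EncryptionMethod                 = 'AES256'     # IKE SA cipher
    IntegrityCheckMethod             = 'SHA256'     # IKE SA integrity
    DHGroup                          = 'Group14'    # IKE SA Diffie-Hellman group
    CipherTransformConstants         = 'AES256'     # IPsec (ESP) cipher
    AuthenticationTransformConstants = 'SHA256128'  # IPsec (ESP) integrity
    PfsGroup                         = 'PFS2048'    # PFS for IPsec SA rekeying
}
Set-VpnConnectionIPsecConfiguration @policy -Force

# Read the policy back and confirm the DH group actually stored.
$applied = (Get-VpnConnection -Name $name).IPSecCustomPolicy
if ($null -eq $applied -or "$($applied.DHGroup)" -ne 'Group14') {
    throw "Custom IPsec policy was not applied to '$name'."
}
$applied | Format-List EncryptionMethod, IntegrityCheckMethod, DHGroup,
    CipherTransformConstants, AuthenticationTransformConstants, PfsGroup

# To return the connection to the Windows default proposals:
# Set-VpnConnectionIPsecConfiguration -ConnectionName $name -RevertToDefault -Force
```

With a custom policy set, Windows proposes only this one combination, so a gateway that does not accept it will reject the negotiation rather than fall back to a weaker group.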

GUI lets you improve the default ciphers and HMACs, but not DH Groups
