Windows 10 IKEv2 only proposes Diffie-Hellman group 2, 1024 bit - how do I configure it to use group 14, 2048 bit?

Last modified on 16 Sep, 2020. Revision 7. Up to date for Windows 10.0.18362 (2019). Status: OK

Windows 10 IKEv2 Phase 2 (IPsec) proposals

Windows 10 (2019) has a very limited default proposal list for Phase 2:

Encrypt   HMAC      DH (PFS)
AES256    SHA1-96   None
3DES      SHA1-96   None

Change defaults in the registry

It is possible to registry-patch Windows to use stronger crypto for all IKEv2 connections. See e.g. the “NegotiateDH2048_AES256” registry value.

Alternatively, change the settings of a single tunnel via the PowerShell cmdlet “Set-VpnConnectionIPsecConfiguration”:

https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps

The GUI lets you improve the default ciphers and HMACs, but not the DH groups.
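The following is an added example (not part of the original article) that applies both approaches described above from an elevated PowerShell prompt: the RasMan registry value for all IKEv2 connections, and a per-tunnel custom IPsec policy that negotiates DH group 14 (2048 bit). The connection name “Corp-IKEv2” is a placeholder for an existing VPN connection.

```powershell
# Added example, not from the original article. Run as Administrator.
# Assumption: a VPN connection named 'Corp-IKEv2' already exists (placeholder name).
$ConnectionName = 'Corp-IKEv2'

# 1. Registry default for all IKEv2 connections (the article's registry approach).
#    NegotiateDH2048_AES256 (DWORD) under RasMan\Parameters, as documented by Microsoft:
#      0 = default (3DES / DH 1024 bit)
#      1 = prefer AES-256 / DH 2048 bit, fall back if the gateway does not offer it
#      2 = require AES-256 / DH 2048 bit
$RasMan = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
New-ItemProperty -Path $RasMan -Name 'NegotiateDH2048_AES256' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Per-tunnel custom IPsec policy (the article's PowerShell approach).
#    -DHGroup  is the IKE_SA (Phase 1) Diffie-Hellman group; Group14 = 2048 bit MODP.
#    -PfsGroup is the CHILD_SA (Phase 2) PFS group; PFS2048 = 2048 bit MODP.
#    The *TransformConstants parameters are the Phase 2 ESP cipher and integrity algorithms.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 `
    -Force

# 3. Read the custom policy back to confirm what the client will now propose.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

The VPN gateway must offer a matching IKE and IPsec proposal (AES-256, SHA-256, DH/PFS group 14), otherwise the tunnel will fail to negotiate instead of silently falling back.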

Footnotes

  • Diffie-Hellman group 2 (1024 bit) is no longer considered secure against state-level actors or equivalent. See LogJam.
  • SHA1 is known to be flawed, but is still fine for use as an HMAC, as the flaws (collision attacks) are mitigated by the HMAC construction. Additionally, there is simply no time to mount an attack from one packet to the next.
