diff --git a/windows/access-protection/TOC.md b/windows/access-protection/TOC.md index acb2519e1d..4eb52d5725 100644 --- a/windows/access-protection/TOC.md +++ b/windows/access-protection/TOC.md @@ -65,6 +65,7 @@ ### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md) ### [VPN security features](vpn\vpn-security-features.md) ### [VPN profile options](vpn\vpn-profile-options.md) +### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md) ### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md new file mode 100644 index 0000000000..99fbbd061a --- /dev/null +++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -0,0 +1,47 @@ +--- +title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) +description: Explains how to secure VPN connections for Diffie Hellman Group 2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, networking +author: shortpatti +ms.localizationpriority: medium +ms.date: 01/29/2018 +--- + +# How to configure Diffie Hellman protocol over IKEv2 VPN connections + +**Applies to** +- Windows 10, Windows 8.1, Windows 8, Windows 7 +- Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 + +In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. +To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. + +## VPN server + +For VPN server, you need to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. + +For example, on a site-to-site VPN server that runs Windows Server 2012 R2 or later, run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps): + +```powershell +Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy +``` + +On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](https://technet.microsoft.com/library/hh918373(v=wps.620).aspx): + +```powershell +Set-VpnServerIPsecConfiguration -CustomPolicy +``` + +## VPN client + +For VPN client, you need to configure each VPN connection. +For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection: + + +```powershell +Set-VpnConnectionIPsecConfiguration -ConnectionName +``` +
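Review bot: Style point on the TOC hunk in windows/access-protection/TOC.md: the new entry is titled "How to configure Diffie Hellman protocol over IKEv2 VPN connections", but the algorithm name is normally hyphenated ("Diffie-Hellman"), and since this string also appears in the new article's `title:` front matter, its H1 and the file name, pick one spelling and use it everywhere (the file name can stay unhyphenated if the slug is already fixed, but the visible title and heading should say Diffie-Hellman). The entry itself is placed correctly between "VPN profile options" and the SSO how-to, and the `vpn\` path separator matches the neighbouring entries.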
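Review bot: The new article in windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md says the default Diffie-Hellman group (Group 2) is insecure and that the cmdlets fix it, but none of the three examples selects a replacement group: `Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy` and `Set-VpnServerIPsecConfiguration -CustomPolicy` only enable a custom policy, and the client example `Set-VpnConnectionIPsecConfiguration -ConnectionName` stops after the parameter name, so it does not even parse as written. Each example should pass the cmdlet's DH group parameter (`-DHGroup` on all three, to my knowledge) with the group the article recommends, give `-ConnectionName` a placeholder value such as `"<connection name>"`, and the intro should state which groups are acceptable instead of only saying Group 2 "is not secure". Two smaller points: the "(version 4.0)" qualifier in the client link text is unexplained and should either be dropped or say what it refers to, and the double blank line before the client code block should be reduced to one.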