From 13db6746453980987067511749be3f37849b3704 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 29 Jan 2018 11:59:08 -0800 Subject: [PATCH 1/9] first draft --- ...man-protocol-over-ikev2-vpn-connections.md | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md new file mode 100644 index 0000000000..aa39f965db --- /dev/null +++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -0,0 +1,48 @@ +--- +title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) +description: tbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, networking +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/27/2017 +--- + +# How to configure Diffie Hellman protocol over IKEv2 VPN connections + +**Applies to** +- Windows 10 +- Windows Server + +In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. +To secure VPN connections, update the VPN configuration by running VPN cmdlets with the CustomPolicy parameter. + +For VPN servers, configure each tunnel type. That is, if you update the IKEv2 tunnel configuration, all IKE exchanges on IKEv2 tunnel use the secure configuration. + +For example, on a VPN server that runs Windows Server 2016, run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps): + +```powershell +Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy +``` + +On a VPN server that runs Windows Server 2012 R2, run [Set-VpnServerIPsecConfiguration](https://technet.microsoft.com/library/hh918373(v=wps.620).aspx): + +```powershell +Set-VpnServerIPsecConfiguration -CustomPolicy +``` + +For VPN clients, configure each VPN connection. + +For example, on a VPN client that runs Windows 10, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps): + +```powershell +Set-VpnConnectionIPsecConfiguration +``` + +On a VPN server that runs Windows Server 2012 R2, run [Set-VpnConnectionIPsecConfiguration (version 3.0)](https://technet.microsoft.com/library/dn262642(v=wps.630).aspx): + +```powershell +Set-VpnConnectionIPsecConfiguration +``` From dde64c7ffdbd19c1eabb5ab8494979fc3a062bec Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Mon, 29 Jan 2018 12:06:51 -0800 Subject: [PATCH 2/9] added toc --- windows/access-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/access-protection/TOC.md b/windows/access-protection/TOC.md index acb2519e1d..4eb52d5725 100644 --- a/windows/access-protection/TOC.md +++ b/windows/access-protection/TOC.md @@ -65,6 +65,7 @@ ### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md) ### [VPN security features](vpn\vpn-security-features.md) ### [VPN profile options](vpn\vpn-profile-options.md) +### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md) ### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) From 039dee8c1656681de86fd928ff7708a7206f19c5 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 29 Jan 2018 12:18:51 -0800 Subject: [PATCH 3/9] changed metadata --- ...-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index aa39f965db..80b3df4da6 100644 --- a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -1,13 +1,13 @@ --- title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) -description: tbd +description: Explains how to secure VPN connections for Diffie Hellman Group 2 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: jdeckerms -ms.localizationpriority: high -ms.date: 07/27/2017 +author: shortpatti +ms.localizationpriority: medium +ms.date: 01/29/2018 --- # How to configure Diffie Hellman protocol over IKEv2 VPN connections From 2090a58abd83d1047bb2fbaabff31bd7c3ae5282 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 29 Jan 2018 13:32:49 -0800 Subject: [PATCH 4/9] revsied server decsription --- ...ure-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 80b3df4da6..aece297230 100644 --- a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -19,7 +19,7 @@ ms.date: 01/29/2018 In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. To secure VPN connections, update the VPN configuration by running VPN cmdlets with the CustomPolicy parameter. -For VPN servers, configure each tunnel type. That is, if you update the IKEv2 tunnel configuration, all IKE exchanges on IKEv2 tunnel use the secure configuration. +For VPN server, you need to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. For example, on a VPN server that runs Windows Server 2016, run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps): @@ -33,8 +33,7 @@ On a VPN server that runs Windows Server 2012 R2, run [Set-VpnServerIPsecConfigu Set-VpnServerIPsecConfiguration -CustomPolicy ``` -For VPN clients, configure each VPN connection. - +For VPN client, youy need to configure each VPN connection. For example, on a VPN client that runs Windows 10, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps): ```powershell From 90fa997a6565656aa924e89e9bd1585ca4f1ead1 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 2 Feb 2018 12:53:52 -0800 Subject: [PATCH 5/9] revised examples --- ...hellman-protocol-over-ikev2-vpn-connections.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index aece297230..c5e91f4974 100644 --- a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
+++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -13,11 +13,11 @@ ms.date: 01/29/2018 # How to configure Diffie Hellman protocol over IKEv2 VPN connections **Applies to** -- Windows 10 +- Windows 10, Windows 8.1, Windows 8, Windows 7 - Windows Server In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. -To secure VPN connections, update the VPN configuration by running VPN cmdlets with the CustomPolicy parameter. +To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. For VPN server, you need to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. @@ -33,15 +33,10 @@ On a VPN server that runs Windows Server 2012 R2, run [Set-VpnServerIPsecConfigu Set-VpnServerIPsecConfiguration -CustomPolicy ``` -For VPN client, youy need to configure each VPN connection. -For example, on a VPN client that runs Windows 10, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps): +For VPN client, you need to configure each VPN connection. +For example, on a VPN client that runs Windows 10, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection: ```powershell -Set-VpnConnectionIPsecConfiguration +Set-VpnConnectionIPsecConfiguration -ConnectionName ``` -On a VPN server that runs Windows Server 2012 R2, run [Set-VpnConnectionIPsecConfiguration (version 3.0)](https://technet.microsoft.com/library/dn262642(v=wps.630).aspx): - -```powershell -Set-VpnConnectionIPsecConfiguration -``` From 98f632d1e6250ee079b231aad7f7ef1fafec59c8 Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Fri, 2 Feb 2018 13:01:21 -0800 Subject: [PATCH 6/9] revised per Satya --- ...figure-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index c5e91f4974..7bb443505a 100644 --- a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -14,7 +14,7 @@ ms.date: 01/29/2018 **Applies to** - Windows 10, Windows 8.1, Windows 8, Windows 7 -- Windows Server +- Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. From c82d22c6f56790dba20f5291abeaace39177bda6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 2 Feb 2018 13:04:57 -0800 Subject: [PATCH 7/9] revised per Satya --- ...figure-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 7bb443505a..e89326d91c 100644 --- a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -21,7 +21,7 @@ To secure the connections, update the configuration of VPN servers and clients b For VPN server, you need to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. -For example, on a VPN server that runs Windows Server 2016, run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps): +For example, on a site-to-site VPN server that runs Windows Server 2016, run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps): ```powershell Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy From 39c6d7cf9c5f6c401019e3e1b4b7a1938b212345 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 2 Feb 2018 13:21:01 -0800 Subject: [PATCH 8/9] edits --- ...ure-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index e89326d91c..24ef78f2b8 100644 --- a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -19,6 +19,8 @@ ms.date: 01/29/2018 In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. +## VPN server + For VPN server, you need to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. For example, on a site-to-site VPN server that runs Windows Server 2016, run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps): @@ -27,11 +29,12 @@ For example, on a site-to-site VPN server that runs Windows Server 2016, run [Se Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy ``` -On a VPN server that runs Windows Server 2012 R2, run [Set-VpnServerIPsecConfiguration](https://technet.microsoft.com/library/hh918373(v=wps.620).aspx): +On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](https://technet.microsoft.com/library/hh918373(v=wps.620).aspx): ```powershell Set-VpnServerIPsecConfiguration -CustomPolicy ``` +## VPN client For VPN client, you need to configure each VPN connection. For example, on a VPN client that runs Windows 10, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection: From 4c3bd8707050fb83a8e627bf3f18548ed9307beb Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 2 Feb 2018 14:08:39 -0800 Subject: [PATCH 9/9] edits --- ...re-diffie-hellman-protocol-over-ikev2-vpn-connections.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 24ef78f2b8..99fbbd061a 100644 --- a/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/access-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -23,7 +23,7 @@ To secure the connections, update the configuration of VPN servers and clients b For VPN server, you need to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. -For example, on a site-to-site VPN server that runs Windows Server 2016, run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps): +For example, on a site-to-site VPN server that runs Windows Server 2012 R2 or later, run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps): ```powershell Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy @@ -34,10 +34,12 @@ On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](h ```powershell Set-VpnServerIPsecConfiguration -CustomPolicy ``` + ## VPN client For VPN client, you need to configure each VPN connection. -For example, on a VPN client that runs Windows 10, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection: +For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection: + ```powershell Set-VpnConnectionIPsecConfiguration -ConnectionName
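Review bot: PATCH 1/9, hunk @@ -0,0 +1,48 @@: none of the four examples states which Diffie Hellman group is meant to replace Group 2. The server examples pass only `-CustomPolicy` and the client examples pass nothing, so a reader who runs them as written gets no change to the DH group. The intro should name the target group and each example should set it (both `Set-VpnServerConfiguration` and `Set-VpnConnectionIPsecConfiguration` take a `-DHGroup` parameter according to their cmdlet references, which the hunk links but does not quote). The last paragraph also labels the `Set-VpnConnectionIPsecConfiguration (version 3.0)` example as "On a VPN server that runs Windows Server 2012 R2" although it sits in the client section and the linked module is vpnclient. Finally, the front matter still carries `description: tbd` and `ms.date: 07/27/2017` for a file created on 29 Jan 2018.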
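Review bot: PATCH 3/9, hunk @@ -1,13 +1,13 @@: the new `description: Explains how to secure VPN connections for Diffie Hellman Group 2` reads as if Group 2 is what gets secured, while the body says Group 2 is the insecure default to move away from; suggest `description: Explains how to replace the default Diffie Hellman Group 2 for IKEv2 VPN connections`. The `title` still ends in "(Windows 10)" even though the body's "Applies to" list also names Windows Server; reconcile the two.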
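Review bot: PATCH 4/9, hunk @@ -19,7 +19,7 @@: the rewritten sentence "For VPN server, you need to configure the tunnel type." drops the article and loses the original's point that each tunnel type is configured separately, and "the tunnel type" is ambiguous when the example only covers IKEv2. Suggest: "For a VPN server, configure each tunnel type separately. The following example configures IKEv2, so all IKE exchanges on IKEv2 tunnels use the secure configuration."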
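Review bot: PATCH 4/9, hunk @@ -33,8 +33,7 @@: "youy" is a typo, and removing the blank line between "For VPN client, youy need to configure each VPN connection." and the "For example, ..." line folds the two sentences into one Markdown paragraph. Restore the blank line and write "For a VPN client, you need to configure each VPN connection."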
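Review bot: PATCH 5/9, hunk @@ -13,11 +13,11 @@: widening "Applies to" to Windows 8.1, Windows 8 and Windows 7 is not backed by the body, whose only client example links the win10-ps cmdlet reference; either add a procedure for each added OS or keep the list at what the page documents. The rewritten intro sentence also drops the mention of the `CustomPolicy` parameter although both server examples still pass `-CustomPolicy`; keep one sentence explaining what that switch does.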
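Review bot: PATCH 5/9, hunk @@ -33,15 +33,10 @@: `Set-VpnConnectionIPsecConfiguration -ConnectionName` is left without an argument; show a placeholder such as `Set-VpnConnectionIPsecConfiguration -ConnectionName "<VPN connection name>"` so the line is copyable. The client example also omits `-CustomPolicy` while both server examples use it; confirm whether the client cmdlet needs it and say so either way. Deleting the "(version 3.0)" block is the right call given its mislabelled text, but the remaining link text "(version 4.0)" now has nothing to contrast with and can be dropped.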
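Review bot: PATCH 6/9, hunk @@ -14,7 +14,7 @@: the "Applies to" list now includes Windows Server 2008 R2 and Windows Server 2008, but the body only documents `Set-VpnServerConfiguration` and `Set-VpnServerIPsecConfiguration` (linked for Server 2016 and 2012 R2), and as far as I know those RemoteAccess cmdlets first shipped with Windows Server 2012. Either add steps that work on the 2008 releases or trim the list to the versions the examples cover.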
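Review bot: PATCH 7/9, hunk @@ -21,7 +21,7 @@: "site-to-site VPN server" is paired with `Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy`, which configures the remote access VPN server; site-to-site interfaces are configured per interface with `Set-VpnS2SInterface` (which also takes `-CustomPolicy`). Either drop "site-to-site" or switch to the matching cmdlet, and confirm with Satya which scenario was intended.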
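Review bot: PATCH 8/9, hunk @@ -27,11 +29,12 @@: "On an earlier version of Windows Server" is vaguer than the "Windows Server 2012 R2" it replaces; since the link goes to the wps.620 (Windows Server 2012) reference, name the versions. The new `## VPN client` heading is also inserted directly after the closing code fence with no blank line before or after it; add both so the heading renders reliably.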
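Review bot: PATCH 9/9, hunk @@ -23,7 +23,7 @@: "Windows Server 2012 R2 or later" combined with the following "On an earlier version of Windows Server, run Set-VpnServerIPsecConfiguration" leaves the reader to work out that "earlier" means Windows Server 2012; spell it out, and note that the `Set-VpnServerConfiguration` link still points at the win10-ps reference rather than a 2012 R2 one.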
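Review bot: PATCH 9/9, hunk @@ -34,10 +34,12 @@: dropping "on a VPN client that runs Windows 10" removes the only statement of which client OS the example targets, while the link text still says "(version 4.0)" and points at win10-ps; keep the OS in the sentence. `Set-VpnConnectionIPsecConfiguration -ConnectionName` still has no argument, so the placeholder suggested for PATCH 5/9 is still needed here.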