2.0 KiB
title, description, ms.prod, author, ms.author, ms.localizationpriority, ms.date, manager, ms.reviewer, appliesto, ms.technology, ms.topic
| title | description | ms.prod | author | ms.author | ms.localizationpriority | ms.date | manager | ms.reviewer | appliesto | ms.technology | ms.topic | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11) | Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. | windows-client | paolomatarazzo | paoloma | medium | 09/23/2021 | aaroncz | pesmith |
|
itpro-security | how-to |
How to configure Diffie Hellman protocol over IKEv2 VPN connections
Applies To: Windows Server (General Availability Channel), Windows Server 2016, Windows 10, Windows 11
In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
VPN server
For VPN servers that run Windows Server 2012 R2 or later, you need to run Set-VpnServerConfiguration to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
On an earlier version of Windows Server, run Set-VpnServerIPsecConfiguration. Since Set-VpnServerIPsecConfiguration doesn’t have -TunnelType, the configuration applies to all tunnel types on the server.
Set-VpnServerIPsecConfiguration -CustomPolicy
VPN client
For VPN client, you need to configure each VPN connection. For example, run Set-VpnConnectionIPsecConfiguration (version 4.0) and specify the name of the connection:
Set-VpnConnectionIPsecConfiguration -ConnectionName <String>