title | description | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | author | ms.author | ms.localizationpriority | ms.date | ms.reviewer | manager |
---|---|---|---|---|---|---|---|---|---|---|---|
How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) | Explains how to secure VPN connections for Diffie Hellman Group 2 | w10 | deploy | library | security, networking | dulcemontemayor | dansimp | medium | 02/08/2018 | dansimp |
How to configure Diffie Hellman protocol over IKEv2 VPN connections
Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10
In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
VPN server
For VPN servers that run Windows Server 2012 R2 or later, you need to run Set-VpnServerConfiguration to configure the tunnel type. This makes all IKE exchanges on the IKEv2 tunnel use the secure configuration.
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
On earlier versions of Windows Server, run Set-VpnServerIPsecConfiguration. Since Set-VpnServerIPsecConfiguration doesn’t have -TunnelType, the configuration applies to all tunnel types on the server.
Set-VpnServerIPsecConfiguration -CustomPolicy
VPN client
For VPN clients, you need to configure each VPN connection. For example, run Set-VpnConnectionIPsecConfiguration (version 4.0) and specify the name of the connection:
Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
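To find which client connections still fall back to Group 2 and move them to an explicit policy, the following script audits each IKEv2-capable connection and, with -Apply, sets a custom IPsec policy. It is an added example, not part of the original page: the algorithm choices (Group14, AES256, SHA256, PFS2048), the list of groups treated as weak, and the script's own -Apply switch are assumptions, and the server must be configured to accept the same proposal.

```powershell
# Added example: algorithm choices and the -Apply switch are assumptions, not from the page.
param(
    [switch]$Apply,             # without -Apply the script only reports
    [switch]$AllUserConnection  # audit the global phone book instead of the current user's
)

# Assumed replacement policy (the page does not name one). The VPN server must
# accept the same proposal, for example:
#   Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -DHGroup Group14 `
#     -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 `
#     -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128
$policy = @{
    AuthenticationTransformConstants = 'SHA256128'
    CipherTransformConstants         = 'AES256'
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'
    PfsGroup                         = 'PFS2048'
}
$weakGroups = 'None', 'Group1', 'Group2'   # assumption: groups treated as too weak

function Get-Ikev2DhReport {
    Get-VpnConnection -AllUserConnection:$AllUserConnection |
        Where-Object { $_.TunnelType -in 'Ikev2', 'Automatic' } |
        ForEach-Object {
            # No custom policy means the built-in default, which the page says is Group 2.
            $dh = if ($_.IPSecCustomPolicy) { [string]$_.IPSecCustomPolicy.DHGroup } else { 'Group2' }
            [pscustomobject]@{
                Name         = $_.Name
                TunnelType   = $_.TunnelType
                CustomPolicy = [bool]$_.IPSecCustomPolicy
                DHGroup      = $dh
                Weak         = $dh -in $weakGroups
            }
        }
}

$report = @(Get-Ikev2DhReport)
$report | Format-Table -AutoSize

if ($Apply) {
    foreach ($c in $report | Where-Object Weak) {
        Set-VpnConnectionIPsecConfiguration -ConnectionName $c.Name @policy `
            -AllUserConnection:$AllUserConnection -Force
    }
    Get-Ikev2DhReport | Format-Table -AutoSize   # confirm the new DH group took effect
}
```

Run it once without -Apply to review the report; a client policy that the server does not also offer will cause the IKEv2 negotiation to fail, so change the server first or in the same maintenance window.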