Mastering Development System & Network

Windows 10 IKEv2 IPSec VPN client & DH Group15 (modp3072) or higher

Question: Is there any way to configure the Windows 10 VPN client to use DH Group 15 / Group15 (modp3072) or higher for key exchange? I am somewhat distressed that the CNSA specifies use of DH Group 15 (modp3072) or higher, but the Windows 10 VPN client supports only up to DH Group 14 (modp2048), which is still considered secure from my research, but it’s not quite CNSA. I am aware that the Windows 10 VPN client supports ECP384, which is allowed by the CNSA, but I have been unable to get the Windows 10 VPN client to connect to my strongSwan IPSec VPN server using my RSA X.509 certificates because apparently the Windows 10 VPN client is hardcoded to require use of ECDSA certificates to use ECP384 for key exchanges. I have about come to the conclusion that I should just replace my RSA X.509 certificates with ECDSA X.509 certificates so that the Windows 10 clients can connect using ECP384 for key exchange.

Many thanks for any guidance and feedback.
Will Snyder
