The original post: /r/vpn by /u/Nando03 on 2024-12-03 11:30:57.

I’m setting up a VPN server using Windows Server (Routing and Remote Access), and I want to enforce specific security protocols for clients connecting via IKEv2. The goal is to ensure that the server dictates the following cryptographic settings during the connection handshake, so that clients don’t need to run any PowerShell commands or configure these settings manually:

  • Encryption Algorithm: AES-256
  • Hash Algorithm: SHA-256
  • Diffie-Hellman Group: Group 14 (2048-bit)
  • PFS Group: PFS2048

I’ve already configured the server’s registry (IKEv2CustomPolicy) and applied these settings. However, when clients attempt to connect, they default to their own settings unless explicitly configured using Set-VpnConnectionIPsecConfiguration on the client.

My questions are:

  1. Can the Windows VPN server enforce these protocols on clients so they automatically use the correct cryptographic settings during negotiation?
  2. Is there a way to achieve this without requiring any manual configuration or scripting on the client side?

For example:

  • If a user connects to the VPN with just the server address, username, and password, the server would force the client to use AES-256, SHA-256, and DH14.
  • Clients that don’t support these protocols would simply fail to connect.

Any guidance or suggestions would be greatly appreciated. Thank you!
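As an added example (not part of the original post), this is the server-side PowerShell equivalent of the IKEv2CustomPolicy registry settings the poster describes, using the RemoteAccess module's Set-VpnServerIPsecConfiguration cmdlet on the RRAS server. The values are the ones the post asks for; the splatting variable name is a local choice. One caveat worth knowing when reading the result: in an IKEv2 exchange the client (initiator) sends its proposal list and the server (responder) picks from it, so a server-side policy can only narrow what the server accepts. It cannot push settings to a client; a client whose built-in proposals do not include AES-256/SHA-256/DH14 will fail the IKE_SA_INIT negotiation rather than be upgraded, which matches the second bullet in the post.

```powershell
# Added example: restrict the IKE (phase 1) and IPsec/ESP (phase 2) proposals
# that the RRAS IKEv2 server will accept. Run in an elevated PowerShell
# session on the RRAS server itself.
Import-Module RemoteAccess

# Splatting keeps each parameter on its own commented line; the names and
# enum values below are the cmdlet's own (RemoteAccess module).
$ikev2Policy = @{
    CustomPolicy                     = $true
    EncryptionMethod                 = 'AES256'     # IKE SA cipher
    IntegrityCheckMethod             = 'SHA256'     # IKE SA integrity / PRF
    DhGroup                          = 'Group14'    # 2048-bit MODP group (DH14)
    CipherTransformConstants         = 'AES256'     # ESP (child SA) cipher
    AuthenticationTransformConstants = 'SHA256128'  # ESP HMAC-SHA-256, 128-bit truncation
    PfsGroup                         = 'PFS2048'    # PFS group for child SA rekeys
    Force                            = $true        # suppress the confirmation prompt
}
Set-VpnServerIPsecConfiguration @ikev2Policy

# The policy is read when the service starts, so restart RRAS to apply it.
Restart-Service RemoteAccess

# Verify what the server now advertises as its accepted set.
Get-VpnServerIPsecConfiguration | Format-List
```

After the restart, test with one client left at its defaults and one configured with Set-VpnConnectionIPsecConfiguration to the same values: the second should connect, and the first should fail only if its default proposal list contains none of the accepted combinations. Comparing the two is the quickest way to confirm the policy is being enforced rather than silently ignored.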