--On Friday, May 04, 2018 04:53:29 PM +1200 flyingrhino
<[email protected]> wrote:
Hi,
Just to keep a complete record of this for other people who may
search the list archive for this solution:
The solution was to create a windows registry key:
Path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
Key: NegotiateDH2048_AES256
Type: DWORD 32bit
Value: 1
If you need to roll this out across multiple machines as I did - once
you do the first machine, you can select the new key you just edited
and do: File -> Export , select type reg.
Then on subsequent machines the user simply double clicks the file
and it gets imported automatically.
Hope this helps other people who find this post.

To add to the tip: I distribute a PowerShell script to roadwarriors to
set up the complete VPN connection. Maybe someone would like to use
parts of it:
############
echo "activate higher encryption"
reg add HKLM\System\CurrentControlSet\Services\Rasman\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 2 /f
echo "import CA"
# Write the CA certificate (PKCS#7) to a temporary file, import it into
# the machine's trusted root store, then delete the temporary file.
echo "-----BEGIN PKCS7-----
MII.....
....=
-----END PKCS7-----
" > c:\certtmp.p7b
Import-Certificate -FilePath c:\certtmp.p7b -CertStoreLocation 'Cert:\LocalMachine\Root'
del c:\certtmp.p7b
sleep 1
echo "Make VPN"
# Create the IKEv2 connection for all users of the machine.
Add-VpnConnection -Name "<VPNNAME>" -ServerAddress "<SERVERNAME>" -TunnelType "Ikev2" -AllUserConnection -EncryptionLevel Required
echo "added"
# Turn split tunneling off for this connection.
Set-VpnConnection -Name "<VPNNAME>" -AllUserConnection -SplitTunneling 0
echo "split out"
# Pin the IKE/ESP proposal: AES-256, SHA-256, DH group 14, no PFS.
Set-VpnConnectionIPsecConfiguration -ConnectionName "<VPNNAME>" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
echo "parameter set"
sleep 1
echo "all set"
############
Cheers
Dirk
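
A post-rollout check for the settings applied above, as an added example that is not part of the original thread or of Dirk's script: it reads back the registry value and the connection's IPsec policy and reports any drift. The `<VPNNAME>` placeholder, the `Add-Check` helper and the default expected registry value of 2 (the script's value; the first message used 1) are assumptions of this example.

```powershell
# Added example: verify the registry value and IPsec proposal after rollout.
param(
    [string]$VpnName = '<VPNNAME>',      # placeholder, as in the script above
    [int]$ExpectedRasmanValue = 2        # the script sets 2; the first message used 1
)

$results = @()
function Add-Check($Setting, $Expected, $Actual) {
    # Compare as strings so enum, Boolean and DWORD values are handled alike.
    $script:results += [pscustomobject]@{
        Setting = $Setting; Expected = $Expected; Actual = $Actual
        Ok      = ("$Expected" -eq "$Actual")
    }
}

# 1. Registry value that enables the stronger IKEv2 proposal.
$key = 'HKLM:\System\CurrentControlSet\Services\Rasman\Parameters'
$reg = Get-ItemProperty -Path $key -Name NegotiateDH2048_AES256 -ErrorAction SilentlyContinue
Add-Check 'NegotiateDH2048_AES256' $ExpectedRasmanValue $reg.NegotiateDH2048_AES256

# 2. Connection-level settings and the custom IPsec policy.
$vpn = Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $vpn) {
    Add-Check 'VPN connection present' $true $false
} else {
    Add-Check 'TunnelType'      'Ikev2'    $vpn.TunnelType
    Add-Check 'EncryptionLevel' 'Required' $vpn.EncryptionLevel
    Add-Check 'SplitTunneling'  $false     $vpn.SplitTunneling

    $expected = [ordered]@{
        AuthenticationTransformConstants = 'SHA256128'
        CipherTransformConstants         = 'AES256'
        EncryptionMethod                 = 'AES256'
        IntegrityCheckMethod             = 'SHA256'
        PfsGroup                         = 'None'
        DHGroup                          = 'Group14'
    }
    $policy = $vpn.IPSecCustomPolicy     # empty if no custom policy was set
    foreach ($name in $expected.Keys) {
        Add-Check "IPsec $name" $expected[$name] $policy.$name
    }
}

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit signals drift
```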