The only way to manually configure what encryption proposals Windows provides for an IPSec VPN connection seems to be through the PowerShell command Set-VPNConnectionIPSecConfiguration. However, the documentation by Microsoft is vague and confusing. Specifically, it doesn't distinguish which parameters are for phase 1 or phase 2, and it refers to transform constants (AuthenticationTransformConstants and EncryptionTransformConstants), which don't have a clear analog in third-party VPN software. What are these parameters referred to as in most VPN servers?
Viewed 517 times
1 Answer
The parameters generally are associated with the following settings in most VPN servers:
| Parameter | Example Value | Associated VPN Server Setting |
|---|---|---|
| -AuthenticationTransformConstants | 'GCMAES128' | Phase 2 Authentication |
| -CipherTransformConstants | 'GCMAES128' | Phase 2 Encryption |
| -DHGroup | 'ECP384' | Phase 1 Key Group |
| -EncryptionMethod | 'AES256' | Phase 1 Encryption |
| -IntegrityCheckMethod | 'SHA256' | Phase 1 Authentication |
| -PfsGroup | 'None' | Perfect Forward Secrecy Group |
Source: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bopASAQ
As ecdsa pointed out, the source above has phase 1 and phase 2 swapped for some reason. The above table is correct.

Natecat
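As an added example (not code from the question or the answer above), the following PowerShell applies the answer's phase 1 / phase 2 mapping to a fresh IKEv2 connection and then reads the resulting policy back so the configured proposals can be checked against the peer's policy. The connection name, server address and the chosen algorithm values are placeholders and assumptions; the cmdlets and parameter names are those of the RemoteAccess module, and the PfsGroup is set to a real group here (the answer's table uses 'None', which disables PFS for the child SA).

```powershell
# Added example, not part of the original question or answer.
# 'Corp-IKEv2' and 'vpn.example.com' are placeholders; substitute your own values.
$name = 'Corp-IKEv2'

# Create the connection profile (IKEv2 tunnel, machine-certificate authentication).
Add-VpnConnection -Name $name -ServerAddress 'vpn.example.com' `
    -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -Force

# Splatting lets each parameter carry its own comment (a comment after a
# backtick continuation would break the line, so a hashtable is used instead).
$ipsec = @{
    ConnectionName                   = $name

    # Phase 1 (IKE SA): what the server calls the IKE / "main mode" proposal.
    EncryptionMethod                 = 'AES256'     # phase 1 encryption
    IntegrityCheckMethod             = 'SHA256'     # phase 1 integrity / PRF
    DHGroup                          = 'ECP384'     # phase 1 Diffie-Hellman group

    # Phase 2 (ESP / child SA): what the server calls the IPsec or "quick mode" proposal.
    CipherTransformConstants         = 'GCMAES256'  # phase 2 encryption (AEAD)
    AuthenticationTransformConstants = 'GCMAES256'  # phase 2 integrity; with GCM this must match the cipher value
    PfsGroup                         = 'ECP384'     # phase 2 PFS group ('None' would disable PFS)

    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @ipsec

# Read the custom policy back to confirm what Windows will actually propose.
# (In strongSwan notation the equivalent would be roughly
#  ike=aes256-sha256-ecp384 and esp=aes256gcm16-ecp384; other servers use their own spelling.)
Get-VpnConnection -Name $name | Select-Object -ExpandProperty IPsecCustomPolicy
```

When the server rejects the proposal, compare the values printed by the last line against the server's phase 1 and phase 2 policy rather than the documentation's wording: the three IKE parameters must match the server's IKE proposal and the three ESP parameters its IPsec proposal, and a GCM cipher on the ESP side must be paired with the same GCM value in AuthenticationTransformConstants.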
- That's not correct. They have the encryption and integrity settings for the two phases reversed. – ecdsa Jul 21 '22 at 07:43
- Ahh, that is infuriating. I will test this and update if you're correct. – Natecat Jul 21 '22 at 20:49
- Useful info, but it would be a more appropriate Q&A for [su]. – miken32 Jul 21 '23 at 15:12