2

I'm setting up IPSec on Windows 2012 R2 using the wizards found at gpedit.msc (Local Computer Policy, Security Settings, IP Security Policies...). When modifying the security method and clicking on custom, I am expecting to see more algorithms than just DES/3DES/SHA1/MD5. Specifically, I'm expecting to see AES256, SHA256, etc.

As per the screenshot, I am only seeing the weaker algorithms. I've confirmed on a different OS as well (Windows 10). What am I missing? How do I get the other algorithms to show up, or why are they not needed?

Local security policy IPSec settings

Charles

1 Answer

2

You can customize the IPsec settings by going to the 'Windows Firewall with Advanced Security' MMC, right-clicking on the root and selecting Properties. Then select the 'IPsec Settings' tab and click 'Customize' next to 'IPsec defaults'. There you can change the Integrity and Encryption algorithms, and even the Key Exchange algorithm if you want. These can also be set via Group Policy.

https://technet.microsoft.com/en-us/library/cc730833(v=ws.11).aspx
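A scripted counterpart to the dialog steps in the answer above, as an added example that is not part of the original answer: it uses the NetSecurity PowerShell cmdlets that manage the same 'Windows Firewall with Advanced Security' policy store to define AES256/SHA256 proposals. Unlike the 'IPsec defaults' dialog, it attaches the algorithms to named crypto sets and rules; all display names are constructed for illustration, and DH14 is an assumed choice of key exchange group.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Constructed display names; replace with your own naming scheme.
$mmName = 'Example MM: DH14 AES256 SHA256'
$qmName = 'Example QM: ESP AES256 SHA256'

# Main mode proposal: key exchange group plus the encryption and
# integrity algorithms protecting the IKE negotiation itself.
$mmProposal = New-NetIPsecMainModeCryptoProposal `
    -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName $mmName -Proposal $mmProposal

# Quick mode proposal: encryption and integrity for the data traffic (ESP).
$qmProposal = New-NetIPsecQuickModeCryptoProposal `
    -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName $qmName -Proposal $qmProposal

# Bind the sets to rules. Both rules are created disabled so that nothing
# changes on the wire until the peer has been given matching proposals.
New-NetIPsecMainModeRule -DisplayName 'Example main mode rule' `
    -MainModeCryptoSet $mmSet.Name -Enabled False

New-NetIPsecRule -DisplayName 'Example connection security rule' `
    -InboundSecurity Require -OutboundSecurity Request `
    -QuickModeCryptoSet $qmSet.Name -Enabled False

# Read the sets back from the policy store to confirm what was written.
Get-NetIPsecMainModeCryptoSet -DisplayName $mmName
Get-NetIPsecQuickModeCryptoSet -DisplayName $qmName
```

Once both peers carry matching proposals, the rules can be switched on with `Enable-NetIPsecMainModeRule` and `Enable-NetIPsecRule`.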