When deploying Windows 10 Always On VPN, many administrators choose the Internet Key Exchange version 2 (IKEv2) protocol to provide the highest level of security and protection for remote connections. However, many do not realize the default security parameters for IKEv2 negotiated between a Windows Server running the Routing and Remote Access Service (RRAS) and a Windows 10 VPN client are far less than ideal from a security perspective. Additional configuration on both the server and the client will be required to ensure adequate security and protection for IKEv2 VPN connections.
Windows 10 and RRAS IKEv2 Defaults
In their default configuration, a Windows 10 client connecting to a Windows Server running RRAS will negotiate an IKEv2 VPN connection using the following IPsec security parameters.
- Encryption: 3DES
- Authentication/Integrity: SHA-1
- Key Size: DH Group 2 (1024 bit)
This information can be obtained by opening an elevated PowerShell command window and running the following command.
Get-NetIPsecMainModeSA | Select-Object -First 1
This can also be confirmed by viewing a network trace as shown here.
These IPsec security parameters might have been acceptable in the 90’s, but they certainly are not today. 🙂
Improving IKEv2 Security
To provide a baseline level of protection to meet today’s requirements for security and privacy for IKEv2 VPN connections, the following are the minimum recommended IPsec security parameters.
- Encryption: AES128
- Authentication/Integrity: SHA-256
- Key Size: DH Group 14 (2048 bit)
RRAS Custom IPsec Policy
To implement these recommended security baselines for IKEv2 on a Windows Server running RRAS it will be necessary to define a custom IPsec security policy. To do this, open an elevated PowerShell command window and run the following commands on each RRAS server.
Set-VpnServerConfiguration -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
Restart the Remote Access Management service for the changes to take effect.
Restart-Service RemoteAccess -PassThru
Note: A PowerShell script to implement the custom IPsec security policy settings shown above can be downloaded here.
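The following is an added audit script, not part of the original post or its downloadable script. It checks the RRAS policy (via Get-VpnServerConfiguration) and every active main mode SA (via Get-NetIPsecMainModeSA, the cmdlet used above to reveal the defaults) against the AES128/SHA-256/DH Group 14 baseline. The property names on the returned objects and the exact value strings (e.g. DH2 vs. Group2) are assumptions, so values are matched with regular expressions rather than exact strings. Run it in an elevated PowerShell window on the RRAS server.

```powershell
# Added example: audit RRAS IKEv2 settings and live SAs against the baseline.
# Assumes the object property names shown in the cmdlet output (CustomPolicy,
# EncryptionMethod, IntegrityCheckMethod, DHGroup, CipherAlgorithm,
# HashAlgorithm, GroupId); value strings are matched loosely via regex.

# Acceptable values; anything else is reported as below baseline.
$Baseline = @{
    Cipher    = 'AES(128|192|256)|GCM'     # rejects 3DES (reported as DES3)
    Integrity = 'SHA(256|384|512)'         # rejects SHA1 and MD5
    DHGroup   = '(DH|Group)(14|19|20|24)'  # rejects DH Group 2 (1024 bit)
}

function Test-Ikev2ServerPolicy {
    # Compare the configured RRAS IPsec policy with the baseline.
    $cfg = Get-VpnServerConfiguration
    $findings = @()
    if (-not $cfg.CustomPolicy) {
        $findings += 'CustomPolicy is disabled; RRAS is using the 3DES/SHA-1/DH2 defaults.'
    }
    if ($cfg.EncryptionMethod     -notmatch $Baseline.Cipher)    { $findings += "Weak EncryptionMethod: $($cfg.EncryptionMethod)" }
    if ($cfg.IntegrityCheckMethod -notmatch $Baseline.Integrity) { $findings += "Weak IntegrityCheckMethod: $($cfg.IntegrityCheckMethod)" }
    if ($cfg.DHGroup              -notmatch $Baseline.DHGroup)   { $findings += "Weak DHGroup: $($cfg.DHGroup)" }
    return $findings
}

function Test-Ikev2ActiveSAs {
    # Inspect each live main mode SA. A client still proposing the defaults
    # shows up here even when the server-side policy itself looks correct.
    $findings = @()
    foreach ($sa in Get-NetIPsecMainModeSA) {
        $weak = @()
        if ($sa.CipherAlgorithm -notmatch $Baseline.Cipher)    { $weak += "cipher=$($sa.CipherAlgorithm)" }
        if ($sa.HashAlgorithm   -notmatch $Baseline.Integrity) { $weak += "hash=$($sa.HashAlgorithm)" }
        if ($sa.GroupId         -notmatch $Baseline.DHGroup)   { $weak += "dh=$($sa.GroupId)" }
        if ($weak.Count -gt 0) {
            $findings += "SA with $($sa.RemoteEndpoint) is below baseline: $($weak -join ', ')"
        }
    }
    return $findings
}

$results = @(Test-Ikev2ServerPolicy) + @(Test-Ikev2ActiveSAs)
if ($results.Count -eq 0) { 'IKEv2 policy and all active main mode SAs meet the baseline.' }
else { $results | ForEach-Object { Write-Warning $_ } }
```

Run it once before applying the custom policy to see the 3DES/SHA-1/DH2 findings, and again after the RemoteAccess service restart and a fresh client connection to confirm the SAs now negotiate AES128/SHA-256/DH Group 14.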
Root Certificate
It is essential to define the root certification authority for which to accept IPsec security associations (SAs) for IKEv2 VPN connections. Without this setting configured, the VPN server will accept IPsec SAs using any certificate issued by a CA defined in its Trusted Root Certification Authorities certificate store. To configure this setting, open an elevated PowerShell window and run the following commands.
$Thumbprint = 'Root CA Certificate Thumbprint'
$RootCACert = (Get-ChildItem -Path cert:\LocalMachine\root | Where-Object {$_.Thumbprint -eq $Thumbprint})
Set-VpnAuthProtocol -RootCertificateNameToAccept $RootCACert -PassThru
Restart-Service RemoteAccess -PassThru
Note: A PowerShell script to implement the root certificate name to accept can be found here.
CRL Checking
By default, RRAS does not enforce CRL checks for IKEv2 VPN connections. Additional configuration is required to enable support for CRL checking. Microsoft published guidance for configuring CRL revocation checks for IKEv2 VPN connections using machine certificate authentication here. Specifically, administrators must enable the RootCertificateNameToAccept parameter (guidance above) and set the following registry key to enable this functionality.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\' -Name CertAuthFlags -PropertyType DWORD -Value '4' -Force
Restart-Service RemoteAccess -PassThru
Note: A PowerShell script to configure root certificate settings and enforce CRL checking can be downloaded here.
Windows 10 Client Settings
The IPsec policy must match on both the server and the client for an IKEv2 VPN connection to be successful. Unfortunately, none of the IKEv2 IPsec security association parameters proposed by default on Windows 10 clients use 2048-bit keys (DH Group 14), so it will be necessary to define a custom IPsec security policy on the client to match the settings configured on the server.
To configure a matching IPsec security policy on an individual Windows 10 VPN client, open an elevated PowerShell command window and run the following command.
$connection = "[connection name]"
Set-VpnConnectionIPsecConfiguration -ConnectionName $connection -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force
Restore Defaults
In the process of testing it may be necessary to restore the default IKEv2 configuration on both the client and the server. This can be accomplished by running the following PowerShell commands.
Server – Set-VpnServerConfiguration -RevertToDefault
Client – Set-VpnConnectionIPsecConfiguration -ConnectionName [connection_name] -RevertToDefault -Force
Always On VPN XML Settings
To implement a custom IPsec policy using the minimum recommended security settings for an Always On VPN connection using IKEv2, add the following settings to your ProfileXML.
<VPNProfile>
  <NativeProfile>
    <CryptographySuite>
      <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
      <CipherTransformConstants>AES128</CipherTransformConstants>
      <EncryptionMethod>AES128</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
</VPNProfile>
Why Not AES 256?
In the examples above you’ll notice that I’ve chosen to use AES128 and not AES256. This is by design, as AES256 does not provide any practical additional security in most use cases. Details here.
Enhanced Security and Performance
To further improve security and performance for IKEv2, consider implementing Elliptic Curve Cryptography (ECC) certificates and using Galois/Counter Mode (GCM) cipher suites such as GCMAES128 for authentication and encryption.
Additional Information
Always On VPN Certificate Requirements for IKEv2
Always On VPN IKEv2 Connection Failure Error Code 800
Always On VPN IKEv2 Load Balancing with the KEMP LoadMaster Load Balancer