diff --git a/client/protocols/ikev2_vpn_protocol_windows.cpp b/client/protocols/ikev2_vpn_protocol_windows.cpp
index e2e4ca902..b4110f034 100644
--- a/client/protocols/ikev2_vpn_protocol_windows.cpp
+++ b/client/protocols/ikev2_vpn_protocol_windows.cpp
@@ -238,7 +238,7 @@ ErrorCode Ikev2Protocol::start()
                                 "-CipherTransformConstants GCMAES128 "
                                 "-EncryptionMethod AES256 "
                                 "-IntegrityCheckMethod SHA256 "
-                                "-PfsGroup None "
+                                "-PfsGroup PFS2048 "
                                 "-DHGroup Group14 "
                                 "-PassThru -Force\"")
                             .arg(tunnelName());
diff --git a/client/server_scripts/ipsec/configure_container.sh b/client/server_scripts/ipsec/configure_container.sh
index 76c4dfafc..1f0a45cb3 100644
--- a/client/server_scripts/ipsec/configure_container.sh
+++ b/client/server_scripts/ipsec/configure_container.sh
@@ -33,14 +33,14 @@ conn shared
   right=%any
   encapsulation=yes
   authby=secret
-  pfs=no
+  pfs=yes
   rekey=no
   keyingtries=5
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
   ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h
@@ -244,9 +244,9 @@ conn ikev2-cp
   auto=add
   ikev2=insist
   rekey=no
-  pfs=no
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
-  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+  pfs=yes
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
+  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
   ikelifetime=24h
   salifetime=24h
   encapsulation=yes