Enable PFS for Windows IKEv2

2026-06-24 02:00:24 +07:00 · 2025-01-27 22:39:18 +02:00
parent fbbba648c4
commit b173dcaa17
2 changed files with 6 additions and 6 deletions
@@ -238,7 +238,7 @@ ErrorCode Ikev2Protocol::start()
                                "-CipherTransformConstants GCMAES128 "
                                "-EncryptionMethod AES256 "
                                "-IntegrityCheckMethod SHA256 "
-                                "-PfsGroup None "
+                                "-PfsGroup PFS2048 "
                                "-DHGroup Group14 "
                                "-PassThru -Force\"")
                            .arg(tunnelName());
@@ -33,14 +33,14 @@ conn shared
  right=%any
  encapsulation=yes
  authby=secret
-  pfs=no
+  pfs=yes
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
@@ -244,9 +244,9 @@ conn ikev2-cp
  auto=add
  ikev2=insist
  rekey=no
-  pfs=no
+  pfs=yes
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
-  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes