Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Downgrade the IPsec RA VPN server algorithm strength (Windows 10 client)

This example shows how to downgrade the strength of the algorithms that the RA VPN server uses, so that they align with the default algorithms that Windows 10 clients use.

Configure the RA VPN server to use additional, weaker algorithms.
# Add IKE and IPsec profiles for weak algorithms
set security vpn ipsec ike-group IKE2 dead-peer-detection action clear
set security vpn ipsec ike-group IKE2 dead-peer-detection interval 11
set security vpn ipsec ike-group IKE2 ike-version 2
set security vpn ipsec ike-group IKE2 lifetime 14400  # 4 hour IKE SA (Phase 1)
set security vpn ipsec ike-group IKE2 proposal 1 dh-group 2
set security vpn ipsec ike-group IKE2 proposal 1 encryption aes256
set security vpn ipsec ike-group IKE2 proposal 1 hash sha1
set security vpn ipsec esp-group ESP2 lifetime 3600   # 1 hour ESP SA (Phase 2)
set security vpn ipsec esp-group ESP2 pfs disable
set security vpn ipsec esp-group ESP2 proposal 1 encryption aes256
set security vpn ipsec esp-group ESP2 proposal 1 hash sha1
# Change the RA VPN server profile ROADWARRIOR to use these algorithms
set security vpn ipsec remote-access-server profile ROADWARRIOR esp-group ESP2
set security vpn ipsec remote-access-server profile ROADWARRIOR ike-group IKE2
With IKE2 and ESP2 applied to the ROADWARRIOR profile, the RA VPN server now negotiates the weaker algorithms that Windows 10 clients use by default.
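
Because this change leaves DH group 2, SHA-1 and disabled PFS on a remote-access profile, it helps to be able to find such profiles later. The following audit script is an added example, not part of the Vyatta NOS documentation; it assumes the configuration is available as a list of set commands, and the WEAK_DH and WEAK_HASH sets and the function name are assumptions for illustration.

```python
# Constructed input: set commands taken from this page, as a saved command list.
SAMPLE = """\
set security vpn ipsec ike-group IKE2 ike-version 2
set security vpn ipsec ike-group IKE2 proposal 1 dh-group 2
set security vpn ipsec ike-group IKE2 proposal 1 encryption aes256
set security vpn ipsec ike-group IKE2 proposal 1 hash sha1
set security vpn ipsec esp-group ESP2 pfs disable
set security vpn ipsec esp-group ESP2 proposal 1 encryption aes256
set security vpn ipsec esp-group ESP2 proposal 1 hash sha1
set security vpn ipsec remote-access-server profile ROADWARRIOR esp-group ESP2
set security vpn ipsec remote-access-server profile ROADWARRIOR ike-group IKE2
"""

# Assumed local policy for this example, not a Vyatta NOS default.
WEAK_DH = {"1", "2", "5"}
WEAK_HASH = {"md5", "sha1"}


def audit_ra_profiles(config_text):
    """Map each RA VPN profile to the weak settings of the groups it references."""
    weak = {}  # (group kind, group name) -> findings
    refs = {}  # profile name -> [(group kind, group name), ...]
    for line in config_text.splitlines():
        tok = line.split("#", 1)[0].split()  # drop trailing comments
        if tok[:4] != ["set", "security", "vpn", "ipsec"]:
            continue
        tok = tok[4:]
        if tok[:1] in (["ike-group"], ["esp-group"]) and len(tok) >= 4:
            group, rest = (tok[0], tok[1]), tok[2:]
            bad = (
                (rest[0] == "proposal" and len(rest) == 4 and (
                    (rest[2] == "dh-group" and rest[3] in WEAK_DH)
                    or (rest[2] == "hash" and rest[3] in WEAK_HASH)))
                or rest == ["pfs", "disable"]
            )
            if bad:
                weak.setdefault(group, []).append(" ".join(tok))
        elif tok[:2] == ["remote-access-server", "profile"] and len(tok) == 5:
            refs.setdefault(tok[2], []).append((tok[3], tok[4]))
    return {
        profile: sorted(f for g in groups for f in weak.get(g, []))
        for profile, groups in refs.items()
    }


if __name__ == "__main__":
    for profile, findings in audit_ra_profiles(SAMPLE).items():
        for finding in findings:
            print(f"{profile}: {finding}")
```

A profile that maps to an empty list references only groups that pass the assumed policy.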