By default, Windows 7 through Windows 11 propose only the weak 1024-bit MODP Diffie-Hellman group (modp1024, DH group 2) for the IKEv2 key exchange, a group that NIST Special Publication 800-57 Part 3 Revision 1 has deprecated since 2015. The client's IKE proposal, in strongSwan notation, is:
ike = 3des-aes128-aes192-aes256-sha1-sha256-sha384-modp1024
A server that refuses modp1024 rejects this proposal, so every attempt to connect to the IKEv2 VPN server fails and Windows reports a "Policy match error" message.
To enable the 2048-bit group (modp2048, DH group 14) you need to add a DWORD value named NegotiateDH2048_AES256 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters in the Windows registry. A value of 1 makes the client also propose AES-256 with modp2048 (a value of 2 selects AES-128 with modp2048); when the value is absent or 0, only modp1024 is proposed. The steps below do this by merging a prepared .reg file with regedit.
Download the following zip file:
NOTE: You do not need to import this file again if you have already imported it, or if your Diffie-Hellman group has already been upgraded to 2048 bits. In either case, skip this part and proceed to the Setting IKEv2 VPN client section.
ADMINISTRATOR NOTE:
Merging NegotiateDH2048_AES256 into the Windows registry requires administrator privileges, because the value lives under HKEY_LOCAL_MACHINE. If you see the following message, you need to switch from your current Windows user to an administrator account (or supply administrator credentials at the UAC prompt). Once the file has been merged, you can switch back to your own Windows user.
Once downloaded, extract it. You should see a single file, NegotiateDH2048_AES256.reg.
Before merging, it is worth opening the .reg file in a text editor (right-click, Edit) and confirming that it writes only the NegotiateDH2048_AES256 DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters; a .reg file can change any part of the registry, so never merge one without reading it first.
Double-click the file to merge NegotiateDH2048_AES256 into the Windows registry. The RasMan service reads this value when it starts, so restart the computer (or at least the Remote Access Connection Manager service, RasMan) afterwards.
Once NegotiateDH2048_AES256 has been added to your Windows registry, you are ready to create a new IKEv2 VPN connection.
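For administrators who prefer not to merge a downloaded .reg file, the same change can be made and verified from an elevated PowerShell prompt. The script below is an added example, not part of the original page or of the VPN provider's files: it reads the current NegotiateDH2048_AES256 value, sets it to 1 (AES-256 with modp2048) only if it differs, checks that the write succeeded, and prints the previous value so the change can be reverted if the server turns out to offer only modp1024. The registry path and value name are the documented Windows RasMan setting; the variable and function names are this example's own.

```powershell
# Added example (not from the original page): enable modp2048 for the Windows
# IKEv2 client by setting the documented RasMan registry value directly.
# 1 = AES-256 + DH group 14 (modp2048), 2 = AES-128 + DH group 14,
# 0 or absent = DH group 2 (modp1024) only.
#Requires -RunAsAdministrator

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$valueName = 'NegotiateDH2048_AES256'
$desired   = 1

function Get-Dh2048Setting {
    # Returns the current DWORD as an integer, or $null if the value was never set.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

$current = Get-Dh2048Setting
if ($current -eq $desired) {
    Write-Host "$valueName is already $desired; nothing to do."
}
else {
    # Record the old value first so the change can be undone with
    # Set-ItemProperty (or Remove-ItemProperty when it did not exist).
    if ($null -eq $current) {
        Write-Host "$valueName is not set (client proposes modp1024 only)."
    }
    else {
        Write-Host "Previous value of ${valueName}: $current"
    }

    # -Force overwrites an existing value; New-ItemProperty also creates it when missing.
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value $desired -Force | Out-Null

    $after = Get-Dh2048Setting
    if ($after -ne $desired) {
        throw "Failed to set $valueName (read back '$after')."
    }
    Write-Host "$valueName set to $desired."
    Write-Host 'Restart the computer, or run: Restart-Service RasMan -Force'
}
```

This is a machine-wide setting that affects every IKEv2 connection on the host. On Windows 8.1 and later the Diffie-Hellman group and ciphers can instead be set per connection with Set-VpnConnectionIPsecConfiguration (for example -DHGroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256), which avoids touching the registry at all; the registry value remains the only option on Windows 7.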
The VPN details listed below are in the activation email:
- VPN Server hostname
- User name
- Password
1. Open Network Settings. The network icon in the taskbar depends on how your PC or notebook is connected to the network:
PC/monitor icon if connected with a CAT5/CAT5e network cable