VPN Encryption

  • Question

  • Hi,

     Our 2012 R2 Windows Server is set up to accept VPN connections via the "Routing and Remote Access" tool.
     We currently only accept L2TP and IKEv2 VPN connections with a Preshared Key setting.
     Since our business accepts credit cards, we are required to run a PCI scan via trustwave.com.
     
    The PCI scans are failing due to:
       Weak Encryption Ciphers identified on VPN Device on port 500 UDP Protocol
       Weak Diffie-Hellman groups identified on VPN Device on port 500 UDP Protocol

     The recommended remediations are:
      Removing support for DES/3DES encryption ciphers on this VPN device.
      Use Diffie-Hellman Key Exchange Group 5 or higher where possible, or the highest available to the VPN endpoints.

     How can I apply the above remediations to our server? I have been looking all over the web without much success.

     Thanks in advance for all your help.
    Wednesday, May 6, 2020 16:12

All Replies

  • Hi,
    The following list contains the default encryption settings for the Microsoft L2TP/IPSec virtual private network (VPN) client for earlier version clients:
    • Data Encryption Standard
    • Secure Hash Algorithm
    • Diffie-Hellman Medium
    • Transport Mode
    • Encapsulating Security Payload
    You can see more information about encryption settings for the Microsoft L2TP/IPSec VPN from the following link:

    Default Encryption Settings for the Microsoft L2TP/IPSec Virtual Private Network Client

    About how to configure the Diffie-Hellman protocol over IKEv2 VPN connections, you can refer to the following link:

    How to configure Diffie Hellman protocol over IKEv2 VPN connections

    Hope this can help you.

    Best regards,

    Phoebe Wu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, May 7, 2020 10:07
  • Hi,

    Just want to confirm the current situation. Was your issue resolved?

    If the information provided is helpful, please mark my previous replies as answered.

    Please feel free to let us know if you need further assistance.

    Best regards,

    Phoebe Wu

    Monday, May 11, 2020 01:53
  • Hi Phoebe,

      I read the knowledge base you provided and ran the following commands:

        # Switch the IKEv2 listener from the built-in defaults to a custom IPsec policy
        Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy

        # Raise the Diffie-Hellman group used for the IKEv2 main mode SA
        Set-VpnServerConfiguration -CustomPolicy -DHGroup Group14

     Unfortunately it did not resolve the issue. Any other recommendation?

    Thanks

    Monday, May 11, 2020 14:25
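As an added example that is not part of the thread, this applies the two scan remediations (no DES/3DES, DH group 5 or higher) to the RRAS IKEv2 listener in one custom policy and then reads the configuration back to confirm nothing weak is still offered. It assumes the RemoteAccess PowerShell module shipped with RRAS on Windows Server 2012 R2 and an elevated session; Windows offers no "Group5" value for IKEv2, so Group14 (2048-bit MODP) is the smallest choice that satisfies the recommendation.

```powershell
# Added example, not the thread author's commands. Assumes the RemoteAccess
# module (installed with the Routing and Remote Access role) and an elevated session.
Import-Module RemoteAccess

# Main mode (IKE SA): AES-256 / SHA-256 / DH group 14 (2048-bit MODP).
# Quick mode (child SA): AES-256 / HMAC-SHA-256-128, PFS with a 2048-bit group.
# Setting everything in a single call avoids leaving an intermediate policy
# that still carries a default (weak) value for one of the parameters.
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048

# Restart RRAS so the new proposals are loaded for subsequent IKEv2 negotiations.
Restart-Service RemoteAccess

# Read back what the server now offers and flag anything the PCI scan objects to.
$cfg = Get-VpnServerConfiguration
$weakCiphers = @('DES', 'DES3')               # ciphers the scan wants removed
$weakDhGroups = @('None', 'Group1', 'Group2') # anything below DH group 5
$weakPfsGroups = @('None', 'PFS1', 'PFS2')

$findings = @()
if ($cfg.EncryptionMethod -in $weakCiphers) {
    $findings += "IKE cipher $($cfg.EncryptionMethod)"
}
if ($cfg.CipherTransformConstants -in $weakCiphers) {
    $findings += "ESP cipher $($cfg.CipherTransformConstants)"
}
if ($cfg.DHGroup -in $weakDhGroups) {
    $findings += "DH group $($cfg.DHGroup)"
}
if ($cfg.PfsGroup -in $weakPfsGroups) {
    $findings += "PFS group $($cfg.PfsGroup)"
}

if ($findings.Count -eq 0) {
    Write-Output "IKEv2 policy is clean: $($cfg.EncryptionMethod)/$($cfg.IntegrityCheckMethod)/$($cfg.DHGroup)"
} else {
    Write-Warning ("Weak IKEv2 settings still present: " + ($findings -join ', '))
}
```

The custom policy governs only the IKEv2 proposals; the L2TP/IPsec listener on the same UDP 500 port negotiates IKEv1 from the Windows IPsec defaults (which, as the reply above notes, include DES), so a scanner that can still complete an IKEv1 exchange with those defaults may keep reporting the finding until L2TP is hardened or disabled separately.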