On 2021-01-13, Ian Timothy <i...@thrivedata.it> wrote:
> Looking at some of the other information provided, I tried this along with
> the registry edit below:
>
> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" `
>     -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection `
>     -Force
"-AuthenticationMethod MachineCertificate" - I thought you were using MSCHAP, not machine certs?

FWIW I'm adding the connection manually and then doing this:

  Set-VpnConnection -ConnectionName "vpn" -EncryptionLevel Maximum -SplitTunneling $false -PassThru
  Set-VpnConnectionIPsecConfiguration -ConnectionName "vpn" `
      -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 `
      -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup ECP256 -PassThru

iked.conf (using the same config for Windows/Android/iOS clients, and for ease of client setup allowing the default Windows crypto as well as better ones):

  ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0 \
      local xxx \
      peer any \
      ikesa enc aes-128 enc aes-256 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 \
          group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
      childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
      childsa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 \
      childsa enc aes-128-gcm enc aes-256-gcm \
      srcid "xxx" \
      eap "mschap-v2" \
      config address xxx/25 \
      config name-server xxx \
      tag "$name-$id"

(plus the user config).
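An added example, not part of the thread: it parses the ikesa/childsa proposal lines of the iked.conf quoted above (reduced to those lines), checks which proposals the Windows Set-VpnConnectionIPsecConfiguration values could negotiate, and lists the legacy transforms that are only there for default Windows clients. The mapping from Windows constants to iked.conf transform names is an assumption.

```python
# Constructed sample: the proposal lines of the iked.conf quoted in the thread.
IKED_CONF = r'''
ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0 \
    ikesa enc aes-128 enc aes-256 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 group curve25519 group ecp521 group ecp256 group modp2048 group modp1024 \
    childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group ecp256 group modp2048 \
    childsa enc aes-128 enc aes-256 auth hmac-sha2-256 auth hmac-sha1 \
    childsa enc aes-128-gcm enc aes-256-gcm \
    eap "mschap-v2"
'''

# Assumed mapping: Windows Set-VpnConnectionIPsecConfiguration values -> iked.conf names.
WIN_TO_IKED = {"AES128": "aes-128", "AES256": "aes-256",
               "GCMAES128": "aes-128-gcm", "GCMAES256": "aes-256-gcm",
               "SHA256": "hmac-sha2-256", "SHA1": "hmac-sha1",
               "ECP256": "ecp256", "ECP384": "ecp384", "Group14": "modp2048"}
WEAK = {"hmac-sha1", "modp1024"}  # legacy transforms kept only for default Windows clients

def parse_proposals(conf):
    """Return (ikesa, childsas): one dict per proposal, mapping the transform
    type keyword ('enc', 'prf', 'auth', 'group') to the set of offered names."""
    tokens = " ".join(l.rstrip("\\").strip() for l in conf.splitlines()).split()
    ikesa, childsas, cur = None, [], None
    for i, tok in enumerate(tokens):
        if tok in ("ikesa", "childsa"):
            cur = {"enc": set(), "prf": set(), "auth": set(), "group": set()}
            ikesa = cur if tok == "ikesa" else ikesa
            childsas += [cur] if tok == "childsa" else []
        elif cur is not None and tok in cur and i + 1 < len(tokens):
            cur[tok].add(tokens[i + 1])           # "enc aes-128" -> enc: {aes-128}
        elif tok in ("srcid", "eap", "config", "tag", "local", "peer"):
            cur = None                            # proposal section is over
    return ikesa, childsas

def ike_matches(ikesa, enc, integ, dh):
    """IKE SA matches when the client's cipher, integrity and DH group are all
    offered; Windows uses the integrity algorithm as PRF too, so check both."""
    return (WIN_TO_IKED[enc] in ikesa["enc"] and WIN_TO_IKED[integ] in ikesa["auth"]
            and WIN_TO_IKED[integ] in ikesa["prf"] and WIN_TO_IKED[dh] in ikesa["group"])

def child_matches(childsas, cipher, integrity):
    """Index of the first childsa the ESP settings fit, or None. For a GCM (AEAD)
    cipher Windows passes the same constant twice and no separate auth is needed."""
    c = WIN_TO_IKED[cipher]
    for i, p in enumerate(childsas):
        if c in p["enc"] and (c.endswith("-gcm") or WIN_TO_IKED[integrity] in p["auth"]):
            return i
    return None

def weak_transforms(ikesa, childsas):
    """Sorted list of legacy transforms the server still offers."""
    return sorted({t for p in [ikesa, *childsas] for s in p.values() for t in s} & WEAK)
```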