The RAS-based IPSec VPN client in Windows does not seem to respect the IPSec defaults in Windows Firewall (which hosts the IPSec driver), but insists on using 3DES encryption with SHA1 integrity for key exchange (a.k.a. IPSec main mode). Both of these are legacy algorithms now.
So it doesn't matter what encryption is adopted for data transfer (quick mode), for which RAS supports up to AES-256-CBC: the whole link is only as weak as 3DES/SHA1.
On the other hand, the IPSec driver in Windows Firewall can handle SHA-384, AES-GCM and ECDH P-384, so is there a way to configure the VPN client to use these or simply respect the defaults set in Windows Firewall?
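For an IKEv2 connection, the per-connection IPsec proposals can be pinned from PowerShell with the built-in `Set-VpnConnectionIPsecConfiguration` cmdlet and then checked against what was actually negotiated. This is an added example, not part of the question or any answer; the connection name `Corp-IKEv2` is hypothetical, the connection is assumed to already exist (created with `Add-VpnConnection`, tunnel type IKEv2, not L2TP), and the commands are run from an elevated session on the client.

```powershell
# Added example: pin modern IKE/ESP algorithms on an existing IKEv2 RAS
# connection. "Corp-IKEv2" is a hypothetical connection name.
$name = 'Corp-IKEv2'

# 1. Show what the connection currently carries. With no custom policy,
#    IPsecCustomPolicy is empty and the client's built-in proposals apply.
Get-VpnConnection -Name $name | Select-Object Name, TunnelType, IPsecCustomPolicy

# 2. Set explicit proposals for both IKE phases:
#    - EncryptionMethod / IntegrityCheckMethod / DHGroup      -> IKE SA (main mode)
#    - CipherTransformConstants / AuthenticationTransformConstants / PfsGroup
#                                                             -> ESP child SA (quick mode)
#    GCMAES256 is an AEAD transform, so AuthenticationTransformConstants must
#    also be GCMAES256 (no separate HMAC). The VPN server has to offer a
#    matching proposal, otherwise IKE negotiation fails instead of downgrading.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA384 `
    -DHGroup ECP384 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup ECP384 `
    -Force

# 3. Confirm the custom policy is stored on the connection object.
(Get-VpnConnection -Name $name).IPsecCustomPolicy

# 4. Verify the live IKE SA rather than trusting the configuration. Connect
#    first (for example: rasdial $name <user> <password>), then read the
#    main mode SA from the IPsec driver. CipherAlgorithm, HashAlgorithm and
#    GroupId should show the values set above, not 3DES/SHA1.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, KeyModule,
                  CipherAlgorithm, HashAlgorithm, GroupId

# To return to the built-in proposals:
# Set-VpnConnectionIPsecConfiguration -ConnectionName $name -RevertToDefault -Force
```

If the connection is L2TP/IPsec rather than IKEv2, this cmdlet does not apply and the main mode proposal cannot be changed this way.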
Thank you very much for posting this!! I will give it a go and report back. – billc.cn – 2018-07-01T18:23:54.803