Re: [strongSwan] configuring android StrongSwan VPN Client 2.2.1

2020-01-08 Thread Noel Kuntze
Hello David, Do the following: Build the ike and esp cipher list with the more secure ciphers occurring first, then the weaker ones. The first match will be preferred. Then you can migrate your clients one by one - or not bother doing it. Your choice. Kind regards Noel Am 07.01.20 um 19:51

Re: [strongSwan] configuring android StrongSwan VPN Client 2.2.1

2020-01-07 Thread David H. Durgee
Ok, if I understand you correctly I would need to take two actions: 1) create the Windows registry entry you linked to with a value of 1 or 2 to enable or require modp2048 on Windows. 2) modify my ipsec.conf on the linux server replacing all "modp1024" with "modp2048" as the recipe is out of

Re: [strongSwan] configuring android StrongSwan VPN Client 2.2.1

2020-01-07 Thread Andreas Steffen
Hi Dave, the Diffie-Hellman group modp1024 is totally weak and is therefore deprecated by NIST. Please add modp2048 to your server's configuration. Actually Windows Clients can be made secure by enabling modp2048 via the Windows registry:

[strongSwan] configuring android StrongSwan VPN Client 2.2.1

2020-01-07 Thread David H. Durgee
I followed this recipe to install StrongSwan on my linux server: How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 16.04 This is working fine with a Windows client, so I