Closed HX-Technology-LLC closed 1 month ago
This is also mentioned in this page (https://serverfault.com/questions/1019072/windows-10-ikev2-ipsec-vpn-client-dh-group15-modp3072-or-higher)
@HX-Technology-LLC Hello! First, thank you for your suggestions, they'll be considered for future improvements in this project.
Currently, the Docker image defaults to generating RSA certificates with 3072-bit keys. While there is currently no plan to change the certificate generation algorithms in this project, you are welcome to customize the Docker image for your use case by building from source code: https://github.com/hwdsl2/docker-ipsec-vpn-server/blob/master/docs/advanced-usage.md#build-from-source-code
Describe the enhancement request
Supports generating longer RSA bit certificates, elliptic curve certificates, and hash algorithms used for custom certificate generation
Is your enhancement request related to a problem? Please describe.
Improved use of certificates
Additional context
First, on Windows, if you use the system's built-in VPN client, the most secure dhgroup is dh14, which is only 2048 bits long. Although this is secure enough for now, we also need to prepare for the future. Second, RSA and DH are not as efficient as elliptic curves. If you want to use dhgroup of ecp256 or ecp384 on Windows, you must use an elliptic curve certificate. If you use an RSA server certificate and require dhgroup of ecp256 on Windows, Windows will complain that it cannot find a valid certificate.
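To make the RSA-versus-elliptic-curve comparison in this request concrete, the following is an added example written for this page; it is not code from the docker-ipsec-vpn-server project or from the issue author. It uses only Go's standard library to build a self-signed CA plus a server certificate either on ECDSA P-384 (signed with SHA-384) or on RSA-3072 (the image's default key size), then reports the properties an IKEv2 client inspects and verifies the chain against the server name. The hostname vpn.example.com and the CA name are placeholders; the subjectAltName entry and the serverAuth extended key usage are included because the Windows built-in client requires both before it will accept a server certificate.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CertSummary struct {
	KeyAlgo, SigAlgo string
	KeyBits          int
	ServerEKU        bool
}

// newKey returns an ECDSA P-384 key, or RSA-3072 (the image's default size).
func newKey(useEC bool) (crypto.Signer, error) {
	if useEC {
		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	}
	return rsa.GenerateKey(rand.Reader, 3072)
}

// BuildChain generates a self-signed CA and a server certificate for host on the
// chosen key type. Go derives the signature hash from the signing key: SHA-384
// for a P-384 key, SHA-256 for an RSA key.
func BuildChain(host string, useEC bool) (ca, server *x509.Certificate, err error) {
	caKey, err1 := newKey(useEC)
	serverKey, err2 := newKey(useEC)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v; %v", err1, err2)
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example IKEv2 VPN CA (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	// A SAN matching the address the client dials plus the serverAuth EKU are
	// what the Windows built-in client requires before it accepts the cert.
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, serverKey.Public(), caKey)
	if err != nil {
		return nil, nil, err
	}
	server, err = x509.ParseCertificate(srvDER)
	return ca, server, err
}

// Summarize reports key type and size, signature algorithm and serverAuth EKU,
// the fields a client looks at when deciding whether the certificate is usable.
func Summarize(cert *x509.Certificate) CertSummary {
	s := CertSummary{KeyAlgo: cert.PublicKeyAlgorithm.String(), SigAlgo: cert.SignatureAlgorithm.String()}
	switch k := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		s.KeyBits = k.Curve.Params().BitSize
	case *rsa.PublicKey:
		s.KeyBits = k.N.BitLen()
	}
	for _, eku := range cert.ExtKeyUsage {
		s.ServerEKU = s.ServerEKU || eku == x509.ExtKeyUsageServerAuth
	}
	return s
}

// VerifyChain checks that the server certificate chains to the CA and is valid
// for host, the validation a client performs during IKE_AUTH.
func VerifyChain(ca, server *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	for _, useEC := range []bool{true, false} {
		ca, srv, err := BuildChain("vpn.example.com", useEC) // placeholder hostname
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v verify=%v\n", Summarize(srv), VerifyChain(ca, srv, "vpn.example.com"))
	}
}
```

Running it prints one summary per key type: the EC chain shows KeyAlgo ECDSA, 384 bits, ECDSA-SHA384, while the RSA chain shows RSA, 3072 bits, SHA256-RSA; both verify for the placeholder hostname and fail for any other name. An RSA server certificate cannot satisfy a client that was configured to require an ECDSA certificate, which is the mismatch the Windows client reports as "no valid certificate" in the scenario described above.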