Windows Client Configuration with Machine Certificates

  1. Open the Network & internet settings.

    Network & Internet

    Select VPN.

  2. The Network & internet > VPN menu opens.

    Network & Internet > VPN

    Click on Add VPN.

  3. The Add a VPN connection menu pops up.

    Add VPN Connection

    Fill in the following fields:

    VPN provider

    Select Windows (built-in).

    Connection name

    Choose a name for your VPN connection.

    Server name or address

    Give the fully qualified hostname of the VPN gateway. The hostname must be contained as a subjectAltName in the gateway certificate.

    VPN type

    Select IKEv2.

    Type of sign-in info

    Select Certificate.

    Click on Save.

  4. The Home connection has been added to the Network & internet > VPN menu.

    Home Connection

    We aren’t finished yet. By default, the Home connection has been configured to use EAP-TLS with user certificates, so we have to switch it to machine certificates next.

  5. Open the Network & internet settings again.

    Network & Internet

    Select Advanced network settings.

  6. The Advanced network settings menu opens.

    Advanced Network Settings

    Select More network adapter options.

  7. The Network Connections overview opens, showing all network adapters.

    Network Connections

    Right-click on the Home WAN Miniport (IKEv2) adapter and select Properties.

  8. The Home Properties menu pops up.

    Home Properties

    Switch to the Security tab and select Use machine certificates. Additionally change the Data encryption field to Maximum strength encryption. Then click OK. This eliminates the weak single DES and the fatal NULL encryption in the ESP proposal of the Windows client.

    esp = aes256-3des-sha1

The Windows Home VPN connection based on machine certificates has now been successfully completed.
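The same Home connection can be created from a PowerShell prompt instead of the Settings app. This is an added example, not part of the original page; the gateway hostname vpn.example.com is a placeholder, and the optional tightening of the IPsec proposal at the end goes beyond the page's Maximum strength encryption setting and assumes the gateway offers AES-256 with SHA-1 for ESP.

```powershell
# Added example: create the "Home" IKEv2 connection with machine-certificate
# authentication, equivalent to steps 3 and 8 of the Settings-app walkthrough.
# Requires the VpnClient module (Windows 8.1 / Server 2012 R2 or later); run it
# as the user who will use the connection.

$Name   = 'Home'
$Server = 'vpn.example.com'   # placeholder: gateway FQDN, must be a subjectAltName in its certificate

# Step 3 equivalent: Windows (built-in) provider, IKEv2, sign in with a certificate.
# Step 8 equivalent: MachineCertificate instead of the default EAP-TLS user
# certificate, and EncryptionLevel Maximum, which drops single DES and NULL
# encryption from the ESP proposal the client offers.
Add-VpnConnection -Name $Name `
    -ServerAddress $Server `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Maximum `
    -PassThru

# Sanity check: the stored settings should show Ikev2, MachineCertificate, Maximum.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Optional tightening beyond the page's setting: pin the client to a single
# AES-256 / SHA-1 ESP proposal (aes256 and sha1 both appear in the page's esp line)
# with AES-256 / SHA-256 / DH group 14 for IKE. Only do this if the gateway offers
# the same algorithms; otherwise the negotiation fails with NO_PROPOSAL_CHOSEN.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA196 `
    -PfsGroup None `
    -Force
```

The machine certificate used for authentication must be installed in the local computer's personal store (Cert:\LocalMachine\My) together with its private key, and the CA that issued the gateway certificate must be trusted by the machine.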