Microsoft Tech Community

IPSEC IKEv2 VPN Client Digital Signature configuration


Hi,

How can we configure Windows 11 Pro to avoid '4096-bit PKCS#1 1.5 RSA with SHA1' Digital Signature authentication for an 'IPSEC IKEv2 Certificate' VPN client on Windows 11 (22H2) Professional Edition?


I configured an IPSEC IKEv2 VPN Client on Windows 11. Authentication is 'Machine Certificate'.

I set the parameters with the PowerShell commands "Set-VpnConnection" and "Set-VpnConnectionIPsecConfiguration".

Name : <A NAme>
ServerAddress : <A FQDN hostname>
AllUserConnection : False
Guid : <a GUID>
TunnelType : Ikev2
AuthenticationMethod : {MachineCertificate}
EncryptionLevel : Custom
L2tpIPsecAuth :
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Disconnected
RememberCredential : False
SplitTunneling : False
DnsSuffix :
IdleDisconnectSeconds : 0


AuthenticationTransformConstants : GCMAES256
CipherTransformConstants : GCMAES256
DHGroup : Group14
IntegrityCheckMethod : SHA256
PfsGroup : PFS2048
EncryptionMethod : AES256


Windows 11 uses '4096-bit PKCS#1 1.5 RSA with SHA1' Digital Signature authentication. As mentioned in RFC 8247 Chapter 3.2, the Digital Signature authentication method must not use the SHA1 hash function. The VPN server refuses to establish the VPN since SHA1 must not be used.


The messages in the VPN server log file are:

responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=a Cient CN, O=An Organization' issued by CA 'CN=A CA CN CA, O=An Organization'


NSS: SGN_Digest(SHA-1) function failed: SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED: Could not create or verify a signature using a signature algorithm that is disabled because it is not secure.


Android:

When Android is used as the VPN client (IPSEC IKEv2 X.509 certificate), it uses '4096-bit RSASSA-PSS with SHA2_384', and the same VPN server accepts establishing the VPN with the same X.509 client certificate.


Thanks in advance


Eric

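As an added example (not part of the post above), a small Python audit that parses server-side "authenticated peer ..." messages of the form quoted in the post and flags signature hashes that RFC 8247 section 3.2 forbids, so a defender can spot clients still negotiating SHA1 signature authentication. The sample log lines and certificate subjects are constructed, and the 2048-bit key floor is an assumed local policy, not something the post states.

```python
import re
from typing import Optional

# Constructed sample log lines, modelled on the two server messages quoted in the post
# (one Windows 11 client, one Android client). Subjects are placeholders.
SAMPLE_LOG = """\
responder established IKE SA; authenticated peer '4096-bit PKCS#1 1.5 RSA with SHA1' signature using peer certificate 'CN=win11-client, O=An Organization' issued by CA 'CN=A CA CN CA, O=An Organization'
responder established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_384' signature using peer certificate 'CN=android-client, O=An Organization' issued by CA 'CN=A CA CN CA, O=An Organization'
"""

# Matches the "authenticated peer '<bits>-bit <scheme> with <hash>' signature" fragment.
AUTH_RE = re.compile(
    r"authenticated peer '(?P<bits>\d+)-bit (?P<scheme>.+?) with (?P<hash>[A-Za-z0-9_-]+)' "
    r"signature using peer certificate '(?P<subject>[^']+)'"
)

# Assumed local policy floor for RSA key size; not taken from the post.
MIN_RSA_BITS = 2048

def parse_auth(line: str) -> Optional[dict]:
    """Extract key size, signature scheme, hash and peer subject from one log line."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    auth = m.groupdict()
    auth["bits"] = int(auth["bits"])
    return auth

def assess(auth: dict) -> list:
    """Return policy findings for one authenticated peer (empty list = acceptable)."""
    findings = []
    if auth["hash"].upper().replace("-", "") in ("SHA1", "MD5"):
        # RFC 8247 section 3.2: SHA1 MUST NOT be used for digital signature authentication.
        findings.append(f"hash {auth['hash']} is forbidden for IKEv2 signature authentication")
    if auth["scheme"].startswith("PKCS#1 1.5"):
        findings.append("legacy PKCS#1 v1.5 padding; RSASSA-PSS is the modern alternative")
    if auth["bits"] < MIN_RSA_BITS:
        findings.append(f"{auth['bits']}-bit key below local floor of {MIN_RSA_BITS}")
    return findings

def audit_log(text: str) -> dict:
    """Map each peer subject to its findings; peers with no findings map to []."""
    report = {}
    for line in text.splitlines():
        auth = parse_auth(line)
        if auth:
            report[auth["subject"]] = assess(auth)
    return report
```

Running `audit_log(SAMPLE_LOG)` flags the Windows peer for SHA1 and PKCS#1 v1.5 while the Android peer, which negotiated RSASSA-PSS with SHA2_384, comes back clean.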