Tenho um problema semelhante com o IPSec / IKE. Parece que o serviço RasMan ignora completamente as políticas IPSec configuradas através do Firewall do Windows. O melhor que consegui foi AES-SHA1-DH2048, alterando manualmente o registro. Salvei as alterações em um arquivo .reg, com comentários para que as coisas fiquem bem claras.
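REGEDIT4

; RasMan IKEv2 / L2TP crypto settings, as given by the author of the post.
; NOTE(review): the page rendered this listing twice and replaced the name of
; the proposal subkey with a "%pre%" artifact. The duplicate is removed here.
; The subkey name is NOT recoverable from the page, so it is a placeholder.
; Export the existing RasMan key before importing so the change can be rolled back.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2]
; presumably switches RasMan to the custom proposal list below - confirm
"CustomParams"=dword:00000001
; presumably the number of proposal subkeys under ...\IKEv2\Proposals - confirm
"CustomProposalsCount"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\Proposals]

; PLACEHOLDER: replace <PROPOSAL_SUBKEY> with the real subkey name before importing.
; With CustomProposalsCount = 1 it is most likely the index of the first
; proposal, but that is an inference - verify against the original post.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\Proposals\<PROPOSAL_SUBKEY>]
; for "Quick Mode", all keys optional
; DES, 3DES, AES_128, AES_256
; (DES and 3DES are obsolete; keep to the AES values)
"esp_encr"="AES_128"
; MD5, SHA1
; (MD5 is obsolete; SHA1 is the stronger of the two values listed)
"esp_auth"="SHA1"
; MD5, SHA1
;"AH"="SHA1"
; NONE, 1, 2, 2048, ECP_256, ECP_384, MM
; (groups 1 and 2 are 768-bit and 1024-bit MODP and are too weak; prefer 2048 or ECP)
;"PFS"="MM"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
; 0 = weak crypto stays disallowed for L2TP and PPTP
"AllowL2TPWeakCrypto"=dword:00000000
"AllowPPTPWeakCrypto"=dword:00000000
; for "Main Mode"
; 0 - disable, 1 - enable, 2 - force /// WARNING! "force" disables stronger DH groups!
"NegotiateDH2048_AES256"=dword:00000001

; NOTE(review): the RasMan service probably has to be restarted (or the machine
; rebooted) before these values take effect - confirm. Afterwards, check the
; negotiated algorithms on the VPN server side rather than trusting the registry alone.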