L2TP over IPSEC parameters for Windows 10 native client

valerio_vanni · December 2022

I have, on a USG Flex 200 (latest firmware version), a L2TP over Ipsec VPN policy.
I've successfully tested with Android 9 and Android 11 native client.

Parameters are:

Phase1: IKEv1 - interface WAN1 - remote dynamic - preshared key - local id type: mail - remote id type: any - lifetime 86400 - mode aggressive - AES128/SHA1 - Pfs DH2 - NAT trav - DPD - no Xauth - no 2FA

Phase2: role: remote access - IP: WAN1 IP - no MODE CONFIG - life time 28800 - ESP/transport - ESP/Transport - AES128/SHA1 Pfs NONE

I try with windows 10 native clients, and it fails. But it doesn't say why, only that "protocol negotiation failed" (not exact words, I don't have here a test machine and anyway it's not in english language).

Windows VPN client doesn't show any option about proposal, pfs etc. Nor I find in help (or I missed right help pages) what it's trying to use so I can set it on firewall to make it happy.

The only entries I find are
-VPN type: L2TP/Ipsec
-Remote GW: OK
-Shared PWD: OK
-User: OK
-Pwd: OK

I found here the advice of trying to check protocols in virtual VPN adapter, but it didn't help.

https://support.zyxel.eu/hc/it/articles/360001390914-Configurazione-L2TP-su-un-USG-Firewall-utilizzando-il-client-integrato-di-Windows#h_01GM8B1RV4NPWJFSGK6CGNWJRN

zyman2008 · December 2022

Hi @valerio_vanni,
First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".

Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client

If you want to change the encryption setting.
1. You need to use powershell command to create VPN connection,
Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -Force

2. Then, on desktop screen, click on the Network icon in the bottom right hand corner. Right click and select "Open Network & Internet Settings".

3. Under the Advanced network settings section. Click "Change adapter options".

4. Select the VPN connection created. Right click and "select Properties". To edit the pre-share key and authentication method.

zyman2008 · December 2022

valerio_vanni said:

So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.
Right?

I think Android support both aggressive and main mode for L2TP/IPSec PSK.
But depends on the design of phone vendors.

Here my experiences on Samsung phones from Android 9 ~ 11.

The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.

Without "IPSec identifier" settings - IKE negotiate via Main mode.
With "IPSec identifier" settings - IKE negotiate via Aggressive mode

mMontana · December 2022

WAN1 ip address is public or private?

Which is the setting for
NAT
DPD
in phase 1?

L2TP protocol is set to be allowed to get to USG200?

valerio_vanni · December 2022

mMontana said:

>WAN1 ip address is public or private?

WAN1 is public

>Which is the setting for NAT DPD in phase 1?

Sorry, I wasn't clear. I meant they are both active.

>L2TP protocol is set to be allowed to get to USG200?

How could it not be allowed? From Android connection is successful.

zyman2008 · December 2022

Hi @valerio_vanni,
First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".

Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client

If you want to change the encryption setting.
1. You need to use powershell command to create VPN connection,
Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -Force

2. Then, on desktop screen, click on the Network icon in the bottom right hand corner. Right click and select "Open Network & Internet Settings".

3. Under the Advanced network settings section. Click "Change adapter options".

4. Select the VPN connection created. Right click and "select Properties". To edit the pre-share key and authentication method.

Zyxel_Jeff · December 2022

Hello @valerio_vanni

zyman2008 already provided a great way and suggestion to deploy the L2TP connection on the Windows 10 native client. Besides, if you worry whether there is any missing config on the USG Flex 200 you could use the wizard to configure L2TP settings as well.

Click Quick Setup Wizard

Choose Remote Access VPN Setup

Choose L2TP over IPsec Client(iOS, Windows, Android) and fill in the server IP address, pre-shared key, L2TP IP pool, domain name server, and grantable users then save this profile.

Go to Configuration > VPN > IPsec VPN > VPN Gateway, click "RemoteAccess_L2TP_Wiz" to check the default wizard phase1 setting is Main mode, 3DES(Encryption)/SHA1(Authentication)/DH2(Key Group), as below:

Go to Configuration > VPN > IPsec VPN > VPN Connection, click "RemoteAccess_L2TP_Wiz" to check the default wizard phase2 setting is 3DES(Encryption)/SHA1(Authentication)/PFS is none, as below:

Configure L2TP information(server IP, pre-shared key, user name, password) on the Win10 native client.

Image: https://us.v-cdn.net/6029482/uploads/editor/86/82ornw0wp3ct.png

Then Win10 native client establishes L2TP connection with USG Flex 200 and you can go to Monitor > Log > View Log to see successful logs, as below:

Image: https://us.v-cdn.net/6029482/uploads/editor/rj/rv08to1a6sdz.png

valerio_vanni · December 2022

zyman2008 said:

Hi @valerio_vanni,
First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".

Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client

If you want to change the encryption setting.
1. You need to use powershell command to create VPN connection,
Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -Force

Thank you, it works :-)

Here I found parameters for that powershell command (should them be needed by anyone for other configurations):

https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2022-ps

So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.

Right?

mMontana · December 2022

I think that depends on Android version and maybe also the device producer.
Moreover, since Android 12 several producers "require" IKEv2 which throws also "Aggressive" Into puddle.

The page you linked seems related to Windows 2022 only, did you tried on Windows clients recently?

valerio_vanni · December 2022

mMontana said:

I think that depends on Android version and maybe also the device producer.
Moreover, since Android 12 several producers "require" IKEv2 which throws also "Aggressive" Into puddle.

The page you linked seems related to Windows 2022 only, did you tried on Windows clients recently?

I did only some test on Windows 10 and Server 2019. The module guide seems the same.

As I said, for Android I tested on some 9 and 11.

I saw too that 12 has only IKEv2; I didn't test, but this seems less worrying: it has aggressive for all.

Here the issue is that on USG you can have only a L2TP VPN.

zyman2008 · December 2022

valerio_vanni said:

So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.
Right?

I think Android support both aggressive and main mode for L2TP/IPSec PSK.
But depends on the design of phone vendors.

Here my experiences on Samsung phones from Android 9 ~ 11.

The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.

Without "IPSec identifier" settings - IKE negotiate via Main mode.
With "IPSec identifier" settings - IKE negotiate via Aggressive mode

valerio_vanni · December 2022

zyman2008 said:

valerio_vanni said:

So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.
Right?

I think Android support both aggressive and main mode for L2TP/IPSec PSK.
But depends on the design of phone vendors.

Here my experiences on Samsung phones from Android 9 ~ 11.

The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.
Without "IPSec identifier" settings - IKE negotiate via Main mode.
With "IPSec identifier" settings - IKE negotiate via Aggressive mode

I just tried and can confirm: mine behave the same.

But I don't understand why... if it's to choose mode, it would have been better an option "main | aggressive".

L2TP over IPSEC parameters for Windows 10 native client

Best Answers

All Replies

Categories

Security Highlight

Security Help Center