L2TP over IPSEC parameters for Windows 10 native client
valerio_vanni
Posts: 116 Ally Member
I have, on a USG Flex 200 (latest firmware version), a L2TP over Ipsec VPN policy.
I've successfully tested with Android 9 and Android 11 native client.
Parameters are:
Phase1: IKEv1 - interface WAN1 - remote dynamic - preshared key - local id type: mail - remote id type: any - lifetime 86400 - mode aggressive - AES128/SHA1 - Pfs DH2 - NAT trav - DPD - no Xauth - no 2FA
Phase2: role: remote access - IP: WAN1 IP - no MODE CONFIG - life time 28800 - ESP/transport - ESP/Transport - AES128/SHA1 Pfs NONE
I try with windows 10 native clients, and it fails. But it doesn't say why, only that "protocol negotiation failed" (not exact words, I don't have here a test machine and anyway it's not in english language).
Windows VPN client doesn't show any option about proposal, pfs etc. Nor I find in help (or I missed right help pages) what it's trying to use so I can set it on firewall to make it happy.
The only entries I find are
-VPN type: L2TP/Ipsec
-Remote GW: OK
-Shared PWD: OK
-User: OK
-Pwd: OK
I found here the advice of trying to check protocols in virtual VPN adapter, but it didn't help.
https://support.zyxel.eu/hc/it/articles/360001390914-Configurazione-L2TP-su-un-USG-Firewall-utilizzando-il-client-integrato-di-Windows#h_01GM8B1RV4NPWJFSGK6CGNWJRN
I've successfully tested with Android 9 and Android 11 native client.
Parameters are:
Phase1: IKEv1 - interface WAN1 - remote dynamic - preshared key - local id type: mail - remote id type: any - lifetime 86400 - mode aggressive - AES128/SHA1 - Pfs DH2 - NAT trav - DPD - no Xauth - no 2FA
Phase2: role: remote access - IP: WAN1 IP - no MODE CONFIG - life time 28800 - ESP/transport - ESP/Transport - AES128/SHA1 Pfs NONE
I try with windows 10 native clients, and it fails. But it doesn't say why, only that "protocol negotiation failed" (not exact words, I don't have here a test machine and anyway it's not in english language).
Windows VPN client doesn't show any option about proposal, pfs etc. Nor I find in help (or I missed right help pages) what it's trying to use so I can set it on firewall to make it happy.
The only entries I find are
-VPN type: L2TP/Ipsec
-Remote GW: OK
-Shared PWD: OK
-User: OK
-Pwd: OK
I found here the advice of trying to check protocols in virtual VPN adapter, but it didn't help.
https://support.zyxel.eu/hc/it/articles/360001390914-Configurazione-L2TP-su-un-USG-Firewall-utilizzando-il-client-integrato-di-Windows#h_01GM8B1RV4NPWJFSGK6CGNWJRN
0
Best Answers
-
Hi @valerio_vanni,
First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".
Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client
If you want to change the encryption setting.
1. You need to use powershell command to create VPN connection,
Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -Force
2. Then, on desktop screen, click on the Network icon in the bottom right hand corner. Right click and select "Open Network & Internet Settings".
3. Under the Advanced network settings section. Click "Change adapter options".
4. Select the VPN connection created. Right click and "select Properties". To edit the pre-share key and authentication method.2 -
valerio_vanni said:So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.Right?
But depends on the design of phone vendors.
Here my experiences on Samsung phones from Android 9 ~ 11.
The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.- Without "IPSec identifier" settings - IKE negotiate via Main mode.
- With "IPSec identifier" settings - IKE negotiate via Aggressive mode
1
All Replies
-
WAN1 ip address is public or private?Which is the setting for
NAT
DPD
in phase 1?L2TP protocol is set to be allowed to get to USG200?0 -
mMontana said:
WAN1 is public
>Which is the setting for NAT DPD in phase 1?
Sorry, I wasn't clear. I meant they are both active.
>L2TP protocol is set to be allowed to get to USG200?
How could it not be allowed? From Android connection is successful.
0 -
Hi @valerio_vanni,
First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".
Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client
If you want to change the encryption setting.
1. You need to use powershell command to create VPN connection,
Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -Force
2. Then, on desktop screen, click on the Network icon in the bottom right hand corner. Right click and select "Open Network & Internet Settings".
3. Under the Advanced network settings section. Click "Change adapter options".
4. Select the VPN connection created. Right click and "select Properties". To edit the pre-share key and authentication method.2 -
Hello @valerio_vanni
zyman2008 already provided a great way and suggestion to deploy the L2TP connection on the Windows 10 native client. Besides, if you worry whether there is any missing config on the USG Flex 200 you could use the wizard to configure L2TP settings as well.
Click Quick Setup Wizard
Choose Remote Access VPN Setup
Choose L2TP over IPsec Client(iOS, Windows, Android) and fill in the server IP address, pre-shared key, L2TP IP pool, domain name server, and grantable users then save this profile.
Go to Configuration > VPN > IPsec VPN > VPN Gateway, click "RemoteAccess_L2TP_Wiz" to check the default wizard phase1 setting is Main mode, 3DES(Encryption)/SHA1(Authentication)/DH2(Key Group), as below:
Go to Configuration > VPN > IPsec VPN > VPN Connection, click "RemoteAccess_L2TP_Wiz" to check the default wizard phase2 setting is 3DES(Encryption)/SHA1(Authentication)/PFS is none, as below:
Configure L2TP information(server IP, pre-shared key, user name, password) on the Win10 native client.
Then Win10 native client establishes L2TP connection with USG Flex 200 and you can go to Monitor > Log > View Log to see successful logs, as below:
See how you've made an impact in Zyxel Community this year!
0 -
zyman2008 said:Hi @valerio_vanni,
First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".
Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client
If you want to change the encryption setting.
1. You need to use powershell command to create VPN connection,
Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -ForceThank you, it works :-)Here I found parameters for that powershell command (should them be needed by anyone for other configurations):So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.Right?0 -
I think that depends on Android version and maybe also the device producer.
Moreover, since Android 12 several producers "require" IKEv2 which throws also "Aggressive" Into puddle.The page you linked seems related to Windows 2022 only, did you tried on Windows clients recently?0 -
mMontana said:I think that depends on Android version and maybe also the device producer.
Moreover, since Android 12 several producers "require" IKEv2 which throws also "Aggressive" Into puddle.The page you linked seems related to Windows 2022 only, did you tried on Windows clients recently?I did only some test on Windows 10 and Server 2019. The module guide seems the same.As I said, for Android I tested on some 9 and 11.I saw too that 12 has only IKEv2; I didn't test, but this seems less worrying: it has aggressive for all.Here the issue is that on USG you can have only a L2TP VPN.
0 -
valerio_vanni said:So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.Right?
But depends on the design of phone vendors.
Here my experiences on Samsung phones from Android 9 ~ 11.
The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.- Without "IPSec identifier" settings - IKE negotiate via Main mode.
- With "IPSec identifier" settings - IKE negotiate via Aggressive mode
1 -
zyman2008 said:valerio_vanni said:So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.Right?
But depends on the design of phone vendors.
Here my experiences on Samsung phones from Android 9 ~ 11.
The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.- Without "IPSec identifier" settings - IKE negotiate via Main mode.
- With "IPSec identifier" settings - IKE negotiate via Aggressive mode
I just tried and can confirm: mine behave the same.But I don't understand why... if it's to choose mode, it would have been better an option "main | aggressive".
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight