L2TP over IPSEC parameters for Windows 10 native client

Options
valerio_vanni
valerio_vanni Posts: 64  Ally Member
First Anniversary 10 Comments Friend Collector First Answer
edited December 2022 in Security
I have, on a USG Flex 200 (latest firmware version), a L2TP over Ipsec VPN policy.
I've successfully tested with Android 9 and Android 11 native client.

Parameters are:

Phase1: IKEv1 - interface WAN1 - remote dynamic - preshared key - local id type: mail - remote id type: any - lifetime 86400 - mode aggressive - AES128/SHA1 - Pfs DH2 - NAT trav - DPD - no Xauth - no 2FA

Phase2: role: remote access - IP: WAN1 IP - no MODE CONFIG - life time 28800 - ESP/transport - ESP/Transport - AES128/SHA1 Pfs NONE

I try with windows 10 native clients, and it fails. But it doesn't say why, only that "protocol negotiation failed" (not exact words, I don't have here a test machine and anyway it's not in english language).

Windows VPN client doesn't show any option about proposal, pfs etc. Nor I find in help (or I missed right help pages) what it's trying to use so I can set it on firewall to make it happy.

The only entries I find are
-VPN type: L2TP/Ipsec
-Remote GW: OK
-Shared PWD: OK
-User: OK
-Pwd: OK

I found here the advice of trying to check protocols in virtual VPN adapter, but it didn't help.

https://support.zyxel.eu/hc/it/articles/360001390914-Configurazione-L2TP-su-un-USG-Firewall-utilizzando-il-client-integrato-di-Windows#h_01GM8B1RV4NPWJFSGK6CGNWJRN

Best Answers

  • zyman2008
    zyman2008 Posts: 206  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2022 Answer ✓
    Options
    Hi @valerio_vanni,
    First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".

    Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
    https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client

    If you want to change the encryption setting. 
    1. You need to use powershell command to create VPN connection,
    Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
    Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -Force

    2. Then, on desktop screen, click on the Network icon in the bottom right hand corner. Right click and select "Open Network & Internet Settings".

    3. Under the Advanced network settings section. Click "Change adapter options".

    4. Select the VPN connection created. Right click and "select Properties". To edit the pre-share key and authentication method.

  • zyman2008
    zyman2008 Posts: 206  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.
    Right?
    I think Android support both aggressive and main mode for L2TP/IPSec PSK.
    But depends on the design of phone vendors.

    Here my experiences on Samsung phones from Android 9 ~ 11.

    The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.
    • Without "IPSec identifier" settings - IKE negotiate via Main mode.
    • With "IPSec identifier" settings - IKE negotiate via Aggressive mode


All Replies

  • mMontana
    mMontana Posts: 1,342  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2022
    Options
    WAN1 ip address is public or private?
    Which is the setting for
    NAT
    DPD
    in phase 1?
    L2TP protocol is set to be allowed to get to USG200?
  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    mMontana said:
    >WAN1 ip address is public or private?

    WAN1 is public

    >Which is the setting for NAT DPD in phase 1?

    Sorry, I wasn't clear. I meant they are both active.

    >L2TP protocol is set to be allowed to get to USG200?

    How could it not be allowed? From Android connection is successful.




  • zyman2008
    zyman2008 Posts: 206  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2022 Answer ✓
    Options
    Hi @valerio_vanni,
    First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".

    Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
    https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client

    If you want to change the encryption setting. 
    1. You need to use powershell command to create VPN connection,
    Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
    Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -Force

    2. Then, on desktop screen, click on the Network icon in the bottom right hand corner. Right click and select "Open Network & Internet Settings".

    3. Under the Advanced network settings section. Click "Change adapter options".

    4. Select the VPN connection created. Right click and "select Properties". To edit the pre-share key and authentication method.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2022
    Options
    Hello @valerio_vanni

    zyman2008 already provided a great way and suggestion to deploy the L2TP connection on the Windows 10 native client. Besides, if you worry whether there is any missing config on the USG Flex 200 you could use the wizard to configure L2TP settings as well.

    Click Quick Setup Wizard


    Choose Remote Access VPN Setup 
     
    Choose L2TP over IPsec Client(iOS, Windows, Android) and fill in the server IP address, pre-shared key, L2TP IP pool, domain name server, and grantable users then save this profile.    


    Go to Configuration > VPN > IPsec VPN > VPN Gateway, click "RemoteAccess_L2TP_Wiz" to check the default wizard phase1 setting is Main mode, 3DES(Encryption)/SHA1(Authentication)/DH2(Key Group), as below:


    Go to Configuration > VPN > IPsec VPN > VPN Connection, click "RemoteAccess_L2TP_Wiz" to check the default wizard phase2 setting is 3DES(Encryption)/SHA1(Authentication)/PFS is none, as below:


    Configure L2TP information(server IP, pre-shared key, user name, password) on the Win10 native client.


    Then Win10 native client establishes L2TP connection with USG Flex 200 and you can go to Monitor > Log > View Log to see successful logs, as below: 




  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2022
    Options
    zyman2008 said:
    Hi @valerio_vanni,
    First, the configuration on your USG the phase 1 mode should be "Main" mode not "Aggressive mode".

    Second, the Windows native L2TP/IPSec client using 3DES/SHA1/DH2 encryption by default.
    https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/default-encryption-settings-for-l2tp-ipsec-vpn-client

    If you want to change the encryption setting. 
    1. You need to use powershell command to create VPN connection,
    Add-VpnConnection -Name "L2TPoverIPSecVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp"
    Set-VpnConnectionIPsecConfiguration -ConnectionName "L2TPoverIPSecVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup None -DHGroup Group2 -PassThru -Force
    Thank you, it works :-)

    Here I found parameters for that powershell command (should them be needed by anyone for other configurations):

    So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.
    Right?
  • mMontana
    mMontana Posts: 1,342  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2022
    Options
    I think that depends on Android version and maybe also the device producer.
    Moreover, since Android 12 several producers "require" IKEv2 which throws also "Aggressive" Into puddle.

    The page you linked seems related to Windows 2022 only, did you tried on Windows clients recently?
  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    mMontana said:
    I think that depends on Android version and maybe also the device producer.
    Moreover, since Android 12 several producers "require" IKEv2 which throws also "Aggressive" Into puddle.

    The page you linked seems related to Windows 2022 only, did you tried on Windows clients recently?
    I did only some test on Windows 10 and Server 2019. The module guide seems the same.

    As I said, for Android I tested on some 9 and 11.
    I saw too that 12 has only IKEv2; I didn't test, but this seems less worrying: it has aggressive for all.

    Here the issue is that on USG you can have only a L2TP VPN.

  • zyman2008
    zyman2008 Posts: 206  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.
    Right?
    I think Android support both aggressive and main mode for L2TP/IPSec PSK.
    But depends on the design of phone vendors.

    Here my experiences on Samsung phones from Android 9 ~ 11.

    The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.
    • Without "IPSec identifier" settings - IKE negotiate via Main mode.
    • With "IPSec identifier" settings - IKE negotiate via Aggressive mode


  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    zyman2008 said:

    So for L2TP/IPSEC I have to choose between Windows 10 and Android clients: Windows needs Main mode, while Android needs aggressive.
    Right?
    I think Android support both aggressive and main mode for L2TP/IPSec PSK.
    But depends on the design of phone vendors.

    Here my experiences on Samsung phones from Android 9 ~ 11.

    The settings of "IPSec identifier" change the L2TP/IPSec IKE mode it used.
    • Without "IPSec identifier" settings - IKE negotiate via Main mode.
    • With "IPSec identifier" settings - IKE negotiate via Aggressive mode

    I just tried and can confirm: mine behave the same.

    But I don't understand why... if it's to choose mode, it would have been better an option "main | aggressive".

Security Highlight