Changing parameters of a L2TP over IPSec VPN using Windows 10 native client

QuiteSmart Posts: 48 Freshman Member

Hello community, I am playing around with L2TP over IPSec VPNs. I have so far found a working configuration for both Zywalls and the Windows client (10 and 11); in the last few days I decided to go deeper into understanding the protocols and the differences between the various parameters involved in the 2 phases, with two aims:

  • raise my knowledge
  • test different configurations' speed in upload / download

I started from a configuration which works without the need of editing the client connection with PowerShell:

PHASE 1:

  • authentication: PSK
  • SA lifetime: 86400 (too long?)
  • negotiation: main (compulsory with the Windows client, is it?)
  • proposals: 3DES/SHA1 ; 3DES/MD5 ; DES/SHA1
  • keygroup: DH2

PHASE 2:

  • SA lifetime: 86400 (bad idea to use the same values for both phases?)
  • protocol: ESP
  • encapsulation: transport (compulsory with the Windows client, is it?)
  • proposals: same as phase 1
  • pfs: none

I decided to modify PFS in phase 2 from none to DH2.

My existing connection on Windows doesn't work anymore; in the events I find error 788.

So I suppose I have to change something in Windows, and I:

  • checked in the registry the value of the key NegotiateDH2048_AES256 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters; the value is 1;
  • tried to find a command in PS to query the actual values that one can change with Set-VpnConnectionIPsecConfiguration, but to my surprise it seems like you can change them but you cannot read them;
  • played with Set-VpnConnectionIPsecConfiguration and I discovered that all parameters are mandatory (wouldn't it be better to let the user enter only the ones he wants to change?), so I entered the following:

Set-VpnConnectionIPsecConfiguration -ConnectionName "Prova 1" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants DES3 -DHGroup Group2 -EncryptionMethod DES3 -IntegrityCheckMethod SHA1 -PfsGroup PFS2

That in my humble opinion should be compliant with the Zywall configuration (i.e. all as before, apart from PFS changed from none to DH2).

Unfortunately PS returns an error in red telling me that SHA256128 is not accepted (I took it from the Microsoft Learn guide! https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2019-ps#examples ). So I changed it to None (maybe None means "leave it as it is"?).

Obviously it doesn't work, and the problem is with phase 2.

Questions:

  • in phase 2 can I choose any proposal and/or PFS, or is the stupid Windows native client limited to a few values? Which ones?
  • is there a way to query the current parameters of a VPN connection in PowerShell, in the registry, in a file or anywhere else (DH, proposals, etc.)?
  • why does the Set-VpnConnectionIPsecConfiguration command give an error with SHA256128?
  • is there a 3rd party client that works better than the native Windows client and can be used with L2TP over IPSec?

EDIT: I read the post by @zyman2008 of Dec 2022 and I tried with SHA196 in -AuthenticationTransformConstants and it works, but I decided to publish this post all the same because:

  • it might be useful for others
  • most of the questions still need an answer
  • it took me too long to trash it, man!
  • I think that @Peppino and @PeterUK will like this post
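As an added example (not part of the original post), the script below applies to the "Prova 1" connection the six settings that correspond to the Zywall proposal above (3DES/SHA1, DH2, PFS DH2, with SHA196 as the ESP integrity transform the edit reports working) and then reads the stored policy back; it assumes that Get-VpnConnection exposes that policy through its IPsecCustomPolicy property.

```powershell
# Added example, not from the original post. Assumes the VpnClient module
# cmdlets are available and that Get-VpnConnection returns the stored custom
# IPsec policy in its IPsecCustomPolicy property.
$name = "Prova 1"   # connection name taken from the post

# Intended values, mapped from the Zywall phase 1 / phase 2 configuration.
# 3DES, SHA1 and DH group 2 are legacy choices kept here only to match the gateway.
$wanted = @{
    AuthenticationTransformConstants = "SHA196"   # ESP integrity: HMAC-SHA1-96
    CipherTransformConstants         = "DES3"     # ESP cipher: 3DES
    DHGroup                          = "Group2"   # phase 1 key group: DH2
    EncryptionMethod                 = "DES3"     # phase 1 cipher: 3DES
    IntegrityCheckMethod             = "SHA1"     # phase 1 hash: SHA1
    PfsGroup                         = "PFS2"     # phase 2 PFS: DH2
}

# All six parameters are mandatory, so they are passed together by splatting;
# -Force suppresses the confirmation prompt.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name @wanted -Force

# Read back what Windows actually stored for this connection.
$policy = (Get-VpnConnection -Name $name).IPsecCustomPolicy
$policy | Format-List

# Compare each stored value with the intended one and report any mismatch,
# so a silent substitution by the client does not go unnoticed.
$mismatches = 0
foreach ($k in $wanted.Keys) {
    $actual = [string]$policy.$k
    if ($actual -ne $wanted[$k]) {
        Write-Warning "$k is '$actual', expected '$($wanted[$k])'"
        $mismatches++
    }
}
if ($mismatches -eq 0) { Write-Output "Stored policy matches the Zywall proposal." }
```

Run it in an elevated PowerShell session on the client; if the connection was created with -AllUserConnection, add that switch to both cmdlets.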
