Changing parameters of a L2TP over IPSec VPN using Windows 10 native client
Hello community, i am playing around with L2TP over IPSec VPNs. I have found by far a working configuration for both Zywalls and Windows client (10 and 11), in the last few days I decided to go deeper in understanding the protocols and the difference of the various paramethers involved in the 2 phases with two aims:
- raise my knowledge
- test different configuration's speed in upload / download
I started from a configuration which works without the need of editing the client connection with PowerShell:
PHASE 1:
- authentication: PSK
- SA lifetime:
86400
(too long?) - negotiation:
main
(compulsory with windows client, is it?) - proposals: 3DES/SHA1 ; 3DES/MD5 ; DES/SHA1
- keygroup:
DH2
PHASE 2:
- SA lifetime:
86400
(bad idea to use the same values for both phases?) - protocol:
ESP
- encapsulation:
transport
(compulsory with windows client, is it?) - proposals: same as phase 1
- pfs:
none
I decided to modify pfs in phase 2 from none
to DH2
My existing connection on Windows doesn't work anymore, in the events i find error 788.
So i suppose I have to change something in Windows and I:
- checked in the registry the value of the key:
NegotiateDH2048_AES256
inHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
the value is 1; - tried to find a command in PS to query the actual values that one can change with
Set-VpnConnectionIPsecConfiguration
but with my surprise it seems like you can change them but you cannot read them; - played with
Set-VpnConnectionIPsecConfiguration
and I discovered that all paramethers are mandatory (wouldn't it better to let the user enter only the ones he wants to change?) so I entered the following:
Set-VpnConnectionIPsecConfiguration –ConnectionName “Prova 1” –AuthenticationTansformConstants SHA256128 –CipherTransformConstants DES3 –DHGroup Group2 EncryptionMethod DES3 –IntegrityCheckMethod SHA1 –PfsGroup PFS2
That in my humble opinion should be compliant to the zywall configuration (i.e. all as before apart PFS changed from none to DH2.
Unfortunately PS returns an error in red telling me that SHA256128 is not accepted (i took it from Microsoft Learn guide!
) So I changed it to None (maybe None means "leave it as it is"?)Obvioulsy it doesn't work and the problem is with phase 2:
Questions:
- in phase 2 can i choose any proposal and/or pfs or the stupid windows native client is limited to few values? Which ones?
- is there a way to query which are the current paramethers of a VPN connection in powershell, in the registry in a file or everywhere else? (DH, proposals etc,?
- Why the
Set-VpnConnectionIPsecConfigurations
command gives an error with SHA256128? - Is there a 3rd party client that works better than native Windows client and can be used with 2LTP over IPSec?
EDIT I read the post by @zyman2008 of dec 2022 and I tried with SHA196 in –AuthenticationTansformConstants
and it works but i decided to publish this post all the same because:
All Replies
-
yes nicely posted then how I found out about you can change encryption
0 -
I would like to convert this post to the best practices for L2TP over IPSec…
which combination of phase 1 proposals, DH and phase 2 proposals pfs do you all use? which is the minimum security level that you would use?
what about an aggressive negotiation?
anyone uses tunnel instead of transport with windows client?
0 -
still looking for possibile configuration in Windows I found that to enable DES and MD5 one has to edit a registry key (not reccomanded for security concerns):
from
you can disable weak crypto for L2TP by editing the following registry value:
HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowL2TPWeakCrypto
The default value of this DWORD registry value is 0, and by changing it to 1, you can enable DES encryption and MD5 integrity checking on the computer for both outgoing and incoming L2TP/IPsec-based VPN connections
0 -
Hi @QuiteSmart ,
Greeting Forum, Nice sharing :)
I lookup the KB of microsoft, The tunnel mode is not supported,
So you must use Transport mode instead of Tunnel mode on Firewall.
That's not a problem since Tunnel mode is not mandatory from RFC 3193.
Thank you
1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight