I am trying to set up the Windows built-in VPN with an ASA 5505 using IPsec/L2TP with IKEv1. Remote access VPN using a PSK.
I got a mismatch error during phase 1, and I cannot figure out what IPsec proposal Windows 10 is using, so I can match it on the ASA 5505 side? I.e. auth method, hash algorithm, encryption algorithm, DH group and lifetime.
So, what IPsec proposal is Windows 10 using with the built-in VPN client, and is it possible to change this?
Any tips n tricks out there?
Regards.
This question is a bit old, but I decided to share my experiences with L2TP/IPsec using PSK in Windows 10; somebody might find it useful.
I was experimenting with L2TP/IPsec connections between a Windows 10 PC and a Mikrotik router the other day. Analyzing the debug-level log of the Mikrotik, I figured out that Windows 10 (version 1511) is offering the following authentication and encryption settings during the key exchange (in this priority order):
For Phase 2 negotiation Windows 10 has the following proposal only:
It seems all of these settings are hardcoded in the system, as the L2TP/IPsec client ignored any changes I made in "IPsec Settings" in the Advanced Windows Firewall MMC.
I even tried this registry hack but I didn't manage to force AES256 for phase2: https://superuser.com/questions/1296210/force-windows-ipsec-l2tp-vpn-to-use-aes-in-ipsec-main-mode
I know 1511 is an outdated version of Win10, but that was what was available on my work laptop. A newer version might have some improvements (for example the more efficient AES-GCM encryption), but for me the combination of SHA1 and 256-bit AES-CBC with Diffie-Hellman Elliptic Curve P-384 offers reasonably strong and quick security at this time. For traffic, SHA1+AES128 is not the most secure option to have, but it doesn't need much resource.
Update: I've checked out Win10 version 1803. Phase 1 proposals are the same, but for Phase 2 Windows now proposes SHA1+AES-CBC-256 too (besides SHA1+AES-CBC-128). CTR or GCM suites are still not supported, nor is SHA256 hashing for auth.
I also found how to edit these settings: Windows firewall with advanced security --> (right panel) Properties --> IPsec Settings --> Customize IPsec defaults --> Key Exchange (advanced)
You should be able to set the parameters in the VPN settings (Right click, properties on the VPN connection in network and sharing) then adjust how Windows deals with the PSK for L2TP in there. I believe it defaults to certificates rather than PSK (since it doesn't know that). It will try several different VPN types until it finds one that works (or spends ages on the SSL one...) but you can explicitly tell it to use L2TP.
Take a look in the Security tab, type of VPN and advanced settings to set how Windows tries to authenticate. Underneath that is the protocols and whatnot.
The defaults are listed by Microsoft here http://support.microsoft.com/en-us/kb/325158
I've had some success with PowerShell for changing phase 1 and 2 settings:
Set-VpnConnectionIPsecConfiguration -ConnectionName test -EncryptionMethod AES128 -DHGroup ECP256 -IntegrityCheckMethod SHA256 -PfsGroup None -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128
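As an added example (not the answer author's command and not Microsoft's documentation), the same cmdlet in a full script that creates the L2TP/PSK connection, pins both IKE phases and reads the resulting policy back so a mismatch against the ASA can be checked on the client before dialling. The connection name, server name, PSK placeholder and the particular proposal values are assumptions; the proposal must be whatever the ASA's IKEv1 policy and transform set actually use.

```powershell
# Added example, not from the original answers.
# Assumed values (replace with your own): connection name, ASA address, PSK.
$name   = 'AsaL2tp'
$server = 'vpn.example.test'
$psk    = '<PRE-SHARED-KEY-PLACEHOLDER>'   # placeholder for the tunnel-group key

# 1. Create the connection, forcing L2TP so the client does not cycle through
#    PPTP/SSTP/IKEv2 first (the "Automatic" behaviour mentioned in another answer).
if (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $name -Force
}
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType L2tp `
    -L2tpPsk $psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -Force

# 2. Pin phase 1 (EncryptionMethod / IntegrityCheckMethod / DHGroup) and
#    phase 2 (CipherTransformConstants / AuthenticationTransformConstants / PfsGroup).
#    These values are an assumed example policy that avoids SHA1 and 3DES; use
#    the ones configured on the ASA. Note the cmdlet has no SA lifetime parameter,
#    so the lifetime is not adjustable from here.
$wanted = @{
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'
    CipherTransformConstants         = 'AES256'
    AuthenticationTransformConstants = 'SHA256128'
    PfsGroup                         = 'None'
}
Set-VpnConnectionIPsecConfiguration -ConnectionName $name @wanted -Force

# 3. Read the policy back. IPsecCustomPolicy is empty when no custom policy is
#    applied, i.e. the client would fall back to the hardcoded defaults that the
#    other answers describe; otherwise compare each field with what was requested.
$policy = (Get-VpnConnection -Name $name).IPsecCustomPolicy
if (-not $policy) {
    Write-Warning "No custom IPsec policy applied to '$name'; built-in defaults will be offered."
} else {
    foreach ($k in $wanted.Keys) {
        $actual = [string]$policy.$k
        if ($actual -ne $wanted[$k]) {
            Write-Warning ("{0}: requested {1}, client has {2}" -f $k, $wanted[$k], $actual)
        }
    }
    $policy | Format-List
}
```

Run from an elevated PowerShell on the client; after dialling, any remaining phase 1 mismatch then points at the ASA's IKEv1 policy rather than at the client's offer.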