Windows native VPN not working (MacOS works fine)

Hi,

I’m kind of struggling to get the native VPN (L2TP over IPsec) working for Windows. I just set this up using the IPsec wizard and it works fine on a MacBook; when I use the exact same settings on a Windows laptop it doesn’t work. Everything I read when googling suggests everything is set up correctly.

When looking into the logs I see that the MacBook goes through PH1 and PH2, then starts the L2TP tunnel, all fine. The Windows machine goes through PH1, goes through PH2 6 times, and never starts L2TP.

Test on Windows

Test on MacOS

Has anyone run into this or has anyone had any issues with native VPN not working in Windows recently?

Thanks!

Does Windows actually complete PH2? Windows 11 by default only has DH2 (https://learn.microsoft.com/en-us/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections). It has support for all parameters, but they are not available by default.

Set your wanted parameters (SHA256/AES256/DH14) with the PowerShell command Set-VpnConnectionIPsecConfiguration:

https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2022-ps
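As an added example (not code from the reply above or from Microsoft's documentation), this is how that cmdlet would be used to pin an existing Windows VPN connection to SHA256/AES256/DH14 and then read the policy back to confirm it took. The connection name "Office VPN" is an assumption; substitute whatever Get-VpnConnection lists on the client.

```powershell
# Added example: pin the IPsec proposal of an existing Windows VPN
# connection to SHA256 / AES256 / DH14 and read it back.
# Assumes a user-scope VPN connection named "Office VPN" already exists
# (assumed name; change $ConnectionName to match Get-VpnConnection output).
$ConnectionName = 'Office VPN'

# Show what the connection currently negotiates. With no custom policy the
# client falls back to the built-in Windows proposals (DH2 by default).
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, TunnelType, IPsecCustomPolicy | Format-List

# Apply a custom IPsec policy. -Force suppresses the confirmation prompt,
# -PassThru returns the resulting policy object so it can be inspected.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -PassThru -Force

# Verify: the connection object now carries the custom policy instead of
# the Windows defaults. Compare these values with the FortiGate phase 1 /
# phase 2 proposals; a mismatch shows up as repeated PH2 attempts in the logs.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

Run this in the same user context that created the VPN connection (add -AllUserConnection to both cmdlets if the connection was created for all users). The phase 2 proposal on the FortiGate side has to offer the same transforms, otherwise Windows will keep retrying PH2 exactly as described in the original post.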

What does the Event Viewer say?

There is a bug on Windows preventing L2TP when the client is behind a NAT device (home router); you can fix it by adding the following to the registry (one-time) and rebooting the system.

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

Some systems disable IPsec encryption; to enable it, add the following to the registry and reboot.

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
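To check whether a client already has the two registry values from the reply above set as recommended, and to apply them only when explicitly asked, here is an added PowerShell script (it is not from the reply or from Microsoft; the expected values 2 and 0 are the ones the reply gives). It reports OK, MISSING or MISMATCH for each value and only writes when run with -Apply from an elevated prompt.

```powershell
# Added example: audit the two registry values discussed above and report
# whether they match the recommended data. Only writes when -Apply is passed;
# writing needs an elevated PowerShell and a reboot afterwards.
param([switch]$Apply)

# Key path, value name, expected data and reason, as given in the reply.
$checks = @(
    @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
       Name     = 'AssumeUDPEncapsulationContextOnSendRule'
       Expected = 2
       Why      = 'allow L2TP/IPsec when the client is behind NAT' },
    @{ Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
       Name     = 'ProhibitIpSec'
       Expected = 0
       Why      = 'make sure RasMan does not disable IPsec for L2TP' }
)

foreach ($c in $checks) {
    # Read the value if it exists; an absent value is reported as MISSING.
    $item    = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($c.Name) } else { $null }
    $state   = if ($current -eq $c.Expected) { 'OK' }
               elseif ($null -eq $current)  { 'MISSING' }
               else                         { 'MISMATCH' }
    $shown   = if ($null -eq $current) { '<absent>' } else { $current }

    '{0,-8} {1}\{2} = {3} (expected {4}; {5})' -f $state, $c.Path, $c.Name, $shown, $c.Expected, $c.Why

    if ($Apply -and $state -ne 'OK') {
        # Create the key if it is missing, then write the DWORD. The
        # PolicyAgent/RasMan services only pick the value up after a reboot.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        "         -> wrote {0} to {1}\{2}" -f $c.Expected, $c.Path, $c.Name
    }
}

if ($Apply) { 'Values written; reboot for PolicyAgent/RasMan to reload them.' }
```

Save it as, for example, Check-L2tpRegistry.ps1, run it once without arguments to see the current state, and only then run it with -Apply. Keeping the audit separate from the write makes it easy to confirm on a working and a non-working client whether these values actually differ before changing anything.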

Umm, on macOS, don’t use L2TP/IPsec. Just use regular IPsec v1, as macOS actually has a native built-in client for that (select Cisco IPSec when configuring the VPN connection on macOS).

Much better option than L2TP/IPsec.

First thought: check the Windows Firewall.

It should work right out of the box with the settings from the FortiGate wizard, assuming you didn’t change any settings on the Windows side. It worked perfectly for me the last time I tested this (about two months ago on 6.4.9).

Eventually this is your problem:

Microsoft borked some TLS ciphers in the last update.

I know this doesn’t solve the issue at hand, but I’ve always had issues with Windows native VPN, even with Cisco firewalls. Windows will come out with some patch that makes the native VPN go sideways. For stability’s sake, I can’t possibly stress enough using FortiClient for remote access VPN. It’ll make your life way better and reduce trouble calls.

I will look into this, thank you.

That is not the issue, as it is working fine on macOS.

Even with the Windows Firewall off it doesn’t work.