FortiGate
dwickramasinghe1
Article Id 378019
Description: This article describes how to change the IPsec methods used by FortiGate L2TP connections with the Windows client.
Scope: FortiGate, L2TP, IPsec.
Solution:

The native Windows VPN client can be used to create an L2TP dial-up IPsec connection to a FortiGate. By default, Windows and the FortiGate use a pre-defined set of Phase 1 and Phase 2 methods for this connection. In some cases these methods need to be changed for better security or for compatibility.

This article assumes that the L2TP connection is already working but needs to be modified for better security, or that some adjustments are needed before the connection works between the Windows client and the FortiGate.

By default, the IPsec wizard for the native Windows client configures the following Phase 1 and Phase 2 methods on the FortiGate:

Phase 1: [screenshot of the default Phase 1 proposal]

Phase 2: [screenshot of the default Phase 2 proposal]

The example below shows how to restrict the Windows native client to the following settings:

Phase 1:
Encryption: 3DES, Authentication: MD5
DH group: 19

Phase 2:
Encryption: 3DES, Authentication: SHA256

1. On the Windows client, open PowerShell and run the following command to add a new L2TP connection:

PS C:\> Add-VpnConnection -Name "FGTIPSEC" -ServerAddress x.x.x.x -TunnelType "L2tp"

2. Run the following command to set the IPsec settings of the L2TP connection to the desired methods:

PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "FGTIPSEC" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants DES3 -EncryptionMethod DES3 -IntegrityCheckMethod MD5 -PfsGroup None -DHGroup ECP256 -PassThru -Force

3. Change the VPN to the pre-shared key method and enter the pre-shared key under: Windows Settings -> Network and Internet -> VPN -> select the desired connection and open Advanced options -> change the VPN type to L2TP/IPsec with pre-shared key and enter the matching IPsec pre-shared key.

[Screenshot: L2TPSettings.jpg]

4. On the FortiGate, adjust the IPsec Phase 1 and Phase 2 settings to match the Windows client under: FortiGate GUI -> VPN -> VPN Tunnels -> select the desired tunnel and adjust the Phase 1 and Phase 2 settings.

[Screenshot: Phase2Adjusted.jpg]

5. Test the connection from the Windows native client and confirm that it connects.
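The FortiGate side of step 4 can also be done from the FortiOS CLI. This is an added example, not configuration from the original article; it assumes the tunnel is named FGTIPSEC on interface wan1 and uses a placeholder pre-shared key. Each setting is paired with the Set-VpnConnectionIPsecConfiguration parameter it must match.

```fortios
# Phase 1 (IKEv1, main mode). Must match -EncryptionMethod, -IntegrityCheckMethod and -DHGroup.
config vpn ipsec phase1-interface
    edit "FGTIPSEC"
        # dynamic: clients dial in from any source address
        set type dynamic
        # assumption: wan1 is the interface the Windows client reaches
        set interface "wan1"
        set ike-version 1
        set mode main
        # DES3 + MD5 on the Windows side (chosen here only to match the article's example;
        # prefer an AES/SHA2 proposal where the client allows it)
        set proposal 3des-md5
        # ECP256 on the Windows side = DH group 19
        set dhgrp 19
        # placeholder: the same key is entered on the Windows client in step 3
        set psksecret "<PRESHARED-KEY>"
    next
end
# Phase 2. Must match -CipherTransformConstants, -AuthenticationTransformConstants and -PfsGroup.
config vpn ipsec phase2-interface
    edit "FGTIPSEC"
        set phase1name "FGTIPSEC"
        # DES3 + SHA256128 on the Windows side
        set proposal 3des-sha256
        # -PfsGroup None
        set pfs disable
        # L2TP/IPsec runs in transport mode, not tunnel mode
        set encapsulation transport-mode
        set l2tp enable
    next
end
```

If the client still fails to connect after this change, the IKE debug commands later in this article show which proposal each side actually offered.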


The following FortiOS CLI commands can be used to debug the IKE negotiation:

diagnose vpn ike log-filter src-addr4 <Source address of the remote host machine>
diagnose debug application ike -1
diagnose debug console timestamp enable

diagnose debug enable


For FortiOS 7.4.0 and later, the log filter syntax has changed slightly:


diagnose vpn ike log filter rem-addr4 <IPv4 remote gateway address range to filter by>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

Related articles:

Troubleshooting Tip: IPsec Tunnel (debugging IKE)

Technical Tip: Increasing the stability of L2TP

Technical Tip: Certificate Based Authentication Not Working for L2TP Tunnel

Technical Tip: Increase the L2TP IP Pool

Technical Tip: FortiGate IPsec VPN resource list