Hello,
I've managed to configure and connect to my RUT955 using the L2TP/IPsec Windows client. I'll share some details from my end; perhaps it'll be enough to get you connected to your IPsec server. Please note, however, that encryption is hard-coded on the Windows client and it cannot be changed easily (requires some registry modification on the Windows machine as far as I am aware). I'd highly recommend choosing another VPN protocol if you want or must use only specific encryption/hash and PFS methods.
Starting on the router, the IPsec instance is configured as follows:
Instance settings
- Remote endpoint - empty
- Authentication method - Pre-shared key
- Local identifier - %any
- Remote identifier - %any
- Multiple secrets - ON
Global secrets settings [add new]
- ID selector - %any
- Type - psk
- Secret - YourIPsecPassphrase
Connection settings
- Mode - Start
- Type - Transport
- Bind to - Select L2TP interface
- Key exchange - IKEv1
Proposal settings
Any setting should work here; make sure to leave the "Force crypto proposal" unchecked unless you know specifically which encryption algorithm, authentication and DH group is used by the Windows client. If you want to force the crypto proposal on the server side, select the following settings:
PHASE 1
- Encryption algorithm - AES 256
- Authentication - SHA1
- DH group - ECP384
PHASE 2
- Encryption algorithm - AES 256
- Hash algorithm - SHA1
- PFS group - No PFS
I'm sure there are some other possible combinations but this is what both of my devices (server and client) negotiated automatically and, whenever I tried forcing the proposal, the tunnel would establish successfully every time.
When configuring settings on Windows, you don't have to change any settings by default - all that needs to be done is:
- Configure connection name (any string)
- Configure IPsec server IP address (must be public or reachable by Windows client)
- Select appropriate VPN type (L2TP/IPsec with pre-shared key for this configuration example)
- Enter pre-shared key (passphrase)
- Type of sign-in info - username and password (enter them in appropriate fields below)
That should be it. Save & apply the settings on the Windows workstation and try connecting to the IPsec server. The connection should be established shortly.
If this solves your issue or if you're still having difficulties, please let me know.
Best regards,
Tomas.
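
The Windows-side steps from the post above, scripted in PowerShell, followed by a check of which IKE/IPsec algorithms Windows actually negotiated so they can be compared with the router's proposal settings. This is an added example, not part of the original post or Teltonika documentation; the connection name and the server address `203.0.113.10` are placeholders, and the SA queries assume an elevated PowerShell prompt.

```powershell
# Added example: create the L2TP/IPsec (pre-shared key) profile described in the post.
# Placeholders, not values from the post:
$Name          = 'RUT955-L2TP'     # connection name (any string)
$ServerAddress = '203.0.113.10'    # placeholder; address of the router reachable by this client

# Prompt for the pre-shared key instead of storing it in the script.
$Psk = Read-Host -Prompt 'IPsec pre-shared key'

# Remove an older profile with the same name so the script can be re-run.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

# VPN type "L2TP/IPsec with pre-shared key"; all other settings stay at Windows defaults.
# -Force suppresses the confirmation about the key being supplied as plain text.
Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $Psk -Force

# Sign-in info: L2TP username and password, prompted for rather than hard-coded.
$Cred = Get-Credential -Message 'L2TP username and password'
$Net  = $Cred.GetNetworkCredential()
rasdial $Name $Net.UserName $Net.Password

# Confirm the profile and its state.
Get-VpnConnection -Name $Name |
    Format-List Name, ServerAddress, TunnelType, ConnectionStatus

# List the security associations Windows currently holds (run elevated).
# Main mode corresponds to PHASE 1 on the router, quick mode to PHASE 2.
Get-NetIPsecMainModeSA  | Format-List *
Get-NetIPsecQuickModeSA | Format-List *

# Disconnect when finished:
# rasdial $Name /disconnect
```

If the tunnel fails only after "Force crypto proposal" is enabled on the router, comparing the SA output from a working (unforced) connection against the forced PHASE 1 / PHASE 2 values shows which parameter does not match.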