This guide covers the steps for further hardening the IPsec encryption of a native Windows L2TP connection to a FortiGate.
Changing the Diffie-Hellman (DH) Group
Diffie-Hellman (DH) groups are used during IPsec “Phase 1” to securely exchange key material between the VPN client and the FortiGate endpoint.
In plain English, they determine the mathematical strength of the process used to establish the tunnel.
The DH Groups supported by Windows are as follows:
DH Group 1
DH Group 2
DH Group 14
DH Group 19
DH Group 20
DH Group 24
In this guide, we’ll be focusing on DH Groups 14 and 19.
DH Group 14 uses a 2048-bit MODP key exchange. It is widely supported and is considered a solid baseline for compatibility and security.
DH Group 19 uses 256-bit elliptic curve cryptography (ECP256). It provides stronger modern cryptography with better efficiency, which can improve performance while maintaining a high security standard.
In general, Group 19 is preferred where supported, as it is newer and more efficient.
Group 14 remains a viable fallback when compatibility is more important or when older systems do not support elliptic curve groups.
FortiGate
To modify the DH Group on the FortiGate tunnel, follow the provided steps:
Select the relevant tunnel, and click “Edit”.

Locate “Phase 1 Proposal”, and click on the attached “Edit” button.

You should see the following menu:

We’re going to move away from DH Group 2 (the default), as it is considered very insecure when compared with later Groups. While here, we’ll also change the permitted encryption/authentication types.
Change your encryption/authentication types to match the screenshot below.
Make sure to also untick the “Diffie-Hellman Group” ‘2’ checkbox.
You can remove additional encryption types by clicking on the associated “X” box, as demonstrated below:


To change the Group in use by the tunnel, tick EITHER DH Group 14 or 19.

OR

Once you have selected a single DH Group, save the Phase 1 section by clicking on the circled checkmark in the top-right of the menu.

Next, move to the “Phase 2 Selectors” section:

With the “Phase 2 Selectors” menu open, click on the “Advanced” drop-down.

You should be greeted with this expanded menu:
Action the changes on this page:
Set the “Local Address” and “Remote Address” to 0.0.0.0/0.
Set a single encryption/authentication pair to AES128 and SHA256, and remove all other pairs.
Afterwards, click the circled checkmark to save and close this section.

Lastly, click “OK” to save all changes to the tunnel.

Windows
Windows does not expose the Diffie-Hellman Group in the normal VPN GUI, so the easiest way to check or change it is with PowerShell.
Once the Native L2TP tunnel has been added to Windows, you can view the current DH Group by running the following PowerShell command as administrator.
Make sure to replace <YOUR VPN NAME> with the real name chosen for the tunnel on Windows:
Get-VpnConnection -Name "<YOUR VPN NAME>" | Select-Object -ExpandProperty IPSecCustomPolicy
If PowerShell outputs nothing (and no errors appear), the tunnel is using the default DH Group of 2.
To change the Group in use by the tunnel, use ONE of the following commands, depending on whether you want DH Group 14 or 19.
Once again, make sure to replace <YOUR VPN NAME> with the real name chosen for the tunnel.
NOTE: THIS MUST MATCH THE GROUP CHOSEN ON THE FORTIGATE FIREWALL!
DH Group 14
Set-VpnConnectionIPsecConfiguration `
    -ConnectionName "<YOUR VPN NAME>" `
    -AuthenticationTransformConstants None `
    -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup None `
    -DHGroup Group14 `
    -PassThru `
    -Force
DH Group 19
Set-VpnConnectionIPsecConfiguration `
    -ConnectionName "<YOUR VPN NAME>" `
    -AuthenticationTransformConstants None `
    -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup None `
    -DHGroup ECP256 `
    -PassThru `
    -Force
After selecting one of the above options, you can view the changes by running the following command again:
Get-VpnConnection -Name "<YOUR VPN NAME>" | Select-Object -ExpandProperty IPSecCustomPolicy
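As an added example (not part of the original guide), the following PowerShell function turns the two caveats above into an audit: it reads the connection's IPSecCustomPolicy, treats an empty result as the Windows default of DH Group 2, and checks the group against the one selected on the FortiGate. The function name Test-VpnDhGroup, the mapping table and the "<YOUR VPN NAME>" placeholder are assumptions for illustration.

```powershell
# Added example, not the guide's own code. Run in an elevated PowerShell session.
# Maps the FortiGate Phase 1 DH group number to the value -DHGroup accepts on Windows.
$FortiToWindowsDhGroup = @{
    1  = 'Group1'
    2  = 'Group2'
    14 = 'Group14'   # 2048-bit MODP
    19 = 'ECP256'    # 256-bit elliptic curve, the guide's "DH Group 19"
    20 = 'ECP384'
    24 = 'Group24'
}

function Test-VpnDhGroup {
    param(
        [Parameter(Mandatory)] [string] $ConnectionName,   # tunnel name as shown in Windows
        [Parameter(Mandatory)] [int]    $FortiGateDhGroup  # DH group ticked on the FortiGate
    )
    if (-not $FortiToWindowsDhGroup.ContainsKey($FortiGateDhGroup)) {
        throw "DH Group $FortiGateDhGroup is not supported by Windows."
    }
    $expected = $FortiToWindowsDhGroup[$FortiGateDhGroup]

    $policy = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop |
              Select-Object -ExpandProperty IPSecCustomPolicy

    # No custom policy at all means Windows is still on its default, DH Group 2.
    $current = if ($null -eq $policy) { 'Group2' } else { [string]$policy.DHGroup }

    $result = [pscustomobject]@{
        ConnectionName  = $ConnectionName
        CurrentDHGroup  = $current
        ExpectedDHGroup = $expected
        Matches         = ($current -eq $expected)
        Weak            = ($current -in @('Group1', 'Group2'))  # groups the guide moves away from
    }
    if (-not $result.Matches) {
        Write-Warning "'$ConnectionName' uses $current but the FortiGate is set to DH Group $FortiGateDhGroup ($expected); Phase 1 will not find a matching proposal."
    }
    if ($result.Weak) {
        Write-Warning "'$ConnectionName' still uses $current; switch to Group14 or ECP256 with Set-VpnConnectionIPsecConfiguration."
    }
    return $result
}

# Usage: the FortiGate tunnel was configured with DH Group 19 in the steps above.
Test-VpnDhGroup -ConnectionName "<YOUR VPN NAME>" -FortiGateDhGroup 19
```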