4

Our L2TP server (running Windows 2008 RRAS) is behind a NAT firewall. I've already verified that it is passing NAT-T. The firewall rules are all set up correctly to pass GRE, IKE, L2TP and there are no custom IPSEC policies running on the server. L2TP is using a PSK instead of a certificate. Oddly, my Windows 7 and 8 desktops cannot make a successful connection, but my iPhone and iPad devices connect successfully. I can't think of anything else to check.

Also note that we can use PPTP and SSTP just fine.

I have firewall and netmon logs for both the failed and successful connections. I've seen a lot of cases where iOS devices cannot connect where full desktops can, but this is the opposite and I can find no clues on the interwebs.

Update: I've even replaced the server in question with a fresh Windows Server 2012 installation and it still has the same problem.

Eric Falsken
  • 627
  • 2
  • 8
  • 21
  • That's because iThingies use a slightly different permutation of the IPSec protocols than Windows does. And they don't completely overlap. Unfortunately, I don't myself know where the overlap is. – sysadmin1138 Mar 19 '13 at 18:37
  • Are your windows desktops sitting behind their own NATed firewall or do they have public IPs? With L2TP one end of the connection has to have an IP that isn't transformed, both ends cannot use NAT-T. – Snowburnt Apr 10 '13 at 19:29
  • That makes sense, but even my iDevice can connect to the VPN from the same network that my windows computers are on. (from behind a NAT on the client end, and server end) – Eric Falsken Apr 11 '13 at 16:01

3 Answers

5

Did you make the registry changes on the Windows machines to make them work behind NAT?

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

If you prefer to use "REG ADD":

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2

The registry change is mentioned in this article from Microsoft: https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device

Be aware that this registry value has had a history of being deleted by Windows 10 "Feature Updates". If you are able to enforce the setting through an automated mechanism (like Group Policy Preferences Registry settings) you will have more consistent results.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
shinjijai
  • 416
  • 1
  • 7
  • 16
  • The solution required a change of a default setting on every Windows client machine that wished to connect. This setting (for "security" reasons) is default on Windows, but unenforced on OS X, Linux, Android and iOS. To make matters worse, there is no way to change the setting except by registry changes to every client that wishes to connect. So, yes, this is an answer, but there is no way to change the settings on the server so that an unmodified client can connect with L2TP to a server behind a NAT. – Eric Falsken Oct 09 '13 at 19:03
  • But thanks for posting the link. I had lost it long ago. Have a badge as your reward! – Eric Falsken Oct 09 '13 at 19:03
  • This solved a problem of mine as well. I'm pushing it via Group Policy as we speak. – riahc3 Aug 17 '15 at 09:54
  • +1 Also solved my issue with exactly the same description (works on iOS 9.2.1, fails with Windows 10 Pro. Also: in Win 10 set Authentication Type explicitly instead of EAP. For me MS-CHAP v2). – JanW Feb 03 '16 at 15:22
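Because the comments above report the value being lost after feature updates, an audit-and-remediate script is more useful than a one-off REG ADD. The following PowerShell is an added example, not code from the answer or from Microsoft; it assumes the key path and value name given in the answer, and that value 1 means only the server is behind NAT while 2 means both client and server are (as the linked article describes). Run it in an elevated session on the client; a reboot is required before the change takes effect.

```powershell
# Added example: check AssumeUDPEncapsulationContextOnSendRule on this client and,
# with -Remediate, set it to the value the L2TP/IPsec server behind NAT needs.
[CmdletBinding()]
param(
    # 1 = only the VPN server is behind NAT, 2 = client and server both behind NAT
    [ValidateSet(1, 2)]
    [int] $DesiredValue = 2,
    # Report only by default; pass -Remediate to write the value
    [switch] $Remediate
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-NatTValue {
    # Returns the current DWORD, or $null when the value is absent (the Windows
    # default, and what a feature update may leave behind after removing it).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$ValueName
}

$current = Get-NatTValue
if ($current -eq $DesiredValue) {
    Write-Output "$ValueName is already $current; no change needed."
    return
}

$shown = if ($null -eq $current) { '<absent>' } else { $current }
if (-not $Remediate) {
    # Drift detected: this is the state that makes Windows clients fail while
    # iOS clients, which do not enforce the setting, keep connecting.
    Write-Warning "$ValueName is $shown, expected $DesiredValue. Re-run with -Remediate to fix."
    return
}

# Equivalent to the REG ADD line in the answer; -Force overwrites an existing value.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
    -Value $DesiredValue -Force | Out-Null
Write-Output "Changed $ValueName from $shown to $DesiredValue. Restart the computer to apply."
```

Scheduling the script in report-only mode after each Windows update cycle gives the same drift visibility as the Group Policy Preferences approach mentioned in the answer, for machines that are not domain-joined.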
1

I've had this same problem, and it turned out that the local Windows firewall was blocking the connection. This guide helped me add the correct ports.

Basically you need to open UDP Ports '50, 500, 4500'

https://www.magnumvpn.com/setup-windows-10-firewall-l2tp.html

0

I had this same problem. "PCs not connecting with L2TP but all portable devices connecting"

  • Hilarious (laugh at myself for missing this)...
  • If you have two plus ADS/domains on your LAN, you have to 'regedit' (for the AssumeUDPEncapsulationContextOnSendRule entry) and 'mmc' (for the IP Security Policies on Local Computer entry) on all of those ADS/domains, not just one. The VPN svr might default to any of them at any random time to match the needed IPsec and key information.
  • (Side Note: The PC L2TP worked perfectly at first and stopped working I guess during a VPN Svr reboot during some additional configuring. VPN Svr began to check the other domain Svr and would not work anymore. After the adding of the regedit and mmc it worked.)

This is an old post, but I'm posting because that was the solution to my problem.

Mnixon
  • 1
  • If you don't know about the regedit and mmc config of the L2TP setup for Windows servers, this is a good video to help. Setup is pretty much the same from about Svr 2008R2 to 2016. https://www.youtube.com/watch?v=Xl3BhwLFgB4 – Mnixon Jun 08 '17 at 18:23