Windows 7 IPSec/L2TP VPN connection problem
-
Tuesday, December 08, 2009 7:22 PM
In Windows 7 I have a problem with my L2TP VPN connection, so I will describe the problem.
I build the connection, and in the Security tab I set it to use L2TP and set the pre-shared key (the VPN server uses a pre-shared key for L2TP). Then I try to connect to the VPN server, but nothing happens, and after a moment Error 789 appears. With PPTP the VPN works fine, so I was curious about it and I saw something odd:
When I use PPTP, during the connection attempt in "Control Panel\Network and Internet\Network Connections" I see that the status of the connection is Connecting, but while the L2TP connection is running the status stays Disconnected, as if nothing is happening and I did nothing!!
Microsoft Certified System Engineer 2003
Answers
-
Friday, February 12, 2010 9:50 PM
Well, I don't know what to say, but my problem is weirdly solved!! And I don't have any problem anymore!!
The things that I have done are:
1-In Windows services, check that both "IKE and AuthIP IPSec Keying Modules" and "IPSec Policy Agent" are set to Automatic mode and are started by default
2-Well, I followed this instruction too!! Link to Microsoft Support
3-Updated my router!!
4-Set two firewall rules which allow port 4500 and 500 traffic
I don't know which one of them solved the problem, but I did all of them. To find out which one of them exactly solved the problem, I undid some of them which I had doubts about, like the 2nd and 4th (about the 1st I'm completely sure that it must be OK, and for the 3rd one there is no rollback). I undid both of them, but weirdly L2TP still works fine.
The questions are: if my latest router firmware has trouble with L2TP, then why does it work in Windows XP!??? If the problem is because of the firewall blocking ports, then why after disabling those rules does it work again?!! If the problem is because of the registry key, then why after deleting that does it work?!!
About this problem I really don't have any exactly true answer! But if these things work for you, let the others know.
Thanks
Microsoft Certified System Engineer 2003- Marked As Answer by SAYED MOHAMMAD Thursday, March 17, 2011 8:46 PM
All Replies
-
Wednesday, December 09, 2009 1:12 PM
Any idea or something else? What should I do?
Microsoft Certified System Engineer 2003 -
Thursday, December 10, 2009 9:52 AM
Well, I found something new about this problem!!
I set up a VPN server with Windows Server 2008 R2 (installed Windows Server 2008 R2 in VirtualBox) and used the pre-shared key for the L2TP connection, and it works fine, BUT the difference is in the encryption status: the encryption is "IPSec: AES 128", and in the past when I used Windows XP I remember that the encryption was "IPSec ESP 3DES".
The VPN server is Windows Server 2003, so what should I do to add ESP 3DES in Windows 7 or add AES 128 in Windows Server 2003?
By the way, I think the primary problem is with integrity during IPSec, because the problem occurs before the session is opened.
I am completely confused, please help me :(
Microsoft Certified System Engineer 2003 -
Thursday, December 10, 2009 10:15 AM
Moderator
Maybe the ISAKMP protocol is blocked. This behavior can be caused by a firewall on the computer, in the router, or on the ISP side. You may temporarily disable the firewall. If the issue persists, temporarily bypass the router or disable the firewall on the router. If the issue still occurs, try to connect to the L2TP VPN from another system; if the connection is not established, the most probable cause is the ISP side.
Meantime, please also make sure that the "IPsec Policy Agent" service is enabled.
Arthur Xie - MSFT -
Thursday, December 10, 2009 3:54 PM
Thanks for your reply.
Maybe the ISAKMP protocol is blocked. This behavior can be caused by a firewall on the computer, in the router, or on the ISP side. You may temporarily disable the firewall. If the issue persists, temporarily bypass the router or disable the firewall on the router. If the issue still occurs, try to connect to the L2TP VPN from another system; if the connection is not established, the most probable cause is the ISP side.
Meantime, please also make sure that the "IPsec Policy Agent" service is enabled.
Arthur Xie - MSFT
About the ISAKMP protocol: I disabled my PC firewall but nothing changed, so this is not the answer; and also in the past I was able to connect when I had Windows XP Pro, so the ISP is not the answer.
About the router: my router is a "ZyXel ZyWALL 2 Plus" and I disabled its firewall too, but no difference, and I'm unable to connect. In my point of view the most suspicious thing is the router, but when I think about it I realize that in Windows XP and in Windows 7 XP Mode I'm able to connect!!
The "IPsec Policy Agent" service is enabled and the startup mode is Automatic.
And now the new things that I found out!!
I installed Windows Server 2003 R2 (VirtualBox) and was able to connect to it, and the encryption method is IPSec ESP 3DES!! In my last comment I said that I'm unable to connect to the VPN server because of the encryption method, but after this test, well, this is not the problem.
Please Help me
Microsoft Certified System Engineer 2003 -
Sunday, December 13, 2009 5:52 AM
Well, thanks to all the TechNet forum moderators for helping me!!
Anyway, I think I found the cause of the problem, but I don't know how to fix it.
When I connect to the internet with my broadband connection, the VPN works fine, but when my router connects to the internet and I connect to the internet through it, the problem occurs...
The VPN Server is Microsoft Windows Server 2003 and I'm the administrator of it.
Please help me to solve this problem.... This error isn't just for me.
Thanks a lot
Microsoft Certified System Engineer 2003 -
Monday, December 14, 2009 6:38 AM
Moderator
Does your router have a firewall? You need to change the settings on the router to allow the ISAKMP protocol, UDP port 500. Please refer to the instructions from the router manufacturer, or contact the technical support of the manufacturer.
Arthur Xie - MSFT -
Monday, December 14, 2009 4:21 PM
Does your router have a firewall? You need to change the settings on the router to allow the ISAKMP protocol, UDP port 500. Please refer to the instructions from the router manufacturer, or contact the technical support of the manufacturer.
Arthur Xie - MSFT
Thanks
Well, my router has a firewall and I added a rule which permits LAN-to-WAN traffic over UDP:500, but nothing changed. Then I completely disabled my router firewall and nothing happened again; even when I disabled my Windows firewall, nothing happened again.
The weird part is that the VPN works fine in Windows XP, but since I installed Windows 7 this problem has been occurring, and even in Windows 7 XP Mode the VPN works fine...
Microsoft Certified System Engineer 2003- Proposed As Answer by Routerman Thursday, January 28, 2010 3:54 PM
-
Thursday, January 28, 2010 3:56 PM
I am having the exact same issue. Were you able to find the solution?
-
Friday, January 29, 2010 8:33 AM
When you work with Microsoft XP, Vista, 7, 2003 or 2008 and IPSEC/L2TP behind NAT, then you need to create a registry key. You can find this by a Google search on NAT-Traversal with IPSEC.
And when you are using NAT at the server site, then you have to make an extra port forwarding to your server for UDP 4500. -
Saturday, January 30, 2010 9:47 PM
The problem that you are describing is way old and was solved as of Windows XP SP2. Notice how Sayed and myself don't have this issue in XP; it's on Windows 7.
From taking a sniff I can see that the first IKE packet now includes both the draft RFC for NAT-T as well as RFC 3947; I am pretty sure that is the problem. There has to be some Windows registry setting to change that packet so the process can continue.
So has anyone else encountered this issue?- Marked As Answer by SAYED MOHAMMAD Friday, February 12, 2010 9:24 PM
- Unmarked As Answer by SAYED MOHAMMAD Friday, February 12, 2010 9:24 PM
-
Monday, February 08, 2010 2:31 PM
I have the same problem too. When I want to connect to an L2TP/IPsec VPN (3Com 3CR870-95) with Windows 7, I receive Error 789. I have tried on 3 PCs with Windows 7 with the same result. But on the same Win7 I have XP in VirtualBox. When I connect with this Windows XP, everything works OK.
Has anyone found a solution for Windows 7? -
Wednesday, February 10, 2010 3:44 AM
Did you have any luck HR-Damir? I am having the same problem; XP works fine, Windows 7 doesn't.
-
Thursday, February 11, 2010 7:39 AM
NKumarnz, I didn't have success... I just found that if I use an internal ISDN card to access the internet, then I can connect to the VPN with Windows 7 too. But if I use the ADSL router, then only XP works. So when I have a public IP, W7 works; when I have a private IP, it doesn't.. Maybe somebody has some idea?
-
Thursday, February 11, 2010 9:25 PM
I opened a ticket with Microsoft because I could not find anything. They have been working on it for more than a week and it does not look like they are finding much on it.
I did compare the IKE packets from Windows 7 and Windows XP, and Windows 7 is using the RFC for NAT-T as well as the draft version, but XP only uses the draft version. I am pretty sure that it has to do with that extra information in the IKE packet.
Hope someone can figure this out -
Friday, February 19, 2010 3:48 PM
Sayed and everyone,
I had the same problem; it used to work in XP and Vista but not now in Win7 (with AssumeUDPEncapsulationContextOnSendRule set to 2).
The solution to getting it to work in Win7 is to start the "IKE and AuthIP IPsec Keying Modules" service (which makes perfect sense, since we're doing IPSec). Oddly enough, the IPSec Policy Agent service itself does not need to be started; on my system it is set to manual start and it does not even start when connecting over L2TP.
So, bottom line: for L2TP to work when both client & server (Windows 2003) are behind NAT:
1. Set AssumeUDPEncap... to 2 on both client & server
2. Start IKE... service on client
3. Make sure UDP ports 500 and 4500 are NATted from the firewall to the server
4. On client create the L2TP connection, use the proper Preshared key defined on the server
Works like a charm.- Proposed As Answer by msaumatsmi Monday, May 16, 2011 12:53 PM
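An added example, not from any post in this thread, that audits and applies the client-side items of the list above on a Windows 7 client from an elevated PowerShell prompt: the two IPsec services, the AssumeUDPEncapsulationContextOnSendRule value named above, and host-firewall rules for UDP 500 and 4500. The service names IKEEXT and PolicyAgent and the value's location under the PolicyAgent service key are the standard Windows ones and are not quoted on the page; the router-side NAT rules of step 3 still have to be configured on the router itself.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# Windows 7 client. Service names (IKEEXT, PolicyAgent) and the registry location
# of the NAT-T value are the standard Windows ones; they are not quoted on the page.

# Step 2 of the list above: both IPsec services set to Automatic and running.
# IKEEXT      = "IKE and AuthIP IPsec Keying Modules"
# PolicyAgent = "IPsec Policy Agent"
foreach ($name in 'IKEEXT', 'PolicyAgent') {
    $svc  = Get-Service -Name $name
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    Write-Host ("{0,-12} status={1,-8} startmode={2}" -f $name, $svc.Status, $mode)
    if ($mode -ne 'Auto') { Set-Service -Name $name -StartupType Automatic }
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
}

# Step 1: the NAT-T registry value. 2 = allow both client and server behind NAT.
# A new or changed value only takes effect after a reboot.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$val = 'AssumeUDPEncapsulationContextOnSendRule'
$cur = (Get-ItemProperty -Path $key -Name $val -ErrorAction SilentlyContinue).$val
if ($cur -ne 2) {
    New-ItemProperty -Path $key -Name $val -Value 2 -PropertyType DWord -Force | Out-Null
    Write-Host "$val set to 2 (was '$cur'); reboot before testing"
} else {
    Write-Host "$val is already 2"
}

# Host firewall: allow outbound UDP 500 (ISAKMP) and 4500 (NAT-T) so the Windows
# firewall is ruled out. The router's own NAT/firewall rules (step 3) are separate.
foreach ($port in 500, 4500) {
    $rule  = "L2TP-IPsec UDP $port out"
    $shown = netsh advfirewall firewall show rule name="$rule" 2>&1
    if (-not ($shown | Select-String -Quiet 'Rule Name')) {
        netsh advfirewall firewall add rule name="$rule" dir=out action=allow protocol=UDP remoteport=$port | Out-Null
        Write-Host "added host firewall rule: $rule"
    }
}
```

Run it once, reboot if the registry value was changed, then retry the L2TP connection; the printed service and registry state is what to compare against a working XP client.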
-
Tuesday, January 11, 2011 7:38 AM
Thanks for posting this. I was having the same issue and your Step 1 fixed my problem. I had installed the NCP VPN client, which disabled "IKE and AuthIP IPSec Keying Modules" and "IPSec Policy Agent". Once I set the mode to "Automatic", it worked!
-
Friday, January 21, 2011 8:19 PM
Gelfer,
I noticed that adding the registry setting as described in step 1 is "Not Recommended" on Windows 2003 RRAS, so I am hesitant to try it on an RRAS server that works for PPTP connections. Will this affect them? Do I have to restart the server or the RRAS service?
My story is simple. I have users who are using the 3G Aircards from Verizon and connecting fine to my PPTP ports. One day, we received 4G Verizon cards and all was well in late November and December of last year, until just recently someone couldn't connect to our VPN anymore. Two days ago, I called Verizon. There apparently is a known issue with their 4G environment that is causing these PPTP VPNs to fail. They are "working on it". In the meantime, I thought I would try to use the available L2TP ports. They didn't say L2TP was NOT working. I have tried many things to make this work with no luck...
-
Friday, January 21, 2011 9:21 PM
Did you apply step one to the server as well? 2003 RRAS?
-
Thursday, March 17, 2011 9:57 PM
My story is simple. I have users who are using the 3G Aircards from Verizon and connecting fine to my PPTP ports. One day, we received 4G Verizon cards and all was well in late November and December of last year, until just recently someone couldn't connect to our VPN anymore. Two days ago, I called Verizon. There apparently is a known issue with their 4G environment that is causing these PPTP VPNs to fail. They are "working on it". In the meantime, I thought I would try to use the available L2TP ports. They didn't say L2TP was NOT working. I have tried many things to make this work with no luck...
If it was your problem, try to use OpenVPN (it's not a Microsoft-based VPN server and client, and both are free). I think that will work for you (I'm not so sure); worth a shot!
BTW, both me and my VPN server (2008 R2) are behind separate NATs, and I tried to plan this:
Me(Home) <<----->> NAT <<----->> Internet <<----->> NAT <<----->> VPN Server(Work)
But for me it didn't work.
Things that I did are:
- Did this on both client and server: Link to Microsoft Support
- Allowed UDP:500 and UDP:4500 ports in both NATs (routers with firewall)
- Port forwarded the L2TP port, which is 1701, on both NATs
- My home NAT device does not have L2TP pass-through but the work one has, so I allowed it only on the work NAT device
It did not work for me, but I must tell you PPTP is still working.
Microsoft Certified System Engineer 2003- Proposed As Answer by Peter True Friday, May 13, 2011 10:37 PM
- Unproposed As Answer by Peter True Friday, May 13, 2011 10:38 PM
- Proposed As Answer by msaumatsmi Monday, May 16, 2011 12:53 PM
-
Tuesday, August 09, 2011 10:40 PM
Change your IPSec (phase 2) hash to use SHA instead of MD5.
-
Friday, December 23, 2011 10:01 AM
By enabling the IKE and AuthIP IPsec Keying Modules and IPSec Policy Agent services, you can successfully log in to the VPN server without any L2TP and PPTP error.
- Edited by mikehudson5123 Friday, December 23, 2011 10:01 AM