Cannot Connect to L2TP VPN (Preshared Key); Error 20192 on Server

    Question

  • I've been trying to set up an L2TP VPN server using a Preshared Key (PSK) on a Windows Server 2003 workgroup-based server. The router has the appropriate ports forwarded. I can see using the Microsoft Network Monitor utility that both UDP Ports 500 and 4500 are making it through to the server, but my client computer (Windows 7) fails to connect.

    While trying to figure out what's wrong, I noticed the following error in the Event Viewer on the server:

    Event Type: Warning
    Event Source: RemoteAccess
    Event Category: None
    Event ID: 20192
    Date: 6/9/2012
    Time: 2:25:49 PM
    User: N/A
    Computer: [ServerNameHere]
    Description:
    A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.

    Oddly enough, searching on multiple search engines and forums, I can't seem to find an explanation of what this error means and how to resolve it. This definitely wasn't mentioned in the support articles on Microsoft's web site on setting up an L2TP VPN server; they don't mention anything about certificates.

    Just to note, PPTP connections to the server are currently working fine.

    Can anyone provide some insight on this error and how it can be resolved? Thank you.

    (Yes, I know. Certificate-based is better than Preshared Key, but I gotta work within the means I've been given, so Preshared Key it is.)


    - Travis Tubbs travis@travistubbs.net http://travistubbs.net

    Sunday, June 10, 2012 7:10 PM

Answers

All replies

  • Hi,

    In order to troubleshoot, please post the full error message on the Win 7 computer when the client is trying to establish the VPN connection. I know the pre-shared key method is being used. Please make sure the same PSK is configured on the client and the VPN server.

    As for the warning message showing up, it indicates that a computer certificate required for IPsec is not available. If you do not use certificate-based L2TP/IPsec, you can ignore this error.

    Event ID 20192 — RRAS IPsec Configuration

    http://technet.microsoft.com/en-us/library/dd349018(v=ws.10).aspx

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Monday, June 11, 2012 7:54 AM
    Moderator
  • Oops. Guess the client-side errors would be a bit of help too, eh? Here are the various messages showing up on the event log on the client. (Computer names, destinations, etc. masked.)

    Log Name:      Application
    Source:        RasClient
    Date:          6/9/2012 2:13:59 PM
    Event ID:      20221
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      [ComputerName]
    Description:
    CoId={AE656CF4-7965-4BE7-A3BB-E9ACB0D2D9D7}: The user [ComputerName]\[Username] has started dialing a VPN connection using a per-user connection profile named [ConnectionName]. The connection settings are: 
    Dial-in User = [RemoteUsername]
    VpnStrategy = L2TP
    DataEncryption = Require
    PrerequisiteEntry = 
    AutoLogon = No
    UseRasCredentials = Yes
    Authentication Type = CHAP/MS-CHAPv2 
    Ipv4DefaultGateway = No
    Ipv4AddressAssignment = By Server
    Ipv4DNSServerAssignment = By Server
    Ipv6DefaultGateway = Yes
    Ipv6AddressAssignment = By Server
    Ipv6DNSServerAssignment = By Server
    IpDnsFlags = 
    IpNBTEnabled = Yes
    UseFlags = Private Connection
    ConnectOnWinlogon = No
    IPsec authentication for L2TP = Pre-shared key.

    -

    Log Name:      Application
    Source:        RasClient
    Date:          6/9/2012 2:13:59 PM
    Event ID:      20222
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      [ComputerName]
    Description:
    CoId={AE656CF4-7965-4BE7-A3BB-E9ACB0D2D9D7}: The user [ComputerName]\[Username] is trying to establish a link to the Remote Access Server for the connection named [ConnectionName] using the following device: 
    Server address/Phone Number = ***.***.***.***
    Device = WAN Miniport (L2TP)
    Port = VPN2-2
    MediaType = VPN

    -

    Log Name:      Application
    Source:        RasClient
    Date:          6/11/2012 9:45:24 AM
    Event ID:      20227
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      [ComputerName]
    Description:
    CoId={55179172-1727-49B8-BA58-C27949158C9A}: The user [ComputerName]\[Username] dialed a connection named [ConnectionName] which has failed. The error code returned on failure is 809.

    -

    Upon reading up on Error 809, there appears to be a change in the Windows Registry I need to make (http://support.microsoft.com/kb/926179/). I turned off the PSK temporarily on the server (since I was testing with a very simple key), and since setting it again requires restarting RRAS, I'll follow up tonight, hopefully, to let you know if this helped or not.

    • Edited by Travis Allen Tubbs Monday, June 11, 2012 3:20 PM Clean up line breaks between log details
    Monday, June 11, 2012 3:18 PM
  • Hi,

    How are things going? I just want to check the status of the issue. In addition, you may check the following article to troubleshoot this issue.

    Troubleshooting common VPN related errors

    http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Thursday, June 14, 2012 1:35 AM
    Moderator
  • Sorry about the lack of an update.

    Turns out the registry changes were needed to resolve the problem as both the server and client are behind a router and use NAT. Kind of annoying this isn't noted when setting up the VPN on the server or in the articles telling you how to set it up. Even more annoying since other non-Microsoft OSes have no problem with this.

    Either way, all is good for now as I test everything and make sure it's nice and stable. Thanks for helping me think this out.


    - Travis Tubbs travis@travistubbs.net http://travistubbs.net

    Thursday, June 14, 2012 1:45 AM
  • Could you share with us what registry changes are needed on the server side?

    I found out about the client but didn't know I had to change the server... Still struggling...

    Thursday, June 14, 2012 9:54 PM
  • For some reason (I suspect MS12-034 updates) my UDP encapsulation setting in the registry disappeared and the server was unable to understand the UDP packets that it was receiving to establish the connection.

    All working now.

    Thursday, June 14, 2012 10:50 PM
  • I didn't mean to imply I made registry changes on the server. Here's a quick rundown of everything I did.

    1. On the office network, forwarded UDP Ports 500, 1701, and 4500 to the VPN Server on the office router.
    2. Set up Routing and Remote Access on Windows Server 2003. (see http://support.microsoft.com/kb/323441)
    3. Enabled custom IPSec policy for L2TP connections on the VPN server and typed in a pre-shared key. (see http://support.microsoft.com/kb/324258)
    4. Although possibly not necessary, restarted the Routing and Remote Access service.

    At this point, nothing else needs to be done on non-Microsoft operating systems. Windows XP and higher (including Windows 8) need a little more convincing though.

    5. Edit the registry on Windows clients to allow access to an L2TP/IPsec server behind NAT-T devices. (see http://support.microsoft.com/kb/926179/)
    6. Restart Windows.

    As both my home computer and server are behind a router that uses NAT, I had to set the value of the AssumeUDPEncapsulationContextOnSendRule key to 2.


    - Travis Tubbs travis@travistubbs.net http://travistubbs.net

    Friday, June 15, 2012 1:01 AM
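A small PowerShell helper, added here and not part of the thread, that checks and sets the client-side value Travis describes in step 5; the registry path and the meaning of each value are those documented in KB 926179 (linked above), and the function names are my own. It assumes an elevated session on a Windows Vista/7-era client and still needs the reboot from step 6 afterwards.

```powershell
# Added example (not from the thread): inspect and, if needed, set the NAT-T
# registry value for L2TP/IPsec clients behind NAT. Key path and value meanings
# follow Microsoft KB 926179; the script itself is a hypothetical helper.
# Run elevated; a reboot is still required for the change to take effect.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of each value per KB 926179.
$Meanings = @{
    0 = 'Default: no NAT-T to a server behind NAT (L2TP/IPsec fails with 809).'
    1 = 'Server is behind a NAT device.'
    2 = 'Both client and server are behind NAT devices.'
}

function Get-NatTRule {
    # Returns the current DWORD, or $null when the value is absent
    # (an absent value behaves like 0 according to KB 926179).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-NatTRule {
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

$current = Get-NatTRule
if ($null -eq $current) {
    Write-Host "$ValueName is not set (treated as 0: $($Meanings[0]))"
} else {
    Write-Host "$ValueName = $current ($($Meanings[$current]))"
}

# Travis's topology: client and server both behind NAT, so the value must be 2.
$Desired = 2
if ($current -ne $Desired) {
    Set-NatTRule -Value $Desired
    Write-Host "Set $ValueName to $Desired. Reboot the client before retrying the VPN."
} else {
    Write-Host 'Already configured for double NAT; no change made.'
}
```

Re-run the script after the reboot to confirm the value survived, which also catches the case in the thread where an update appeared to remove it.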