L2TP VPN Setup in Windows Server 2008 R2

  • Question

  • Ok, so I've been struggling with this for 2 days so far and nothing I've found on the forum so far has quite answered my question.

    I am currently running a Windows Server 2008 R2 box which requires 5 devices to connect to it.

    I set up, prior to now, a PPTP VPN into the server which was working perfectly fine.

    Now, with our team recently having acquired Apple- and Android-based mobile devices for remote working that are notoriously unhappy with PPTP connections, I decided to change the config to L2TP, which is more secure anyway and the mobile devices are happier with.

    This is where my problems started.

    I had no issues with the setup and changing the RRAS policy to L2TP/IPSEC and defining a pre-shared key.

    I ensured the firewall was set up to allow inbound connections on Ports: 1701, UDP 500 & UDP 4500 (for NAT-T).

    I then set up the same port forwarding on the router for the server's IP address.

    I checked the services for the IKE and AuthIP IPSEC Keyring Module service & IPSEC Policy Agent to ensure they were started, then set to automatic.

    I then added the NAT-T registry fix as our server is behind a NAT-based router.

    None of this works. When connecting on Windows 7 and Vista machines I get:

    "Error 789 - The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

    When trying to connect with a Mac, iPhone, iPad or Android phone I get:

    Unsuccessful or Error the L2TP VPN Server did not respond. 

    I am quite fed up with this now as none of the prior suggestions seem to have worked but with the nature of the devices we are using I can't switch back to PPTP. Also to note though is that now PPTP does not work either even though I have not removed any of the settings or closed the ports on the server or router that it uses.

    Can anyone shed some light on this?

    Sunday, April 22, 2012 8:01 PM
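
The local checks listed in the question above (services, NAT-T registry value, UDP listeners), collected into one script. This is an added example, not part of the original thread; the service short names `IKEEXT`, `PolicyAgent` and `RemoteAccess` and the registry value name `AssumeUDPEncapsulationContextOnSendRule` are not given in the thread and are assumed to be the standard Windows names for what the poster describes.

```powershell
# Added diagnostic example; run from an elevated PowerShell prompt on the RRAS server.
# Assumptions (not from the thread): service short names and the registry value name.
function Test-L2tpServerPrereqs {
    $findings = @()

    # 1. IKE/AuthIP keying modules, IPsec Policy Agent and RRAS itself
    #    must be running and set to start automatically.
    foreach ($name in 'IKEEXT', 'PolicyAgent', 'RemoteAccess') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            $findings += "Service $name not found"
        } elseif ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
            $findings += "Service $name is $($svc.State), start mode $($svc.StartMode)"
        }
    }

    # 2. NAT-T registry value: 1 = server behind NAT, 2 = server and clients behind NAT.
    #    A missing value or 0 is the default (no NAT-T to a server behind NAT).
    #    A change to this value takes effect only after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
    if ((1, 2) -notcontains $val) {
        $findings += "NAT-T registry value is missing or 0 under $key"
    }

    # 3. Something must be listening locally on UDP 500 (IKE), 4500 (NAT-T) and 1701 (L2TP).
    $listening = @(netstat -ano -p udp | ForEach-Object {
        if ($_ -match '^\s*UDP\s+\S+:(\d+)\s') { [int]$Matches[1] }
    })
    foreach ($port in 500, 4500, 1701) {
        if ($listening -notcontains $port) {
            $findings += "Nothing is listening on UDP $port"
        }
    }

    return $findings
}

$result = Test-L2tpServerPrereqs
if ($result) { $result } else { 'All local prerequisites present' }
```

A clean result only covers the server itself; the router's port forwarding and the name the clients connect to still have to be verified from outside the network.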


All replies

  • Perhaps a simple question... have you restarted the ras service after the changes?

    Do you have any errors in your logs? Also check out this article, maybe you missed something...

    MCTS - Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/

    Sunday, April 22, 2012 8:48 PM
  • Hi Marius

    Thanks for the swift response.

    I did indeed restart the service to no avail.

    Went through the article, and I didn't add the DHCP pool which specifies IPs outside of my router range. 

    I then added the server's IP address as the hostname and it worked fine on all devices. 

    But obviously this doesn't help as I need access outside my network. When entering my dynamic DNS hostname (Kail.dydns.org) none of the client computers accept it. 

    Sunday, April 22, 2012 10:39 PM
  • Hi,

    Thanks for posting here.

    So it works after we specified the address assignment settings for incoming VPN connections? Will the VPN client obtain a private address from the address range we specified on RRAS after the tunnel has been established? Am I correct?

    If so, this is basically a routing issue and can be resolved by updating the routing table on the client after the tunnel is created.

    IP Address Assignment


    Cannot reach beyond the RRAS server from VPN clients?


    Split Tunneling for Concurrent Access to the Internet and an Intranet



    Tiger Li

    TechNet Community Support

    Tuesday, April 24, 2012 8:37 AM
  • What happened then? Was the problem resolved?
    Wednesday, March 20, 2013 6:17 AM
  • Hi sir

    I have configured VPN on my Windows Server 2012 R2. That was working fine but now it's getting error 807. I have been trying for two days but nothing works. Kindly, can anybody help me to solve my issue?

    Wednesday, May 17, 2017 7:25 AM