Not able to connect L2TP/IPsec connection - Need support

  • Question

  • Hello Team

    I am trying to connect to my office VPN using the L2TP/IPsec WAN mini adaptor, but I am not able to connect and I am getting error 789.

    I ran a debug on my office VPN router, but I am unable to identify the ISAKMP and IPsec parameters generated by my laptop, due to which my VPN is not working.

    I kindly request you to provide me the exact parameters or values for the ISAKMP profile and IPsec policy on my Windows 8.1 system.

    If you need any additional details, please reach me by mail.

    Tuesday, March 12, 2019 7:46 PM

All replies

  • Hi,

    Is your VPN client behind NAT?

    Please refer to the link below:

    https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows

    http://woshub.com/l2tp-ipsec-vpn-server-behind/  

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 13, 2019 3:26 AM
    Moderator
  • Hello Team

    Yes.

    Basically my net connection is 4G Airtel dongle, so my outgoing public IP is NATed IP.

    On my remote end router I am receiving the ISAKMP/IPsec requests from my NATed public IP, but they are not matching, due to which my tunnel is not getting established.

    I need your help to provide me the ISAKMP/IPsec policy / profile values generated from my Windows 8.1 OS on my laptop. I will match those values on my router and it will help to fix the issue.

    Please refer to a few logs from my router.

    Mar 12 18:49:03.213 UTC: ISAKMP-PAK: (0):received packet from 106.220.187.61 dport 500 sport 19158 Global (N) NEW SA
    Mar 12 18:49:03.213 UTC: ISAKMP: (0):Created a peer struct for 106.220.187.61, peer port 19158
    Mar 12 18:49:03.213 UTC: ISAKMP: (0):New peer created peer = 0x7FE84CD94050 peer_handle = 0x80034E41
    Mar 12 18:49:03.213 UTC: ISAKMP: (0):Locking peer struct 0x7FE84CD94050, refcount 1 for crypto_isakmp_process_block
    Mar 12 18:49:03.213 UTC: ISAKMP: (0):local port 500, remote port 19158
    Mar 12 18:49:03.213 UTC: ISAKMP: (0):insert sa successfully sa = 7FE85547C7D8
    Mar 12 18:49:03.213 UTC: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar 12 18:49:03.213 UTC: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):found peer pre-shared key matching 106.220.187.61
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):local preshared key found
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 106.220.187.61)
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 106.220.187.61)
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):      encryption AES-CBC
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):      keylength of 256
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):      hash SHA
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):      default group 20
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):      auth pre-share
    Mar 12 18:49:03.214 UTC: ISAKMP: (0):      life type in seconds
    Mar 12 18:49:03.214 UTC: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
    Mar 12 18:49:03.214 UTC: ISAKMP-ERROR: (0):Authentication method offered does not match policy!

    Wednesday, March 13, 2019 8:39 AM
  • Hi,

    Mar 12 18:49:03.214 UTC: ISAKMP-ERROR: (0):Authentication method offered does not match policy!

    From the logs above, we can see that the first step, the pre-shared key, is completed, but the authentication method does not match.

    So, please check the authentication method on the client and the server.

    Best regards,

    Travis



    Thursday, March 14, 2019 9:32 AM
    Moderator
  • Thanks Travis

    Actually I tried all Microsoft authentication protocols, but nothing is working. It would be good if you could share with me the exact values for the ISAKMP and IPsec profiles generated from my system. I will match them on my remote end router. This will help to fix the issue.

    -----Example----

    ISAKMP policy
    crypto isakmp policy 23
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

    IPsec profile
    ESP-3DES-SHA1 or ESP-AES256-SHA1 or ESP-AES128-SHA1

    Thursday, March 14, 2019 10:39 AM
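
An added example, not written by anyone in this thread: a small Python parser that reads the offered ISAKMP transform out of the router debug posted above and compares it with the example policy values from the post above. The names `parse_offers` and `differences` are illustrative, and the policy dictionary holds the poster's example values, not the router's actual configuration.

```python
import re

# Added example; names are illustrative. Lines copied from the router debug posted in this thread.
DEBUG = """\
Mar 12 18:49:03.214 UTC: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
Mar 12 18:49:03.214 UTC: ISAKMP: (0):      encryption AES-CBC
Mar 12 18:49:03.214 UTC: ISAKMP: (0):      keylength of 256
Mar 12 18:49:03.214 UTC: ISAKMP: (0):      hash SHA
Mar 12 18:49:03.214 UTC: ISAKMP: (0):      default group 20
Mar 12 18:49:03.214 UTC: ISAKMP: (0):      auth pre-share
Mar 12 18:49:03.214 UTC: ISAKMP: (0):      life type in seconds
Mar 12 18:49:03.214 UTC: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
Mar 12 18:49:03.214 UTC: ISAKMP-ERROR: (0):Authentication method offered does not match policy!
"""

# Assumption: the example values from the post above, not the router's real policy.
EXAMPLE_POLICY = {"auth": "pre-share", "encryption": "3des", "hash": "sha", "group": 2}

LINE = re.compile(r"ISAKMP[\w-]*:\s*(?:\(\d+\):)?\s*(.*)$")
START = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")

def parse_offers(text):
    """Return one dict per 'Checking ISAKMP transform' block in the debug text."""
    offers, cur = [], None
    for line in text.splitlines():
        m = LINE.search(line)
        body = m.group(1).strip() if m else ""
        start = START.match(body)
        if start:
            cur = {"transform": int(start.group(1)), "priority": int(start.group(2))}
            offers.append(cur)
        elif cur is None:
            continue  # lines before the first transform block
        elif body.startswith(("encryption ", "hash ", "auth ")):
            key, value = body.split(None, 1)
            cur[key] = value.lower()
        elif body.startswith(("keylength of ", "default group ")):
            cur["keylength" if body.startswith("key") else "group"] = int(body.split()[-1])
        elif body.startswith("life duration"):
            # The VPI value is printed as big-endian octets, e.g. 0x0 0x0 0x70 0x80.
            octets = [int(o, 16) for o in re.findall(r"0x[0-9A-Fa-f]+", body)]
            cur["lifetime"] = int.from_bytes(bytes(octets), "big")
        elif "does not match policy" in body:
            cur["verdict"] = body
    return offers

def differences(offer, policy):
    # Attribute -> (offered, policy) for every policy value the offer does not equal.
    return {k: (offer.get(k), v) for k, v in policy.items() if offer.get(k) != v}
```

Run against the posted lines, the one transform shown offers AES-CBC 256, SHA, group 20 and pre-share with a 28800-second lifetime, so against the example policy it differs in encryption and group while hash and authentication are the same.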
  • Hi,

    Sorry, I don't have a VPN router, and my VPN server is RRAS.

    RRAS server by default adds the IPsec policy to accept connections for all encryption algorithms (i.e. AES 256, AES 128, 3DES).

    Best regards,

    Travis



    Friday, March 15, 2019 8:31 AM
    Moderator
  • Hi,

    Make sure that these 2 services are started:

    “IKE and AuthIP IPsec Keying Modules” and “IPsec Policy Agent”

    Please refer to the link below:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee922683(v=ws.10)

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733289(v=ws.10)

    Best regards,

    Travis



    Thursday, March 21, 2019 6:28 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Wednesday, March 27, 2019 6:34 AM
    Moderator