L2TP (W2012 R2) working with LTE connections but not from (any) standard home connections

  • Question

  • Hi there,

    I've been struggling for two days now. I set up an L2TP VPN server on Windows Server 2012 R2. Everything works fine: I can connect from within the LAN, and I can connect with my iPhone after forwarding UDP ports 500 and 4500 to the server's IP address and allowing port 1701 in Windows Firewall on the server.

    Now, I can't connect when using a standard home internet connection. It sits there for a while and eventually returns an error. I originally thought it was a specific ISP not allowing it, then I tried 3 more home connections and noticed that the issue was the same with every one of them. Fun fact: it works when I'm using a phone as a hotspot connected to my Win 10 machine.

    The issue happens on Win 10 (latest release, tried 3 machines with 3 different ISPs) and Win 7 (tried 2 different machines with 2 different ISPs). Why would the hotspot let me connect whilst the other one doesn't?? I don't get it.

    The VPN server is behind NAT-T, so I applied the registry fix to all machines (and rebooted, like 300 times) and also applied a hotfix on one of the Win 7 machines. Nothing, it just doesn't want to work!

    Forwarding port 1701 at the router level to the internal network also doesn't work. I'm probably still stuck trying to understand why LTE connections work.

    This is a test project, so nothing to worry about, but after 2 days of googling like an idiot I'm hoping to get some guidance from you guys. Here's the current configuration for the VPN server's network:
    ISP Router >> Forwarding all traffic to a Sitecom Router >> Forwarding UDP 500 and 4500 to the W2k12R2 server's IP
    The server is running on a Windows 10 Pro hypervisor (the virtual switch shares the only available NIC).

    Thank you!
    S


    Friday, 23 September 2016 21:33
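Added example, not part of the thread: a PowerShell check to run on the RRAS server itself that confirms the three UDP ports the setup above depends on (500 for IKE, 4500 for IPsec NAT-T, 1701 for L2TP) are actually bound and covered by an enabled inbound Windows Firewall allow rule. It uses only the NetTCPIP and NetSecurity cmdlets that ship with Windows Server 2012 R2; the function name and its `$Ports` parameter are this example's own.

```powershell
# Added example, not code from the thread. Run elevated on the Windows Server 2012 R2 RRAS host.
# Reports, for each UDP port L2TP/IPsec needs, whether a socket is bound and which enabled
# inbound firewall rule allows it. Port ranges in rules (e.g. "500-510") are not expanded.

function Test-L2tpServerPorts {
    param([int[]]$Ports = @(500, 4500, 1701))   # IKE, IPsec NAT-T, L2TP

    # 1. Bound sockets: IKEEXT owns 500/4500, RasMan owns 1701 once RRAS is running.
    $bound  = Get-NetUDPEndpoint | Where-Object { $Ports -contains $_.LocalPort }
    $listen = foreach ($p in $Ports) {
        $hit = @($bound | Where-Object { $_.LocalPort -eq $p })
        [pscustomobject]@{
            Port  = $p
            Bound = ($hit.Count -gt 0)
            On    = if ($hit) { ($hit.LocalAddress | Sort-Object -Unique) -join ', ' } else { '-' }
        }
    }

    # 2. Enabled inbound allow rules whose port filter is UDP and lists the port (or Any).
    #    The rule's Profile matters: a rule scoped to Domain only does nothing on a Public NIC.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    $allow = foreach ($rule in $rules) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'UDP') { continue }
        $lp = @($pf.LocalPort)
        foreach ($p in $Ports) {
            if ($lp -contains 'Any' -or $lp -contains "$p") {
                [pscustomobject]@{ Port = $p; Rule = $rule.DisplayName; Profile = $rule.Profile }
            }
        }
    }

    foreach ($l in $listen) {
        $r = @($allow | Where-Object { $_.Port -eq $l.Port })
        [pscustomobject]@{
            Port      = $l.Port
            Bound     = $l.Bound
            BoundOn   = $l.On
            AllowedBy = if ($r) { ($r | ForEach-Object { "$($_.Rule) [$($_.Profile)]" }) -join '; ' }
                        else    { 'NO enabled inbound allow rule' }
        }
    }
}

Test-L2tpServerPorts | Format-Table -AutoSize
```

A port that shows `Bound = False` means the service is not listening regardless of what the routers forward; a port that is bound but has no allow rule for the profile the server's NIC is in (Public, when the NIC sits on a shared Hyper-V virtual switch as described above) is dropped by the host firewall before RRAS ever sees it.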

Answers

  • Hi Simone,

    >> The issue happens on Win 10 (latest release, tried 3 machines with 3 different ISPs) and Win 7 (tried 2 different machines with 2 different ISPs)

    On the VPN server, is there any error message on the client or the server when Win 10 does not connect?

    Have you configured an NPS server? Which conditions have you configured?

    Please refer to the link below to troubleshoot the issue:

    How to troubleshoot a Microsoft L2TP/IPSec virtual private network client connection

    https://support.microsoft.com/en-us/kb/325034

    Best Regards

    John


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by John Lii, Wednesday, 12 October 2016 09:35
    • Marked as answer by Leo Han (Moderator), Thursday, 13 October 2016 08:43
    Monday, 26 September 2016 08:01

All replies

  • Hi John,

    Thanks for replying. Note that this works when all of the machines I tested with are connected through an iPhone functioning as a hotspot.

    HERE's what I've done to configure it.

    NPS wasn't configured; I'm allowing users via the server's local users, as this is a test environment. I did configure logging on the VPN server but don't see anything besides the clients (like my phone) that are able to connect.

    Cheers

    Monday, 26 September 2016 14:05
  • I made some progress. Here are the details:

    • Used Wireshark to capture the traffic when on LTE and when connected through an ISP. I can see that when on LTE, port 1701 isn't even used, whilst with the ISP it tries and tries to talk to the VPN server on 1701.
    • Used Wireshark on the actual VPN server and I see the same: only a few 1701 connection attempts being made. Since I could see traffic coming in, I went ahead with the next step.
    • Enabled advanced logging with:
    auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

    • Now I can see two errors that are logged every time I try the connection from the ISP: Error IDs 4963 and 5152 (4963 first). The first one says "IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected. This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt." (I then see Remote Network Address: the public IP I'm attempting the connection from, and Inbound SA SPI: 0). The second one just tells me that the Windows Filtering Platform has blocked a packet. It tells me the destination port (1701) and the protocol (17, so UDP).
    • I double-checked, and Windows FW is configured to allow port 1701 from ANY connection.
    • I tried allowing more and more just to test, no luck. I even disabled the firewall (but kept the process on) and nothing, 0, niente, nada. Same errors in the Event Viewer.

    I can barely find help online for this, so I'm not sure what more to do than disable the FW completely (which I did) or set up an inbound/outbound rule ANY/ANY (which I also did)! I mean, it works from LTE.. :(


    EDIT: I have V2P'd this VM and am now running it on a physical laptop just to check whether it would change its behaviour (as it was behind Hyper-V before), and nope, same issue.
    Monday, 26 September 2016 18:42
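Added example, not part of the thread: a PowerShell script for the server that reads the two Security-log events the post above describes (4963, "IPsec dropped an inbound clear text packet", logged by the IPsec Driver subcategory, and 5152, "WFP blocked a packet", logged by Filtering Platform Packet Drop, both enabled by the auditpol command above) and pairs each blocked UDP/1701 packet with the IPsec drop for the same remote address, so you can see per client whether L2TP is arriving outside IPsec. The EventData field names used below (SourceAddress, DestPort, Protocol, RemoteAddress, InboundSpi and so on) are taken from the text of these two events as pasted in the thread; if a column comes back empty on your build, compare against `$ev.ToXml()`. The function names and the `-Since`/`-WindowSeconds` parameters are this example's own.

```powershell
# Added example, not code from the thread. Run elevated on the RRAS server after enabling
# the audit subcategories with auditpol (Security log, events 4963 and 5152).

function ConvertFrom-EventData {
    # Flatten an EventRecord's <EventData><Data Name="..."> elements into one object.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $o = [ordered]@{ Time = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in @($x.Event.EventData.Data)) { if ($d) { $o[$d.Name] = $d.'#text' } }
        [pscustomobject]$o
    }
}

function Get-ClearTextL2tpDrops {
    param([datetime]$Since = (Get-Date).AddHours(-1), [int]$WindowSeconds = 2)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4963, 5152; StartTime = $Since } `
                           -ErrorAction SilentlyContinue | ConvertFrom-EventData

    # 5152: inbound UDP (protocol 17) to the L2TP port.  4963: peer address and the SPI (0 = no SA).
    $l2tp  = @($events | Where-Object { $_.Id -eq 5152 -and $_.Protocol -eq '17' -and $_.DestPort -eq '1701' })
    $ipsec = @($events | Where-Object { $_.Id -eq 4963 })

    foreach ($d in $l2tp) {
        # The 4963 for the same packet is logged just before the 5152, from the same remote host.
        $m = $ipsec | Where-Object {
                 $_.RemoteAddress -eq $d.SourceAddress -and
                 [math]::Abs(($_.Time - $d.Time).TotalSeconds) -le $WindowSeconds
             } | Select-Object -First 1
        [pscustomobject]@{
            Time       = $d.Time
            Client     = "$($d.SourceAddress):$($d.SourcePort)"
            Server     = "$($d.DestAddress):$($d.DestPort)"
            FilterRTID = $d.FilterRTID
            IPsecSPI   = if ($m) { $m.InboundSpi } else { '(no 4963 within window)' }
        }
    }
}

# Per-client summary. A steady stream of SPI-0 drops from one public IP is the
# "client sends L2TP outside IPsec" pattern; no rows at all means the packets never arrive.
Get-ClearTextL2tpDrops |
    Group-Object { $_.Client.Split(':')[0] } |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count,
                  @{ n = 'First';  e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
                  @{ n = 'Last';   e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

The FilterRTID column is the WFP filter that did the blocking; it can be looked up in the filters.xml that `netsh wfp show filters` writes, which tells you whether the drop came from a firewall rule or from the IPsec "secure packets only" filter, a distinction that disabling Windows Firewall alone does not settle.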
  • Hi Simone,

    >> NPS wasn't configured,

    Clients will not connect to the VPN server if NPS has not been configured on the VPN server.

    Please right-click Remote Access Logging in the VPN manager and click Launch NPS.

    In the Network Policy Server window, right-click Network Policies and then click New.

    Please refer to the pictures below to configure the NPS policy.

    Best Regards

    John



    Tuesday, 27 September 2016 05:58
  • Hi John,

    It doesn't work either, same error. Note also that without NPS, from an iPhone used as a hotspot, from the iPhone itself, or on the LAN, I'm able to connect based on who has Dial-In permissions. The error is the same, unfortunately.

    Thanks

    Tuesday, 27 September 2016 12:00
  • Hi Simone,

    On the client, is there any error code?

    >> it works when I'm using a phone as a hotspot connected to my Win 10 machine.

    By default, a Windows client does not connect to a VPN server that is behind a NAT device.

    Have you created the new registry key AssumeUDPEncapsulationContextOnSendRule under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec?

    Please refer to the link below for troubleshooting:

    How to troubleshoot a Microsoft L2TP/IPSec virtual private network client connection

    https://support.microsoft.com/en-sg/kb/325034

    Best Regards

    John



    Thursday, 29 September 2016 02:43
  • No, John. If you read above, I stated that the same Windows client can connect to the L2TP VPN when using an iPhone as a hotspot.
    I also mentioned the registry change (by the way, the key you posted applies to XP).

    So I rebuilt it, this time with 2k8r2, and I've got the same issue. However, I tried configuring it with PPTP just to make sure it worked, and it did.

    The rest is the same: it works from the iPhone or from an iPhone hotspot and nothing more. When using a standard internet connection to connect to it I just get an error in the Application log, which is:

    CoId={1D946F12-BE43-48E5-919B-D080D946F671}: The user XXX\yyyy dialed a connection named VPN Connection which has failed. The error code returned on failure is 809.

    Before failing I see this:

    CoId={B14510FD-8001-430E-815E-32353894EF63}: The user machinename\username is trying to establish a link to the Remote Access Server for the connection named VPN Connection using the following device: 
    Server address/Phone Number = VPN_PUBLIC_IP
    Device = WAN Miniport (L2TP)
    Port = VPN2-1
    MediaType = VPN.

    On the server side I get ID 4963:

    IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected.  This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

    Remote Network Address: PUBLIC_IP_OF_REMOTE_CLIENT
    Inbound SA SPI: 0

    And right after ID 5152:

    The Windows Filtering Platform has blocked a packet.

    Application Information:
    Process ID: 0
    Application Name: -

    Network Information:
    Direction: Inbound
    Source Address: PUBLIC_IP_CLIENT
    Source Port: 1701
    Destination Address: 192.168.0.7
    Destination Port: 1701
    Protocol: 17

    Filter Information:
    Filter Run-Time ID: 67006
    Layer Name: Transport
    Layer Run-Time ID: 12

    Furthermore, if I run Wireshark and filter on the public IP of the remote client as source or destination, I get just a few L2TP attempts:

    Extra credit: when an iPhone is connected to a standard internet connection (wirelessly, obviously), the same one used for the examples above, it doesn't even get through: nothing in Wireshark nor in the server's Event Viewer.

    Thursday, 29 September 2016 12:41
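Added example, not part of the thread: a PowerShell check for the Windows 7/10 client side of the exchange above. Client error 809 with a server-side 4963 carrying Inbound SA SPI 0 means L2TP left the client without an IPsec SA, so the script reads the two client registry values that decide that. Facts it relies on: Windows Vista and later read AssumeUDPEncapsulationContextOnSendRule under Services\PolicyAgent (KB 926179), while the Services\IPSec path John quoted is the Windows XP location; value 1 means the client is behind NAT, value 2 means client and server are both behind NAT, and either requires a reboot; RasMan\Parameters\ProhibitIpSec set to 1 switches off the automatic IPsec policy for L2TP altogether. The function, its `-Fix` switch and `-NatTValue` parameter are this example's own.

```powershell
# Added example, not code from the thread. Run elevated on the L2TP client (Win 7/10).
# Reports the NAT-T and ProhibitIpSec registry state and, with -Fix, writes the NAT-T value.

function Test-L2tpClientRegistry {
    param(
        [switch]$Fix,
        [ValidateSet(1, 2)][int]$NatTValue = 2   # 2: server in the thread sits behind two NATs
    )
    $name  = 'AssumeUDPEncapsulationContextOnSendRule'
    $vista = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'   # read by Vista and later
    $xp    = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'         # Windows XP location only
    $ras   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'

    $cur = (Get-ItemProperty -Path $vista -Name $name         -ErrorAction SilentlyContinue).$name
    $old = (Get-ItemProperty -Path $xp    -Name $name         -ErrorAction SilentlyContinue).$name
    $pro = (Get-ItemProperty -Path $ras   -Name ProhibitIpSec -ErrorAction SilentlyContinue).ProhibitIpSec

    $verdict = if ($pro -eq 1)               { 'ProhibitIpSec=1: this client sends L2TP without IPsec' }
               elseif ($null -eq $cur)       { "$name not set under PolicyAgent (only the XP path set?)" }
               elseif ($cur -ne $NatTValue)  { "$name=$cur under PolicyAgent; expected $NatTValue" }
               else                          { 'NAT-T values look right for this client; reboot if just changed' }

    if ($Fix) {
        if (-not (Test-Path $vista)) { New-Item -Path $vista -Force | Out-Null }
        Set-ItemProperty -Path $vista -Name $name -Value $NatTValue -Type DWord
        if ($pro -eq 1) { Set-ItemProperty -Path $ras -Name ProhibitIpSec -Value 0 -Type DWord }
        $verdict += ' -> values written; reboot before retrying'
    }

    [pscustomobject]@{
        PolicyAgentValue = $cur    # what this client actually honours
        XpPathValue      = $old    # harmless on Vista+, but ignored
        ProhibitIpSec    = $pro    # 1 => clear-text L2TP, exactly what the server's 4963 reports
        Verdict          = $verdict
    }
}

Test-L2tpClientRegistry          # report only
# Test-L2tpClientRegistry -Fix   # write the NAT-T value (and clear ProhibitIpSec), then reboot
```

Running the report on a client that connects (over the phone hotspot) and on the same client when it fails (over the home line) is the quickest way to confirm the registry state is identical in both cases, which narrows the difference to the path between the client and the server rather than to client configuration.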
  • Hi Simone,

    I am sorry for my misunderstanding.

    Is the ISP of the LTE connection the same as the ISP of the wired network?

    According to your description, the issue is more related to the ISP; I suggest that you contact the ISP to get effective support.

    Best Regards

    John



    Friday, 30 September 2016 03:12
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    John



    Tuesday, 11 October 2016 08:48
  • I see this thread is a few years old, but did you (Simone) manage to solve the issue?
    Saturday, 5 October 2019 19:29