Windows 7 IPSec/L2TP VPN connection problem

    Question

  • In Windows 7 I have a problem with my L2TP VPN connection, so I describe the problem.

    I build the connection and in the Security tab set it to use L2TP and set the pre-shared key (the VPN server uses a pre-shared key for L2TP). Then I try to connect to the VPN server, but nothing happens, and after a moment Error 789 appears. With PPTP the VPN works fine, so I am curious about it, and I see something odd:
    when I use PPTP, during the connection attempt I see in "Control Panel\Network and Internet\Network Connections" that the status of the connection is Connecting, but while the L2TP connection is running the status is constantly Disconnected, as if nothing has happened and I did nothing!!


    Microsoft Certified System Engineer 2003
    Tuesday, December 08, 2009 7:22 PM

Answers

  • Well, I don't know what to say, but my problem is weirdly solved!! And I don't have any problem anymore!!

    The things that I have done are:

    1. In Windows Services, check that both "IKE and AuthIP IPSec Keying Modules" and "IPSec Policy Agent" are set to Automatic mode and by default are set to start

    2. Well, I followed this instruction too!! Link to Microsoft Support

    3. Updated my router!!

    4. Set two firewall rules which allow port 4500 and 500 traffic

    I don't know which one of them solved the problem, but I did all of them. To find out which one of them exactly solved the problem, I undid some of them which I had doubts about, like the 2nd and 4th (about the 1st I'm completely sure that must be OK, and about the 3rd one there is no rollback). I undid both of them, but weirdly L2TP works fine.

    The questions are: if my latest router firmware has trouble with L2TP, then why does it work in Windows XP!??? If the problem is because of the firewall blocking ports, then why, after disabling those rules, does it work again?!! If the problem is because of the registry key, then why, after deleting that, does it work?!!

    About this problem I really don't have any exactly true answer! But if these things work for you, let the others know.

    Thanks
    Microsoft Certified System Engineer 2003
    Friday, February 12, 2010 9:50 PM

All replies

  • Any idea or something else? What should I do?
    Microsoft Certified System Engineer 2003
    Wednesday, December 09, 2009 1:12 PM
  • Well, I found something new about this problem!!

    I set up a VPN server with Windows Server 2008 R2 (installed Windows Server 2008 R2 in VirtualBox) and used the pre-shared key for the L2TP connection, and it works fine. BUT the difference is in the encryption status: the encryption is "IPSec: AES 128", and in the past when I used Windows XP I remember that the encryption was "IPSec ESP 3DES".
    The VPN server is Windows Server 2003, so what should I do to add ESP 3DES in Windows 7 or add AES 128 in Windows Server 2003?

    By the way, I think the primary problem is from integrity during IPSec, because the problem is before opening the session.

    I'm completely confused, please help me :(
    Microsoft Certified System Engineer 2003
    Thursday, December 10, 2009 9:52 AM
  • Maybe the ISAKMP protocol is blocked. This behavior can be caused by a firewall on the computer, in the router or on the ISP side. You may temporarily disable the firewall. If the issue persists, temporarily bypass the router or disable the firewall on the router. If the issue still occurs, try to connect to the L2TP VPN from another system; if the connection is not established, the most probable cause is the ISP side.

    Meantime, please also make sure that the "IPsec Policy Agent" service is enabled.


    Arthur Xie - MSFT
    • Proposed as answer by Mike Bellia Tuesday, January 28, 2014 6:09 PM
    Thursday, December 10, 2009 10:15 AM
    Moderator
  • Maybe the ISAKMP protocol is blocked. This behavior can be caused by a firewall on the computer, in the router or on the ISP side. You may temporarily disable the firewall. If the issue persists, temporarily bypass the router or disable the firewall on the router. If the issue still occurs, try to connect to the L2TP VPN from another system; if the connection is not established, the most probable cause is the ISP side.

    Meantime, please also make sure that the "IPsec Policy Agent" service is enabled.


    Arthur Xie - MSFT
    Thanks for your reply.

    About the ISAKMP protocol: I disabled my PC firewall but nothing changed, so this is not the answer, and also in the past I was able to connect when I had Windows XP Pro, so the ISP is not the answer.

    About the router: my router is "ZyXEL ZyWALL 2 Plus", and I disabled its firewall too, but no difference, and I'm unable to connect. In my point of view the most suspicious thing is the router, but when I think about it I realize that in Windows XP and in Windows 7 XP Mode I'm able to connect!!

    "IPsec Policy Agent" service is enabled and the startup mode is Automatic.

    And now the new things that I found out!!

    I installed Windows Server 2003 R2 (VirtualBox) and was able to connect to it, and the encryption method is IPSec ESP 3DES!! In my last comment I said that I'm unable to connect to the VPN server because of the encryption method, but after this test, well, this is not the problem.

    Please help me



    Microsoft Certified System Engineer 2003
    Thursday, December 10, 2009 3:54 PM
  • Well, thanks to all TechNet forum moderators for helping me!!

    Anyway, I think I found the cause of the problem, but I don't know how to fix it.

    When I connect to the internet with my broadband connection the VPN works fine, but when my router connects to the internet and I connect to the internet through it, the problem comes...

    The VPN server is Microsoft Windows Server 2003 and I'm the administrator of it.

    Please help me to solve this problem.... This error isn't just for me.

    Thanks a lot
    Microsoft Certified System Engineer 2003
    Sunday, December 13, 2009 5:52 AM
  • Does your router have a firewall? You need to change the settings for the router to allow the ISAKMP protocol, UDP port 500. Please refer to the instructions from the router manufacturer. Or you can contact the technical support of the manufacturer.
    Arthur Xie - MSFT
    Monday, December 14, 2009 6:38 AM
    Moderator
  • Does your router have a firewall? You need to change the settings for the router to allow the ISAKMP protocol, UDP port 500. Please refer to the instructions from the router manufacturer. Or you can contact the technical support of the manufacturer.
    Arthur Xie - MSFT

    Thanks

    Well, my router has a firewall and I added a rule which permits LAN to WAN traffic over UDP:500, but nothing changed. Then I completely disabled my router firewall and nothing happened again; even when I disabled my Windows firewall, nothing happened again.

    The weird part is the VPN works fine in Windows XP, but since I installed Windows 7 this problem is coming, and even in Windows 7 XP Mode the VPN works fine...
    Microsoft Certified System Engineer 2003
    • Proposed as answer by Routerman Thursday, January 28, 2010 3:54 PM
    Monday, December 14, 2009 4:21 PM
  • I am having the exact same issue; were you able to find the solution?
    Thursday, January 28, 2010 3:56 PM
  • When you are working with Microsoft XP, Vista, 7, 2003 or 2008 and IPSEC/L2TP behind NAT, then you need to create a registry key. You can find this by a Google search on NAT-Traversal with IPSEC.
    And when you are using NAT at the server site, then you have to make an extra port forwarding to your server for UDP 4500.
    Friday, January 29, 2010 8:33 AM
  • The problem that you are describing is way old and was solved since Windows XP SP2. Notice how Sayed and myself don't have this issue in XP; it's on Windows 7.

    From taking a sniff I can see that the first IKE packet now includes both the draft RFC for NAT-T as well as RFC 3947; I am pretty sure that is the problem. There has to be some Windows registry setting to change that packet so the process can continue.

    So has anyone else encountered this issue?
    • Marked as answer by SAYED MOHAMMAD Friday, February 12, 2010 9:24 PM
    • Unmarked as answer by SAYED MOHAMMAD Friday, February 12, 2010 9:24 PM
    Saturday, January 30, 2010 9:47 PM
  • I have the same problem too. When I want to connect to an L2TP/IPsec VPN (3Com 3CR870-95) with Windows 7, I receive Error 789. I have tried on 3 PCs with Windows 7 with the same result. But on the same Win7 I have XP in VirtualBox. When I connect with this Windows XP everything works OK.
    Has anyone found a solution for Windows 7?
    Monday, February 08, 2010 2:31 PM
  • Did you have any luck, HR-Damir? I am having the same problem; XP works fine, Windows 7 doesn't.
    Wednesday, February 10, 2010 3:44 AM
  • NKumarnz, I didn't have success... I just found that if I use an internal ISDN card to access the internet then I can connect to the VPN with Windows 7 too. But if I use the ADSL router then only XP works. So when I have a public IP then W7 works; when I have a private IP then not.. Maybe somebody has some idea?
    Thursday, February 11, 2010 7:39 AM
  • I opened a ticket with Microsoft because I could not find anything. They have been working on it for more than a week and it does not look like they are finding much on it.

    I did compare the IKE packets from Windows 7 and Windows XP, and Windows 7 is using the RFC for NAT-T as well as the draft version, but XP only uses the draft version. I am pretty sure that it has to do with that extra information in the IKE packet.

    Hope someone can figure this out
    Thursday, February 11, 2010 9:25 PM
  • Sayed and everyone,

    I had the same problem; it used to work in XP and Vista but not now in Win7 (with AssumeUDPEncapsulationContextOnSendRule set to 2).
    The solution to getting it to work in Win7 is to start the "IKE and AuthIP IPsec Keying Modules" service (which makes perfect sense, since we're doing IPSec). Oddly enough, the IPSec Policy Agent service itself does not need to be started; on my system it is set to manual start and it does not even start when connecting over L2TP.

    So, bottom line, for L2TP to work when both client & server (Windows 2003) are behind NAT:
    1. Set AssumeUDPEncap... to 2 on both client & server
    2. Start the IKE... service on the client
    3. Make sure UDP ports 500 and 4500 are NATted from the firewall to the server
    4. On the client, create the L2TP connection; use the proper pre-shared key defined on the server

    Works like a charm.
    • Proposed as answer by msaumatsmi Monday, May 16, 2011 12:53 PM
    Friday, February 19, 2010 3:48 PM
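    The client-side part of the checklist above (and the registry key and UDP 4500 point from the January 29 reply), as an added PowerShell script for a Windows 7 machine. This is example code written for this page, not from the thread, Microsoft or Gelfer. It audits the two services, the NAT-T registry value and the Windows Firewall rules, and with the `-Fix` switch applies the changes. The service names (IKEEXT, PolicyAgent), the registry path under the PolicyAgent service and the meaning of values 0/1/2 are Microsoft's documented ones; the `-Fix` switch, the firewall rule name and the output format are assumptions of this script. Step 3 (forwarding UDP 500/4500 to the server) lives on the router and is outside what a script on the client can do. Run it from an elevated prompt; the registry change needs a reboot.

```powershell
# Added example (not from the thread): audit and optionally fix the client-side
# settings this thread converges on for L2TP/IPsec behind NAT on Windows 7.
# Run elevated. -Fix is an assumed switch of this script, not a Windows setting.
param([switch]$Fix)

# --- 1. Services -------------------------------------------------------------
# IKEEXT      = "IKE and AuthIP IPsec Keying Modules" (the one Gelfer found essential)
# PolicyAgent = "IPsec Policy Agent"
foreach ($name in 'IKEEXT', 'PolicyAgent') {
    $svc  = Get-Service -Name $name
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
    '{0,-12} status={1,-8} startmode={2}' -f $name, $svc.Status, $mode
    if ($Fix) {
        Set-Service -Name $name -StartupType Automatic
        if ($svc.Status -ne 'Running') { Start-Service -Name $name }
    }
}

# --- 2. NAT-T registry value (the "Link to Microsoft Support" step) ----------
# 0 or absent = no IPsec SAs to a server behind NAT
# 1 = server behind NAT; 2 = both client and server behind NAT (this thread's case)
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$current   = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq $null) { "$valueName is not set (behaves as 0)" } else { "$valueName = $current" }
if ($Fix -and $current -ne 2) {
    # Takes effect only after a reboot. Microsoft documents this relaxation as not
    # recommended on servers (see the RRAS question later in the thread), so apply it
    # on the client here and decide separately for the server.
    New-ItemProperty -Path $regPath -Name $valueName -Value 2 -PropertyType DWord -Force | Out-Null
    "set $valueName = 2; reboot required"
}

# --- 3. Windows Firewall: IKE (UDP 500) and NAT-T (UDP 4500) -----------------
# Windows 7 has no New-NetFirewallRule cmdlet, so inspect with the HNetCfg.FwPolicy2
# COM object (Protocol 17 = UDP, Direction 1 = inbound) and add with netsh.
# An inbound rule matters on the server side; a client normally only needs outbound,
# which Windows Firewall allows by default, so the check is informational there.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$ipsecRules = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Protocol -eq 17 -and $_.Direction -eq 1 -and (
        $_.LocalPorts -eq '*' -or
        (($_.LocalPorts -split ',') -contains '500') -or
        (($_.LocalPorts -split ',') -contains '4500'))
})
if ($ipsecRules.Count -eq 0) {
    'no enabled inbound UDP rule covers port 500 or 4500'
    if ($Fix) {
        # Rule name is this script's own choice.
        netsh advfirewall firewall add rule name="IPsec IKE and NAT-T (UDP 500,4500)" dir=in action=allow protocol=UDP localport=500,4500 | Out-Null
        'added inbound rule for UDP 500,4500'
    }
} else {
    $ipsecRules | ForEach-Object { 'rule "{0}" allows inbound UDP {1}' -f $_.Name, $_.LocalPorts }
}

# --- 4. Recent RAS client events -----------------------------------------------
# Failed dial attempts (including error 789) are logged by the RasClient source in
# the Application log; the first line of each message carries the error code.
Get-EventLog -LogName Application -Source RasClient -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it once without `-Fix` to see which of the three settings differs from the thread's working configuration; the IKEEXT line is the one to read first, since two posters in this thread had that service stopped by a third-party VPN client. Because the registry value only matters after a reboot, re-run the script after restarting before concluding that step 1 did not help.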
  • Thanks for posting this. I was having the same issue and your Step 1 fixed my problem. I had installed the NCP VPN client, which disabled "IKE and AuthIP IPSec Keying Modules" and "IPSec Policy Agent". Once I set the mode to "Automatic", it worked!
    Tuesday, January 11, 2011 7:38 AM
  • Gelfer,

    I noticed that adding the registry setting as described in step 1 is "Not Recommended" on Windows 2003 RRAS, so I am hesitant to try it on an RRAS server that works for PPTP connections. Will this affect them? Do I have to restart the server or the RRAS service?

    My story is simple. I have users who are using the 3G Aircards from Verizon and connecting fine to my PPTP ports. One day, we received 4G Verizon cards and all was well in late November and December of last year, until just recently someone couldn't connect to our VPN anymore. Two days ago, I called Verizon. There apparently is a known issue with their 4G environment that is causing these PPTP VPNs to fail. They are "working on it". In the meantime, I thought I would try to use the available L2TP ports. They didn't say L2TP was NOT working. I have tried many things to make this work with no luck...

    Friday, January 21, 2011 8:19 PM
  • Did you apply step one to the server as well? 2003 RRAS?

    Friday, January 21, 2011 9:21 PM
  • My story is simple. I have users who are using the 3G Aircards from Verizon and connecting fine to my PPTP ports. One day, we received 4G Verizon cards and all was well in late November and December of last year, until just recently someone couldn't connect to our VPN anymore. Two days ago, I called Verizon. There apparently is a known issue with their 4G environment that is causing these PPTP VPNs to fail. They are "working on it". In the meantime, I thought I would try to use the available L2TP ports. They didn't say L2TP was NOT working. I have tried many things to make this work with no luck...


    If that was your problem, try to use OpenVPN (it's not a Microsoft-based VPN server and client, and both are free). I think that will work for you (I'm not so sure); worth a shot!

    BTW, both me and my VPN server (2008 R2) are behind separate NATs, and I tried to plan this:

    Me(Home) <<----->> NAT <<----->> Internet <<----->> NAT <<----->> VPN Server(Work)

    but for me it didn't work.

    Things that I did are:

    1. Did this on both client and server: Link to Microsoft Support
    2. Allowed UDP:500 and UDP:4500 ports in both NATs (router with firewall)
    3. Port forwarded the L2TP port, which is 1701, on both NATs
    4. My home NAT device does not have L2TP pass-through but the work one has, so I allowed it only on the work NAT device

    It did not work for me, but I must tell you PPTP is still working.


    Microsoft Certified System Engineer 2003
    • Proposed as answer by Peter True Friday, May 13, 2011 10:37 PM
    • Unproposed as answer by Peter True Friday, May 13, 2011 10:38 PM
    • Proposed as answer by msaumatsmi Monday, May 16, 2011 12:53 PM
    Thursday, March 17, 2011 9:57 PM
  • Change your IPSec (phase 2) hash to use SHA instead of MD5.
    Tuesday, August 09, 2011 10:40 PM
  • By enabling the IKE and AuthIP IPsec Keying Modules and IPSec Policy Agent services, you can successfully log in to the VPN server without any L2TP and PPTP error.


    Friday, December 23, 2011 10:01 AM
  • If you did all of the above mentioned and still encounter error 789, check if your VPN server has key life configured in time and KBs. Windows 7 defaults to 3600 sec/250000 KB. Try specifying both.
    • Proposed as answer by marksu22 Saturday, August 17, 2013 6:50 PM
    Monday, August 13, 2012 12:52 PM
  • I got this error too; I'm sure it's something to do with certificates. I revoked some duplicates on the CA and created a new VPN certificate that I copied to the client, and it's working.
    Thursday, March 14, 2013 8:11 PM
  • I had a similar problem on Windows 7 Ultimate. I even bought a new hard disk and did a fresh install (4 times!).

    Then I noticed the only similarity between the old configuration and the fresh install was my internal network IP address (in this case 10.0.0.14).  I changed this to 10.0.0.55 and everything sprang back to life.

    Worth a shot if like me you've spent 5 days pulling your hair out.

    Thursday, July 18, 2013 2:20 PM