Mobile Devices (Android and iOS) cannot Connect to WS 2008 RRAS L2TP VPN with Pre-Shared Key

    Question

  • I have Windows Server 2008 Standard installed with the RRAS service and configured for L2TP VPN with a pre-shared key. Services such as Active Directory, DHCP and DNS are not installed. The Internet connection doesn't pass through a router to my server machine; I have the Verizon FiOS Internet cable plugged into the server machine directly.

    PCs running Windows and Mac OS X can connect to the server without problem. When I try to connect using Android or iOS mobiles and tablets, they cannot connect to the server. If I change the VPN type to PPTP, the mobile devices can connect successfully, but I would like to use IPsec/L2TP since it's more secure.

    I tried hard to look for a solution to this issue on the Internet but had no luck. Can anyone please provide me some help?

    Thanks,

    CK

    Friday, August 15, 2014 9:25 AM

All replies

  • Hi,

    Thanks for posting here. However, this forum is for discussing Remote Desktop App related issues. Regarding the issue, please check that the encryption options you use for Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) are supported by iOS and Android devices.

    Routing and Remote Access Services encryption options for the L2TP/IPsec protocol on a Windows Server 2008-based Network Policy Server (NPS)

    http://support.microsoft.com/kb/954394

    If issue persists, please collect error logs and post in related forums for help.

    Best Regards.


    Jeremy Wu

    TechNet Community Support

    Monday, August 18, 2014 7:16 AM
    Moderator
  • Hi Jeremy,

    Thanks for the reply. I am sorry to post at the wrong place. Please feel free to move this to where it should be.

    I had already tried enabling all the encryption options on NPS, but it doesn't fix my problem. I am sorry to bother you again. Would you mind telling me how I can view the error logs for RRAS L2TP/IPsec?

    Thanks again.

    Monday, August 18, 2014 9:21 AM
  • Hi CK,

    Since Windows PC can connect to the VPN server, from my point of view, it should be a client issue.

    I think you may post your question on the following forum.

    For iphone

    https://discussions.apple.com/community/iphone/using_iphone

    For android

    https://support.google.com/android/?hl=en

    Best Regards



    Steven Lee

    TechNet Community Support

    Tuesday, August 19, 2014 9:46 AM
    Moderator
  • Hi Steven,

    Thanks for the reply.

    I had tried to connect to VPN service provider's L2TP/IPSec server with pre-shared key with the same devices I used to test on my VPN server. They can be connected successfully.

    In this case, I suppose it's my VPN server configuration problem. Any idea ? :(

    Sincerely,

    CK 

    Tuesday, August 19, 2014 9:51 AM
  • Hi CK,

    Could you post the event of NPS? It logs the detailed information about why NPS denies the access. It's very useful for further troubleshooting.

    Besides, make sure that the right policy can be matched in the first place.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Tuesday, August 19, 2014 12:27 PM
    Moderator
  • Hi Steven,

    Thanks for your patience. When I connect and log in to the VPN server with my username and password, the event viewer of NPS didn't record anything. I am not sure why it's not logged. If I use PC and connect to it, it logged the records.

    This is how I set up the VPN server.

    1. I installed the "Network Policies and Access Services" on server roles.

    2. I selected "VPN + NAT" during the RRAS Setup Wizard.

    3. Set address pool.

    4. Enabled both default policies in NPS and made the changes to the encryption settings.

    Did I set up the VPN server wrongly in a way that causes the connection from mobile devices to fail?

    On the user profile, I enable the remote access too.

    Please let me know if you need more information. Thanks again.


    • Edited by Ck_spec Wednesday, August 20, 2014 6:34 AM
    Wednesday, August 20, 2014 6:31 AM
  • Hi CK,

    I think we may need to create a policy in Network Policies. Please follow the steps below,

    1. Right click Network Policies, Click New.
    2. Enter the policy name, click Next.
    3. Click Add, select the Day and Time Restrictions, click Add.
    4. In the Day and Time Restrictions, choose Permitted for all, click OK.
    5. Click Next five times (leave everything default), click Finish.

    Move the policy to top and try to connect with your device.

    If the issue persists, please make sure that the Connection Request Policies have been configured properly.

    For detailed information about how to create a network policy, please refer to the link below,

    Configuring NPS network policies

    http://technet.microsoft.com/en-us/library/dd441006.aspx

    Best Regards.




    Steven Lee

    TechNet Community Support


    Wednesday, August 20, 2014 12:54 PM
    Moderator
  • Hi Steven,

    Thanks for the reply again. There is a default network policy already created which permits the users to connect to the server at any time. It would be duplicated if I created another one.

    However, I did disable the default one and created a new one as you suggested. It doesn't help.

    Today, I just checked the firewall filter and encryption. The UDP ports 500,1701 and 4500 are all opened and all the required encryption has been enabled.

    This is really weird, the PCs can connect without problem but the mobiles and tablets just cannot connect. Is there any other reason that can cause this to happen ?

    Best regards,

    CK

    Wednesday, August 20, 2014 2:22 PM
  • Hi CK,

    Since you have mentioned that NPS doesn't log anything when the mobile device connects. We need to implement some tests.

    Could you enable the NPS Accounting in the server? It will log every request which server receives.

    To enable NPS Accounting, please follow the steps below,

    1. Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.
    2. In the console tree, click Accounting.
    3. In the details pane, in Accounting, click Configure Accounting.
    4. Follow the wizard

    If NPS logs the information when mobile device connects, please post here.

    If nothing is logged, please disable the firewall and try again.

    If after disabling the firewall and still nothing is logged, it may be a networking issue. Please try to ping the mobile device from RRAS server.

    Besides, what message appears on the mobile device when connection fails? It may give some hints.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Thursday, August 21, 2014 2:15 PM
    Moderator
  • Hi Steven,

    NPS Accounting had been enabled earlier. I checked the recent logs. NPS accounting doesn't log the mobile device connections, only the PCs. I tried turning off the firewall and got the same result.

    On Android devices, I don't get any error message. When I connect to the server, the status shows "Connecting" and becomes "Disconnected" within 30 seconds. The status "Connected" never shows up.

    In this case, I think my connection is disconnected even before it reaches the server for authentication. Therefore, there is no way I can ping the mobile device. Please allow me to update the error message I got from the Apple mobile devices later.

    Thanks,

    CK

    Friday, August 22, 2014 4:26 AM
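A practitioner reading CK's observation above (NPS and accounting never see the mobile devices, and the phone drops within 30 seconds) will want a check that sits below NPS: whether the IKEv1 responder on UDP/500 answers a pre-shared-key main-mode proposal at all. The following is an added example, not code from the thread or from Microsoft. It builds the first ISAKMP main-mode message (SA payload proposing 3DES-CBC, SHA-1, pre-shared key, DH group 2, a conservative set that most L2TP/IPsec clients of that era include), sends it to the VPN host, and classifies the reply: an SA payload back means phase 1 accepted a PSK proposal and the failure is later (the PSK itself is only checked in messages 5/6, so this does not prove the key is right); a Notify such as NO-PROPOSAL-CHOSEN means phase 1 is rejected before L2TP, PPP or NPS are ever involved; no reply points at the path (firewall, NAT, nothing listening). The host name, the proposal values, and the constructed reply bytes used in `make_fake_reply` are assumptions for illustration; only probe servers you operate.

```python
"""IKEv1 (ISAKMP) main-mode probe for an L2TP/IPsec responder.

Added example for this thread, not the original poster's or Microsoft's code.
Proposal values and the fake-reply helper are illustrative assumptions.
"""
import os
import socket
import struct

# ISAKMP constants from RFC 2408 / RFC 2409
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 0, 1, 2, 3
PAYLOAD_NOTIFY = 11
EXCHANGE_MAIN_MODE = 2
ISAKMP_VERSION = 0x10          # major 1, minor 0
PROTO_ISAKMP = 1
KEY_IKE = 1
DOI_IPSEC = 1
SIT_IDENTITY_ONLY = 1
NOTIFY_NAMES = {1: "INVALID-PAYLOAD-TYPE", 7: "INVALID-EXCHANGE-TYPE",
                14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION"}
HEADER = struct.Struct("!8s8sBBBBII")   # 28-byte ISAKMP header


def _basic_attr(attr_type, value):
    """Basic (TV) attribute: high bit set on the type, 2-byte value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def build_sa_payload(enc=5, hash_alg=2, auth=1, group=2):
    """SA -> one proposal -> one transform carrying the phase-1 attributes.
    Defaults (assumed): 3DES-CBC(5), SHA(2), pre-shared key(1), MODP-1024(2)."""
    attrs = (_basic_attr(1, enc) + _basic_attr(2, hash_alg)
             + _basic_attr(3, auth) + _basic_attr(4, group))
    # transform: next, reserved, length, transform#, transform id, reserved
    transform = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs),
                            1, KEY_IKE, 0) + attrs
    # proposal: next, reserved, length, proposal#, protocol, SPI size, #transforms
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(transform),
                           1, PROTO_ISAKMP, 0, 1) + transform
    # SA: next, reserved, length, DOI, situation
    return struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal),
                       DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal


def build_main_mode_1(icookie):
    """Main-mode message 1: header with a zero responder cookie + SA payload."""
    sa = build_sa_payload()
    hdr = HEADER.pack(icookie, b"\x00" * 8, PAYLOAD_SA, ISAKMP_VERSION,
                      EXCHANGE_MAIN_MODE, 0, 0, HEADER.size + len(sa))
    return hdr + sa


def classify_reply(icookie, data):
    """Parse the ISAKMP header of a reply and report what phase 1 did."""
    if len(data) < HEADER.size:
        return {"status": "short", "detail": "%d bytes" % len(data)}
    ic, rc, nxt, ver, exch, flags, msgid, length = HEADER.unpack_from(data)
    if ic != icookie:
        return {"status": "foreign", "detail": "initiator cookie mismatch"}
    if nxt == PAYLOAD_SA and exch == EXCHANGE_MAIN_MODE:
        return {"status": "accepted", "detail": "responder cookie %s" % rc.hex()}
    if nxt == PAYLOAD_NOTIFY and len(data) >= HEADER.size + 12:
        # Notify payload: next(1) rsvd(1) len(2) DOI(4) proto(1) spi_size(1) type(2)
        ntype = struct.unpack_from("!H", data, HEADER.size + 10)[0]
        return {"status": "rejected",
                "detail": NOTIFY_NAMES.get(ntype, "notify type %d" % ntype)}
    return {"status": "other",
            "detail": "next payload %d, exchange %d" % (nxt, exch)}


def probe(host, port=500, timeout=3.0):
    """Send message 1 to host:port and classify the first reply."""
    icookie = os.urandom(8)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_main_mode_1(icookie), (host, port))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return {"status": "timeout", "detail": "no reply on UDP/%d" % port}
    finally:
        s.close()
    return classify_reply(icookie, data)


def make_fake_reply(icookie, rcookie, next_payload, notify_type=None):
    """Constructed reply bytes for offline testing; not a real capture."""
    body = b""
    if next_payload == PAYLOAD_SA:
        body = build_sa_payload()
    elif next_payload == PAYLOAD_NOTIFY:
        body = struct.pack("!BBHIBBH", PAYLOAD_NONE, 0, 12, DOI_IPSEC,
                           PROTO_ISAKMP, 0, notify_type)
    hdr = HEADER.pack(icookie, rcookie, next_payload, ISAKMP_VERSION,
                      EXCHANGE_MAIN_MODE, 0, 0, HEADER.size + len(body))
    return hdr + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # e.g. python3 ike_probe.py vpn.example.net
    else:
        print("usage: ike_probe.py <vpn-host>")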
  • Hi CK,

    I am trying to involve someone familiar with this topic to further look at this issue.

    There might be some time delay. Appreciate your patience.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Monday, August 25, 2014 7:33 AM
    Moderator
  • Hi CK,

    Would you like to confirm these following questions on your side?

    1.Is the VPN server's WAN interface using a private IP, and do you have appropriate NAT rules set up on the router for the VPN ports?

    2.L2TP is problematic when the VPN server endpoint is a NAT'd private IP.

    3.Does the router have protocol GRE enabled?

    4.Does RRAS support Perfect Forward Secrecy?  Try disabling it.

    For more information, you may refer to this article.

    Is it possible to enable outgoing PPTP and GRE for VPN?

    http://forum1.netgear.com/showthread.php?t=15854

    Hope this helps.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, August 26, 2014 9:56 AM
  • Hi CK,

    Would you like to confirm these following questions on your side?

    1.Is the VPN server's WAN interface using a private IP, and do you have appropriate NAT rules set up on the router for the VPN ports?

    2.L2TP is problematic when the VPN server endpoint is a NAT'd private IP.

    3.Does the router have protocol GRE enabled?

    4.Does RRAS support Perfect Forward Secrecy?  Try disabling it.

    For more information, you may refer to this article.

    Is it possible to enable outgoing PPTP and GRE for VPN?

    http://forum1.netgear.com/showthread.php?t=15854

    Hope this helps.

    If you have any questions, please feel free to let us know. Thanks.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, August 27, 2014 7:32 AM
  • Hi Song,

    Thanks for the tips. I am currently working in China. My business trip will end tomorrow and I will try your suggestions after that. Let me try that and keep you posted soon.

    Wednesday, August 27, 2014 7:41 AM
  • Hi CK,

    Glad to hear from you. Please feel free to let me know what's the results after you trying these. Thanks.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, August 28, 2014 6:33 AM
  • Hi CK,

    May I know if you have returned?

    Just looking forward to hear from you.

    Thanks.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, September 04, 2014 7:02 AM
  • Hi Steven,

    I'm sorry for the late reply.

    1. No, my WAN interface is using a public static IP from the ISP. It's not connected to any router.

    2. Server machine is set up as a router.

    3. Server machine is set up as a router.

    4. RRAS doesn't support Perfect Forward Secrecy.

    I found that even though I set it up as an L2TP VPN server, I am still able to connect through a PPTP VPN tunnel. I am not sure if this is set by default by Windows Server RRAS. In this case, I assume the VPN client can choose either L2TP or PPTP, but I still hope my clients will use L2TP only.

    Thanks for your patience.

    Sincerely,

    CK

    Friday, September 05, 2014 11:57 AM
  • Hi Ck,

    About VPN client, do you mean they are MOBILE device or Windows Client?

    If this is Windows Client, we may configure the relevant setting under setting of network adapter.

    Thank you.

    Best regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Saturday, September 06, 2014 7:18 AM
  • Hi Ck,

    Would you please let me know the update from your side?

    Thank you.

    Best regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, September 09, 2014 9:26 AM
  • Hi Steven,

    Windows clients have no problem connect to my VPN server. They can connect by PPTP or L2TP. Some of the Mac OS X clients cannot connect through L2TP but PPTP. Mobile clients with Android or iOS cannot connect at all.

    Sincerely,

    CK

    Tuesday, September 09, 2014 9:44 AM
  • Hi Ck,

    Thank you for your information.

    Would you please consult Mac or Android support about this issue, since we are not familiar with their underlying mechanism?

    Thank you.

    Best regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, September 09, 2014 11:17 AM
  • Hi Steven,

    I tried to ask this question on ServerExchange and Mac Support, but no luck. I cannot find a solution there.

    I am not sure. I tried to Google for a solution, but for some of the users they just cannot connect any way they want, Android, Windows or Mac, and not me.

    Anyway, thanks a lot for your effort to help me.

    Sincerely,

    CK

    Tuesday, September 09, 2014 11:39 AM
  • I had an identical issue, and solved it by removing EAP from "Authentication methods" /Security tab/ RRAS server properties, and also from the policy in Network Policies and Access Services.

    It fixed the issue and now I'm able to connect from all devices and operating systems, including Android

    • Proposed as answer by o__ Tuesday, January 31, 2017 6:45 PM
    Tuesday, January 31, 2017 6:45 PM
  • Hi o_
    I followed your instructions and disabled EAP in auth methods & policy, but for me it doesn't work.

    I can connect with XP and Win7 devices, but iOS and Android don't connect.

    I'm with a windows 2008 server (not R2).

    Could you leave me some details please?



    • Edited by Jehan31 Thursday, April 13, 2017 9:22 PM
    Thursday, April 13, 2017 5:14 PM
  • I'm having same issue, if you found solution let me know please.

    It's not my Android phone because it connects to other servers, but this one w2k8 server is failing to connect...

    Thursday, June 01, 2017 11:02 AM
  • Hi all,

    I had a similar issue whereby L2TP/IPsec with pre-shared key worked from Windows and macOS clients but not from the Android mobile device.

    After much tinkering with various configurations and changes, I changed the pre-shared key from a 32-character randomly generated key to a short 8-character super simple (secret12) key, and that worked. So I played around with various lengths of pre-shared keys and found that it is not just the length but the complexity that causes the Android client to not work with it. I am sure this must be a bug somewhere in the Android platform.

    I ended up using a shorter pre-shared key (16 characters) for now.

    Hope this helps.

    Tuesday, June 13, 2017 11:42 AM
  • Reply to myself: my pre-shared key got messed up by the MDM server (Meraki) and I had to manually enter the key in the VPN configuration on the device in order to make it work. So it is not the actual length of the pre-shared key that caused my problems but the MDM server.
    Tuesday, June 13, 2017 12:28 PM
  • This worked for me on Windows Server 2003 and Android 6.0. Thank you for the tip, o_!
    Tuesday, September 26, 2017 12:33 PM