Error VPN IPSec L2TP on Windows 11.

Erminio Di Marco 20 Reputation points
2023-12-13T09:59:22.1466667+00:00

Sorry for my bad English.

I have an error when trying to make an IPSec L2TP VPN connection.
I have the same error using Windows 11, iPhone and Android as Client:
IPsec ERROR IPsec INFO INFO: NAT detected: PEER
IPsec ERROR IPsec INFO INFO: NAT-D payload #1 doesn't match
IPsec ERROR [217.171.76.137] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
IPsec ERROR ERROR: failed to get proposal for responder.
IPsec ERROR ERROR: no policy found: 10.46.215.59/32[0] MY DDNS/32[1701] proto=udp dir=in
What am I doing wrong?
Why does it indicate 2 different IP addresses (10.46.215.59/32 and 217.171.76.137) in the Client connection?
Thank you.


Accepted answer
  1. Anonymous
    2023-12-15T03:35:02.65+00:00

    Hi,

    Check the confirmation and make sure that the certificate and pre-shared key are not misconfigured or missing. Also, please make sure the Network Address Translation (NAT) is not used (router device etc.).

    If the problem persists, log collection and analysis may be necessary for further troubleshooting.

    How to troubleshoot a Microsoft L2TP/IPSec virtual private network client connection:

    Troubleshoot L2TP/IPSec VPN client connection - Windows Client | Microsoft Learn


1 additional answer

  1. Erminio Di Marco 20 Reputation points
    2023-12-15T10:36:54.3733333+00:00

    Thanks very much for the reply.

    I tried using this VPN on my D-Link IPsec XAuth Aggressive and Main modem and it works.

    I can't get the IPsec L2TP VPN to work, neither Aggressive nor Main.

    I use a pre-shared key, the D-Link modem cannot use certificates.

    Maybe I misunderstood, if I try to disable the NAT of the D-Link modem, I can't navigate.

    I'll show you the entire D-Link modem log.

    I don't know if this is correct, if you read the D-Link log it says, "NAT not detected"

    INFO: respond new phase 1 negotiation: MY DDNS[500]<=>192.168.1.100[500]

    INFO: begin Identity Protection mode.

    INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY

    INFO: received Vendor ID: RFC 3947

    INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

    INFO: received Vendor ID: FRAGMENTATION

    [192.168.1.100] INFO: Selected NAT-T version: RFC 3947

    [MY DDNS] INFO: Hashing MY DDNS[500] with algo #2

    INFO: NAT-D payload #0 verified

    [192.168.1.100] INFO: Hashing 192.168.1.100[500] with algo #2

    INFO: NAT-D payload #1 verified

    INFO: NAT not detected

    INFO: ISAKMP-SA established MY DDNS[500]-192.168.1.100[500] spi:7f6144d8978eeace:1772a095e9a5805b

    INFO: respond new phase 2 negotiation: MY DDNS[500]<=>192.168.1.100[500]

    ERROR: no policy found: 192.168.1.100/32[1701] MY DDNS/32[1701] proto=udp dir=in

    ERROR: failed to get proposal for responder.

    [192.168.1.100] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

    INFO: respond new phase 2 negotiation: MY DDNS[500]<=>192.168.1.100[500]

    ERROR: no policy found: 192.168.1.100/32[1701] MY DDNS/32[1701] proto=udp dir=in

    ERROR: failed to get proposal for responder.

    [192.168.1.100] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

    INFO: respond new phase 2 negotiation: MY DDNS[500]<=>192.168.1.100[500]

    ERROR: no policy found: 192.168.1.100/32[1701] MY DDNS/32[1701] proto=udp dir=in

    ERROR: failed to get proposal for responder.

    [192.168.1.100] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

    INFO: respond new phase 2 negotiation: MY DDNS[500]<=>192.168.1.100[500]

    ERROR: no policy found: 192.168.1.100/32[1701] MY DDNS/32[1701] proto=udp dir=in

    ERROR: failed to get proposal for responder.

    [192.168.1.100] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

    INFO: respond new phase 2 negotiation: MY DDNS[500]<=>192.168.1.100[500]

    ERROR: no policy found: 192.168.1.100/32[1701] MY DDNS/32[1701] proto=udp dir=in

    ERROR: failed to get proposal for responder.

    [192.168.1.100] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

    INFO: respond new phase 2 negotiation: MY DDNS[500]<=>192.168.1.100[500]

    ERROR: no policy found: 192.168.1.100/32[1701] MY DDNS/32[1701] proto=udp dir=in

    ERROR: failed to get proposal for responder.

    [192.168.1.100] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

    INFO: purging ISAKMP-SA spi=7f6144d8978eeace:1772a095e9a5805b.

    INFO: purged ISAKMP-SA spi=7f6144d8978eeace:1772a095e9a5805b.

    INFO: ISAKMP-SA deleted MY DDNS[500]-192.168.1.100[500] spi:7f6144d8978eeace:1772a095e9a5805b

    WARNING: Empty internal address.

    WARNING: Empty internal address.

    INFO: respond new phase 1 negotiation: MY DDNS[500]<=>192.168.1.100[500]

    INFO: begin Identity Protection mode.

    INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY

    INFO: received Vendor ID: RFC 3947

    INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

    INFO: received Vendor ID: FRAGMENTATION

    [192.168.1.100] INFO: Selected NAT-T version: RFC 3947

    INFO: unsupported PF_KEY message REGISTER

    ERROR	ARS 002 - Phase I negotiation failed for peer 192.168.1.100[500] due to time up. 5e2bf15aef5516aa:d42ac86286a83fc8
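
Added example, not part of the original posts: a small Python triage of the two router logs quoted in this thread, reporting the NAT state, whether phase 1 completed, and which phase 2 selectors the responder rejected. The function name `triage`, the result keys, and the reading of a selector source that differs from the peer address as the client's own pre-NAT address are assumptions of this example.

```python
import re

# Constructed samples: lines copied from the two router logs quoted on this page.
WAN_LOG = """\
IPsec ERROR IPsec INFO INFO: NAT detected: PEER
IPsec ERROR IPsec INFO INFO: NAT-D payload #1 doesn't match
IPsec ERROR [217.171.76.137] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
IPsec ERROR ERROR: failed to get proposal for responder.
IPsec ERROR ERROR: no policy found: 10.46.215.59/32[0] MY DDNS/32[1701] proto=udp dir=in
"""
LAN_LOG = """\
INFO: NAT not detected
INFO: ISAKMP-SA established MY DDNS[500]-192.168.1.100[500] spi:7f6144d8978eeace:1772a095e9a5805b
ERROR: no policy found: 192.168.1.100/32[1701] MY DDNS/32[1701] proto=udp dir=in
ERROR: failed to get proposal for responder.
[192.168.1.100] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
"""

# "no policy found: <src>/<len>[<port>] <dst>/<len>[<port>] proto=<p> dir=<d>"
POLICY = re.compile(r"no policy found: (\S+)/\d+\[(\d+)\] (.+?)/\d+\[(\d+)\] proto=(\w+) dir=(\w+)")
# "[<peer address>] ERROR: failed to pre-process ph2 packet"
PEER = re.compile(r"\[([0-9.]+)\] ERROR: failed to pre-process ph2 packet")

def triage(log):
    """Summarise one IKE responder log (hypothetical helper for this example)."""
    out = {"nat": None, "phase1_established": False, "peers": set(), "rejected": []}
    for line in log.splitlines():
        if "NAT detected" in line:
            out["nat"] = True
        elif "NAT not detected" in line:
            out["nat"] = False
        elif "ISAKMP-SA established" in line:
            out["phase1_established"] = True
        if (m := PEER.search(line)):
            out["peers"].add(m.group(1))
        if (m := POLICY.search(line)):
            src, sport, dst, dport, proto, _direction = m.groups()
            selector = (src, int(sport), dst, int(dport), proto)
            if selector not in out["rejected"]:   # the log repeats each retry
                out["rejected"].append(selector)
    # A rejected selector means the exchange got as far as phase 2.
    out["failed_phase"] = 2 if out["rejected"] else None
    # Assumption: a selector source that is not the address the packets
    # arrive from is the client's own address before translation.
    out["selector_behind_nat"] = [s[0] for s in out["rejected"]
                                  if out["peers"] and s[0] not in out["peers"]]
    return out

if __name__ == "__main__":
    for name, log in (("WAN", WAN_LOG), ("LAN", LAN_LOG)):
        print(name, triage(log))
```

On these samples both logs stop at the same phase 2 policy lookup for UDP port 1701, with and without NAT detected.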