Connecting to VPN Server

Paul Aziz 1 Reputation point
2021-07-12T20:06:27.743+00:00

I have a Windows 2019 Standard server configured with the following roles, and it is configured with the static IP 192.168.0.10:

  1. Active Directory Controller Server
  2. DNS Server
  3. DHCP Server
  4. VPN Server

I have added Routing and Remote Access to the server's firewall.

I am using a D-Link DWR-960 4G router and have implemented port forwarding in the router to forward traffic to the VPN server.

But any time I try to connect to the VPN server I get the error:
"The remote connection was not made because the attempted VPN tunnel failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly"

I have been trying to resolve this for the past week using all the online suggestions, but I have not been successful.

I have included relevant pages of the router settings.


4 answers

  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2021-07-13T02:04:16.013+00:00

    Hi,

    Based on my understanding, you put a VPN server behind a NAT device. Is that right? Please feel free to let me know if I have any misunderstanding.

    If yes, the Windows built-in VPN client doesn't support L2TP/IPsec connections through NAT by default. This is because IPsec uses ESP (Encapsulating Security Payload) to encrypt packets, and ESP doesn't support PAT (Port Address Translation).

    As a workaround, you can create a registry value named AssumeUDPEncapsulationContextOnSendRule under the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

    0 – (the default value) the server is connected to the Internet without NAT;
    1 – the VPN server is behind a NAT device;
    2 – both the VPN server and the client are behind NAT.

    When it's set to 1, Windows can establish security associations with servers that are located behind NAT devices.

    For your reference:

    Configure a L2TP/IPsec server behind a NAT-T device

    Configuring L2TP/IPSec VPN Connection Behind a NAT, VPN Error Code 809

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,
    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Paul Aziz 1 Reputation point
    2021-07-13T16:32:42.133+00:00

    @Candy Luo thanks so much for your suggestion. It did not work; it returned a new error:

    The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer. The network connection between your computer and the VPN server was interrupted.

    UDP ports 1701, 500 and 4500 are open and the server is listening on them, but they seem to be blocked on the router even though I have port forwarded them to the server. Do I have to add these ports to the router's firewall whitelist?

    Please find the modified router port forwarding table below, so you can confirm whether I am doing the right thing.


  3. Paul Aziz 1 Reputation point
    2021-07-15T11:23:36.73+00:00

    @Candy Luo thanks so much for your assistance. The event error:

    The user SYSTEM dialed a connection named VPN Connection which has failed. The error code returned on failure is 789.


  4. Candy Luo 12,656 Reputation points Microsoft Vendor
    2021-07-20T01:37:49.627+00:00

    Hi,

    Let's confirm the following configurations:

    Make the registry change that allows L2TP behind NAT. This change needs to be done on the VPN server and on all Windows VPN clients:

    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
    Create a new DWORD (32-bit) value:
    Name: AssumeUDPEncapsulationContextOnSendRule
    Data: 2

    0 - No connection to servers behind NAT (Default).

    1 - Connection where VPN server is behind NAT.

    2 - Connection where VPN server and client are behind NAT.

    Then reboot the computer for the change to take effect.

    For your reference:

    Proper NAT and Firewall Rules for L2TP Server behind Mikrotik Router

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    If it still doesn't work, we need to trace network traffic to find the cause. However, analysis of network traffic is beyond our forum support level, and due to forum security policy we have no channel to collect user log information. So we recommend you open a case with Microsoft Professional tech support; they will help you open a phone or email case with Microsoft, so that you get technical support on a one-to-one basis while keeping private information private.

    Here is the link:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

    Best Regards,
    Candy

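The registry value described in both of Candy Luo's answers, and the UDP listener check Paul mentions (1701, 500, 4500), can be inspected and applied from an elevated PowerShell session instead of the registry editor. The script below is an added example for this thread, not code from Microsoft or from either participant; the `$Mode` parameter is mine, and the value meanings (0, 1, 2) are exactly those stated in the answers. It assumes Windows Server 2019 or a Windows client with the built-in NetTCPIP and NetSecurity modules and the predefined "Routing and Remote Access" firewall rule group.

```powershell
# Added example (not from the thread): inspect and set the L2TP/IPsec NAT-T
# registry value AssumeUDPEncapsulationContextOnSendRule, then confirm the
# IPsec/L2TP UDP listeners and the RRAS firewall rules on this host.
# Run elevated on the VPN server and on each Windows VPN client.
# $Mode is a parameter I introduced for this example; its meanings follow the answers:
#   0 = no NAT (default), 1 = VPN server behind NAT, 2 = server and client behind NAT.
param(
    [ValidateSet(0, 1, 2)]
    [int]$Mode = 2
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Report the current setting; an absent value means the default, 0.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName is not set (default 0: server assumed not to be behind NAT)"
} else {
    Write-Host "$valueName is currently $current"
}

# Create or update the DWORD value. As the answer notes, a reboot is required
# before the IPsec policy agent honours the new value.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $Mode -Force | Out-Null
Write-Host "Set $valueName to $Mode; reboot for the change to take effect."

# Confirm the host is listening on the UDP ports the router forwards:
# 500 (IKE), 4500 (IPsec NAT-T) and 1701 (L2TP).
$expected  = 500, 4500, 1701
$listening = Get-NetUDPEndpoint |
    Where-Object { $_.LocalPort -in $expected } |
    Select-Object -ExpandProperty LocalPort -Unique
foreach ($port in $expected) {
    if ($port -in $listening) {
        Write-Host "UDP $port : listening"
    } else {
        Write-Warning "UDP $port : no listener (is the Remote Access service running?)"
    }
}

# Show whether the built-in Routing and Remote Access inbound rules are enabled
# in Windows Defender Firewall (the rules Paul refers to adding on the server).
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Profile |
    Format-Table -AutoSize
```

Save it as, for example, `Set-L2tpNatT.ps1` and run `.\Set-L2tpNatT.ps1 -Mode 1` on the server if only the server sits behind NAT, or `-Mode 2` on both ends when the client is also NATed, as the second answer recommends. A listener that is missing on the server side points at the Remote Access service rather than at the router, while listeners that are present but unreachable from outside point back at the router's forwarding or firewall rules.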