RasClient Error 788 when trying to connect to a Meraki MX64W

damien-m79 1 Reputation point
2022-03-10T19:52:57.553+00:00

Hello everyone,

I have been stumped on this error for one of the users for my client when they try to connect to their office using the built-in VPN client in Windows 10. When I try to connect on this user's laptop, I get an error saying that the connection timed out. I was able to grab some logs from Event Viewer and found that the RasClient error is 788. I have scoured the interwebz and all I found was to try a 3rd-party VPN app (https://www.reddit.com/r/meraki/comments/ox3qur/vpn_client_error_on_windows_10/). Well, that didn't work. Just to let you know, I have set up another user with the exact same settings (I quadruple-checked all settings) on both computers and that user was able to connect. I even set up the VPN on my own laptop and it works with the Windows VPN. It's not a username/password issue and I'm starting to believe that it has something to do with his computer itself, maybe something that might be installed, as I had found another article stating that someone had Visual Studio installed and after they removed it the VPN started working.

If anyone has any idea what may be causing this or can point me in the right direction, that would be great. I've already removed/re-added the connection, so that didn't work. Below is the Event Viewer info I pulled. All private info has been changed. Thanks in advance!

===========================================================================================================

Event 20221

CoId={852F9A16-32DB-40A1-948A-822C2AA81D91}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named To Vigor. The connection settings are:
Dial-in User = user@tiedtlaw email .com
VpnStrategy = L2TP
DataEncryption = Requested
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = PAP
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
IPsec authentication for L2TP = Pre-shared key.

Event 20222

CoId={852F9A16-32DB-40A1-948A-822C2AA81D91}: The user SYSTEM is trying to establish a link to the Remote Access Server for the connection named To Vigor using the following device:
Server address/Phone Number = xxx.xxx.xxx.xxx
Device = WAN Miniport (L2TP)
Port = VPN4-1
MediaType = VPN.

Event 20227 (Error)

CoId={852F9A16-32DB-40A1-948A-822C2AA81D91}: The user SYSTEM dialed a connection named To Vigor which has failed. The error code returned on failure is 788.


1 answer

  1. Gary Nebbett 6,216 Reputation points
    2022-03-11T09:19:06.027+00:00

    Hello @damien-m79 ,

    Error 788 is ERROR_OAKLEY_ATTRIB_FAIL and indicates that a common set of security parameters could not be negotiated.

    The security parameter options on the client side can be set with the PowerShell cmdlet Set-VpnConnectionIPsecConfiguration, but I can't think of an easy way to display the current settings (they are stored in rasphone.pbk as a hexadecimal string).

    The first thing that I would try is deleting the VPN connection definition on the client and recreating it - this will "reset" the security parameters. [Update: alternatively one could try Set-VpnConnectionIPsecConfiguration with the option -RevertToDefault]

    If that fails, I would then make a network trace; two sets of security parameters are negotiated (main mode and quick mode) and just counting the number of IKE packets exchanged will indicate which set has problems. The main mode security parameter negotiation is visible in plaintext in the network trace (the quick mode negotiation is encrypted).

    Gary

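The packet-counting check described in the answer above, as an added example that is not part of the original answer: it reads the IKEv1 (ISAKMP) header of each UDP payload taken from a trace, counts distinct main mode and quick mode messages, and names the negotiation that stalled. The function names and the sample trace are constructed for illustration; the expected message counts (6 for main mode, 3 for quick mode) come from RFC 2409, not from this thread, and the payloads are assumed to have already been extracted from the capture.

```python
import struct
from collections import Counter

# IKEv1 exchange type values (RFC 2408 section 3.1, RFC 2409).
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, message ID, length

def parse_isakmp(port, payload):
    """Return (exchange, encrypted) for an IKEv1 datagram, or None if it is not one."""
    if port == 4500:                      # NAT-T: IKE follows a 4-byte zero non-ESP marker
        if payload[:4] != b"\x00" * 4:
            return None                   # ESP-in-UDP data, not IKE
        payload = payload[4:]
    if len(payload) < HDR.size:
        return None
    _, _, _, version, xchg, flags, _, _ = HDR.unpack_from(payload)
    if version != 0x10:                   # major 1, minor 0 = IKEv1
        return None
    return EXCHANGE.get(xchg, "type-%d" % xchg), bool(flags & 0x01)

def diagnose(datagrams):
    """Count distinct IKE messages per exchange and name the negotiation that stalled."""
    counts, seen = Counter(), set()
    for port, payload in datagrams:
        parsed = parse_isakmp(port, payload)
        if parsed is None or payload in seen:   # byte-identical copy = retransmission
            continue
        seen.add(payload)
        counts[parsed[0]] += 1
    if counts["main"] < 6:                # a full main mode exchange is 6 messages
        return counts, "main mode"
    if counts["quick"] < 3:               # a full quick mode exchange is 3 messages
        return counts, "quick mode"
    return counts, "none"

def build_msg(xchg, flags=0, msg_id=0, body=b""):
    """Build a constructed IKEv1 datagram (header plus opaque body) for the demo."""
    return HDR.pack(b"I" * 8, b"R" * 8, 1, 0x10, xchg, flags, msg_id, HDR.size + len(body)) + body

# Constructed trace: the first main mode message sent three times, then one informational reply.
SAMPLE = [(500, build_msg(2, body=b"SA-proposals"))] * 3 + [(500, build_msg(5, body=b"notify"))]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A verdict of "main mode" points at the phase whose proposals are readable in the trace, so the offered and accepted parameters can be compared directly.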
