Due to disabling PPTP VPN support in iOS, one of my clients decided to reconfigure the VPN server running Windows Server 2012 R2 from PPTP to L2TP/IPSec. Internal VPN clients from inside LAN connect to the VPN server without any problems, however external Windows clients get the error 809 when trying to establish the connection with the L2TP VPN server:
The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.
In other Windows versions, the connection errors 800, 794 or 809 may indicate the same problem.
It is worth to note that the VPN server is behind a NAT, and the router is configured to forward L2TP ports:
- UDP 1701 — Layer 2 Forwarding Protocol (L2F) & Layer 2 Tunneling Protocol (L2TP)
- UDP 500
- UDP 4500 NAT-T – IPSec Network Address Translator Traversal
- Protocol 50 ESP
These ports are also open in the Windows Firewall rules for VPN connection. Those, the classic configuration is used. The built-in Windows VPN client is used for connection.
VPN Error 809 for L2TP/IPSec on Windows behind NAT
As it turned out, the problem is already known and described in the article https://support.microsoft.com/en-us/kb/926179. The Windows built-in VPN client doesn’t support by default L2TP/IPsec connections through NAT. This is because IPsec uses ESP (Encapsulating Security Payload) to encrypt packets, and ESP doesn’t support PAT (Port Address Translation). If you want to use IPSec for communication, Microsoft recommends using public IP addresses on the VPN server.
But there is also a workaround. You can fix this drawback by enabling support for the NAT-T protocol, which allows you to encapsulate ESP 50 packets in UDP packets on port 4500. NAT-T is enabled by default in almost all operating systems (iOS, Android, Linux) except Windows.
If the L2TP/IPsec VPN server is behind a NAT device, in order to connect external clients through NAT correctly, you have to make some changes to the registry both on the server and client side to allow UDP packet encapsulation for L2TP and NAT-T support in IPsec.
- Open the Registry Editor (
regedit.exe) and go to the following registry key:- Windows 10/8.1/Vista and Windows Server 2016/2012R2/2008R2 — HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
- Windows XP/Windows Server 2003 — HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
- Create a DWORD parameter with the name AssumeUDPEncapsulationContextOnSendRule and the value 2;
Note. Possible AssumeUDPEncapsulationContextOnSendRule values are:- 0 – (a default value) suggests that the server is connected to the Internet without NAT;
- 1 – the VPN server is behind a NAT device ;
- 2 — both VPN server and client are behind a NAT.
- Just restart your computer and make sure that the VPN tunnel is established successfully
[alert] If both Windows VPN server and client are behind NAT, you need to change this setting on both devices.Also, you can use a PowerShell cmdlet to make changes to the registry:
Set-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Type DWORD -Value 2 –Force;After enabling NAT-T support, you will be able to successfully connect to the VPN server from the client through NAT (including double NAT).
In some cases, for VPN to work properly, you need to enable an additional firewall rule for TCP 1701 (in some L2TP implementations, this port is used in conjunction with UDP 1701).NAT-T didn’t work correctly in earlier Windows 10 builds, for example, 10240, 1511, 1607. If you have an older Windows version, we recommend you to upgrade the Windows 10 build.Multiple L2TP VPN Connections from the same LAN
There is another interesting VPN bug. If your local network has several Windows computers, you cannot establish more than one simultaneous connection to an external L2TP/IPSec VPN server. If you try to connect to the same VPN server from another computer (with an active VPN tunnel from different device), error code 809 or 789 will appear:
Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remove computer.
Interestingly, this problem only occurs on Windows devices. On Linux/MacOS/Android devices on the same local network, there are no such problems. You can easily connect to the VPN L2TP server from multiple devices at the same time.According to TechNet, the issue is related to incorrect implementation of the L2TP/IPSec client on Windows (not fixed for many years).
To fix this bug, you need to change two registry parameters in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters registry key and restart your computer:
- AllowL2TPWeakCrypto – change to 00000001 (allows weak encryption algorithms, for L2TP/IPSec the MD5 and DES algorithms are used);
- ProhibitIPSec – change to 00000000 (enables IPsec encryption, which is often disabled by some VPN clients or system tools).
Run the following command to change apply these registry changes:
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v AllowL2TPWeakCrypto /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v ProhibitIpSec /t REG_DWORD /d 0 /fThis enables support for concurrent L2TP/IPSec VPN connections on Windows through a shared public IP address (works on all versions from Windows XP to Windows 10).
21 comments
This really solved my problem! Thank you very much!
This fixed my issue as well. Thanks!
Yes, works like a charm. 1 week lose before read your fix 🙂
By the way, whichs ports need to be open on the router to permit L2TP/IPsec?
Open the following ports for L2TP/IPsec traffic:
UDP 500 (IKE)
UDP 1701 (L2TP)
Protocol 50 (ESP)
UDP 4500 (if using NAT-T)
Wow, thanks for quick reply. Its working now from a external WIN10, and virtual servers configured on fiber router, but I dont know how to open protocol 50 on this router. A port scan from outside dont show any port opened 🙂
If works…dont change anything 🙂
Thanks!
This did not resolve this issue for me
The following registry settings help me to fix the 809 VPN error (VPN Server – 20012 R2, client – Windows 10)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
«AllowL2TPWeakCrypto»=dword:00000001
«ProhibitIPSec»=dword:00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
«AssumeUDPEncapsulationContextOnSendRule»=dword:00000002
[…] If using ikev2 have a look at the registry edit in this article, it is still relevant if both your vpn server and client are behind firewalls. Connecting L2TP/ IPSec VPN Server Behind a NAT, Error Code 809 | Windows OS Hub […]
Love it! Been looking for 3 days and thought it was the firewall. Someone on the Fortinet forum pointed out this article. Golden. Thank you!
Hello everyone. This solution works Great for windows running machines. Solved half my problem, só thank you very much! 🙂 the othe half of my problem resides on connecting mac os to my l2tp/ipsec windows server 2016 vpn server, that is begind Nat. I can’t test the connection atempt with public IP address on the server because the isp doesn’t allow bridge mode on their router. But Windows machines work perfectly, however Apple machines fail to connect as if the connection atempt is lost on the router. It’s as if the server does not exist at all. Has anybody else have the same issue and found a solition? Have been searching the Internet for 3 months and nothing :/ the only crap I find is to use Apple’s rubish app to make the connection. I input the router’s public IP address, the psk for ipsec, user and password, hit connect and… The server could not be found. Apple says that they give no support to this kind of problem. Can anyone help please? Thanks in advance ^^
Try both operations above, but still unable to fix my issue
did u able to fix this issue, for last month i am having same issue
You saved my night, thank you vrery much!!
😉
Hey,
Without the regedits for “Multiple L2TP VPN Connections from the same LAN” I got the generic NAT error message “The network connection between your computer and the VPN server could not be established because the remote server is not responding. …” so I tried the edits and now it fails silently without any messages.
What can I do to get more errors/logs?
It’s a Windows 10 Home Edition.
Thanks
Check VPN connection logs in Event Viewer.
Look for the following Event sources: VPN Client – vpnagent, vpnui; DHCP – DHCP-Client; Native VPN – RasMan, RasClient, Remote Access.
Windows updates from January 11, 2022 make it impossible to connect to L2TP VPN :
Windows 10 – KB5009543
Windows 11 – KB5009566
It can be solved by removing updates, or you can disable or weaken IPSec (not always posible):
REGEDIT4
[HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ Rasman \ Parameters]
“ProhibitIpSec” = dword: 00000001
Uninstalling Windows 10 – KB5009543 worked for me!
KB5009543 – KnowIssues: After installing this update, IP Security (IPSEC) connections that contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected.
This issue is resolved installing KB5010793.
I have tried each and everyone of the solutions above on a brand new windows 11 desktop, and it was unsuccessful
I had to connectr using PPP instead.
Thank you very much for writing this up! I could not figure out why my L2TP RRAS server was not working behind the firewall, I had made all these changes on the VPN itself but not the client side so needless to say this article was super helpful! thank you again!!! 🙂
Thanks a lot for the detailed explanation. My Windows 10 PC started to connect after the registry fix. I tried 1 first – one side behind NAT, and it worked for me, however I have both sides behind NAT.
My Mac (M1, Monterey 12.4) does not want to connect either. I get The l2tp-vpn server did not respond. Still cannot figure out how to get it working on Mac.