September 18, 2020 | Windows 10, Windows Server 2016

Configuring L2TP/IPSec VPN Connection Behind a NAT, VPN Error Code 809

Since iOS dropped PPTP VPN support, one of my clients decided to reconfigure the VPN server running Windows Server 2012 R2 from PPTP to L2TP/IPSec. VPN clients inside the LAN connect to the server without any problems, but external Windows clients get error 809 when trying to establish a connection to the L2TP VPN server:

Can’t connect to L2TP-IPsec-VPN-Server.hostname

The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g. firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.


In other Windows versions, the connection errors 800, 794 or 809 may indicate the same problem.

It is worth noting that the VPN server is behind a NAT, and the router is configured to forward the L2TP/IPsec ports:

  • UDP 1701 — Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP)
  • UDP 500 — IKE
  • UDP 4500 — NAT-T (IPsec Network Address Translator Traversal)
  • IP protocol 50 — ESP

The same ports are open in the Windows Firewall rules for the VPN connection, so this is the classic configuration. The built-in Windows VPN client is used for the connection.

If you connect to the same VPN server via PPTP, the connection is successfully established.

VPN Error 809 for L2TP/IPSec on Windows behind NAT

As it turned out, the problem is already known and described in the Microsoft article https://support.microsoft.com/en-us/kb/926179. By default, the Windows built-in VPN client doesn’t support L2TP/IPsec connections through NAT. This is because IPsec uses ESP (Encapsulating Security Payload) to encrypt packets, and ESP doesn’t support PAT (Port Address Translation). If you want to use IPSec for communication, Microsoft recommends using public IP addresses on the VPN server.

But there is a workaround. You can get around this limitation by enabling support for NAT-T (NAT Traversal), which encapsulates ESP (IP protocol 50) packets in UDP packets on port 4500. NAT-T is enabled by default in almost all operating systems (iOS, Android, Linux) except Windows.

If the L2TP/IPsec VPN server is behind a NAT device, then in order to connect external clients through NAT correctly, you have to make some registry changes on both the server and the client side to allow UDP encapsulation for L2TP and NAT-T support in IPsec.

  • Open the Registry Editor (regedit.exe) and go to the following registry key:
    • Windows 10/8.1/Vista and Windows Server 2016/2012R2/2008R2 — HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
    • Windows XP/Windows Server 2003 — HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
  • Create a DWORD parameter named AssumeUDPEncapsulationContextOnSendRule with the value 2.
    Note. Possible AssumeUDPEncapsulationContextOnSendRule values are:
    • 0 — (the default) the server is connected to the Internet without NAT;
    • 1 — the VPN server is behind a NAT device;
    • 2 — both the VPN server and the client are behind a NAT.
  • Restart the computer and make sure that the VPN tunnel is established successfully.
Note. If both the Windows VPN server and the client are behind NAT, you need to change this setting on both devices.

Also, you can use a PowerShell cmdlet to make changes to the registry:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Type DWORD -Value 2 -Force

After enabling NAT-T support, you will be able to successfully connect to the VPN server from the client through NAT (including double NAT).
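The registry change described above, as an added PowerShell example that is not part of the article: the script picks the key for the running OS (PolicyAgent on Vista and later, IPSec on XP/2003, as listed above), shows the current value, writes the requested one and reads it back. The test on the NT major version, the script name and the -Value parameter are my own assumptions; run it elevated on every side that sits behind NAT.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): set AssumeUDPEncapsulationContextOnSendRule
# on the key that applies to this OS and verify the write. Save as Set-NatT.ps1
# and run elevated, e.g.  .\Set-NatT.ps1 -Value 2
param(
    # 0 = no NAT (default), 1 = VPN server behind NAT, 2 = server and client behind NAT
    [ValidateSet(0, 1, 2)]
    [int]$Value = 2
)

# Assumption: NT 5.x (XP / Server 2003) uses the IPSec service key, NT 6+ uses PolicyAgent
$ver = [System.Environment]::OSVersion.Version
$key = if ($ver.Major -lt 6) {
    'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
} else {
    'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
}
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# An absent value behaves like 0 (no NAT), so report that explicitly
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$shown = if ($null -eq $before) { '<not set, same as 0>' } else { $before }
Write-Host "$key\$name before: $shown"

# Set-ItemProperty creates the DWORD if it is missing and overwrites it otherwise
Set-ItemProperty -Path $key -Name $name -Type DWord -Value $Value -Force

$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -ne $Value) {
    throw "Write failed: read back $after instead of $Value"
}
Write-Host "$key\$name after:  $after"
Write-Host 'Reboot before testing the tunnel; repeat on the other side if it is also behind NAT.'
```

The value only changes how ESP is carried (encapsulated in UDP 4500); it does not weaken the IPsec negotiation itself, which is why it is the first thing to try before any of the RasMan changes discussed later.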

In some cases, for the VPN to work properly, you also need to add a firewall rule for TCP 1701 (some L2TP implementations use this port together with UDP 1701).

NAT-T did not work correctly in earlier Windows 10 builds, for example 10240, 1511 and 1607. If you have an older Windows version, we recommend upgrading to a newer Windows 10 build.

Multiple L2TP VPN Connections from the same LAN

There is another interesting VPN bug. If your local network has several Windows computers, you cannot establish more than one simultaneous connection to an external L2TP/IPSec VPN server. If you try to connect to the same VPN server from another computer (while a VPN tunnel is already active from a different device), error code 809 or 789 will appear:

Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

Interestingly, this problem only occurs on Windows devices. Linux/macOS/Android devices on the same local network have no such problem: you can easily connect to the L2TP VPN server from multiple devices at the same time.

According to TechNet, the issue is caused by an incorrect implementation of the L2TP/IPSec client on Windows (not fixed for many years).

To fix this bug, you need to change two registry parameters in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters registry key and restart your computer:

  • AllowL2TPWeakCrypto – change to 00000001 (allows weak encryption algorithms; for L2TP/IPSec these are MD5 and DES);
  • ProhibitIPSec – change to 00000000 (enables IPsec encryption, which is often disabled by some VPN clients or system tools).


Run the following commands to apply these registry changes:

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v AllowL2TPWeakCrypto /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v ProhibitIpSec /t REG_DWORD /d 0 /f

This enables support for concurrent L2TP/IPSec VPN connections on Windows through a shared public IP address (works on all versions from Windows XP to Windows 10).
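As an added example that is not the article’s own code, here is a PowerShell script that applies the two RasMan values above, can revert them, and audits what they mean: ProhibitIpSec=1 leaves L2TP running without IPsec, and AllowL2TPWeakCrypto=1 admits MD5/DES, so the audit reports the latter as a deliberate weakening of the client rather than a neutral setting. The function names and the -Revert switch are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): apply, audit and revert the two RasMan values
# used for the concurrent-L2TP-clients-behind-one-NAT workaround. Run elevated.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'

function Get-L2TPRasManState {
    # Current values; $null means the value is absent (Windows default behaviour)
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllowL2TPWeakCrypto = $p.AllowL2TPWeakCrypto
        ProhibitIpSec       = $p.ProhibitIpSec
    }
}

function Test-L2TPRasManState {
    # Reports the security meaning of each value as the article describes it
    $s = Get-L2TPRasManState
    $findings = @()
    if ($s.ProhibitIpSec -eq 1) {
        $findings += 'ProhibitIpSec=1: L2TP is used without IPsec (no encryption). Set it to 0.'
    }
    if ($s.AllowL2TPWeakCrypto -eq 1) {
        $findings += 'AllowL2TPWeakCrypto=1: MD5/DES accepted for L2TP/IPsec. Needed for the shared-NAT workaround, but it lowers the crypto strength of this client; revert when no longer required.'
    }
    if ($findings.Count -eq 0) { 'No findings: IPsec on, weak crypto not enabled.' } else { $findings }
}

function Set-L2TPRasManWorkaround {
    # Applies the article's values; -Revert removes both values again
    param([switch]$Revert)
    if ($Revert) {
        Remove-ItemProperty -Path $key -Name AllowL2TPWeakCrypto, ProhibitIpSec -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $key -Name AllowL2TPWeakCrypto -Type DWord -Value 1 -Force
        Set-ItemProperty -Path $key -Name ProhibitIpSec       -Type DWord -Value 0 -Force
    }
    Get-L2TPRasManState
}

'Before:'; Get-L2TPRasManState
Set-L2TPRasManWorkaround | Out-Null
'After:';  Get-L2TPRasManState
Test-L2TPRasManState
'Reboot for RasMan to pick up the change; run Set-L2TPRasManWorkaround -Revert to undo it.'
```

Because AllowL2TPWeakCrypto changes what the client will negotiate, keep the audit function in whatever baseline check you run on managed clients so the workaround does not silently outlive the problem it was added for.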

21 comments

Jan Lebeda November 27, 2019 - 5:33 pm

This really solved my problem! Thank you very much!

Reply
Roger K. December 12, 2019 - 7:33 pm

This fixed my issue as well. Thanks!

Reply
Hector April 2, 2020 - 11:36 am

Yes, works like a charm. 1 week lost before reading your fix 🙂
By the way, which ports need to be open on the router to permit L2TP/IPsec?

Reply
admin April 2, 2020 - 11:59 am

Open the following ports for L2TP/IPsec traffic:
UDP 500 (IKE)
UDP 1701 (L2TP)
Protocol 50 (ESP)
UDP 4500 (if using NAT-T)

Reply
Hector April 2, 2020 - 12:46 pm

Wow, thanks for the quick reply. It’s working now from an external WIN10, and virtual servers configured on the fiber router, but I don’t know how to open protocol 50 on this router. A port scan from outside doesn’t show any port opened 🙂
If it works… don’t change anything 🙂
Thanks!

Reply
Russ May 12, 2020 - 2:13 pm

This did not resolve this issue for me

Reply
Serg May 15, 2020 - 5:32 am

The following registry settings helped me to fix the 809 VPN error (VPN Server – 2012 R2, client – Windows 10)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"AllowL2TPWeakCrypto"=dword:00000001
"ProhibitIPSec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

Reply
Windows Server VPN September 9, 2020 - 11:39 am

[…] If using ikev2 have a look at the registry edit in this article, it is still relevant if both your vpn server and client are behind firewalls. Connecting L2TP/ IPSec VPN Server Behind a NAT, Error Code 809 | Windows OS Hub […]

Reply
Joey October 22, 2020 - 8:55 pm

Love it! Been looking for 3 days and thought it was the firewall. Someone on the Fortinet forum pointed out this article. Golden. Thank you!

Reply
Rui November 26, 2020 - 11:56 pm

Hello everyone. This solution works great for Windows machines. Solved half my problem, so thank you very much! 🙂 The other half of my problem resides on connecting macOS to my L2TP/IPsec Windows Server 2016 VPN server, which is behind NAT. I can’t test the connection attempt with a public IP address on the server because the ISP doesn’t allow bridge mode on their router. But Windows machines work perfectly; however, Apple machines fail to connect as if the connection attempt is lost on the router. It’s as if the server does not exist at all. Has anybody else had the same issue and found a solution? Have been searching the Internet for 3 months and nothing :/ The only crap I find is to use Apple’s rubbish app to make the connection. I input the router’s public IP address, the PSK for IPsec, user and password, hit connect and… The server could not be found. Apple says that they give no support for this kind of problem. Can anyone help please? Thanks in advance ^^

Reply
louise April 30, 2021 - 9:01 am

Tried both operations above, but still unable to fix my issue

Reply
Mohamed Asik Uthumalebbe July 13, 2021 - 7:22 pm

Did you manage to fix this issue? For the last month I have been having the same issue.

Reply
Michael S August 19, 2021 - 11:22 pm

You saved my night, thank you very much!!
😉

Reply
tlf December 29, 2021 - 5:46 pm

Hey,
Without the regedits for “Multiple L2TP VPN Connections from the same LAN” I got the generic NAT error message “The network connection between your computer and the VPN server could not be established because the remote server is not responding. …” so I tried the edits and now it fails silently without any messages.
What can I do to get more errors/logs?
It’s a Windows 10 Home Edition.
Thanks

Reply
admin December 30, 2021 - 11:13 am

Check VPN connection logs in Event Viewer.
Look for the following Event sources: VPN Client – vpnagent, vpnui; DHCP – DHCP-Client; Native VPN – RasMan, RasClient, Remote Access.

Reply
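As an added example (not the admin’s or the article’s code) of the Event Viewer check suggested in the reply above: a PowerShell script that pulls recent events from the RasClient source, extracts the dial error code from each failure message, and maps the codes the article discusses (809, 789, 800, 794) to the causes it gives. The Application log name, the event wording matched by the regular expressions, and the 24-hour window are assumptions.

```powershell
# Added example, not from the article or the reply: summarise recent VPN dial failures
# reported by the RasClient event source. Assumptions: the events live in the Application
# log and failure messages read "... dialed a connection named X which has failed. The
# error code returned on failure is NNN."
param(
    [int]$Hours = 24,
    [int]$MaxEvents = 500
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'RasClient'
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No RasClient events in the last $Hours hour(s)."
    return
}

# Causes as the article describes them; codes not listed here are printed without a hint
$hints = @{
    809 = 'Server not responding: NAT/firewall in the path, or AssumeUDPEncapsulationContextOnSendRule not set'
    789 = 'Security layer error during negotiation, e.g. a second L2TP client behind the same NAT'
    800 = 'Same NAT problem as 809 on other Windows versions'
    794 = 'Same NAT problem as 809 on other Windows versions'
}

$failures = foreach ($e in $events) {
    if ($e.Message -match 'error code returned on failure is (\d+)') {
        $code = [int]$Matches[1]
        $conn = if ($e.Message -match 'connection named (.+?) which') { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            Connection = $conn
            ErrorCode  = $code
        }
    }
}
$failures = @($failures)
if ($failures.Count -eq 0) {
    Write-Host "$($events.Count) RasClient event(s) found, none with a dial error code."
    return
}

# Newest failures first, then a per-code count with the article's explanation
$failures | Sort-Object Time -Descending | Format-Table Time, EventId, Connection, ErrorCode -AutoSize | Out-Host

$failures | Group-Object ErrorCode | ForEach-Object {
    $code = [int]$_.Name
    $hint = if ($hints.ContainsKey($code)) { $hints[$code] } else { 'no hint for this code' }
    Write-Host ("{0,4} x error {1}: {2}" -f $_.Count, $code, $hint)
}
```

Run it on the client that fails to connect; a run of 809 events after the RasMan edits from the article points back at the NAT-T value rather than at the RasMan values, while 789 events while another client on the same LAN is connected match the concurrent-connection bug.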
serg January 12, 2022 - 2:59 pm

Windows updates from January 11, 2022 make it impossible to connect to L2TP VPN:
Windows 10 – KB5009543
Windows 11 – KB5009566
It can be solved by removing the updates, or you can disable or weaken IPSec (not always possible):

REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters]
"ProhibitIpSec"=dword:00000001

Reply
Tim January 13, 2022 - 7:28 pm

Uninstalling Windows 10 – KB5009543 worked for me!

Reply
Gil May 22, 2022 - 1:54 pm

KB5009543 – Known issues: After installing this update, IP Security (IPSEC) connections that contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected.

This issue is resolved by installing KB5010793.

Reply
Alain Bensimon March 7, 2022 - 12:20 am

I have tried each and every one of the solutions above on a brand new Windows 11 desktop, and it was unsuccessful.
I had to connect using PPP instead.

Reply
Bernie June 8, 2022 - 5:59 pm

Thank you very much for writing this up! I could not figure out why my L2TP RRAS server was not working behind the firewall. I had made all these changes on the VPN itself but not the client side, so needless to say this article was super helpful! Thank you again!!! 🙂

Reply
Alekss Nbit September 10, 2022 - 6:18 am

Thanks a lot for the detailed explanation. My Windows 10 PC started to connect after the registry fix. I tried 1 first – one side behind NAT, and it worked for me, however I have both sides behind NAT.

My Mac (M1, Monterey 12.4) does not want to connect either. I get “The L2TP-VPN server did not respond.” Still cannot figure out how to get it working on Mac.

Reply