VPN
Programmerus, 2018-10-16 19:17:46

Why else (even after all the settings below) might L2TP VPN often fail to work under Windows 7?

There is an L2TP VPN server on Windows Server 2012. It works and is correctly configured.
There is a LAN from which various clients connect to this server (i.e. the "transport" conditions are identical).

  • All Windows 10 clients work fine
  • All OS X clients work fine
  • One Windows 7 client works, but the other two don't; they are configured identically.

Connection error:
Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (eg, firewalls, NAT, Router etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.

What has already been done:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule (tried values ​​2 and 0)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\ProhibitIpSec (tried 0 and 1)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\AllowL2TPWeakCrypto (tried 0 and 1)
  • Windows Firewall completely disabled, and rules added for UDP 500, 1701, 4500
  • "IKE and AuthIP IPsec Keying Modules" service is started and starts automatically
  • The "IPsec Policy Agent" service is started and starts automatically
  • No Xbox Live Networking on Windows 7 (It sometimes gets in the way on Windows 10)

More ideas? :-)


2 answer(s)
Viktor Borovikov, 2018-10-17
@theo127

It could easily be the provider with its blocking.

Maxim Grishin, 2018-10-17
@vesper-bot

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule (tried values 2 and 0) - leave it at 2; in any case the client is behind NAT, and if the server happens to be behind NAT as well, then without 2 it will not start here at all.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\ProhibitIpSec (tried 0 and 1) - leave it at 0; without encryption it's a dead end, and it's only any good in IPsec - MPPE in L2TP is, to put it mildly, weak by today's standards.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\AllowL2TPWeakCrypto (tried 0 and 1) - should be irrelevant, but it depends on the server settings.
Windows Firewall completely disabled, and rules added for UDP 500, 1701, 4500 - irrelevant; from the client side the connection is outgoing, and the default policy allows it.
Next, bring up the VPN on the Windows 7 PC that does connect, then start a sniffer on the router and capture the packet exchange between the second computer and the server. There is a suspicion that the router implements NAT-T handling for L2TP incorrectly and forwards packets from the second client to port 4500 as well, either knocking the first one out or simply sending the response meant for the second client to the first one; it may make sense to disable separate L2TP/IPsec passthrough handling on it and check whether all clients then work.
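An added example (not from the answer above or from any project) that checks a capture summary taken on the router's LAN side for the pattern the answer describes: a client whose UDP 4500 (NAT-T) packets never get a reply, and a reply landing on a different client than the one that last sent. The packet lines, the server address and the "last NAT-T sender" heuristic are all constructed assumptions.

```python
"""Check an L2TP/IPsec NAT-T exchange captured on the LAN side of the router:
which clients get IKE (UDP 500) and NAT-T (UDP 4500) replies, and whether a
reply to one client's NAT-T packet is delivered to another client."""
from collections import defaultdict

SERVER = "203.0.113.5"  # assumed VPN server address (placeholder)

# Constructed capture summary: time src sport dst dport (all UDP).
# 192.168.1.10 is the working client, 192.168.1.11 the failing one.
CAPTURE = """\
1.000 192.168.1.10 500  203.0.113.5 500
1.050 203.0.113.5 500  192.168.1.10 500
1.100 192.168.1.10 4500 203.0.113.5 4500
1.150 203.0.113.5 4500 192.168.1.10 4500
2.000 192.168.1.11 500  203.0.113.5 500
2.050 203.0.113.5 500  192.168.1.11 500
2.100 192.168.1.11 4500 203.0.113.5 4500
2.150 203.0.113.5 4500 192.168.1.10 4500
"""

def parse(text):
    """Turn the summary lines into (time, src, sport, dst, dport) tuples."""
    pkts = []
    for line in text.splitlines():
        if line.strip():
            t, src, sport, dst, dport = line.split()
            pkts.append((float(t), src, int(sport), dst, int(dport)))
    return pkts

def analyse(pkts, server=SERVER):
    """Per-client IKE/NAT-T counters plus suspected misdelivered NAT-T replies."""
    stats = defaultdict(lambda: {"ike_sent": 0, "ike_recv": 0,
                                 "natt_sent": 0, "natt_recv": 0})
    last_natt_sender = None   # heuristic: who the next server:4500 reply belongs to
    misdelivered = []
    for t, src, sport, dst, dport in pkts:
        if dst == server and dport in (500, 4500):
            stats[src]["ike_sent" if dport == 500 else "natt_sent"] += 1
            if dport == 4500:
                last_natt_sender = src
        elif src == server and sport in (500, 4500):
            stats[dst]["ike_recv" if sport == 500 else "natt_recv"] += 1
            if sport == 4500 and last_natt_sender not in (None, dst):
                misdelivered.append((t, last_natt_sender, dst))
    return dict(stats), misdelivered

def no_natt_reply(stats):
    """Clients that sent NAT-T packets but never received one (Error 809 symptom)."""
    return sorted(c for c, s in stats.items() if s["natt_sent"] and not s["natt_recv"])
```

Running it on a real capture means exporting the UDP packets to this five-column form first; a tshark field export of frame.time_relative, ip.src, udp.srcport, ip.dst and udp.dstport fits.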
