Question

PaulAziz-5959 asked, CandyLuo-MSFT commented

Connecting to VPN Server

I have a Windows Server 2019 Standard server configured with the following roles, and it is configured with the static IP 192.168.0.10:

  1. Active Directory Controller Server

  2. DNS Server

  3. DHCP Server

  4. VPN Server

I have added Routing and Remote Access to the server's firewall.

I am using a D-Link DWR-960 4G router and implemented port forwarding in the router to forward traffic to the VPN server.

But any time I try to connect to the VPN server I get the error:
"The remote connection was not made because the attempted VPN tunnel failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly"


I have been trying to resolve this for the past week using all the online suggestions, but I have not been successful.


I have included relevant pages of the router settings.


CandyLuo-MSFT answered

Hi,

Based on my understanding, you put a VPN server behind a NAT device. Is that right? Please feel free to let me know if I have any misunderstanding.

If yes: by default, the Windows built-in VPN client doesn't support L2TP/IPsec connections through NAT. This is because IPsec uses ESP (Encapsulating Security Payload) to encrypt packets, and ESP doesn't support PAT (Port Address Translation).

As a workaround, you can create a registry value named AssumeUDPEncapsulationContextOnSendRule under the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

0 – (the default value) the server is connected to the Internet without NAT;
1 – the VPN server is behind a NAT device;
2 – both the VPN server and the client are behind a NAT.

When it's set to 1, Windows can establish security associations with servers that are located behind NAT devices.

For your reference:

Configure a L2TP/IPsec server behind a NAT-T device

Configuring L2TP/IPSec VPN Connection Behind a NAT, VPN Error Code 809

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Candy


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



PaulAziz-5959 answered

@CandyLuo-MSFT thanks so much for your suggestion. It did not work; it returned a new error:

"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer. The network connection between your computer and the VPN server was interrupted."

UDP ports 1701, 500 and 4500 are open and the server is listening on them, but they seem to be blocked on the router even though I have port forwarded them to the server. Do I have to add these ports to the router's firewall whitelist?

Please find the modified router port forwarding table attached, to confirm whether I am doing the right thing.


Please check client's event log to see if there is any error code for us to do troubleshooting.

In addition, if both Windows VPN server and client are behind NAT, you need to change AssumeUDPEncapsulationContextOnSendRule to 2.

PaulAziz-5959 answered

@CandyLuo-MSFT thanks so much for your assistance. The event error:

The user SYSTEM dialed a connection named VPN Connection which has failed. The error code returned on failure is 789.


Sorry for the delayed response. My comment seems missing. Did you have any updates during this process?

No update; the error "The error code returned on failure is 789" persists.

CandyLuo-MSFT answered

Hi,

Let's confirm the following configurations:

Make the registry change that allows L2TP behind NAT. This change needs to be done on the VPN server and on all Windows VPN clients:

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
Create a new DWORD 32 type value:
Name: AssumeUDPEncapsulationContextOnSendRule
Data: 2

0 - No connection to servers behind NAT (Default).

1 - Connection where VPN server is behind NAT.

2 - Connection where VPN server and client are behind NAT.

Then reboot the computer for the change to take effect.

For your reference:

Proper NAT and Firewall Rules for L2TP Server behind Mikrotik Router

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

If it still doesn't work, we need to trace network traffic to find the cause. However, analysis of network traffic is beyond our forum support level, and due to forum security policy we have no channel to collect user log information. So we recommend you open a case with MS Professional tech support; they will help you open a phone or email case with Microsoft, so that you get technical support on a one-to-one basis while protecting private information.

Here is the link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,
Candy


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



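As an added example (not part of this thread and not Microsoft's own code), the following PowerShell applies the AssumeUDPEncapsulationContextOnSendRule value from Candy's answers and checks the UDP listeners and IPsec services Paul mentions. The function names, the Topology parameter and the topology-to-value mapping are my own; run it elevated on the server and on each Windows client, then reboot.

```powershell
# Added example: registry value for L2TP/IPsec behind NAT, plus a listener check.
# Function names and the -Topology parameter are this example's own, not Windows'.

$PolicyAgentPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName       = 'AssumeUDPEncapsulationContextOnSendRule'

function Set-L2tpNatTraversal {
    # Topology decides the data: no NAT -> 0, only the server NATed -> 1,
    # server and client both NATed -> 2 (the values listed in the thread).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NoNat', 'ServerBehindNat', 'BothBehindNat')]
        [string]$Topology
    )
    $data = @{ NoNat = 0; ServerBehindNat = 1; BothBehindNat = 2 }[$Topology]

    if (-not (Test-Path $PolicyAgentPath)) { New-Item -Path $PolicyAgentPath -Force | Out-Null }
    # DWord matches the "DWORD 32" type in the thread; -Force overwrites an existing value.
    New-ItemProperty -Path $PolicyAgentPath -Name $ValueName -PropertyType DWord `
                     -Value $data -Force | Out-Null

    # Read it back so a typo in the key path or value name is caught before rebooting.
    $current = (Get-ItemProperty -Path $PolicyAgentPath -Name $ValueName).$ValueName
    if ($current -ne $data) { throw "Expected $ValueName=$data, found $current" }
    Write-Host "$ValueName set to $data ($Topology); reboot for IPsec to pick it up."
}

function Test-L2tpListeners {
    # L2TP/IPsec needs UDP 500 (IKE), 4500 (NAT-T) and 1701 (L2TP) listening on the
    # server and forwarded by the router; this only confirms the server side.
    $ports = 500, 4500, 1701
    $listening = Get-NetUDPEndpoint -LocalPort $ports -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty LocalPort -Unique
    foreach ($p in $ports) {
        $state = if ($listening -contains $p) { 'listening' } else { 'NOT listening' }
        Write-Host ("UDP {0,-5} {1}" -f $p, $state)
    }
    # IKEEXT and PolicyAgent must be running or the registry value has no effect.
    Get-Service IKEEXT, PolicyAgent | Select-Object Name, Status
}

# Usage for the setup in this thread (server behind the 4G router). Use
# BothBehindNat, as Candy's later answer recommends, if the client is also NATed.
Set-L2tpNatTraversal -Topology ServerBehindNat
Test-L2tpListeners
```

A port showing "NOT listening" points at the Routing and Remote Access configuration on the server, while all three listening with the connection still failing points back at the router's forwarding or firewall rules.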

Hi,

Thanks so much @CandyLuo-MSFT. I am indeed grateful for your assistance. I implemented all your suggestions.

I have also contacted my router manufacturer for assistance.

Nonetheless, I will open a case with MS Professional tech support as you suggested.

I will keep you posted.



Best regards,
Paul

I will wait for your good news. Wish you a wonderful day! :)