Windows 10 L2TP VPN connection issue
Trouble getting Windows to connect to an L2TP VPN
- Firstly, if both the VPN server and the VPN client are behind a NAT, this can cause a problem because apparently "by default Windows does not support IPSec network address translation (NAT) Traversal (NAT-T) security associations to servers that are located behind a NAT device", and this still applies to Windows 10.
- The advice given by Microsoft: "if you have to put a server behind a NAT device and then use an IPsec NAT-T environment, you can enable communication by changing a registry value on the VPN client computer and the VPN server."
PowerShell (Suggested Fix)
Note: You must run this in an admin elevated PowerShell session.
## -- Add registry value to support L2TP communications via double NAT
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Type DWORD -Value 2 -Force;
Important: You must restart the machine(s) you apply this to before it takes effect.
Create and configure the AssumeUDPEncapsulationContextOnSendRule registry key with a 2 value beneath the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent registry subkey and define it as a DWORD value.
- A value of 2 configures Windows so that it can establish security associations when both the Windows Server and Windows VPN client computer are behind NAT devices. (Source)
PowerShell (Remove Fix)
Note: You must run this in an admin elevated PowerShell session.
## -- Remove registry value for L2TP communications support via double NAT
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Force;
Important: You must restart the machine(s) you apply this to before it takes effect.
If it is not a double NAT issue then . . .
- It seems perhaps in some configurations port 1701 is used over both TCP and UDP and not just UDP only. Adjust your rule to allow TCP port 1701 through as well and see if that fixes the problem.
"Layer Two Tunneling Protocol (L2TP) uses TCP port 1701 and is an extension of the Point-to-Point Tunneling Protocol. L2TP is often used with IPSec to establish a Virtual Private Network (VPN)." (Source)
2020-06-25: Fixed typo, that L2TP uses UDP, not TCP
- Furthermore, ensure your Windows Firewall "allow" rule(s) for the applicable TCP and UDP ports (and any correlated VPN client software exe's, etc.) have all of the private, domain, and public profiles checked on the Advanced tab.
- Upon further research it's not super clear to me if some of this applies to the client side rather than the VPN server side for L2TP, but some advice suggests actually allowing UDP port 50.
- There's another post that also talks about the "ESP (value 50) <- Used by IPSec data path" and others that refer to the ports used by IPSec protocols and ports.
- Remember, I'm not certain if #4 and #5 both apply to the connecting client side, but it is something to consider investigating further, and opening up additional access for correlated protocols and/or ports.
Further Troubleshooting
To troubleshoot further, consider running Wireshark with the Windows Firewall disabled, make a successful VPN connection, and save that trace. Then, with the Windows Firewall enabled, run a new trace, attempt a VPN connection, and save that trace.
Now you can look over both successful and unsuccessful L2TP VPN connection traces, filter, and see at the packet level what is really going on to determine what further you may need to allow through the Windows Firewall.
Supporting Resources
- How to configure an L2TP/IPsec server behind a NAT-T device in Windows and in Windows Server
- Windows 10 L2TP/IPsec Manual Setup Instructions
- What is a NAT firewall and how does it work?
- Set-ItemProperty
- Remove-ItemProperty
- L2TP Ports
- Understanding Firewall Profiles
- Layer 2 Tunneling Protocol
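As an added example (not code from the original answer or from Microsoft), the following wraps the "Suggested Fix" and "Remove Fix" commands above into one script that reads the current value, applies or removes the fix, reads it back, and tells you whether a restart is now pending. The function names and the 0/1/2 meanings are taken from the Microsoft article linked under Supporting Resources; everything else is my own.

```powershell
# Added example, not code from the original answer: apply, verify or remove the
# AssumeUDPEncapsulationContextOnSendRule fix and read the result back, so you
# know whether a reboot is actually needed. Run from an elevated session.
#Requires -RunAsAdministrator

$PolicyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName      = 'AssumeUDPEncapsulationContextOnSendRule'

function Get-L2tpNatTraversalValue {
    # Returns the current DWORD, or $null when the value has never been created
    # (Windows then behaves as with 0: no NAT-T SAs to servers behind a NAT).
    $item = Get-ItemProperty -Path $PolicyAgentKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-L2tpNatTraversalValue {
    param(
        # 2 = client and server may both be behind a NAT (the double-NAT case),
        # 1 = only the server is behind a NAT, 0 = default behaviour.
        [ValidateSet(0, 1, 2)] [int] $Value = 2,
        # Delete the value instead, restoring the default behaviour.
        [switch] $Remove
    )
    $before = Get-L2tpNatTraversalValue

    if ($Remove) {
        if ($null -ne $before) {
            Remove-ItemProperty -Path $PolicyAgentKey -Name $ValueName -Force
        }
    } else {
        # Set-ItemProperty creates the value when it does not exist yet.
        Set-ItemProperty -Path $PolicyAgentKey -Name $ValueName -Type DWord -Value $Value -Force
    }

    $after = Get-L2tpNatTraversalValue
    [pscustomobject]@{
        Before         = $before
        After          = $after
        # Per the Microsoft article the change is only picked up after a restart,
        # so any difference between Before and After means a reboot is pending.
        RebootRequired = ($before -ne $after)
    }
}

# Usage: enable the double-NAT fix now; uncomment the second line to undo it later.
Set-L2tpNatTraversalValue -Value 2
# Set-L2tpNatTraversalValue -Remove
```

If RebootRequired comes back True, run Restart-Computer before testing the VPN again; re-running the script after the reboot shows Before and After equal, which confirms the value survived.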
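The firewall bullets above (ports 1701 and 50, and the "all three profiles checked" advice) can be turned into rules and audited from PowerShell. This is an added example, not the answer's own code; the rule names are my choice, and the port set is the standard L2TP/IPsec one rather than something stated on this page: UDP 500 (IKE), UDP 4500 (IPsec NAT-T), UDP 1701 (L2TP) and IP protocol 50 (ESP), which is a protocol, not a port, and therefore needs a rule with no port numbers at all.

```powershell
# Added example, not code from the original answer: create Windows Firewall allow
# rules for the L2TP/IPsec port set on every profile, then audit them.
#Requires -RunAsAdministrator

# Rule names are my own; the port/protocol set is the standard one for L2TP/IPsec.
$RuleSpecs = @(
    @{ Name = 'L2TP-IPsec UDP'; Protocol = 'UDP'; LocalPort = @('500', '4500', '1701') }
    @{ Name = 'L2TP-IPsec ESP'; Protocol = '50';  LocalPort = $null }   # ESP has no ports
)

function Add-L2tpFirewallRules {
    foreach ($spec in $RuleSpecs) {
        foreach ($direction in 'Inbound', 'Outbound') {
            $name = "$($spec.Name) $direction"
            # Idempotent: skip rules that already exist instead of creating duplicates.
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
            $params = @{
                DisplayName = $name
                Direction   = $direction
                Protocol    = $spec.Protocol
                Profile     = 'Any'      # Domain, Private and Public, as the answer advises
                Action      = 'Allow'
            }
            if ($spec.LocalPort) { $params.LocalPort = $spec.LocalPort }
            New-NetFirewallRule @params | Out-Null
        }
    }
}

function Test-L2tpFirewallRules {
    # One row per expected rule: is it present, enabled, and bound to all profiles?
    # A rule limited to Domain/Private silently stops working on a Public network.
    foreach ($spec in $RuleSpecs) {
        foreach ($direction in 'Inbound', 'Outbound') {
            $name = "$($spec.Name) $direction"
            $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
            $allProfiles = $false
            if ($rule) {
                $profileText = "$($rule.Profile)"     # 'Any' or e.g. 'Domain, Private'
                $missing = @('Domain', 'Private', 'Public') | Where-Object { $profileText -notmatch $_ }
                $allProfiles = ($profileText -eq 'Any') -or (-not $missing)
            }
            [pscustomobject]@{
                Rule        = $name
                Present     = [bool]$rule
                Enabled     = [bool]$rule -and ("$($rule.Enabled)" -eq 'True')
                AllProfiles = $allProfiles
            }
        }
    }
}

Add-L2tpFirewallRules
Test-L2tpFirewallRules | Format-Table -AutoSize
```

Test-L2tpFirewallRules is also useful on its own against rules a VPN client installer created: any row with AllProfiles False is a rule that will work at the office and fail on a network Windows classifies as Public. The outbound rules only matter if outbound blocking has been turned on; on a default client firewall the inbound replies are already matched by state.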
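For the two-trace comparison described under Further Troubleshooting, here is an added example (not from the original answer) that counts, per L2TP/IPsec phase, how many packets appear in the working (firewall off) and failing (firewall on) captures, so the first phase that goes quiet points at the missing rule. It assumes tshark.exe, which installs with Wireshark, is on PATH, and the two capture paths are placeholders to replace.

```powershell
# Added example, not code from the original answer: compare the "firewall off"
# and "firewall on" Wireshark traces phase by phase with tshark (assumed on PATH).

function Get-L2tpPhaseCounts {
    param([Parameter(Mandatory)] [string] $CapturePath)
    # Each phase of an L2TP/IPsec connection is a distinct protocol on the wire.
    # L2TP itself (UDP 1701) normally travels encrypted inside ESP, so it is only
    # visible in clear text when IPsec is not in use; a zero there is not by
    # itself a fault.
    $phases = [ordered]@{
        'IKE (UDP 500)'     = 'udp.port == 500'
        'NAT-T (UDP 4500)'  = 'udp.port == 4500'
        'ESP (IP proto 50)' = 'esp'
        'L2TP (UDP 1701)'   = 'udp.port == 1701'
    }
    $counts = [ordered]@{}
    foreach ($phase in $phases.GetEnumerator()) {
        # -Y applies a display filter; -T fields -e frame.number prints one line per
        # matching packet, so the line count is the packet count for that phase.
        $lines = & tshark -r $CapturePath -Y $phase.Value -T fields -e frame.number 2>$null
        $counts[$phase.Key] = ($lines | Measure-Object).Count
    }
    return $counts
}

function Compare-L2tpCaptures {
    param(
        [Parameter(Mandatory)] [string] $WorkingCapture,
        [Parameter(Mandatory)] [string] $FailingCapture
    )
    $ok  = Get-L2tpPhaseCounts -CapturePath $WorkingCapture
    $bad = Get-L2tpPhaseCounts -CapturePath $FailingCapture
    foreach ($phase in $ok.Keys) {
        [pscustomobject]@{
            Phase   = $phase
            Working = $ok[$phase]
            Failing = $bad[$phase]
            # Seen in the working trace but absent from the failing one: start here.
            Blocked = ($ok[$phase] -gt 0 -and $bad[$phase] -eq 0)
        }
    }
}

# Placeholder paths; point these at the two traces saved from Wireshark.
Compare-L2tpCaptures -WorkingCapture 'C:\traces\l2tp-firewall-off.pcapng' `
                     -FailingCapture 'C:\traces\l2tp-firewall-on.pcapng' | Format-Table -AutoSize
```

One caveat when reading the result: Npcap captures below the Windows Filtering Platform, so inbound packets the firewall drops still show up in the failing trace. What disappears is the client's own next step (for example no UDP 4500 traffic after IKE on 500), or, if outbound blocking is enabled, the client's outgoing packets themselves. If tshark is not on PATH, replace the bare `tshark` with the full path under Program Files\Wireshark.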