Windows 10 L2TP VPN connection issue
Trouble getting Windows to connect to an L2TP VPN
-
Firstly, if the VPN server is behind a NAT and the VPN client is behind a NAT this could cause a problem because apparently "by default Windows does not support IPSec network address translation (NAT) Traversal (NAT-T) security associations to servers that are located behind a NAT device", and this applies to Windows 10 still as well.
The advice given by Microsoft "if you have to put a server behind a NAT device and then use an IPsec NAT-T environment, you can enable communication by changing a registry value on the VPN client computer and the VPN server."
PowerShell (Suggested Fix)
Note: You must run this in an admin elevated PowerShell session.
## -- Add registry key to support for L2TP communications via double NAT
Set-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Type DWORD -Value 2 –Force;
Important: You must restart the machine(s) you apply this to before it's effective.
Create and configure the
AssumeUDPEncapsulationContextOnSendRuleregistry key with a2value beneathHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentregistry subkey and define it as aDWORDvalue.
- A value of
2configures Windows so that it can establish security associations when both the Windows Server and Windows VPN client computer are behind NAT devices.
PowerShell (Remove Fix)
Note: You must run this in an admin elevated PowerShell session.
## -- Remove registry key for L2TP communications support via double NAT
Remove-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" –Force;
Important: You must restart the machine(s) you apply this to before it's effective.
If it is not a double NAT issue then . . .
It seems perhaps in some configurations port1701is used over TCP and UDP both and not just UDP only. Adjust your rule to allow the TCP port1701through as well and see if that fixes the problem.
Layer Two Tunneling Protocol (L2TP) uses TCP port 1701 and is an extension of the Point-to-Point Tunneling Protocol. L2TP is often used with IPSec to establish a Virtual Private Network (VPN).2020-06-25: Fixed typo, that L2TP uses UDP, not TCP
- Furthermore, ensure your Windows Firewall "allow" rule(s) for the applicable TCP and UDP ports (and any correlated VPN client software exe's, etc.) from the
Advancedtab has allprivate,domain, andpublicprofiles checked.
-
Upon further research it's not super clear to me if some of this applies to the client side rather than the VPN server side for L2TP but some advice suggests actually allowing UDP port
50. -
There's another post that also talks about the
ESP (value 50) <- Used by IPSec data pathand others that refer to the ports used by IPSec protocols and ports.
-
Remember, I'm not certain if #4 and #5 both apply to the connecting client side but something to consider investigating further and opening up additional access for correlated protocols and/or ports.
Further Troubleshooting
To troubleshoot further, consider running Wireshark with the Windows Firewall disabled and make the successfully VPN connection and save that trace. Then with the Windows Firewall enabled, run a new trace, attempt a VPN connection, and save that trace.
Now you can look over both successful and unsuccessful L2TP VPN connection traces, filter, and see at the packet level what is really going on to determine what further you may need to allow through the Windows Firewall.
Supporting Resources
Related videos on Youtube
08 : 24
05 : 14
02 : 00
![The L2TP Connection Attempt Failed Because the Security Layer Encountered a Processing Error [FIX]](https://i.ytimg.com/vi/hvrLx3Nci-E/hqdefault.jpg?sqp=-oaymwEcCOADEI4CSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBbdHflKFNOhJRaveCbil710JOdiA)
08 : 57
06 : 46
Comments
-
Panomosh over 1 year
I have a Windows 10 client which has been configured to connect to an L2TP VPN.
To get the connection to work, I had to add the
"AssumeUDPEncapsulationContextOnSendRule"registry Key, and then totally disable Windows Firewall—the VPN connects perfectly this way.However, I cannot get the VPN to connect with the Windows Firewall enabled and I really need to keep the Windows Firewall enabled and be able to connect to the L2TP VPN.
I have also allowed...
- Protocol
50(ESP) in and out - UDP
1701,4500,500in and out
However the VPN still only connects if I totally disable the Windows Firewall and not with it enabled.
Question: Any help or guidance suggested to further troubleshoot this problem?
-
StarCat over 4 yearsAFAIK the UDP ports you need for L2TP are 1701, 4500 and 500. Not 5000.
-
Panomosh over 4 yearsI will try that and let you know to post the answer if it works thanks @Pimp
-
harrymc over 4 yearsTry to enable IP Protocol ID 51 for Authentication Header (AH) traffic.
- Protocol
-
Panomosh over 4 yearsFor the effort and completeness of this answer you get the bounty. Thank you
-
Russell G over 2 yearsThe source for point 2 has changed their page to say that 1701 is UDP only - it no longer mentions 1701 over TCP. Thanks for the registry fix!
