L2TP VPN not working in Windows

I’m going to skip the first troubleshooting steps because if you’ve been struggling with this for days I guess you’ve already tried those (e.g. basic connectivity, the server is up). Now, why is L2TP VPN not working in Windows? It’s generally because the VPN server is behind a NAT device, and here’s the reason from Microsoft (Microsoft KB 926179):

By default, Windows Vista and the Windows Server 2008 operating system do not support Internet Protocol security (IPsec) network address translation (NAT) Traversal (NAT-T) security associations to servers that are located behind a NAT device. Therefore, if the virtual private network (VPN) server is behind a NAT device, a Windows Vista-based VPN client computer or a Windows Server 2008-based VPN client computer cannot make a Layer Two Tunneling Protocol (L2TP)/IPsec connection to the VPN server.

This actually applies to every Microsoft OS up to Windows 10’s latest release (I’m writing this on the 22nd of September 2016).

In order to resolve this, you will have to add or modify the following registry value and reboot afterwards. If you’re less experienced, keep reading for the detailed step-by-step instructions on creating or modifying the key.

Registry subkey location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
DWORD Value Name: AssumeUDPEncapsulationContextOnSendRule
DWORD Value Data: 2

For Windows XP, the registry subkey location is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec.

See these notes about the values (from Microsoft):

A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.

I’ve read on a forum that one person had to follow the process below in order to get it working (when I tried I never had to, but I guess it’s better to mention it):

  • Add the Key above, but give it value 1.
  • Reboot.
  • Modify the Key’s value to 2.
  • Reboot.

Should you have more issues with Windows 7/Windows Server 2008, try applying this hotfix (requires a reboot): https://support.microsoft.com/en-gb/kb/2523881

Step by Step instructions

  • Open Run by pressing the Windows key + R, type regedit and press OK. Alternatively, if you’re on Windows Vista or above, click Start, type regedit and press Enter once the Registry Editor’s icon appears.
  • Navigate all the way to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent (or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec for Windows XP).
  • Right click on PolicyAgent (or on an empty spot in the right pane) and click New > DWORD (32-bit) Value.
  • Name it AssumeUDPEncapsulationContextOnSendRule. Note: if you saved it with the default name, you can rename it by right clicking on it > Rename. If it already exists, go to the next step.
  • Right click on the newly created DWORD and select Modify (or double click on it).
  • Under Value data, type 2 and click OK.
  • Close the Registry Editor and reboot your computer.
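If you would rather script the steps above (for example across several client machines), the following PowerShell snippet is an added example, not part of the original post: it reports the current value of AssumeUDPEncapsulationContextOnSendRule, exports a backup of the key so the change can be reverted, and then sets the DWORD to 2. It assumes an elevated prompt, picks the PolicyAgent path on Vista and later and the IPSec path on XP, and the backup file name under %TEMP% is a constructed choice.

```powershell
# Added example (not from the original post). Run from an elevated
# PowerShell prompt; a reboot is still required after the change.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# PolicyAgent is the location for Vista and later; IPSec is the Windows XP location.
$KeyPath = if ([Environment]::OSVersion.Version.Major -ge 6) {
    'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
} else {
    'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
}

# Meaning of each value, per the Microsoft notes quoted in the post.
$Meaning = @{
    0 = 'default: no security associations to servers behind NAT'
    1 = 'server behind NAT'
    2 = 'both server and client behind NAT'
}

# Read the current value, if it exists.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "$ValueName is not set (behaves as 0: $($Meaning[0]))"
} else {
    Write-Host "$ValueName is currently $current ($($Meaning[[int]$current]))"
}

# Export the key before touching it so the change can be reverted.
# Backup path is a constructed choice for this example.
$backup = Join-Path $env:TEMP ('PolicyAgent-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
$regKey = $KeyPath -replace '^HKLM:', 'HKEY_LOCAL_MACHINE'
reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; not changing anything." }
Write-Host "Backup written to $backup"

# Create or overwrite the DWORD with value 2 (-Force handles both cases).
if ($current -ne 2) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Host "$ValueName set to 2; reboot to apply."
} else {
    Write-Host 'Already set to 2; nothing to do.'
}
```

To revert, double click the exported .reg file (or run reg.exe import on it) and reboot again.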

Now you should be able to connect to the VPN.

IT Droplets