L2TP on Windows 2003 with Windows XP client

Posted on 2007-10-01
Last Modified: 2010-04-12
I am having a problem getting L2TP to work correctly.  I have a Windows 2003 SP1 server running RRAS and am trying to connect to it using a Windows XP SP2 workstation. I have tested it on a workstation inside our network and it works fine.  I then tried to test it on a laptop coming from outside our network and it fails.  I don't think it's our firewall (PIX 515e) rules that are the problem though, as I've allowed UDP 500, 4500 and 1701 through, and I see no denials on my syslog server.

The error that I get in the event log on the laptop is:

Event ID 547:
IKE security association negotiation failed.
Data Protection Mode (Quick Mode)
(..Info blacked out for security..)
Protocol 17
Source Port 1701
Destination Port 1701
(..Info blacked out for security..)
Failure Point:
Failure Reason:
New policy invalidated SAs formed with old policy
Extra Status:
0x0 0x0
Question by: zheron
    LVL 70

    Accepted Solution

    Does a PPTP VPN work? Is NAT involved? If so it could be a NAT traversal issue - see
    LVL 1

    Author Comment

    Yes PPTP does work.  Yes NAT is involved, however, the Windows 2003 server is in a static one-to-one NAT, so I didn't think that the NAT would cause a problem.

    It definitely appears to be the firewall though.  I took the laptop and connected directly to our network and tested the VPN without the firewall in the way and it connected no problem, so it's definitely not a certificate issue.

    Would static NAT still be an issue for the IPSec?
    LVL 1

    Author Comment

    I guess NAT was it.  Apparently the Windows L2TP client doesn't like the server behind NAT, even if it is a static NAT.  I found this article that helped:

    By making the registry change I was able to get it to work.  Not really what I want to have to do, but at least now I know what the problem is.  Thanks.
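    An added example (not part of the thread or the author's own procedure): a PowerShell check of the client-side registry value that controls whether the Windows IPsec client accepts an L2TP/IPsec server behind NAT. The thread does not name the registry change; the value that matches this symptom is AssumeUDPEncapsulationContextOnSendRule, which I assume is what the author applied. The function names and the interpretation table are this example's own. The default of 0 exists because raising the value widens which UDP-encapsulated peers the client accepts, so treat it as a per-client exception rather than a fleet-wide default.

```powershell
# Added example, not from the thread. Assumes the registry change discussed above is
# AssumeUDPEncapsulationContextOnSendRule (DWORD), located under the IPSec service key
# on XP/2003 and under PolicyAgent on Vista and later. Meaning of the value:
#   0 = (default) server behind NAT is rejected, which produces the "New policy
#       invalidated SAs" style Quick Mode failure when only the server is NATed
#   1 = the server may be behind NAT
#   2 = both the client and the server may be behind NAT
function Get-L2tpNatTraversalSetting {
    $os = [System.Environment]::OSVersion.Version
    $keyPath = if ($os.Major -lt 6) {
        'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'        # XP / Server 2003
    } else {
        'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'  # Vista and later
    }
    $name = 'AssumeUDPEncapsulationContextOnSendRule'
    # A missing value is the same as the default of 0, so swallow the "not found" error.
    $item = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$name }
    $meaning = switch ($value) {
        0       { 'Default: client rejects IPsec SAs with a server behind NAT' }
        1       { 'Server may be behind NAT' }
        2       { 'Client and server may both be behind NAT' }
        default { "Unrecognised value $value" }
    }
    New-Object PSObject -Property @{
        KeyPath = $keyPath; Name = $name; Value = $value; Meaning = $meaning
    }
}

function Set-L2tpNatTraversalSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateSet(0, 1, 2)][int]$Value
    )
    $current = Get-L2tpNatTraversalSetting
    if ($PSCmdlet.ShouldProcess("$($current.KeyPath)\$($current.Name)", "Set DWORD to $Value")) {
        New-ItemProperty -Path $current.KeyPath -Name $current.Name -PropertyType DWord `
            -Value $Value -Force | Out-Null
        # The IPsec service reads the value at start-up; the change is not live until
        # the client is rebooted.
        Write-Warning 'Reboot the client for the new setting to take effect.'
    }
}

# Usage (run as Administrator):
#   Get-L2tpNatTraversalSetting                   # current value and what it means
#   Set-L2tpNatTraversalSetting -Value 2 -WhatIf  # preview; drop -WhatIf to apply
```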
