Pawel_Kowalski asked on

L2TP Connection Not working


I set up a lab server running Server 2012 Standard. I installed the Routing and Remote Access role, set up a preshared key for the custom IPsec policy for L2TP/IKEv2 connections (the key is 1234 as a test), and gave my account access to dial in.

On the client side I set up the VPN with the same preshared key and L2TP/IPSEC as the type of tunnel.

However, I can only connect using PPTP if I change the tunnel to automatic. L2TP and IKEv2 fail. L2TP shows error 789 on the client (Windows 7 Pro) and no error that I can find on the server. I disabled the firewall on the server as a test; still no go.

Any help would be greatly appreciated. After searching the internet for troubleshooting steps, I set up my VPN identically to this guide:


Both servers are behind a NAT on my home network (my lab). However, the SQL Server 2012 is behind a VMware machine with 2 network ports. The internal network port is linked to a pfSense test setup (192.168.1.x) and the external interface is what I'm trying to dial in to (10.10.10.x).

Tags: Internet Protocol Security, VPN, Microsoft Server OS

Last comment: 8/22/2022 (Mon)

I am still banging my head against the desk, however, here are a few more things I did.

1. I forwarded ports 1701, 500, and 4500 through my home router to expose the server to the outside world. I then tried to connect with Windows 7 from an outside network. Same error. I tried my Android phone and had more success there. It said "failed IKE negotiation", but at least my server logs show the error and have the following in the event log:

560 085 924 (4:07 PM):
CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN0-127, UserName: Administrator. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

I'm not sure which encryption method to use as Android gives me 100 different combinations.

2. I noticed lots of talk about NAT-T issues and about modifying the registry by adding a key as outlined in this KB:


Added it to both my client and server and rebooted both. Same issue.
Jody Lemoine

Just to be complete, you should forward protocol 50 (ESP), ports 500/udp (IKE) and 4500/udp (IPSec NAT Traversal) and make sure that they're permitted all the way through. Port 1701/tcp isn't really necessary because it's encapsulated in IPSec. Watch the protocol being permitted here. I've seen lots of cases where TCP is being permitted rather than UDP... and that will mess things up.

Thanks, all those are open and no luck. I had a Synology box that you can install L2TP/IPsec VPNs on and it also had the same issue, same with pfSense.

That tells me that maybe there is something wrong with my network configuration and my understanding of how the connection takes place. I suspect that since both devices are behind a NAT, this is causing huge issues. Would that be correct to say?
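An added example, not code from any poster in this thread, that pulls the thread's checks together in PowerShell: the three firewall openings Jody lists (udp/500, udp/4500, IP protocol 50), a scan for the TCP-instead-of-UDP mistake he warns about, the PolicyAgent registry value used for L2TP/IPsec when both ends sit behind NAT (the topology described in this post), and a client connection with the authentication method pinned so it matches what RRAS expects, which is what the "authentication method ... may not match" event points at. The server name vpn.lab.example is a placeholder; the PSK 1234 is the test key from the question and should stay in the lab.

```powershell
# Added example (not from the thread). Assumptions: server reachable as
# vpn.lab.example (placeholder); PSK "1234" is the question's test key; the
# client cmdlets need Windows 8 / Server 2012 or later (Add-VpnConnection does
# not exist on the Windows 7 client in the question; there you use rasphone).
# Run in an elevated PowerShell session on the box each section names.

# --- Server (RRAS on Server 2012): open exactly what L2TP/IPsec needs ---------
# IKE and NAT-T ride on UDP. ESP is IP protocol 50, not a port. L2TP's 1701 is
# carried inside ESP (or UDP-encapsulated ESP), so it needs no separate hole.
# Note: installing RRAS usually creates equivalent built-in rules; these are
# shown so the required set is explicit.
New-NetFirewallRule -DisplayName 'L2TP/IPsec - IKE'   -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow
New-NetFirewallRule -DisplayName 'L2TP/IPsec - NAT-T' -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow
New-NetFirewallRule -DisplayName 'L2TP/IPsec - ESP'   -Direction Inbound -Protocol 50  -Action Allow

# The common mistake: 500/4500 opened over TCP. Flag any such enabled rule.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $pf    = $_ | Get-NetFirewallPortFilter
    $ports = @($pf.LocalPort)
    if ($pf.Protocol -eq 'TCP' -and (($ports -contains '500') -or ($ports -contains '4500'))) {
        Write-Warning "Rule '$($_.DisplayName)' permits $($ports -join ',') over TCP; IKE and NAT-T are UDP only"
    }
}

# --- Both ends behind NAT: let the IPsec stack accept UDP-encapsulated ESP ----
# AssumeUDPEncapsulationContextOnSendRule: 1 = server behind NAT,
# 2 = both client and server behind NAT. Set on BOTH machines, then reboot.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name 'AssumeUDPEncapsulationContextOnSendRule' -PropertyType DWord -Value 2 -Force | Out-Null

# --- Client: create the L2TP/IPsec connection with the auth method pinned ----
# RRAS rejects a dial-in whose PPP auth protocol it is not configured for;
# MSChapv2 is the RRAS default. Make the client offer exactly that.
Add-VpnConnection -Name 'Lab L2TP' -ServerAddress 'vpn.lab.example' `
    -TunnelType L2tp -L2tpPsk '1234' -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -RememberCredential -Force

# Dial (prompts for the password), then read both sides' logs on failure.
rasdial 'Lab L2TP' Administrator *

# Client side: RasClient events land in the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } -MaxEvents 10 |
    Format-List TimeCreated, Id, Message

# Server side: RRAS (RemoteAccess) events land in the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'RemoteAccess' } -MaxEvents 10 |
    Format-List TimeCreated, Id, Message
```

Two things to check after running this: the registry value takes effect only after a reboot of each machine it was set on, and if the home router in front of the server does not pass NAT-T, IKE will succeed on udp/500 and then stall when ESP is replaced by udp/4500, which is exactly the "IKE negotiation" failure a phone reports.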


There are a lot more things to go wrong besides this. I spent two days before finding them all. I made a YouTube video for anyone who wants to see a comprehensive solution.