L2TP Connection Not working

Hello,

I set up a lab server running Server 2012 Standard. I installed the Routing and Remote Access role, set up a pre-shared key for the custom IPsec policy for L2TP/IKEv2 connections (the key is 1234 as a test), and gave my account access to dial in.

On the client side I set up the VPN with the same preshared key and L2TP/IPSEC as the type of tunnel.

However, I can only connect using PPTP if I change the tunnel to automatic. L2TP and IKEv2 fail. L2TP shows error 789 on the client (Windows 7 pro) and no error that I can find on the server. I disabled the firewall on the server as a test, still no go.

Any help would be greatly appreciated. After searching the internet for troubleshooting, I set up my VPN identically to this guide:

http://www.cloudservers.com/setup-l2tpipsec-vpn-on-windows-server-2012-cloud-vps/

Both servers are behind a NAT on my home network (my lab). However, the SQL Server 2012 machine is behind a VMware machine with 2 network ports. The internal network port is linked to a pfSense test setup (192.168.1.x) and the external interface is what I'm trying to dial in to (10.10.10.x).

Thanks.
Pawel_Kowalski asked:

Pawel_Kowalski (Author) commented:
I am still banging my head against the desk, however, here are a few more things I did.

1. I forwarded ports 1701, 500, and 4500 through my home router to expose the server to the outside world. I then tried to connect with Windows 7 from an outside network. Same error. I tried my Android phone and had more success there. It said "failed IKE negotiation", but at least my server logs show the error and have the following in the event log:

560 085 924 (4:07 PM):
CoId={NA}: The following error occurred in the Point to Point Protocol module on port: VPN0-127, UserName: Administrator. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

I'm not sure which encryption method to use as Android gives me 100 different combinations.

2. I noticed lots of talk about NAT-T issues and to modify the registry by adding a key as outlined in this KB:

http://support.microsoft.com/en-us/kb/926179

Added it to both my client and server and rebooted both. Same issue.
Jody Lemoine (Network Architect) commented:
Just to be complete, you should forward protocol 50 (ESP), ports 500/udp (IKE) and 4500/udp (IPSec NAT Traversal) and make sure that they're permitted all the way through. Port 1701/tcp isn't really necessary because it's encapsulated in IPSec. Watch the protocol being permitted here. I've seen lots of cases where TCP is being permitted rather than UDP... and that will mess things up.
Pawel_Kowalski (Author) commented:
Thanks, all those are open and no luck. I had a Synology box that you can install L2TP/IPsec VPNs on, and it had the same issue; same with pfSense.

That tells me that maybe there is something wrong with my network configuration and my understanding of how the connection takes place. I suspect since both devices are behind a NAT this is causing huge issues. Would that be correct to say?

Thanks.
Jody Lemoine (Network Architect) commented:
4500/udp is what is used to tunnel past NAT. As long as that's open and forwarded and both ends support NAT traversal, you should be good. What does a packet capture (with these ports/protocols used as a filter) give you?
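One way to act on that packet-capture suggestion: an added Python example (not code from this thread or from any poster) that labels the UDP/500 and UDP/4500 payloads you would filter out of a capture at the server, telling plain IKE, IKE-over-NAT-T (the 4-byte non-ESP marker) and ESP-in-UDP apart, and then says how far the L2TP/IPsec setup got. The function names and the `SAMPLE` packets are my own constructions; the header layouts are the standard IKE and ESP-in-UDP ones.

```python
import struct

# IKE header (RFC 2408 / RFC 7296): SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKE_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive", 5: "IKEv1 Informational", 32: "IKEv1 Quick Mode",
            34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH", 37: "IKEv2 INFORMATIONAL"}

def ike_label(data):
    """Name the IKE exchange in an IKE header and say whether a responder has joined in."""
    if len(data) < IKE_HDR.size:
        return "truncated IKE header"
    _spi_i, spi_r, _nxt, ver, exch, _flags, _msgid, _length = IKE_HDR.unpack_from(data)
    name = EXCHANGE.get(exch, f"IKEv{ver >> 4} exchange {exch}")
    stage = "first message" if spi_r == bytes(8) else "answered"  # zero responder SPI: no reply yet
    return f"{name} ({stage})"

def classify(dport, payload):
    """Label one UDP payload by destination port: plain IKE, NAT-T IKE, or ESP-in-UDP."""
    if dport == 500:
        return ike_label(payload)
    if dport == 4500:
        if payload[:4] == bytes(4):  # 4-byte non-ESP marker: IKE carried inside NAT-T
            return "NAT-T " + ike_label(payload[4:])
        if len(payload) >= 8:        # otherwise ESP-in-UDP: 32-bit SPI then sequence number
            spi, seq = struct.unpack("!II", payload[:8])
            return f"ESP-in-UDP spi=0x{spi:08x} seq={seq}"
    return f"not IKE/NAT-T (udp/{dport})"

def diagnose(packets):
    """packets: [(dst_port, udp_payload)] seen at the server. Says how far the tunnel got."""
    labels = [classify(port, data) for port, data in packets]
    if any(lab.startswith("ESP-in-UDP") for lab in labels):
        return "IPsec SA up: the failure is in L2TP/PPP (RAS policy, auth method, event log)"
    if any(lab.startswith("NAT-T") for lab in labels):
        return "IKE moved to udp/4500: NAT-T works, check pre-shared key and KB 926179 value"
    if any("(answered)" in lab for lab in labels):
        return "IKE answered on udp/500 but never reached udp/4500: check udp/4500 forwarding"
    if any("(first message)" in lab for lab in labels):
        return "IKE requests reach udp/500 but get no reply: IPsec policy/RRAS not answering"
    return "no IKE traffic seen: udp/500 is not reaching the server"

# constructed sample: Main Mode on 500, Quick Mode over NAT-T on 4500, then ESP-in-UDP
def ike_pkt(spi_i, spi_r, exch):
    return IKE_HDR.pack(spi_i, spi_r, 1, 0x10, exch, 0, 0, IKE_HDR.size)

SAMPLE = [(500, ike_pkt(b"\x01" * 8, bytes(8), 2)),
          (500, ike_pkt(b"\x01" * 8, b"\x02" * 8, 2)),
          (4500, bytes(4) + ike_pkt(b"\x01" * 8, b"\x02" * 8, 32)),
          (4500, struct.pack("!II", 0xDEADBEEF, 1) + bytes(16))]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Feed it the UDP payloads from a capture filtered on `udp port 500 or udp port 4500`; seeing ESP-in-UDP at the server means IPsec is fine and the PPP authentication error from the event log is the real problem.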
A-T-1 commented:
There's a lot more things to go wrong besides this. I spent two days before finding them all. I made a YouTube video for anyone who wants to see a comprehensive solution.


https://www.youtube.com/watch?v=Xl3BhwLFgB4