Windows 7 IPSec/L2TP VPN connection problem
In Windows 7 I have a problem with my L2TP VPN connection, so I will describe the problem. I built the connection, and in the Security tab I set it to use L2TP and set the pre-shared key (the VPN server uses a pre-shared key for L2TP). Then I try to connect to the VPN server, but nothing happens, and after a moment Error 789 appears. With PPTP the VPN works fine, so I was curious about it, and I saw something odd: when I use PPTP, while it is connecting, in "Control Panel\Network and Internet\Network Connections" I see that the status of the connection is Connecting, but while the L2TP connection is running the status is constantly Disconnected, as if nothing is happening and I did nothing!!

Microsoft Certified System Engineer 2003
December 8th, 2009 10:22pm

Any idea or something else? What should I do?

Microsoft Certified System Engineer 2003
December 9th, 2009 4:12pm

Well, I found something new about this problem!! I set up a VPN server with Windows Server 2008 R2 (installed Windows Server 2008 R2 in VirtualBox) and used the pre-shared key for the L2TP connection, and it works fine, BUT the difference is in the encryption status: the encryption is "IPSec: AES 128", and in the past when I used Windows XP I remember that the encryption was "IPSec ESP 3DES". The VPN server is Windows Server 2003, so what should I do to add ESP 3DES in Windows 7 or add AES 128 in Windows Server 2003? By the way, I think the primary problem is from integrity during IPSec, because the problem is before opening the session. I am completely confused, please help me :(

Microsoft Certified System Engineer 2003
December 10th, 2009 12:52pm

Maybe the ISAKMP protocol is blocked. This behavior can be caused by a firewall on the computer, in the router or on the ISP side. You may temporarily disable the firewall. If the issue persists, temporarily bypass the router or disable the firewall on the router. If the issue still occurs, try to connect to the L2TP VPN from another system; if the connection is not established, the most likely cause can be the ISP side. Meanwhile, please also make sure that the "IPsec Policy Agent" service is enabled.

Arthur Xie - MSFT
December 10th, 2009 1:15pm

Maybe the ISAKMP protocol is blocked. This behavior can be caused by a firewall on the computer, in the router or on the ISP side. You may temporarily disable the firewall. If the issue persists, temporarily bypass the router or disable the firewall on the router. If the issue still occurs, try to connect to the L2TP VPN from another system; if the connection is not established, the most likely cause can be the ISP side. Meanwhile, please also make sure that the "IPsec Policy Agent" service is enabled. Arthur Xie - MSFT

Thanks for your reply. About the ISAKMP protocol: I disabled my PC firewall but nothing changed, so this is not the answer, and also in the past I was able to connect when I had Windows XP Pro, so the ISP is not the answer. About the router: my router is a "ZyXel ZyWALL 2 Plus" and I disabled its firewall too, but there was no difference and I'm unable to connect. From my point of view the most suspicious thing is the router, but when I think about it I realize that in Windows XP and in Windows 7 XP Mode I'm able to connect!! The "IPsec Policy Agent" service is enabled and the startup mode is Automatic. And now the new things that I found out!! I installed Windows Server 2003 R2 (VirtualBox) and was able to connect to it, and the encryption method is IPSec ESP 3DES!! In my last comment I said that I'm unable to connect to the VPN server because of the encryption method, but after this test, well, this is not the problem. Please help me.

Microsoft Certified System Engineer 2003
December 10th, 2009 6:54pm

Well, thanks to all the TechNet forum moderators for helping me!! Anyway, I think I found the cause of the problem, but I don't know how to fix it. When I connect to the internet with my broadband connection the VPN works fine, but when my router connects to the internet and I connect to the internet through it, the problem comes ... The VPN server is Microsoft Windows Server 2003 and I'm the administrator of it. Please help me to solve this problem .... this error isn't just for me. Thanks a lot

Microsoft Certified System Engineer 2003
December 13th, 2009 8:52am

Does your router have a firewall? You need to change the settings for the router to allow the ISAKMP protocol, UDP port 500. Please refer to the instructions from the router manufacturer. Or you can contact the technical support of the manufacturer.

Arthur Xie - MSFT
December 14th, 2009 9:38am

Does your router have a firewall? You need to change the settings for the router to allow the ISAKMP protocol, UDP port 500. Please refer to the instructions from the router manufacturer. Or you can contact the technical support of the manufacturer. Arthur Xie - MSFT

Thanks. Well, my router has a firewall and I added a rule which permits LAN to WAN traffic over UDP:500, but nothing changed. Then I completely disabled my router firewall and nothing happened again; I even disabled my Windows firewall and nothing happened again. The weird part is that the VPN works fine in Windows XP, but since I installed Windows 7 this problem is coming, and even in Windows 7 XP Mode the VPN works fine ...

Microsoft Certified System Engineer 2003
December 14th, 2009 7:21pm

I am having the exact same issue, were you able to find the solution?
January 28th, 2010 6:56pm

When you are working with Microsoft XP, Vista, 7, 2003 or 2008 and IPSEC/L2TP behind NAT, then you need to create a registry key. You can find this by a Google search on NAT-Traversal with IPSEC. And when you are using NAT at the server site, then you have to make an extra port forwarding to your server for UDP 4500.
January 29th, 2010 11:33am

The problem that you are describing is way old and was solved since Windows XP SP2. Notice how Sayed and myself don’t have this issue in XP; it's on Windows 7. From taking a sniff I can see that the first IKE packet now includes both the draft RFC for NAT-T as well as RFC 3947; I am pretty sure that is the problem. There has to be some Windows registry setting to change that packet so the process can continue. So has anyone else encountered this issue?
January 31st, 2010 12:47am

I have the same problem too. When I want to connect to an L2TP/IPsec VPN (3Com 3CR870-95) with Windows 7, I receive Error 789. I have tried on 3 PCs with Windows 7 with the same result. But on the same Win7 I have XP in VirtualBox. When I connect with this Windows XP everything works OK. Has anyone found a solution for Windows 7?
February 8th, 2010 5:31pm

Did you have any luck HR-Damir? I am having the same problem, XP works fine, Windows 7 doesn't.
February 10th, 2010 6:44am

NKumarnz, I didn't have success... I just found that if I use an internal ISDN card to access the internet then I can connect to the VPN with Windows 7 too. But if I use an ADSL router then only XP works. So when I have a public IP then W7 works, when I have a private IP then not... Maybe somebody has some idea?
February 11th, 2010 10:39am

I opened a ticket with Microsoft because I could not find anything. They have been working on it for more than a week and it does not look like they are finding much on it. I did compare the IKE packets from Windows 7 and Windows XP, and Windows 7 is using the RFC for NAT-T as well as the draft version, but XP only uses the draft version. I am pretty sure that it has to do with that extra information in the IKE packet. Hope someone can figure this out.
February 12th, 2010 12:25am

Well, I don't know what to say, but my problem is weirdly solved!! And I don't have any problem anymore!!

The things that I have done are:
1- In Windows services, check that both "IKE and AuthIP IPSec Keying module" and "IPSec policy agent" are set to Automatic mode and by default are set to start
2- Well, I did this instruction too!! Link to Microsoft Support
3- Updated my router!!
4- Set two firewall rules which allow port 4500 and 500 traffic

I don't know which one of them solved the problem, but I did all of them. But to find out which one of them exactly solved the problem, I undid some of them which I had doubts about, like the 2nd and 4th (about the 1st I'm completely sure that it must be OK, and about the 3rd one there is no rollback). Then I undid both of them, but weirdly the L2TP works fine.

The question is: if my last router firmware had trouble with L2TP, then why did it work in Windows XP!??? If the problem is because of the firewall blocking ports, then why after disabling those rules does it work again?!! If the problem is because of the registry key, then why after deleting that does it work?!!

About this problem I really don't have any exactly true answer! But if these things work for you, let the others know.

Thanks
Microsoft Certified System Engineer 2003
February 13th, 2010 12:50am

Sayed and everyone,

I had the same problem, it used to work in XP and Vista but not now in Win7 (with the AssumeUDPEncapsulationContextOnSendRule set to 2). The solution to getting it to work in Win7 is to start the "IKE and AuthIP IPsec Keying Modules" service (which makes perfect sense since we're doing IPSec). Oddly enough, the IPSec Policy Agent service itself does not need to be started; on my system it is set at manual start and it does not even start when connecting over L2TP.

So bottom line; for L2TP to work when both client & server (Windows 2003) are behind NAT:
1. Set AssumeUDPEncap... to 2 on both client & server
2. Start IKE... service on client
3. Make sure UDP port 500 and 4500 are natted from the firewall to the server
4. On client create the L2TP connection, use the proper Preshared key defined on the server

Works like a charm.
February 19th, 2010 6:48pm
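
The client-side checks from the post above, as an added example (not part of the original thread and not a Microsoft script): a read-only PowerShell audit of the two IPsec services, the NAT-T registry value and the local IKE sockets. The service short names IKEEXT and PolicyAgent and the registry path under Services\PolicyAgent are assumptions, since the thread gives only the display names and the value name.

```powershell
# Added example: read-only audit of the Windows 7 client settings named in this
# thread for L2TP/IPsec behind NAT (Error 789). It changes nothing.
# Assumptions: IKEEXT/PolicyAgent short names and the PolicyAgent registry path
# are the Vista/7/2008 ones; run from an elevated PowerShell prompt.
$findings = @()

# Services: IKEEXT = "IKE and AuthIP IPsec Keying Modules",
# PolicyAgent = "IPsec Policy Agent". Only "Disabled" is treated as a fault,
# because a manual-start service may simply not have been started yet.
foreach ($name in 'IKEEXT', 'PolicyAgent') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $findings += "Service $name not found"; continue }
    '{0,-12} StartMode={1,-9} State={2}' -f $svc.Name, $svc.StartMode, $svc.State
    if ($svc.StartMode -eq 'Disabled') {
        $findings += "$name is Disabled and must be set back to Manual or Automatic"
    }
}

# NAT-T behaviour: the value is absent (treated as 0) unless an admin created it.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$prop  = 'AssumeUDPEncapsulationContextOnSendRule'
$item  = Get-ItemProperty -Path $key -Name $prop -ErrorAction SilentlyContinue
$value = if ($item) { $item.$prop } else { 0 }
$meaning = switch ($value) {
    0 { 'no security associations with a server behind NAT (default)' }
    1 { 'server may be behind NAT' }
    2 { 'server and client may both be behind NAT' }
    default { 'unexpected value' }
}
'{0} = {1} ({2})' -f $prop, $value, $meaning
if ($value -ne 2) {
    $findings += ('{0} is {1}, while the working setup in the thread used 2' -f $prop, $value)
}

# With IKEEXT running, the client should hold local UDP 500 (IKE) and 4500 (NAT-T).
$bound = @(netstat -ano -p UDP | Select-String -Pattern ':(500|4500)\s')
'Local UDP 500/4500 sockets found: {0}' -f $bound.Count
if ($bound.Count -eq 0) {
    $findings += 'Nothing is bound to UDP 500/4500, so IKEEXT is probably not running'
}

# Forwarding of UDP 500 and 4500 on the NAT device cannot be verified from here.
if ($findings.Count) { $findings | ForEach-Object { "CHECK: $_" } } else { 'No client-side findings.' }
```

Record the registry value before changing it, since a later reply notes that the setting is marked "Not Recommended" on Windows 2003 RRAS.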

Thanks for posting this. I was having the same issue and your Step 1 fixed my problem. I had installed the NCP VPN client which disabled "IKE and AuthIP IPSec Keying module" and "IPSec policy agent". Once I set the mode to "Automatic", it worked!
January 11th, 2011 10:38am

Gelfer, I noticed that adding the registry setting as described in step 1 is "Not Recommended" on Windows 2003 RRAS, so I am hesitant to try it on an RRAS server that works for PPTP connections. Will this affect them? Do I have to restart the server or the RRAS service?

My story is simple. I have users who are using the 3G Aircards from Verizon and connecting fine to my PPTP ports. One day, we received 4G Verizon cards and all was well in late November and December of last year, until just recently someone couldn't connect to our VPN anymore. Two days ago, I called Verizon. There apparently is a known issue with their 4G environment that is causing these PPTP VPNs to fail. They are "working on it". In the meantime, I thought I would try to use the available L2TP ports. They didn't say L2TP was NOT working. I have tried many things to make this work with no luck...
January 21st, 2011 11:19pm

Did you apply step one to the server as well? 2003 RRAS?
January 22nd, 2011 12:21am

My story is simple. I have users who are using the 3G Aircards from Verizon and connecting fine to my PPTP ports. One day, we received 4G Verizon cards and all was well in late November and December of last year, until just recently someone couldn't connect to our VPN anymore. Two days ago, I called Verizon. There apparently is a known issue with their 4G environment that is causing these PPTP VPNs to fail. They are "working on it". In the meantime, I thought I would try to use the available L2TP ports. They didn't say L2TP was NOT working. I have tried many things to make this work with no luck...

If that was your problem, try to use OpenVPN (it's not a Microsoft-based VPN server and client, and both are free). I think that will work for you (I'm not so sure), worth a shot! BTW both me and my VPN server (2008 R2) are behind separate NATs and I tried to plan this:

Me(Home) <<----->> NAT <<----->> Internet <<----->> NAT <<----->> VPN Server(Work)

but for me it didn't work. The things that I did are:
Do this on both client and server: Link to Microsoft Support
Allow UDP:500 and UDP:4500 ports in both NATs (router with firewall)
Port forwarding the L2TP port, which is 1701, on both NATs
My home NAT device does not have L2TP pass-through but the work one has, so I allowed it only on the work NAT device

It did not work for me, but I must tell you PPTP is still working.

Microsoft Certified System Engineer 2003
March 18th, 2011 12:57am

Change your IPSec (phase 2) hash to use SHA instead of MD5.
August 10th, 2011 1:40am

By enabling the IKE and AuthIPsec Keying Modules and IPSec Policy Agent services, you can successfully log in to the VPN server without any L2TP and PPTP error.
December 23rd, 2011 5:10am

This topic is archived. No further replies will be accepted.
