Problem connecting to L2TP VPN on Windows 10 (with possible solution!)

I ran into a difficult technical problem recently, and after a lot of googling, managed to find a fix. I’m writing this post in case anyone else has the same issue.

Description of the issue:

  • Trying to connect to an L2TP VPN from Windows 10 to a Synology Diskstation (but others have described the same problem connecting to other types of servers).
  • Diskstation is a 213J running DSM 6.2.4-25556.
  • PC is a Lenovo M91p running Windows 10 Pro 21H1 / 19043.1055. General network connectivity is fine.
  • The VPN fails to connect. In Windows Event Viewer, every connection attempt consistently logged an error from RasClient:
    CoId={96684EEB-618C-0002-366E-68968C61D701}: The user MACHINE\Username dialed a connection named VPNName which has failed. The error code returned on failure is 809.
  • An Information entry precedes the Error message, “VPNName requires attention”. This is what eventually led me to the solution.
  • Error 809 is described by Microsoft: “The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers) between your computer and the remote server is not configured to allow VPN connections. Please contact your administrator or your service provider to determine which device may be causing the problem.” (This message also appeared in the VPN Settings after a failure to connect.)
    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-troubleshooting

A very similar problem is described in a post by “rybad” on the Ubiquiti forums here: “L2TP VPN error 809 Frustrating!”

The problem appears to be similar to that described here in a post on Microsoft Community by “sbudaj”: “Problem with Connecting to a VPN”, but that user had different error messages.

Initial Diagnostics & Attempted Solutions:

  • Another device (MacBook Air with MacOS 10.13.6) was able to connect to the Synology VPN without problems, so the issue isn’t the local router, the remote router (L2TP ports are correctly forwarded), or the VPN server config.
  • In PowerShell, I was able to ping the VPN server without problem.
  • Ruled out Malwarebytes (uninstalled).
  • Ruled out Windows Defender Firewall (disabled).
  • I looked into ways to test a UDP connection on Windows, but didn’t proceed with installing the software to do so.
  • Tried the suggestion listed here: https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/problem-with-connecting-to-a-vpn/91f9c5d7-7186-4982-bb5f-b203b1f8f367?page=2 – uninstalling the WAN Miniport interfaces under the WiFi adapter in Device Manager, then reinstalling them via “Scan for hardware changes”, with no effect.

Solution

The information message “VPNName requires attention” eventually led me to this page from TP-Link, which addresses an issue where a Windows 10 machine cannot connect to an L2TP VPN on one of their routers.

https://www.tp-link.com/us/support/faq/1029/

The problem is as described in their second image: “Can’t connect to L2TP. The network connection between your computer and the VPN server could not be established because the remote server is not responding. […]”

I’m not going to repost the entire contents of the TP-Link page which includes a detailed walkthrough for performing the recommended actions, but I’ll post the summary here in case that page eventually becomes unavailable.

Note: the services changes in Step 1 may be unnecessary; I recommend trying Step 2 first, then rebooting and seeing whether the problem is fixed.

Step 1

Start the following services on the client PC:

  • IKE and AuthIP IPsec Keying Modules
  • IPsec Policy Agent
  • Remote Access Auto Connection Manager
  • Remote Access Connection Manager
  • Secure Socket Tunneling Protocol Service

Step 2

Modify the Registry of the Windows OS.

    1. Press Win+R, type “regedit.exe” in the box, then click OK.
    2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters, find “ProhibitIpSec”, double-click it, and set its value to 0. If the parameter is not in the list, create it, name it ProhibitIpSec (case insensitive) and set its value to 0.
    3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent, find “AssumeUDPEncapsulationContextOnSendRule”, double-click it, and set its value to 2. If it doesn’t exist, create it as above and set it to 2.

    [Clarification: where the TP-Link page says “new it”, it means create a new entry in the registry with the name and value described. Both of these entries are of type DWORD (32-bit).]

Step 3

Restart the computer, make sure the services are started and try to connect to the VPN.
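The same Step 1 and Step 2 changes as a PowerShell script, run from an elevated prompt. This is an added example of my own, not code from the original post or from the TP-Link page; the registry paths, value names and service names are the ones listed above, the function names are mine, and services are set to plain Automatic because Windows PowerShell 5.1’s Set-Service cannot express Delayed Start.

```powershell
#Requires -RunAsAdministrator
# The two REG_DWORD values from Step 2, with what each setting means.
$Settings = @(
    [pscustomobject]@{
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
        Name  = 'ProhibitIpSec'
        Value = 0    # 0 keeps IPsec enabled for L2TP, so the tunnel stays encrypted
    }
    [pscustomobject]@{
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
        Name  = 'AssumeUDPEncapsulationContextOnSendRule'
        Value = 2    # 2 lets IPsec NAT-T work when client and server are both behind NAT
    }
)
# The Step 1 services, by display name so they match what services.msc shows.
$ServiceNames = @(
    'IKE and AuthIP IPsec Keying Modules'
    'IPsec Policy Agent'
    'Remote Access Auto Connection Manager'
    'Remote Access Connection Manager'
    'Secure Socket Tunneling Protocol Service'
)
# Read-only audit: one row per registry value, Ok = True when it already matches.
function Test-L2tpNatSettings {
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $shown = if ($null -eq $current) { '<missing>' } else { $current }
        [pscustomobject]@{
            Name     = $s.Name
            Current  = $shown
            Expected = $s.Value
            Ok       = ($current -eq $s.Value)
        }
    }
}
# Apply: create the key if needed, write each value as DWORD (-Force overwrites an
# existing value), then start the Step 1 services and set them to Automatic.
function Set-L2tpNatSettings {
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
    foreach ($svc in Get-Service -DisplayName $ServiceNames) {
        Set-Service -Name $svc.Name -StartupType Automatic
        Start-Service -Name $svc.Name
    }
}
Test-L2tpNatSettings | Format-Table -AutoSize   # audit first; then Set-L2tpNatSettings and reboot
```

Run the audit before and after applying so you can see which of the two values was actually missing on your machine, as both were on mine.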

The services IPsec Policy Agent, Remote Access Auto Connection Manager, and Secure Socket Tunneling Protocol Service were set to Manual on my machine. I started them and changed them all to Automatic (Delayed Start).

Both of the registry entries were missing on my machine, and I entered them as described.

Following a reboot, the VPN connected successfully.

Now that I know about the registry change, I note that the solution is also described at these locations, including terminal commands to make the registry changes quickly. It’s possible that the services changes above are unnecessary, hence my recommendation to try just the registry edits first.

https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#windows

https://windowsreport.com/windows-10-connect-l2tp-vpn-reg/

https://superuser.com/questions/1298513/l2tp-ipsec-vpn-fails-to-connect-on-windows-10-works-fine-on-ios

I hope this helps someone out there!
