Question
Sunday, June 10, 2012 7:10 PM
I've been trying to set up an L2TP VPN server using a Preshared Key (PSK) on a Windows Server 2003 workgroup-based server. The router has the appropriate ports forwarded. I can see using the Microsoft Network Monitor utility that both UDP Ports 500 and 4500 are making it through to the server, but my client computer (Windows 7) fails to connect.
While trying to figure out what's wrong, I noticed the following error in the Event Viewer on the server:
Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20192
Date: 6/9/2012
Time: 2:25:49 PM
User: N/A
Computer: [ServerNameHere]
Description:
A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.
Oddly enough, searching on multiple search engines and forums, I can't seem to find an explanation of what this error means and how to resolve it. This definitely wasn't mentioned in the support articles on Microsoft's web site on setting up an L2TP VPN server; they don't mention anything about certificates.
Just to note, PPTP connections to the server are currently working fine.
Can anyone provide some insight on this error and how it can be resolved? Thank you.
(Yes, I know. Certificate-based is better than Preshared Key, but I gotta work within the means I've been given, so Preshared Key it is.)
- Travis Tubbs http://travistubbs.net
All replies (10)
Thursday, June 14, 2012 1:35 AM ✅Answered
Hi,
How are things going? I just want to check the status of the issue. In addition, you may check the following article to troubleshoot this issue.
Troubleshooting common VPN related errors
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
Friday, June 15, 2012 1:01 AM ✅Answered
I didn't mean to imply I made registry changes on the server. Here's a quick rundown of everything I did.
1.) On office network, forwarded UDP Ports 500, 1701, and 4500 to the VPN Server on office router.
2.) Set up Routing and Remote Access on Windows Server 2003. (see http://support.microsoft.com/kb/323441)
3.) Enabled custom IPSec policy for L2TP connections on VPN server and typed in a pre-shared key. (see http://support.microsoft.com/kb/324258)
4.) Although possibly not necessary, restarted Routing and Remote Access service.
At this point, nothing else needs to be done on non-Microsoft operating systems. Windows XP and higher (including Windows 8) need a little more convincing though.
5.) Edit registry on Windows clients to allow access to an L2TP/IPsec server behind NAT-T devices. (see http://support.microsoft.com/kb/926179/)
6.) Restart Windows.
As both my home computer and server are behind a router that uses NAT, I had to set the value of the AssumeUDPEncapsulationContextOnSendRule key to 2.
- Travis Tubbs http://travistubbs.net
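The registry change from steps 5 and 6 above, as an added example that is not part of the original posts: a PowerShell audit that reports the current value and previews setting it to 2. The key path is the one KB926179 gives for Windows Vista and later; the function names are hypothetical.

```powershell
# Added example: audit (and optionally set) the NAT-T registry value from KB926179.
# Run in an elevated PowerShell session on the Windows client (Vista / 7 and later).
# Function names are hypothetical; key path and value name are from KB926179.

$NatTKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$NatTValue = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of each setting as documented in KB926179.
$NatTMeaning = @{
    0 = 'No security associations with servers behind NAT (default)'
    1 = 'Security associations allowed when the server is behind NAT'
    2 = 'Security associations allowed when both server and client are behind NAT'
}

function Get-NatTSetting {
    # A missing value behaves like 0, the state in which the thread's client
    # failed with error 809 while both ends sat behind NAT.
    $prop = Get-ItemProperty -Path $NatTKey -Name $NatTValue -ErrorAction SilentlyContinue
    $current = if ($null -eq $prop) { 0 } else { [int]$prop.$NatTValue }
    New-Object PSObject -Property @{
        Present = ($null -ne $prop)
        Value   = $current
        Meaning = $NatTMeaning[$current]
    }
}

function Set-NatTSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1, 2)][int]$Value = 2)

    if ($PSCmdlet.ShouldProcess("$NatTKey\$NatTValue", "Set DWORD to $Value")) {
        New-ItemProperty -Path $NatTKey -Name $NatTValue -PropertyType DWord `
            -Value $Value -Force | Out-Null
        Write-Warning 'Restart Windows for the change to take effect.'
    }
}

$state = Get-NatTSetting
$state | Format-List
if ($state.Value -ne 2) {
    Set-NatTSetting -Value 2 -WhatIf   # drop -WhatIf to apply the change
}
```

Re-running `Get-NatTSetting` after Windows updates shows whether the value has disappeared, which is the failure one reply in this thread reports.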
Monday, June 11, 2012 7:54 AM
Hi,
In order to troubleshoot, please post the full error message on the Win 7 computer when the client is trying to establish the VPN connection. I know the Pre Shared key method is being used. Please make sure the same PSK is configured on the client and the VPN server.
About the warning message showing up, it indicated that a computer certificate required for IPsec is not available. If you do not use certificate-based L2TP/IPsec, you can ignore this error.
Event ID 20192 — RRAS IPsec Configuration
http://technet.microsoft.com/en-us/library/dd349018(v=ws.10).aspx
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
Monday, June 11, 2012 3:18 PM
Oops. Guess the client-side errors would be a bit of help too, eh? Here are the various messages showing up on the event log on the client. (Computer names, destinations, etc. masked.)
Log Name: Application
Source: RasClient
Date: 6/9/2012 2:13:59 PM
Event ID: 20221
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: [ComputerName]
Description:
CoId={AE656CF4-7965-4BE7-A3BB-E9ACB0D2D9D7}: The user [ComputerName]\[Username] has started dialing a VPN connection using a per-user connection profile named [ConnectionName]. The connection settings are:
Dial-in User = [RemoteUsername]
VpnStrategy = L2TP
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = CHAP/MS-CHAPv2
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
IPsec authentication for L2TP = Pre-shared key.
-
Log Name: Application
Source: RasClient
Date: 6/9/2012 2:13:59 PM
Event ID: 20222
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: [ComputerName]
Description:
CoId={AE656CF4-7965-4BE7-A3BB-E9ACB0D2D9D7}: The user [ComputerName]\[Username] is trying to establish a link to the Remote Access Server for the connection named [ConnectionName] using the following device:
Server address/Phone Number = ***.***.***.***
Device = WAN Miniport (L2TP)
Port = VPN2-2
MediaType = VPN
-
Log Name: Application
Source: RasClient
Date: 6/11/2012 9:45:24 AM
Event ID: 20227
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: [ComputerName]
Description:
CoId={55179172-1727-49B8-BA58-C27949158C9A}: The user [ComputerName]\[Username] dialed a connection named [ConnectionName] which has failed. The error code returned on failure is 809.
-
Upon reading up on Error 809, there appears to be a change in the Windows Registry I need to make (http://support.microsoft.com/kb/926179/). I turned off the PSK temporarily on the server (since I was testing with a very simple key) and setting it again requires restarting RRAS. I'll follow up hopefully tonight to let you know if this helped or not.
Thursday, June 14, 2012 1:45 AM
Sorry about the lack of an update.
Turns out the registry changes were needed to resolve the problem as both the server and client are behind a router and use NAT. Kind of annoying this isn't noted when setting up the VPN on the server or in the articles telling you how to set it up. Even more annoying since other non-Microsoft OSes have no problem with this.
Either way, all is good for now as I test everything and make sure it's nice and stable. Thanks for helping me think this out.
- Travis Tubbs http://travistubbs.net
Thursday, June 14, 2012 9:54 PM
Could you share with us what registry changes are needed on the server side?
I found out about the client but didn't know I had to change the server... Still struggling....
Thursday, June 14, 2012 10:50 PM
For some reason (I suspect MS12-034 updates) my UDP encapsulation setting in the registry disappeared and the server was unable to understand the UDP packets that it was receiving to establish the connection.
All working now.
Monday, April 25, 2016 9:20 AM
Hi
I just wanted to let all know that the reg fix on point 5) has worked for us. RRAS VPN L2TP on 2012R2, and all clients required it too: W7, W8.1 and W10.
You would think MS would have resolved this by now by other means than a reg hack.
Hope this helps anyone that's trying this today as this fix is still very relevant..
Cheers..
Barney
Sunday, March 11, 2018 9:59 AM
Hi,
The problem may be caused by some third-party software. In my case, it was Qualcomm Atheros Killer Network Service. Everything worked fine after disabling it and setting the value of the AssumeUDPEncapsulationContextOnSendRule key to 2.
Best regards
Thursday, October 11, 2018 9:01 AM
Hi,
The problem may be caused by some third-party software. In my case, it was Qualcomm Atheros Killer Network Service. Everything worked fine after disabling it and setting the value of the AssumeUDPEncapsulationContextOnSendRule key to 2.
Best regards
This did it for me as well, thanks.