
(VPN) L2TP/IPSec (PSK) connection trial fails if both server & client behind *same* NAT

Problem scenario: I tried to pre-configure my Windows 10 notebook (Dell XPS 9550) for connecting to an L2TP/IPSec (PSK) VPN, so I can leave the home office and still have access to the local resources. Therefore I configured the VPN with the external domain address, which gets resolved to the right IP.

Infrastructure:

- VPN Server: QNAP NAS (QVPN Service 2.0)
- Router with NAT (Cisco): Port-forwarding is set up for the ports 500, 1701, 4500
- VPN Client #1: Windows 10 (with latest updates 29. Nov. 2018) - fails with error code 789
- VPN Client #2: MacBook Pro (late 2017) (Mojave - 10.14.1 (18B75)) - works like a charm 

As the VPN Client #2 works fine (implicitly it confirms the correctness of port-forwarding, domain name resolution & server configuration), I'll break down the scenario with Client #1:

- Test with internal IP address (192.168.x.x) configuration works fine
- Test with external IP address (x.x.x.x) fails with error code 789 (so I do not even need to try with external domain name resolution)

I've already found topics with a similar problem: (https://social.technet.microsoft.com/Forums/en-US/45cdc1ed-58b4-40e4-9ddd-0308c6123b9a/vpn-error-789?forum=winserverNIS) - this quotes possible reasons from an MSDN blog, which I did not find for the second time now:

- as I use a Pre-Shared Key, c) and d) do not fit
- b) I've double-checked my PSK, username and password - these work with the Mac OS
- a) - this fits: both server and client are behind a NAT; behind the same NAT - if I use another Win10 client behind another NAT to connect, it works.

I've already tried the "right" registry setting (see this article https://support.microsoft.com/en-gb/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule = 0x2

Of course, I've already tried the different combinations, no difference: if both the server and client reside behind the same NAT, the connection trial fails.

Is it a bug or am I missing a setting?
