L2TP VPN access stopped working on NSG50

support_rcor Posts: 14
edited January 2022 in Nebula
We have a client that has been using an NSG50 for a year or more using "L2TP over IPSec VPN server" for 13 users on the Cloud Authenticator.  It has been running smoothly for months without a peep from the client.  Over the past day or two, they can no longer access the VPN.  They immediately receive a message:

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer. 

These same settings for the Windows 10 Built-in client have been working. 
What I've tried so far:
- I've tried it on 4 separate PCs; all get the same message.
- I disabled the firewall on the PCs
- I've created a new test user
- I've enabled and disabled the PAP, CHAP and MS CHAP v2
- Updated the network drivers

Only thing I see that has changed is the Nebula update that took place on the 10th.  Can anyone provide some assistance?

Brad Carpenter

All Replies

  • bbp
    bbp Posts: 7
    Check this article; it seems that the latest Windows update broke L2TP VPN:

    New Windows KB5009543, KB5009566 updates break L2TP VPN connections

  • Thanks! Removing the KB seems to have fixed it temporarily. At least until Windows reinstalled it. I've had to lather/rinse/repeat a few times now. I've found the following from Microsoft stating that disabling Vendor ID can be done server side to alleviate the need to uninstall the KB multiple times on multiple user PCs.  Any idea on if it can be disabled on Zyxel Nebula based gateways?


    Certain IPSEC connections might fail

    Status: Confirmed
    Originating update: OS Build 19041.1466
    History: Last updated: 2022-01-13, 12:11 PT; Opened: 2022-01-13, 11:05 PT
    After installing KB5009543, IP Security (IPSEC) connections which contain a Vendor ID might fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected.

    Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used.

    Next steps: We are presently investigating and will provide an update in an upcoming release.

    Affected platforms:
    • Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB
    • Server: Windows Server 2022; Windows Server, version 20H2; Windows Server 2019; Windows Server 2016
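
Added example (not part of the thread or of Microsoft's notice): a PowerShell function that reports which client PCs currently have the two updates named above installed, which helps when Windows Update puts the KB back after removal. The computer names are constructed placeholders, and the remote query assumes an account with administrative rights on the target PCs.

```powershell
# KB numbers taken from the thread above.
$KbIds = 'KB5009543', 'KB5009566'

function Get-L2tpBreakingUpdate {
    param(
        # Defaults to the local machine; pass client PC names to check remotely.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$Id = $KbIds
    )

    foreach ($computer in $ComputerName) {
        try {
            # List every installed hotfix and filter locally, so that
            # "KB not installed" is not confused with "PC unreachable".
            $found = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $Id -contains $_.HotFixID })

            [pscustomobject]@{
                ComputerName = $computer
                Reachable    = $true
                InstalledKB  = ($found.HotFixID -join ', ')
                InstalledOn  = ($found | Sort-Object InstalledOn |
                                Select-Object -Last 1).InstalledOn
                Affected     = ($found.Count -gt 0)
            }
        }
        catch {
            # Query failed (PC offline, access denied, WMI blocked).
            [pscustomobject]@{
                ComputerName = $computer
                Reachable    = $false
                InstalledKB  = $null
                InstalledOn  = $null
                Affected     = $null
            }
        }
    }
}

# Constructed placeholder host names; replace with the real client PCs.
Get-L2tpBreakingUpdate -ComputerName 'CLIENT-PC01', 'CLIENT-PC02' |
    Format-Table -AutoSize
```

A PC that shows `Affected = True` again after the update was removed has had it reinstalled by Windows Update.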
