L2TP over IPSec from Windows 10 fails after ISP change

easttn
edited April 2021 in Security

USG20-VPN, behind a Comcast gateway modem/router in passthrough mode, only used as a modem. The wireless router is configured as a WAP and is not in front of the USG20.

HP Spectre X360, Windows 10 Pro (12-2018)

Have used the USG20 for past few years with L2TP over IPSec VPN with preshared key configured in server role, no problems with VPN connections from my home (was Charter/Spectrum for ISP) using the embedded iOS and MacOS L2TP over IPsec VPN clients.

Changed to a Windows 10 laptop 12-2018, and no problems with connectivity using the Windows 10 embedded VPN client, same for one of my employees, who also has Charter/Spectrum for ISP.

Next changed to gigabit fiber optic broadband from our local power board a few weeks ago, a symmetric 1 gigabit connection with no NAT function on their fiber optic modem, and the VPN connection fails with the error "Can't connect to <VPN connection name>" ...

No problem connecting from my iPhone or MacBook Pro, and my employee still has connectivity coming from a Charter/Spectrum IP address.

No difference whether connecting to my wireless router or directly to the modem.

I deleted the prior L2TP over IPsec configuration on the USG20, rebuilt it using one of the wizards, with the same problem.

The security settings on the adapter generated with Windows 10 were already CHAP/MSCHAP v2.

I found a number of posts that reference a fix for Windows 10 clients that were never able to successfully connect, requiring the registry change added via the command line "REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f", followed by a reboot to allow the registry change to take effect.

That has had no impact on this problem.

Examination of the IKE log indicates that the tunnel is created, then the Windows 10 client sends the same delete notification to disconnect the tunnel that is sent by the iOS or MacOS clients when the VPN connection is manually closed.

I only included the log entries for an unsuccessful VPN connection from Windows 10, from tunnel connection to disconnection, as saving the log as PDF results in a non-editable PDF (at least with Power PDF Standard 3), so I can't redact IP addresses, and the conversion to an editable MS Word file has too many errors to be worth correcting.

Also tried emailing log files to get something editable, but can't get them to send to either my Hotmail or Gmail addresses.

The ISP hasn't been able to find an explanation for this problem; they even came out and installed a new modem, without any impact.

I can use RDP directly without a VPN tunnel to connect to the office server at the office external static IP, and there are no security rules on the USG20 to block connections from the IP addresses used by my new ISP.

Thanks
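A read-only PowerShell check, added here and not part of the original post, that reports the three things the post turns on: the AssumeUDPEncapsulationContextOnSendRule value under PolicyAgent, the state of the services the built-in L2TP/IPsec client depends on, and the authentication settings of the VPN connection (the connection name is a parameter you supply; the service names and value meanings are from Microsoft's documentation, not from this thread).

```powershell
# Added diagnostic, not from the thread. Reads the NAT-T registry value the
# post mentions, the services the built-in L2TP/IPsec client depends on, and
# the auth settings of a named VPN connection. Read-only: it changes nothing.
param(
    [Parameter(Mandatory = $true)]
    [string]$ConnectionName   # assumption: name of the VPN entry to inspect
)

$policyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName      = 'AssumeUDPEncapsulationContextOnSendRule'

# DWORD meaning per Microsoft docs: absent/0 = no NAT assumed,
# 1 = server behind NAT, 2 = both client and server behind NAT.
$meaning = @{ 0 = 'no NAT assumed (default)'
              1 = 'server behind NAT'
              2 = 'client and server behind NAT' }

$current = (Get-ItemProperty -Path $policyAgentKey -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Output "$valueName is not set (behaves as 0: $($meaning[0]))"
} else {
    $text = if ($meaning.ContainsKey([int]$current)) { $meaning[[int]$current] }
            else { 'unrecognised value' }
    Write-Output "$valueName = $current ($text)"
}

# Services the L2TP/IPsec client needs: IKE/AuthIP, IPsec policy, RAS manager.
foreach ($svc in 'IKEEXT', 'PolicyAgent', 'RasMan') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { Write-Output "${svc}: service not found" }
    else { Write-Output "${svc}: $($s.Status) (startup: $($s.StartType))" }
}

# Tunnel type, IPsec auth (PSK vs certificate) and PPP auth of the connection
# in the current user's phonebook; compare with the USG20's L2TP settings.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if ($null -eq $vpn) {
    Write-Output "VPN connection '$ConnectionName' not found for this user"
} else {
    Write-Output ("{0}: TunnelType={1} L2tpIPsecAuth={2} Auth={3} Encryption={4}" -f `
        $vpn.Name, $vpn.TunnelType, $vpn.L2tpIPsecAuth,
        ($vpn.AuthenticationMethod -join ','), $vpn.EncryptionLevel)
}
```

Run it from an elevated PowerShell session before and after any registry change or Windows update, so the two outputs can be compared instead of relying on memory of what was set.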

All Replies

  • Blabababa

    The symptom looks like the root cause is somewhere on your Win10 registers. Do you have another Win10 PC/laptop to do crosschecking?

  • easttn

    Thanks -

    I think you're probably right about something that was changed in the registry, since I had previously run DISM and then sfc without errors, mistakenly deciding that the problem wasn't from a Windows update.

    Haven't had time to post back until now, but my employee's Win 10 laptop still connects from home (Charter/Spectrum for broadband), without the registry change.

    Finally had time to take my laptop to a friend's house that still has Charter/Spectrum for broadband, was unable to connect, with the same errors and IKE key entries.

    The VPN connection was working early in the morning prior to the broadband change on a Wed afternoon, and I completed any Windows updates that morning prior to the change. One of the network engineers at the new ISP set up a test VPN and ran into the same problem as others requiring the registry change, as it was set up behind a NAT, unlike my configuration where the USG20-VPN is out front and the wireless router is set up as an access point.

    All of this suggested that one of the Windows updates caused the problem.

    Did a fresh reinstall of Windows 10 Pro from a USB flash drive yesterday, and the VPN connection worked first try, without needing the registry change.
