
IPsec/L2TP VPN connection failures

mjgumbley
Hooked
Posts: 6
Thanks: 2
Registered: 4 weeks ago

IPsec/L2TP VPN connection failures

Hi,

I'm having issues diagnosing my wife's work VPN connection.

It's using the built-in Windows 10 client, IPsec with pre-shared key. We have Plusnet ADSL, a static IP address, use a Draytek 2830 NAT ADSL router with ipsec passthru enabled, and have ensured that UDP ports 500/4500/1701 are all forwarded to her laptop. I've traced the VPN setup with Wireshark and the ISAKMP frames are on source/destination ports 500 then 4500 (src port == dst port). I see traffic going both ways from her laptop to the VPN endpoint - yet the connection fails 99% of the time with Windows error 809:

https://docs.microsoft.com/en-us/window ... leshooting
which states:

Error description. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers) between your computer and the remote server is not configured to allow VPN connections. Please contact your administrator or your service provider to determine which device may be causing the problem.

Possible cause. This error is caused by blocked UDP 500 or 4500 ports on the VPN server or the firewall.

Possible solution. Ensure that UDP ports 500 and 4500 are allowed through all firewalls between the client and the RRAS server.

These ports are not blocked. I've opened them on the router, forwarded them to the laptop and verified that data passes in. I'm not firewalling this data off; I have the Plusnet broadband firewall turned off. There's a registry key needed on Windows 10 if the VPN endpoint or client is behind a NAT router: we've set this appropriately, being behind NAT at home.

This connection has worked a few times in the past, but is now stuck with failure - and if she tethers through her 4G phone rather than through Plusnet, it always works - so we know the Windows 10 client is set up fine. My Plusnet connection is otherwise working fine, and my work VPN (OpenVPN) works fine. Other users can connect to her company VPN fine.

I've phoned Plusnet support to be told that nothing is being blocked by Plusnet, but that VPNs are not supported - but have seen other posts on this forum, where knowledgeable engineers have investigated....

I'm stumped; the IT/networking engineer at my wife's employer is stumped. Could someone help please?

Kind regards & thanks in advance,

Matt Gumbley
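An added example, not part of the original post: one way to read a capture like the one described above (ISAKMP on UDP 500, then 4500) and report how far the negotiation got before it stalled. It assumes IKEv1 framing as used by L2TP/IPsec and the RFC 3948 encapsulation on port 4500; the function names and the sample trace are constructed for illustration and are not taken from the poster's capture.

```python
import struct

# IKEv1 exchange types (RFC 2408, RFC 2409)
EXCHANGES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}

def classify(port, payload):
    """Label one UDP payload captured on port 500 or 4500."""
    if port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"        # RFC 3948 one-byte keepalive
        if payload[:4] != bytes(4):
            return "esp"                  # non-zero first word is an ESP SPI
        payload = payload[4:]             # drop the 4-byte non-ESP marker
    if len(payload) < 28:
        return "truncated"
    # ISAKMP header: two cookies, next payload, version, exchange, flags, msg id, length
    _ic, _rc, _np, _ver, xchg, _fl, _mid, _len = struct.unpack("!8s8sBBBBII", payload[:28])
    return EXCHANGES.get(xchg, "exchange-%d" % xchg)

def furthest_stage(trace):
    """trace: list of (direction, udp_port, payload); direction is 'out' or 'in'."""
    seen = {(d, classify(p, data)) for d, p, data in trace}
    if ("in", "esp") in seen:
        return "esp-both-ways"
    if ("out", "esp") in seen:
        return "esp-outbound-only"
    for stage in ("quick-mode", "main-mode"):
        if ("in", stage) in seen:
            return stage + "-answered"
        if ("out", stage) in seen:
            return stage + "-unanswered"
    return "no-ike-seen"

def ike(xchg, on_4500=False):
    """Build a constructed 28-byte ISAKMP header (sample data, no real payloads)."""
    hdr = struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, 0, 0x10, xchg, 0, 0, 28)
    return (bytes(4) + hdr) if on_4500 else hdr

# Constructed trace: IKE completes, ESP leaves the laptop, no ESP comes back.
SAMPLE = [
    ("out", 500, ike(2)), ("in", 500, ike(2)),
    ("out", 4500, ike(2, True)), ("in", 4500, ike(2, True)),
    ("out", 4500, ike(32, True)), ("in", 4500, ike(32, True)),
    ("out", 4500, b"\x12\x34\x56\x78" + bytes(32)),
]

if __name__ == "__main__":
    print(furthest_stage(SAMPLE))
```

Seeing ISAKMP traffic in both directions only shows that IKE is being answered; a result of `esp-outbound-only` means the encrypted tunnel traffic that carries L2TP is not coming back through the NAT path.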


7 REPLIES
corringham
Seasoned Pro
Posts: 609
Thanks: 303
Fixes: 7
Registered: 25-09-2015

Re: IPsec/L2TP VPN connection failures

Have you tried setting the 2830 to run the VPN rather than the laptop? It may not be the final acceptable solution, but it may shed light on where things are going awry.

An alternative suggestion is to check the MTU - that has been the problem for a number of VPN issues (but not all).

mjgumbley
Hooked
Posts: 6
Thanks: 2
Registered: 4 weeks ago

Re: IPsec/L2TP VPN connection failures

Hi @corringham, thank you for your reply - I have thought of making the 2830 launch the VPN, I'd have to firewall off the company servers so they're only accessible to my wife & add a router login for her... this may not be allowed by the company, I'd have to ask... but the MTU might be the cause - it's currently set to 1442, and https://www.networkworld.com/article/2224654/mtu-size-issues.html suggests 1400 would be better for IPsec. I'll try that, and report back.

Kind regards,

Matt

mjgumbley
Hooked
Posts: 6
Thanks: 2
Registered: 4 weeks ago

Re: IPsec/L2TP VPN connection failures

Hi @corringham, I tried changing the 2830's WAN MTU to 1400, and after it had rebooted and reconnected, there's no change - still getting the same error. Thank you for suggesting it.

corringham
Seasoned Pro
Posts: 609
Thanks: 303
Fixes: 7
Registered: 25-09-2015

Re: IPsec/L2TP VPN connection failures

It may still be worth checking from the laptop that there is no fragmentation at that MTU - I'm sure you know, but running

ping your.wife's.employer.co.uk -f -l 1400

will show whether there is fragmentation - the figure that has no fragmentation is 28 less than the max MTU for that link.

When I was using Three I had to use an MTU as low as 1320 for one VPN.
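An added example, not part of the original reply: the `ping -f -l` check above turned into a search for the largest unfragmented payload, with 28 bytes added back to give the link MTU. It assumes English-language Windows `ping` output; the function names and the simulated link are constructed for illustration, and a target that ignores ICMP echo is reported as inconclusive rather than as an MTU.

```python
import subprocess

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

def classify_ping(output):
    """Map Windows ping output to 'too-big', 'ok' or 'no-answer'."""
    if "needs to be fragmented" in output:
        return "too-big"                  # DF set and the payload exceeds a hop's MTU
    if "Reply from" in output and "bytes=" in output:
        return "ok"
    return "no-answer"                    # timeout: filtered, or host ignores echo

def windows_probe(host):
    """Return a probe(size) that runs one DF-set ping (Windows ping flags)."""
    def probe(size):
        res = subprocess.run(["ping", "-f", "-l", str(size), "-n", "1", host],
                             capture_output=True, text=True)
        return classify_ping(res.stdout)
    return probe

def path_mtu(probe, lo=1200, hi=1472):
    """Binary-search the largest payload that passes unfragmented.

    Returns payload + 28, or None when even the smallest probe fails,
    which makes the measurement inconclusive for this target.
    """
    if probe(lo) != "ok":
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid) == "ok":
            lo = mid
        else:
            hi = mid - 1
    return lo + ICMP_OVERHEAD

def simulated_link(mtu, answers_echo=True):
    """Constructed stand-in for a real path so the search can be run offline."""
    def probe(size):
        if not answers_echo:
            return "no-answer"
        return "ok" if size + ICMP_OVERHEAD <= mtu else "too-big"
    return probe

if __name__ == "__main__":
    print(path_mtu(simulated_link(1400)))         # constructed link
    print(path_mtu(simulated_link(1400, False)))  # host that ignores echo
```

When the VPN endpoint itself does not answer echo, pass `windows_probe` a host that does answer; the result then describes the path to that host, which may not match the path to the endpoint.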

mjgumbley
Hooked
Posts: 6
Thanks: 2
Registered: 4 weeks ago

Re: IPsec/L2TP VPN connection failures

Hi, I've tried various values now, including that recommended by my wife's system admin, to no avail. The remote endpoint doesn't respond to ICMP echo, so the ping you suggest doesn't help (but thank you for the suggestion).

Still at a loss to work out what might be preventing the connection from being set up.

mjgumbley
Hooked
Posts: 6
Thanks: 2
Registered: 4 weeks ago

Re: IPsec/L2TP VPN connection failures

I wonder if @bobpullen would be able to comment on this problem, if possible, please?

mjgumbley
Hooked
Posts: 6
Thanks: 2
Registered: 4 weeks ago

Re: IPsec/L2TP VPN connection failures

Miraculously, without me or the company admins changing anything, it has started working.