Vasko's Tech Blog

Windows 7/8/2008/2012 Error 809, L2TP/IPSec VPN

By default, Windows 7 and the Windows Server 2008 operating system do not support Internet Protocol security (IPsec) network address translation (NAT) Traversal (NAT-T) security associations to servers that are located behind a NAT device. Therefore, if the virtual private network (VPN) server is behind a NAT device, a Windows 7-based VPN client computer or a Windows Server 2008-based VPN client computer cannot make a Layer Two Tunneling Protocol (L2TP)/IPsec connection to the VPN server. This scenario includes VPN servers that are running Windows Server 2008, Windows Server 2008 R2 and Microsoft Windows Server 2003.

Update: This also applies to Windows 8.1 connecting to an L2TP VPN running on Windows Server 2012 R2.

Because of the way in which NAT devices translate network traffic, you may experience unexpected results when you put a server behind a NAT device and then use an IPsec NAT-T environment. Therefore, if you must have IPsec for communication, it is recommended that you use public IP addresses for all servers that you can connect to from the Internet. However, if you have to put a server behind a NAT device and then use an IPsec NAT-T environment, you can enable communication by changing a registry value on the VPN client computer and the VPN server.

To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:

  1. Log on to the Windows 7 client computer as a user who is a member of the Administrators group.
  2. Click Start, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  4. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
  5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
  6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  7. In the Value Data box, type one of the following values:
    1. 0
      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    2. 1
      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    3. 2
      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  8. Click OK, and then exit Registry Editor.
  9. Restart the computer.
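
The same change scripted, as an added example that is not part of the original post. The function and parameter names are hypothetical; the registry key and value name are the ones from the steps above.

```powershell
# Added example: audit and set the NAT-T policy value from the steps above.
# Set-NatTraversalPolicy and its -Value parameter are hypothetical names.
function Set-NatTraversalPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 0 = default (no security associations to servers behind NAT)
        # 1 = server behind NAT, 2 = both server and client behind NAT
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 2)]
        [int]$Value
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $name = 'AssumeUDPEncapsulationContextOnSendRule'

    # Writing under HKLM requires an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if (-not (Test-Path -Path $key)) {
        throw "Registry key not found: $key"
    }

    # An absent value means the default behaviour, which the article gives as 0.
    $existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current  = if ($null -ne $existing) { [int]$existing.$name } else { 0 }

    if ($null -ne $existing -and $current -eq $Value) {
        Write-Output "$name is already $Value; nothing changed."
        return
    }

    # -WhatIf previews the change; without it the DWORD is created or overwritten.
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Value (was $current)")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Output "$name changed from $current to $Value. Restart the computer to apply."
    }
}

# Example: the VPN server is behind a NAT device.
# Set-NatTraversalPolicy -Value 1 -WhatIf   # preview only
# Set-NatTraversalPolicy -Value 1
```

Recording the previous value in the output makes it easy to revert to 0 once the server has a public IP address.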

http://support.microsoft.com/kb/926179

https://technet.microsoft.com/en-us/library/dd458955%28v=ws.10%29.aspx



14 Comments

  1. Chris says:

    You’re my hero! Worked for me like a charm. You made my day, thanks

  2. […] Source: https://vkelk.wordpress.com/2012/10/28/windows-72008-error-809-l2tp-vpn […]

  3. Yacco says:

    Extremely valuable information! Looks like MS Windows developers have forgotten that people are actually going to use the options they have built in.

  4. […] Windows 7/2008 Error 809, L2TP/IPSec VPN « Vasko’s … – Oct 28, 2012 · By default, Windows 7 and the Windows Server 2008 operating system do not support Internet Protocol security (IPsec) network address translation (NAT …… […]

  5. […] Windows 7/2008 Error 809, L2TP/IPSec VPN « Vasko’s Tech Blog – By default, Windows 7 and the Windows Server 2008 operating system do not support Internet Protocol security (IPsec) network address translation (NAT) Traversal (NAT-T) security associations to servers that are located behind a NAT device. Therefore, if the virtual private network … […]

  6. […] Windows 7/2008 Error 809, L2TP/IPSec VPN « Vasko’s Tech Blog – registry value, follow these steps: Log on to the Windows 7 client computer as a user who is a member of the Administrators group. Click Start, point to All Programs, click Accessories, click Run, type regedit, and then click OK. […]

  9. peters says:

    Hello, I got this error from a Zyxel USG110 after updating the firmware to AAPH.2.
    Going back to AAPH.1 solved this.

  10. John-P says:

    This was very helpful. Thank you. I can confirm that this registry setting also applies to Windows 8.1 connecting to an L2TP VPN running on a Windows Server 2012 R2.

    References…

    https://technet.microsoft.com/en-us/library/dd458955(v=ws.10).aspx

    https://support.microsoft.com/en-us/kb/926179

  11. Tim says:

    This fixed my issue! Thank you very much.

  12. […] to connect in one network. The issue appeared to be because I was behind a double NAT. I had to add a Registry key to loosen the security around this as […]

  14. ab abogado says:

    I have been googling a bit for high-quality posts or web entries on these topics. Exploring on Google, I finally found this blog. Having read this information, I am convinced that I have found what I was looking for, or at least I have that strange feeling; I have discovered exactly what I needed. Of course I will make sure not to forget this website and to recommend it; I plan to visit you regularly.

    Regards
