DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Win10 L2TP/IPsec connection problem, with NAT routing
- mattgumbley
- Topic Author
- Offline
- Junior Member
- Posts: 10
- Thank you received: 0
14 Apr 2021 12:01 #99067
by mattgumbley
Win10 L2TP/IPsec connection problem, with NAT routing was created by mattgumbley
Hi,
I have a 2830 ADSL router, in NAT mode (subnet 192.168.0.x). Connected to this is a 2926ac Wifi router, also NAT (subnet 192.168.1.x). A variety of clients connect to the 2926ac via wifi and all work fine for typical Internet access.
However, one Windows 10 system needs to make an L2TP/IPsec (preshared key) connection to a work VPN. This works very occasionally, but mostly fails with Windows error 809:
https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-troubleshooting
which states:
Error description. The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers) between your computer and the remote server is not configured to allow VPN connections. Please contact your administrator or your service provider to determine which device may be causing the problem.
Possible cause. This error is caused by blocked UDP 500 or 4500 ports on the VPN server or the firewall.
Possible solution. Ensure that UDP ports 500 and 4500 are allowed through all firewalls between the client and the RRAS server.
I have used Wireshark between the ADSL and Wifi routers and can see the client making UDP requests on port 500, then port 4500, to the VPN endpoint. I see some data coming back from the VPN endpoint (ISAKMP, ESP, UDPENCAP frames), but the tunnel does not successfully establish.
I've tried opening these ports on the ADSL router, forwarding them through the Wifi router to the Windows 10 system (whose MAC address is bound to a fixed IP address in the 192.168.1.x range, outside the DHCP pool). No luck.
I've tried connecting the Windows 10 system directly into the ADSL router via Ethernet and also via Wifi - so there's only one level of NAT going on - but no luck.
Are there any settings I have to make to allow IPsec VPN connections 'out' through these routers?
Note: I am not connecting 'in' to any VPN served by my Draytek routers - it's all outbound to a work VPN.
Also: If the Windows 10 system is connected to a mobile broadband network via a tethered phone, the VPN connection works - so the software/configuration on the PC isn't the problem.
Kind regards, and thanks in advance for any assistance you may be able to provide,
Matt Gumbley
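An added example, not code from this post or from DrayTek, that turns the Wireshark observation above into a repeatable check. It takes the UDP payloads seen on ports 500 and 4500, labels each the way Wireshark does (ISAKMP, UDPENCAP keepalive, ESP), walks the cleartext IKEv1 payload chain looking for the NAT-D payloads that signal NAT traversal, notes whether IKE moved to UDP 4500 and whether quick mode followed, and reports whether ESP passed in both directions. The packet bytes are constructed by hand so it runs offline; only the header layouts (RFC 2408 ISAKMP, RFC 3947 NAT-D, RFC 3948 UDP encapsulation) are real, and the function and variable names are this example's own.

```python
"""Classify the UDP/500 and UDP/4500 datagrams of an L2TP/IPsec (IKEv1) session.

Constructed example: the datagrams below are built by hand so the script runs
offline; in practice you would feed it the UDP payloads exported from a capture
taken between the two routers.
"""
import struct
from collections import Counter

# IKEv1 exchange types (ISAKMP / IPsec DOI) and the payload types that matter here
EXCHANGE = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N",
           13: "VID", 20: "NAT-D", 21: "NAT-OA"}           # 20/21 defined by RFC 3947
FLAG_ENCRYPTED = 0x01
NON_ESP_MARKER = b"\x00\x00\x00\x00"                       # RFC 3948: IKE on UDP 4500


def parse_isakmp(data):
    """Return (exchange name, encrypted flag, payload names) for one ISAKMP message.

    Payloads are walked only while the message is in the clear; once the
    encryption flag is set, everything after the header is ciphertext.
    """
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, _ver, exch, flags, _msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    names, offset = [], 28
    while nxt != 0 and not encrypted:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        following, _res, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")
        names.append(PAYLOAD.get(nxt, f"type-{nxt}"))
        nxt, offset = following, offset + plen
    return EXCHANGE.get(exch, f"exchange-{exch}"), encrypted, names


def classify(port, payload):
    """Label a datagram the way Wireshark does: isakmp, udpencap keepalive, or esp."""
    if port == 500:
        return "isakmp"
    if port == 4500:
        if payload == b"\xff":
            return "udpencap-keepalive"      # RFC 3948 NAT keepalive
        if payload[:4] == NON_ESP_MARKER:
            return "isakmp"                  # IKE message behind the non-ESP marker
        return "esp"                         # otherwise the first 4 bytes are the ESP SPI
    raise ValueError(f"port {port} is not an IPsec port")


def analyse(datagrams):
    """datagrams: iterable of (direction, dst_port, udp_payload); direction is 'out' or 'in'."""
    s = {"nat_d_seen": False, "moved_to_4500": False, "quick_mode_seen": False,
         "esp": Counter(), "exchanges": []}
    for direction, port, payload in datagrams:
        kind = classify(port, payload)
        if kind == "isakmp":
            exch, enc, names = parse_isakmp(payload[4:] if port == 4500 else payload)
            s["exchanges"].append((direction, port, exch, enc, names))
            s["nat_d_seen"] |= "NAT-D" in names
            s["moved_to_4500"] |= port == 4500
            s["quick_mode_seen"] |= exch == "quick-mode"
        elif kind == "esp":
            s["esp"][direction] += 1
    return s


def diagnose(s):
    """Map the summary to a short code plus a plain-language reading of it."""
    if not s["nat_d_seen"]:
        return "no-nat-t", "no NAT-D payloads: the peers never negotiated NAT traversal"
    if not s["moved_to_4500"]:
        return "no-4500", "NAT-D exchanged but IKE never moved to UDP 4500: check that 4500 passes both ways"
    if not s["quick_mode_seen"]:
        return "no-quick-mode", "phase 1 ran on UDP 4500 but no quick mode followed: PSK/identity mismatch or dropped replies"
    esp = s["esp"]
    if esp["out"] and esp["in"]:
        return "ipsec-up", "IKE completed and ESP flows both ways: the IPsec SA is up, so look inside it at L2TP/PPP"
    if not esp["out"] and not esp["in"]:
        return "no-esp", "quick mode seen but no ESP at all: the child SA was not installed"
    return "esp-one-way", f"ESP only in one direction (out={esp['out']}, in={esp['in']})"


def build_isakmp(exch, payloads, encrypted=False, rcookie=b"\x00" * 8, msg_id=0):
    """Assemble a constructed ISAKMP message from [(payload type, content), ...]."""
    body = b""
    for i, (_ptype, content) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(content)) + content
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, rcookie, first, 0x10, exch,
                         FLAG_ENCRYPTED if encrypted else 0, msg_id, 28 + len(body))
    return header + body


R = b"\x22" * 8                                             # constructed responder cookie
NATD = [(20, b"\xab" * 20), (20, b"\xcd" * 20)]            # two NAT-D hashes (SHA-1 sized)
SAMPLE_SESSION = [                                          # constructed NAT-T session, in order
    ("out", 500, build_isakmp(2, [(1, b"\x00" * 8), (13, b"\x4a" * 16)])),              # MM1: SA, VID
    ("in", 500, build_isakmp(2, [(1, b"\x00" * 8), (13, b"\x4a" * 16)], rcookie=R)),    # MM2
    ("out", 500, build_isakmp(2, [(4, b"\x01" * 16), (10, b"\x02" * 8)] + NATD, rcookie=R)),  # MM3
    ("in", 500, build_isakmp(2, [(4, b"\x03" * 16), (10, b"\x04" * 8)] + NATD, rcookie=R)),   # MM4
    ("out", 4500, NON_ESP_MARKER + build_isakmp(2, [(5, b"\x00" * 24)], True, R)),      # MM5, encrypted
    ("in", 4500, NON_ESP_MARKER + build_isakmp(2, [(5, b"\x00" * 24)], True, R)),       # MM6
    ("out", 4500, NON_ESP_MARKER + build_isakmp(32, [(8, b"\x00" * 40)], True, R, 1)),  # QM1
    ("in", 4500, NON_ESP_MARKER + build_isakmp(32, [(8, b"\x00" * 40)], True, R, 1)),   # QM2
    ("in", 4500, b"\xff"),                                                               # NAT keepalive
    ("out", 4500, struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 32),                     # ESP: SPI, seq, data
    ("in", 4500, struct.pack("!II", 0x5E6F7081, 1) + b"\x00" * 32),                      # ESP coming back
]

if __name__ == "__main__":
    code, text = diagnose(analyse(SAMPLE_SESSION))
    print(code, "-", text)
```

The point of the check is to separate the two layers that error 809 lumps together: if the summary stops at "no-4500" or "no-quick-mode", a router between the client and the VPN endpoint is dropping or mistranslating UDP 500/4500 and the port and pass-through settings are the right place to look; if it reaches "ipsec-up", the IPsec SA is established and the failure is in the L2TP/PPP session carried inside ESP, which no router port setting will change. The thread does not mention it, but one documented client-side factor for Windows L2TP/IPsec clients behind NAT is the AssumeUDPEncapsulationContextOnSendRule DWORD under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent (Microsoft KB 926179); that is a general fact about Windows, not something the poster reported.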
14 Apr 2021 22:06 #99075
by mattgumbley
Replied by mattgumbley on topic Re: Win10 L2TP/IPsec connection problem, with NAT routing
Further attempts:
I've set the Windows 10 PC as the DMZ host.
I've set up a NAT Open Ports list for UDP 500, UDP 4500, UDP 1701, TCP 1701 - forwarding to the Windows 10 PC.
I've used the telnet interface to run 'srv nat ipsecpass on'.
No luck.
23 Apr 2021 09:17 #99129
by mattgumbley
Replied by mattgumbley on topic Re: Win10 L2TP/IPsec connection problem, with NAT routing
I've also tried changing the WAN MTU to 1400 as suggested in https://www.networkworld.com/article/2224654/mtu-size-issues.html - did not fix the problem.
Moderators: Chris, Sami
Copyright © 2024 DrayTek