May 6th 20, 05:55 PM, posted to uk.telecom.broadband
R. Mark Clayton
W10 L2TP question

On Wednesday, 6 May 2020 14:44:43 UTC+1, Graham J wrote:
Two virtually identical laptops trying to connect via a dial-up VPN
using L2TP - one connects - the other fails. I have syslog output from
the Vigor router that they try to connect with.

Both laptops are apparently fully up-to-date.

Reference Judy: Windows 10 Build 1909 version 18363.778 - this one works

Reference Simon: Windows 10 Build 1909 version 18363.815 - this one fails.

Both are sitting side by side on the same table.

Both connect by WiFi to the same router.

Both can be made to work if they and the router are configured for PPTP;
but not if they and the router are configured for L2TP.

Both have the same configuration for the VPN, checked by comparing the
setup screens, parameter by parameter:

Username
Password
IP address of target router
PPP settings have "Enable LCP Extensions" checked
Security: L2TP/IPSec - advanced = Use certificate
Data encryption = Optional
Use EAP = No
Allow protocols CHAP and MS-CHAP-V2

Target router is Vigor 2860 (but same problem occurs with a V2832).
Setting is:
VPN remote access: PPTP, IPSec, L2TP
IPSec General: certificate = None, Method, Basic, AH = Enable
Dial-in user: Type = L2TP, IPSec policy = None
Username & Password.

Syslog on V2860:

For good connection: Judy - starts with

141May 6 12:09:52 V2860n: L2TP == Control(0xC802)-L-S Ver:2 Len:97,
Tunnel ID:0, Session ID:0, Ns:0, Nr:0

141May 6 12:09:52 V2860n: L2TP client from 213.205.192.17:62117 ...

141May 6 12:09:52 V2860n: L2TP == Control(0xC802)-L-S Ver:2 Len:103,
Tunnel ID:6, Session ID:0, Ns:0, Nr:1

... and continues to show the connection being established.


For failing connection: Simon - starts with

141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_SA,
Exchange Type = 0x2, Message ID = 0x0

141May 6 12:13:23 V2860n: Responding to Main Mode from 213.205.192.17

141May 6 12:13:23 V2860n: Matching General Setup key for dynamic ip
client...

141May 6 12:13:23 V2860n: Accept Phase1 proposals : ENCR
OAKLEY_AES_CBC, HASH OAKLEY_SHA

141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_SA,
Exchange Type = 0x2, Message ID = 0x0

141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_KE,
Exchange Type = 0x2, Message ID = 0x0

141May 6 12:13:23 V2860n: NAT-Traversal: Using RFC 3947, peer is NATed

141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_KE,
Exchange Type = 0x2, Message ID = 0x0

141May 6 12:13:23 V2860n: ]
err: infomational exchange message is invalid 'cos incomplete ISAKMP SA


The only common parameter is the IP address of the originating site.

The two laptops are clearly behaving very differently. But I can't see
any difference between them.

Any ideas?

TIA

--
Graham J


Is one W10 Pro and the other W10 Home? Some of the better network security features are only available in the Pro version.
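
An added example, not part of either poster's message: a short Python script that rejoins the wrapped Vigor syslog lines quoted above and reports which protocol each connection attempt opens with, plus any err: records. The function names are made up for this example, the sample lines are excerpts of the logs in the post, and the leading 141 is assumed to be the syslog priority value with its angle brackets lost.

```python
import re

# Record start: PRI (assumed: "141" is <141> minus its brackets), date, host.
START = re.compile(r"^<?\d{1,3}>?([A-Z][a-z]{2} +\d+ [\d:]{8}) (\S+): ?(.*)$")
IKE_PREFIXES = ("IKE", "Responding to Main Mode", "Accept Phase1",
                "NAT-Traversal", "Matching General Setup")

# Excerpts of the syslog lines quoted in the post, wraps included.
GOOD = """141May 6 12:09:52 V2860n: L2TP == Control(0xC802)-L-S Ver:2 Len:97,
Tunnel ID:0, Session ID:0, Ns:0, Nr:0
141May 6 12:09:52 V2860n: L2TP client from 213.205.192.17:62117 ...
"""
BAD = """141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_SA,
Exchange Type = 0x2, Message ID = 0x0
141May 6 12:13:23 V2860n: Responding to Main Mode from 213.205.192.17
141May 6 12:13:23 V2860n: NAT-Traversal: Using RFC 3947, peer is NATed
141May 6 12:13:23 V2860n: ]
err: infomational exchange message is invalid 'cos incomplete ISAKMP SA
"""

def parse(text):
    """Rejoin wrapped lines; return a list of (time, host, message)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = START.match(line)
        if m:
            records.append(list(m.groups()))
        elif line and records:
            records[-1][2] += " " + line  # continuation of previous record
    return [tuple(r) for r in records]

def classify(msg):
    if "err:" in msg:
        return "error"
    if msg.startswith("L2TP"):
        return "l2tp"
    return "ike" if msg.startswith(IKE_PREFIXES) else "other"

def summarize(text):
    recs = parse(text)
    kinds = [classify(msg) for _, _, msg in recs]
    return {"first": next((k for k in kinds if k != "other"), None),
            "ike_seen": "ike" in kinds,
            "errors": [r[2] for r, k in zip(recs, kinds) if k == "error"]}

if __name__ == "__main__":
    for name, log in (("Judy", GOOD), ("Simon", BAD)):
        print(name, summarize(log))
```

On these excerpts the working attempt contains L2TP control messages and no IKE record, while the failing attempt opens with IKE Main Mode and ends in the ISAKMP error.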