W10 L2TP question



 
 
#1
May 6th 20, 02:44 PM, posted to uk.telecom.broadband
Graham J[_3_]

Two virtually identical laptops trying to connect via a dial-up VPN
using L2TP - one connects - the other fails. I have syslog output from
the Vigor router that they try to connect with.

Both laptops are apparently fully up-to-date.

Reference Judy: Windows 10 Build 1909 version 18363.778 - this one works

Reference Simon: Windows 10 Build 1909 version 18363.815 - this one fails.

Both are sitting side by side on the same table.

Both connect by WiFi to the same router.

Both can be made to work if they and the router are configured for PPTP;
but not if they and the router are configured for L2TP.

Both have the same configuration for the VPN, checked by comparing the
setup screens, parameter by parameter:

Username
Password
IP address of target router
PPP settings have "Enable LCP Extensions" checked
Security: L2TP/IPSec - advanced = Use certificate
Data encryption = Optional
Use EAP = No
Allow protocols CHAP and MS-CHAP-V2

Target router is Vigor 2860 (but same problem occurs with a V2832).
Setting is:
VPN remote access: PPTP, IPSec, L2TP
IPSec General: certificate = None, Method, Basic, AH = Enable
Dial-in user: Type = L2TP, IPSec policy = None
Username & Password.

Syslog on V2860:

For good connection: Judy - starts with

141May 6 12:09:52 V2860n: L2TP == Control(0xC802)-L-S Ver:2 Len:97,
Tunnel ID:0, Session ID:0, Ns:0, Nr:0

141May 6 12:09:52 V2860n: L2TP client from 213.205.192.17:62117 ...

141May 6 12:09:52 V2860n: L2TP == Control(0xC802)-L-S Ver:2 Len:103,
Tunnel ID:6, Session ID:0, Ns:0, Nr:1

... and continues to show the connection being established.


For failing connection: Simon - starts with

141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_SA,
Exchange Type = 0x2, Message ID = 0x0

141May 6 12:13:23 V2860n: Responding to Main Mode from 213.205.192.17

141May 6 12:13:23 V2860n: Matching General Setup key for dynamic ip
client...

141May 6 12:13:23 V2860n: Accept Phase1 proposals : ENCR
OAKLEY_AES_CBC, HASH OAKLEY_SHA

141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_SA,
Exchange Type = 0x2, Message ID = 0x0

141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_KE,
Exchange Type = 0x2, Message ID = 0x0

141May 6 12:13:23 V2860n: NAT-Traversal: Using RFC 3947, peer is NATed

141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_KE,
Exchange Type = 0x2, Message ID = 0x0

141May 6 12:13:23 V2860n: ]
err: infomational exchange message is invalid 'cos incomplete ISAKMP SA


The only common parameter is the IP address of the originating site.

The two laptops are clearly behaving very differently. But I can't see
any difference between them.

Any ideas?

TIA

--
Graham J
#2
May 6th 20, 03:14 PM, posted to uk.telecom.broadband
Martin Brown[_2_]



Can you back up Simon and then use a restore point to take it back to
18363.778?

Or, more risky, back up Judy, create a restore point and then advance it
to .815. Might be worth looking for any known VPN SNAFUs in MSKB.

Or find yet another laptop and test the VPN connectivity with that at
progressively more updates applied until it fails.


--
Regards,
Martin Brown
#3
May 6th 20, 05:25 PM, posted to uk.telecom.broadband
Graham J[_3_]

Martin Brown wrote:

[snip]

> Can you back up Simon and then use a restore point to take it back to
> 18363.778?
>
> Or, more risky, back up Judy, create a restore point and then advance it
> to .815. Might be worth looking for any known VPN SNAFUs in MSKB.
>
> Or find yet another laptop and test the VPN connectivity with that at
> progressively more updates applied until it fails.



Other W10 laptops selected at random do work correctly. I will find out
their version numbers.

Can you think of a search term other than "L2TP fails"? Something more
specific that allows me to indicate what is in the syslog for the
failing connection?


--
Graham J
#4
May 6th 20, 05:55 PM, posted to uk.telecom.broadband
R. Mark Clayton[_2_]



Is one W10 Pro and the other W10 Home? Some of the better network security features are only available in the Pro version.
#5
May 6th 20, 06:53 PM, posted to uk.telecom.broadband
grinch

On 06/05/2020 17:55, R. Mark Clayton wrote:


> Is one W10 Pro and the other W10 Home? Some of the better network security features are only available in the Pro version.


#
Also, the one that is failing is trying to use IPsec encryption; is that
configured on the router? It is a pain to get working. If you are using
encryption, which you should be, try SSL; it's easier to get working.
#6
May 6th 20, 07:55 PM, posted to uk.telecom.broadband
Graham J[_3_]

grinch wrote:

[snip]

>> Is one W10 Pro and the other W10 Home? Some of the better network
>> security features are only available in the Pro version.
>
> #
> Also, the one that is failing is trying to use IPsec encryption; is that
> configured on the router? It is a pain to get working. If you are using
> encryption, which you should be, try SSL; it's easier to get working.


The router is the same, no changes between testing the two laptop clients.

The settings on the laptops are visibly identical. How would I find out
whether one laptop is trying to use encryption? Does the syslog output
I showed in the original post indicate that?


--
Graham J
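
The question in the post above (does the router syslog show whether a client is trying to use IPsec?) can be checked mechanically. The following is an added example, not part of any poster's message: it assumes the Vigor line format quoted in the thread, treats lines more than 30 seconds apart as separate connection attempts (an assumption), and decodes the L2TP flags word per RFC 2661 and the ISAKMP exchange type per RFC 2408.

```python
import re

# Constructed sample: router syslog lines quoted in the thread, wrapped lines rejoined.
SAMPLE = """\
141May 6 12:09:52 V2860n: L2TP == Control(0xC802)-L-S Ver:2 Len:97, Tunnel ID:0, Session ID:0, Ns:0, Nr:0
141May 6 12:09:52 V2860n: L2TP client from 213.205.192.17:62117 ...
141May 6 12:13:23 V2860n: IKE ==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141May 6 12:13:23 V2860n: Responding to Main Mode from 213.205.192.17
141May 6 12:13:23 V2860n: NAT-Traversal: Using RFC 3947, peer is NATed
141May 6 12:13:23 V2860n: ] err: infomational exchange message is invalid 'cos incomplete ISAKMP SA
"""

# Optional syslog priority digits, then "Mon D HH:MM:SS host: message".
LINE = re.compile(r"^<?\d*>?\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+:\s*(.*)$")
# ISAKMP exchange types from RFC 2408, section 3.1.
IKE_EXCHANGE = {1: "Base", 2: "Identity Protection (Main Mode)",
                3: "Authentication Only", 4: "Aggressive", 5: "Informational"}

def decode_l2tp_flags(word):
    """Split the 16-bit L2TP flags/version word (RFC 2661, section 3.1)."""
    return {"T": bool(word & 0x8000), "L": bool(word & 0x4000),
            "S": bool(word & 0x0800), "O": bool(word & 0x0200),
            "P": bool(word & 0x0100), "version": word & 0x000F}

def classify_attempts(log_text, gap=30):
    """Group lines into attempts (assumed: >gap seconds apart) and label each."""
    attempts, last = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        now = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        msg = m[4]
        if last is None or abs(now - last) > gap:
            attempts.append({"opened_with": None, "ike_exchange": None,
                             "l2tp_flags": None, "saw_l2tp": False,
                             "isakmp_error": False})
        last, a = now, attempts[-1]
        is_ike = msg.startswith("IKE") or "Main Mode" in msg or "ISAKMP" in msg
        kind = "L2TP" if msg.startswith("L2TP") else "IKE" if is_ike else None
        if kind and a["opened_with"] is None:
            a["opened_with"] = kind          # first protocol the client spoke
        a["saw_l2tp"] |= kind == "L2TP"
        a["isakmp_error"] |= "incomplete ISAKMP SA" in msg
        ctl = re.search(r"Control\(0x([0-9A-Fa-f]{4})\)", msg)
        if ctl and a["l2tp_flags"] is None:
            a["l2tp_flags"] = decode_l2tp_flags(int(ctl[1], 16))
        exch = re.search(r"Exchange Type = 0x([0-9A-Fa-f]+)", msg)
        if exch and a["ike_exchange"] is None:
            a["ike_exchange"] = IKE_EXCHANGE.get(int(exch[1], 16), "unknown")
    for a in attempts:
        # IKE before any L2TP control message means the client asked for IPsec.
        a["client_requested_ipsec"] = a["opened_with"] == "IKE"
        a["failed_before_l2tp"] = a["isakmp_error"] and not a["saw_l2tp"]
    return attempts

if __name__ == "__main__":
    for n, attempt in enumerate(classify_attempts(SAMPLE), 1):
        print(n, attempt)
```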
#7
May 6th 20, 08:43 PM, posted to uk.telecom.broadband
grinch

On 06/05/2020 19:55, Graham J wrote:
> grinch wrote:
>
> [snip]
>
>>> Is one W10 Pro and the other W10 Home? Some of the better network
>>> security features are only available in the Pro version.
>>
>> #
>> Also, the one that is failing is trying to use IPsec encryption; is that
>> configured on the router? It is a pain to get working. If you are
>> using encryption, which you should be, try SSL; it's easier to get working.
>
> The router is the same, no changes between testing the two laptop clients.
>
> The settings on the laptops are visibly identical. How would I find out
> whether one laptop is trying to use encryption? Does the syslog output
> I showed in the original post indicate that?



"'cos incomplete ISAKMP SA": this is telling you that the pre-shared key
is not matching. As I said before, IPsec is hard work; try using SSL
encryption.
#8
May 6th 20, 09:51 PM, posted to uk.telecom.broadband
Graham J[_3_]

grinch wrote:
> On 06/05/2020 19:55, Graham J wrote:
>> grinch wrote:
>>
>> [snip]
>>
>>>> Is one W10 Pro and the other W10 Home? Some of the better network
>>>> security features are only available in the Pro version.
>>>
>>> #
>>> Also, the one that is failing is trying to use IPsec encryption; is
>>> that configured on the router? It is a pain to get working. If you
>>> are using encryption, which you should be, try SSL; it's easier to get
>>> working.
>>
>> The router is the same, no changes between testing the two laptop
>> clients.
>>
>> The settings on the laptops are visibly identical. How would I find
>> out whether one laptop is trying to use encryption? Does the syslog
>> output I showed in the original post indicate that?
>
> "'cos incomplete ISAKMP SA": this is telling you that the pre-shared key
> is not matching. As I said before, IPsec is hard work; try using SSL
> encryption.


The router is set for L2TP with NO IPSec policy.

The working client is set for L2TP, advanced = use certificate. I.E. no
pre-shared key.

The non-working client is set the same way; so that should not be using
IPSec either. So are you saying that DESPITE THESE SETTINGS the
non-working client is actually trying to use a pre-shared key?



--
Graham J
#9
May 7th 20, 10:20 AM, posted to uk.telecom.broadband
Graham J[_3_]

R. Mark Clayton wrote:

[snip]

>> The two laptops are clearly behaving very differently. But I can't see
>> any difference between them.
>>
>> Any ideas?
>>
>> TIA
>>
>> --
>> Graham J
>
> Is one W10 Pro and the other W10 Home? Some of the better network security features are only available in the Pro version.


Just checked: both laptops run Windows 10 Home. Only difference is
version number, despite both claiming to be fully up to date.

Judy: Windows 10 Build 1909 version 18363.778 - this one works

Simon: Windows 10 Build 1909 version 18363.815 - this one fails.

I've now established there are two other Windows 10 Home PCs with Build
1909 version 18363.778 that also work correctly.

So the difference appears to be caused by version 18363.815 so I will
see if I can find one showing that version number.

Googling for

Windows 10 Build 1909 version 18363.815 breaks L2TP dial-in VPN

... doesn't bring up anything useful.


--
Graham J
#10
May 7th 20, 12:21 PM, posted to uk.telecom.broadband
brightside



https://support.microsoft.com/en-gb/...date-kb4550945
shows what was updated by .815 from .778

.778 was released 14 APL 2020 and .815 was released 21 APL 2020

There is a 'fix' released for vpn in .815, but vpn is a mystery to me
but maybe the update means something to you.


--
brightside s9