L2TP over IPSec from Windows 10 fails after ISP change


Zyxel USG20-VPN, behind Comcast gateway modem router, passthrough mode, only used as modem. Wireless router is configured as WAP, is not in front of USG20.

HP Spectre X360, Windows 10 Pro (12-2018)

Have used the USG20 for the past few years with L2TP over IPsec VPN with preshared key configured in server role, no problems with VPN connections from my home (was Charter/Spectrum for ISP) using the embedded iOS and macOS L2TP over IPsec VPN clients.

Changed to a Windows 10 laptop 12-2018, and no problems with connectivity using the Windows 10 embedded VPN client, same for one of my employees, who also has Charter/Spectrum for ISP.

Recently changed to gigabit fiber optic broadband from our local power board with symmetric 1 gigabit connection, no NAT function on their fiber optic modem, and the VPN connection fails with the error "can't connect to 'VPN connection name'" ...

No problem connecting from my iPhone or MacBook Pro, and my employee still has connectivity coming from a Charter/Spectrum IP address.

No difference whether connecting to my wireless router or directly to the modem.

I deleted the prior L2TP over IPsec configuration on the USG20, rebuilt it using one of the Zyxel wizards, with the same problem.

The security settings on the adapter generated with Windows 10 were already CHAP/MSCHAP v2.

I found a number of posts on the Zyxel Biz Forum that reference a fix for Windows 10 clients that were never able to successfully connect, requiring the registry change added via command line "REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f", followed by a reboot to allow the registry change to take effect.

That has had no impact on this problem.

Examination of the IKE log indicates that the tunnel is created, then the Windows 10 client sends the same delete notification to disconnect the tunnel that is sent by the iOS or macOS clients when the VPN connection is manually closed, as per attached file where IP addresses are redacted.

The ISP hasn't been able to find an explanation for this problem, and even came out and installed a new modem, without any impact.

I can use RDP directly without a VPN tunnel to connect to the office server at the office external static IP, and there are no security rules on the USG20 to block connections from the IP addresses used by my new ISP.

Thanks

0 Replies
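
A read-only check of the client-side settings the post above mentions, added here as an example and not part of the original post: it confirms that the `AssumeUDPEncapsulationContextOnSendRule` value is present as a DWORD, shows the last boot time so it can be compared with when the value was written, and lists the IPsec services and L2TP connection profiles. The value meanings in the comments follow Microsoft's documentation for this setting; the script changes nothing.

```powershell
# Read-only diagnostic for the Windows 10 L2TP/IPsec client; makes no changes.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'

# Documented meanings of the NAT-T policy value.
$meaning = @{
    0 = 'no security associations to servers behind NAT (default)'
    1 = 'security associations allowed when the server is behind NAT'
    2 = 'security associations allowed when server and client are both behind NAT'
}

$item = Get-Item -Path $key -ErrorAction Stop
if ($item.GetValueNames() -contains $name) {
    $value = $item.GetValue($name)
    $kind  = $item.GetValueKind($name)
    if ($kind -ne 'DWord') {
        Write-Warning "$name exists but is $kind, not REG_DWORD; IPsec will not read it as intended."
    }
    $text = $meaning[[int]$value]
    if (-not $text) { $text = 'unrecognised value' }
    Write-Output "$name = $value ($text)"
} else {
    Write-Output "$name is not set; the default behaviour (0) applies."
}

# The post notes the change needs a reboot: compare this with when REG ADD was run.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
Write-Output "Last boot: $boot"

# Both services must be running for the built-in client to negotiate IKE/IPsec.
Get-Service -Name PolicyAgent, IKEEXT |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

# L2TP profiles (per-user and all-user) with the settings that matter for a PSK setup.
$profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
            @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
$profiles | Where-Object { $_.TunnelType -eq 'L2tp' } |
    Select-Object Name, ServerAddress, L2tpIPsecAuth, AuthenticationMethod, EncryptionLevel |
    Format-Table -AutoSize
```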