In other Windows versions, connection errors 800, 794 or 809 may indicate the same problem.
It is worth noting that the VPN server is behind a NAT, and the router is configured to forward the L2TP ports (TCP 1701, UDP 500, UDP 4500 and Protocol 50 ESP).
As it turned out, the problem is already known and described in the article https://support.microsoft.com/en-us/kb/926179. If the L2TP/IPsec VPN server is behind a NAT device, external clients can connect through the NAT correctly only after you change the registry on both the server and the client side to enable UDP packet encapsulation for L2TP and NAT-T support for IPsec.
- Open the Registry Editor and go to the following registry key:
  - Windows 10, 8, 7, Vista: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  - Windows XP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
- Create a DWORD parameter with the name AssumeUDPEncapsulationContextOnSendRule and the value 2. Or use the command:

  reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

  Possible AssumeUDPEncapsulationContextOnSendRule values are:
  - 0 – (the default value) suggests that the server is connected to the Internet without any NAT;
  - 1 – the server is behind a NAT device;
  - 2 – both the server and the client are behind a NAT.
- Just restart your computer and make sure that the VPN tunnel is established successfully.
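
The registry step above as an idempotent check-and-set, for Windows Vista and later in an elevated PowerShell session. This is an added example, not part of the original article; the function names Get-NatTraversalRule and Set-NatTraversalRule are hypothetical, and an absent value is treated as the default 0.

```powershell
# Added example: audit and, if needed, set AssumeUDPEncapsulationContextOnSendRule.
# Key path and value name are the ones given in the article (Vista and later).
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Meanings as listed in the article above.
$Meaning = @{
    0 = 'server connected to the Internet without NAT (default)'
    1 = 'server is behind a NAT device'
    2 = 'both server and client are behind a NAT'
}

function Get-NatTraversalRule {
    # Returns the current value; an absent value is reported as 0 (assumption: default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-NatTraversalRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 2)][int]$Desired = 2)

    $current = Get-NatTraversalRule
    Write-Output "Current: $current ($($Meaning[$current]))"
    if ($current -eq $Desired) {
        Write-Output 'No change needed.'
        return
    }
    # Honors -WhatIf / -Confirm so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $Desired")) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Desired -Force | Out-Null
        Write-Output "Set to $Desired ($($Meaning[$Desired])). Restart the computer to apply."
    }
}

# Preview the change; remove -WhatIf to write the value.
Set-NatTraversalRule -Desired 2 -WhatIf
```

Run it on both the server and the client, since the article requires the change on both sides.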