Came across a user who was unable to establish a VPN connection on his Dell laptop, running Win10. After entering his username and password, the user was stuck in a "connecting" state.
MX Appliances did update a few days ago; however, all other users could connect to VPN without issue.
Dell laptop was newly imaged to Win10.
Meraki gave multiple errors -
|Feb 5 13:07:45||Non-Meraki / Client VPN negotiation||msg: failed to begin ipsec sa negotiation.|
|Feb 5 13:07:45||Non-Meraki / Client VPN negotiation||msg: no configuration found for 18.104.22.168.|
|Feb 5 13:06:15||Non-Meraki / Client VPN negotiation||msg: IPsec-SA established: ESP/Transport xxxxxx spi=60769056(0x39f4320)|
|Feb 5 13:06:15||Non-Meraki / Client VPN negotiation||msg: IPsec-SA established: ESP/Transport xxxxxx spi=213759384(0xcbdb598)|
|Feb 5 13:06:15||Non-Meraki / Client VPN negotiation||msg: ISAKMP-SA xxxxxx|
|Feb 5 13:06:14||Non-Meraki / Client VPN negotiation||msg: invalid DH group 19.|
|Feb 5 13:06:14||Non-Meraki / Client VPN negotiation||msg: invalid DH group 20.|
DH 19 & 20: most commonly for me, this is when a client didn't have Client VPN configured to properly authenticate with AD etc. Since it only affected one user, this is not the issue.
Confirmed FW wasn't blocking
Confirmed that adapter settings were correct
Confirmed PSK was accurate
Uninstalled/Reinstalled all Miniports including registry entries
Confirmed TLS settings
Confirmed Dell apps Smartbyte and Killer Control Center not installed
This article allowed me to connect the user. Win10 issue FTW.
Just figured I'd post to save you all the time.
Same thing happens on our set of Dell laptops too with Windows 10 Pro.
It does not connect even from the VPN page.
After a long time trying to connect ("connecting"), it fails with the following error: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"
Any suggestions? Or workarounds?
All the steps in the troubleshooting page were performed, but no luck.
Bonifas - that's 789, right?
Assuming this is a one PC error and you know the PSK/all settings are right: I have had luck before with uninstalling the WAN Miniport L2TP device under Device Manager, then have DM scan for new hardware. Sometimes I'm lazy and just reboot instead, because I have bad habits.
If you don't see the WAN Miniports, click View and select Show Hidden Devices. Make sure you don't uninstall the drivers themselves,
@Bonifas What errors are you getting in Meraki? You confirmed that the adapter settings are reflecting the correct security configuration?
@Bonifas Is the end user saving their credential? This can also cause Win10 to change the password protocol away from PAP. Since my help desk has told end users to no longer save credentials, but to enter it every time, it's reduced the incidence of this behavior.
Assuming an AD environment where all client VPN users have an AD account... It's easier on the end user if you can integrate the VPN with their AD account, either via RADIUS or the straight up AD integration. We typically use RADIUS, since not all customers are willing to get a valid certificate for their AD server.
You can also try changing the encryption level to Optional. Windows 10 does not actually support Required encryption for PAP. It will assume the encryption level is correct and then helpfully change the password protocol to one that supports required encryption.
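The settings discussed in the replies above (password protocol drifting away from PAP, encryption level Required versus Optional, saved credentials) can be audited per profile with the built-in VpnClient cmdlets. This is an added example, not code from any poster in the thread; the function names and the profile name `Meraki VPN` are placeholders chosen for illustration.

```powershell
# Added example: audit Windows L2TP profiles for the drift described in this thread.
# Get-L2tpProfileDrift / Repair-L2tpProfile are hypothetical helper names.
function Get-L2tpProfileDrift {
    param(
        [string]$Name = '*',          # wildcard match on the profile name
        [switch]$AllUserConnection    # inspect the all-users phone book instead of the current user's
    )
    Get-VpnConnection -AllUserConnection:$AllUserConnection |
        Where-Object { $_.Name -like $Name -and $_.TunnelType -eq 'L2tp' } |
        ForEach-Object {
            $auth = @($_.AuthenticationMethod)
            [pscustomobject]@{
                Name             = $_.Name
                AuthMethods      = $auth -join ','
                # True only when PAP is the single enabled password protocol
                PapOnly          = ($auth.Count -eq 1 -and $auth[0] -eq 'Pap')
                EncryptionLevel  = $_.EncryptionLevel
                # The thread's suggestion is Optional; Required is reported as drift
                EncryptionOk     = ($_.EncryptionLevel -eq 'Optional')
                CredentialsSaved = [bool]$_.RememberCredential
            }
        }
}

function Repair-L2tpProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$AllUserConnection
    )
    if ($PSCmdlet.ShouldProcess($Name, 'Set PAP, Optional encryption, no saved credential')) {
        # -Force suppresses the confirmation prompt Windows shows when PAP is selected
        Set-VpnConnection -Name $Name -AllUserConnection:$AllUserConnection `
            -AuthenticationMethod Pap -EncryptionLevel Optional `
            -RememberCredential $false -Force
    }
}

# Report every L2TP profile that no longer matches the expected settings
Get-L2tpProfileDrift | Where-Object { -not ($_.PapOnly -and $_.EncryptionOk) } |
    Format-Table -AutoSize

# Preview the change first, then drop -WhatIf to apply it ('Meraki VPN' is a placeholder)
Repair-L2tpProfile -Name 'Meraki VPN' -WhatIf
```

Running the report from a logon script or RMM tool shows which laptops have drifted before the user calls the help desk.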