Hi,

We had some issues with remote users logging on the VPN L2TP/IPsec service. These were getting 'The L2TP connection attempt failed because a processing error occurred during the initial security negotiation with the remote computer'.

Seems that a Windows 11 update has caused this and the solution is to remove the update - https://techcommunity.microsoft.com/t5/ ... -p/3057844

Rgds,
Mark.

Confirmed.
Same with Win 10 update KB5009543.

Windows 10:

A few days ago I contact MS live support and ask them if they have any plan to add SHA2 for PH2 negotiation. and they told me that they will release an update this month.

KB5009566 on Windows 11

Code: Select all

wusa /uninstall /kb:5009543

I really appreciate it!

MS posted a workaround:

Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used.

But I don't think we can do that in RouterOS..

So far my colleague tried:
6.40.9 - VPN OK
6.47 - not working, win update issue
6.49 - not working, win update issue

Disabling Vendor ID sending on responder side is not a viable option in my opinion as NAT-T detection depends on Vendor ID's. So disabling Vendor ID option on server side would not allow clients behind NAT to connect, which are most of Windows users anyway.

https://datatracker.ietf.org/doc/html/r ... ection-3.1

lol, So it's a two-edged sword for Microsoft.

Interesting they say "Workaround: To mitigate the issue for some VPNs" - do they mean only some VPNs are broken, or all VPNs are broken and some may be fixed?

I am still able to connect successfully to Mikrotiks running 6.47.9 and 6.47.10 from Windows 10 with KB5009543 installed...

....
I am still able to connect successfully to Mikrotiks running 6.47.9 and 6.47.10 from Windows 10 with KB5009543 installed...

I was unable to connect with L2TP/IPSec VPN to any of my clients, ROS ranging from 6.45.9 LT to 6.47.10 LT

Disabling Vendor ID sending on responder side is not a viable option in my opinion as NAT-T detection depends on Vendor ID's. So disabling Vendor ID option on server side would not allow clients behind NAT to connect, which are most of Windows users anyway.

https://datatracker.ietf.org/doc/html/r ... ection-3.1

Wait... so disabling Vendor ID as which a Microsoft-recommended workaround for their broken update will essentially break the VPN for all users behind NAT? It's like 99% users now with mobile networks using CGNAT...

Hi All,

Is there a way to disable vendor ID on Mikrotik's? We are using mostly GR3 and RB1100 with 6.47.10 OS. I can see a Vendor ID option for DCHP but not for VPN's.

Thanks.

I have experienced this problem aswell, both last week and now today for two different clients.

Windows 10:

Code: Select all

wusa /uninstall /kb:5009543

yeah this works, and you will have reenter the L2TP username/password in windows, the IPsec PSK remained.

KB5010793 has been released to fix the problems caused by the January Update

Windows 10:

Code: Select all

wusa /uninstall /kb:5009543

yeah this works, and you will have reenter the L2TP username/password in windows, the IPsec PSK remained.

Just use https://www.draytek.com/products/smart-vpn-client/
Works just fine with Mikrotik.
You can export your profiles and import them back when needed.
Haven't used the Windows client directly in a long time.

MS has released a out-of-band fix for this VPN issue.

Windows 10: https://support.microsoft.com/en-gb/top ... f9857574f9
Windows update catalog (Win 10): https://www.catalog.update.microsoft.co ... =KB5010793

I've verified that VPN is working again after this fix.

Probably Win 11 is covered as well (I just dont have the links).

MS has released a out-of-band fix for this VPN issue.

Windows 10: https://support.microsoft.com/en-gb/top ... f9857574f9
Windows update catalog (Win 10): https://www.catalog.update.microsoft.co ... =KB5010793

I've verified that VPN is working again after this fix.

Probably Win 11 is covered as well (I just dont have the links).

2 slow :p

@inteq

Thank you for sharing I liked the Client "Draytek" it's very useful.
Did you test all the protocols working with MT?

@inteq

Thank you for sharing I liked the Client "Draytek" it's very useful.
Did you test all the protocols working with MT?

Just L2TP with IPSEC

I will test them all today.
It would be nice if MT would also provide something like this.

M$

Omg

You will need to tell windows to NOT run updates or that bug laden update will be reinstalled and you'll have the same problem. On windows10 settings => windows update settings => pause it for as long as possible.

Trying out the patch https://support.microsoft.com/en-gb/help/5010793 that is supposed to fix it (it's in optional updates as of writing this)

EDIT: Looks like it helped (standard Win10 Home 10.1.19044 built in L2TP/IPSec shared secret client + Mikrotik L2TP server)

Press Sauce: https://petri.com/microsoft-releases-ou ... ows-server

Thought I'd try the Draytek Smart VPN client as I hate all the windows updates breaking things.

I can't seem to get it to work to what was a perfectly fine Microtik using l2tp/ipsec.

I just get "unknown error"

Log on Mikrotik says: "phase1 negotiation failed due to time up:

Seems like a nice solution if I can get it to work. I think I have tried all the options in the client

Tom

Followup in case anyone is interested.

I had to install KB5010793 to fix the VPN before the Draytek client would work,

Thanks for all the info in all the posts here. Now to fix a bunch of clients.

Tom

My Win10 laptop hadn't been updated since late last year. Today tested L2TP/IPSec and it works - I am mystfied why a client's Win11 machine doesn't (with the error above) when connecting to an RB3011. I see this thread. ^&*#%@!
Ran recommended Win10 updates and the VPN stopped with the same new error. Curses.
Refreshed the updates again and it's just finished installing 2022-01 Preview Cumulative Update 21H2 (KB5009596) and now the VPN is working again.
I'll get the client to try updating his Win11 machine to see if it's fixed for him too. <edit> He updated Win11 just now and the VPN is working again.