Normally Windows will fail to connect to an L2TP/IPSec VPN server if either or both the client machine and the server are behind some form of NAT – possibly for security reasons.

However, assuming the server is properly configured to accept connections even when behind NAT (necessary ports and protocol forwards are in place) it is possible to configure a Windows machine to allow such connections via a registry tweak.

Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent key create a new DWORD (32bit) entry with the name AssumeUDPEncapsulationContextOnSendRule and one of the following values:

  • 0 – do not accept NAT transversal
  • 1 – allow connections to a server that is behind NAT
  • 2 – allow connections when both the server and the client are behind NAT

Or use the following in an elevated command prompt:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

A system restart is required for this change to take effect.

The procedure is valid for Windows 7, 8 and 10. The registry tweak also works on Windows Xp, but the entry needs to be added under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec key instead.

Leave a Reply