Windows10 VPN using IPSEC/IKEv2 won't connect

IsmoM 6 Reputation points
2020-09-29T09:47:56.34+00:00

I have set up a VPN server using IPSEC/IKEv2. Certificates are used for authentication, both for the server and a client.

VPN connection works great with a third party VPN client (Greenbow) but native Windows VPN client won't even try to connect.

Trying to open VPN connection (Start -> VPN settings -> [select VPN] -> Connect) results just a dialog "Verifying your sign-in info" which terminates with message "The context has expired and can no longer be used". Wireshark shows no traffic related to the connection excluding a DNS query.

Certificate chain and a user certificate are installed in 'Local Computer' certificate storage. I don't really understand which "sign-in info" is being verified. I have also tried to set up the connection with power shell, but that wouldn't help either:

Add-VpnConnection -Name "MyVPN" -ServerAddress "vpn.acme.com" -AuthenticationMethod "MachineCertificate" -EncryptionLevel "Required" -TunnelType "IKEv2"

System info:
OS Name Microsoft Windows 10 Pro
Version 10.0.18363 Build 18363

How to fix this? I would really like to use VPN client included in Windows10 if only it wasn't broken.

-Ismo

Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,371 questions
{count} vote

5 answers

Sort by: Most helpful
  1. Gary Nebbett 6,096 Reputation points
    2020-09-29T15:15:48.763+00:00

    Hello Ismo,

    You could try the following steps in a command window running as administrator:

    • issue the command: logman start gary -ets -p Microsoft-Windows-WFP -o ikev2.etl
    • try to connect to the VPN; wait until it fails
    • issue the command: logman stop gary -ets
    • issue the command: wevtutil qe /lf /f:text ikev2.etl
    • examine the output for messages like: "IPsec: Send ISAKMP Packet" and "IPsec: Receive ISAKMP Packet"

    If any ISAKMP packets are being sent/received (the progress message "Verifying your sign-in info" suggests very much that packets are being sent and received), then it should be possible to capture them with Wireshark. You could try searching your Wireshark capture for UDP ports 500 and 4500 rather than the VPN server IP address.

    Gary

    1 person found this answer helpful.

  2. Gary Nebbett 6,096 Reputation points
    2020-09-29T13:58:54.187+00:00

    Hello Ismo,

    It is difficult to believe that no IKEv2 messages are being exchanged. Did you perform the Wireshark trace on the VPN server or client? Was Wireshark listening on all network interfaces? Were any capture filters active that might have excluded UDP ports 500 or 4500?

    Gary

    0 comments No comments

  3. IsmoM 6 Reputation points
    2020-09-29T14:19:46.027+00:00

    Wireshark was listening ethernet-interface of the VPN client (Windows 10) . Started from 'welcome' page of wireshark by clicking 'Ethernet'. No filters active. Capture shows lots of other traffic but filtering the capture log with ip.addr == <VPN server ip> produces no data.

    0 comments No comments

  4. Gloria Gu 3,916 Reputation points
    2020-09-30T03:17:03.46+00:00

    Hi,

    Thank you for posting in Q&A!

    According to the errror message, can you check the user account in the VPN connection and the permission&configuration of this account?
    29302-22.png

    Since "Wireshark shows no traffic related to the connection excluding a DNS query." the Network connectivity between the client and VPN server seems to have some probelm.
    Can you ping VPN server from your client?

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  5. Gary Nebbett 6,096 Reputation points
    2020-09-30T08:21:00.307+00:00

    Hello Ismo,

    You could try repeating the previous procedure, replacing Microsoft-Windows-WFP with Microsoft-Windows-RRAS.

    Below is the trace text that I get using the same set-up (IKEv2 with machine certificates). Check where your trace diverges in substance from mine.

    Gary

    IPv6CP: Setting tracing parameters
    From !!!!!SDOWRAPPER.LIB!!!!!!!!!!
    PAP: Setting tracing parameters
    FROM !!!!!WFP.LIB!!!!!!!!
    From !!!!!SDOWRAPPER.LIB!!!!!!!!!!
    From !!!!HOSTROUT.LIB!!!!!
    VPNIKE Recevied message PROTOCOL_MSG_GetNewIkeTunnelId
    Entering BaseConnectionFactory::GenerateConnectionId...
    Leaving BaseConnectionFactory::GenerateConnectionId (status: 0).
    VPNIKE Recevied message PROTOCOL_MSG_Start
    Entering ConnectionTable::GetConnection...
    Leaving ConnectionTable::GetConnection
    Entering VPNIKEProtocolEngine::GetRasDeviceParams...
    RasDeviceGetInfo=603,s=294
    RasDeviceGetInfo=0,s=294,noParams=3
    ConnectionId=11,Destination IP=192.168.0.3
    Leaving VPNIKEProtocolEngine::GetRasDeviceParams (status: 0).
    Username:
    Domain:
    Un-expected PSK size: 0 received. Ignoring the PSK.
    CorrelationGuid: {25996167-C42C-422A-84DA-D583AD85C005}
    PhonebookPath: [C:\Users\Gary\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk], EntryName: [Test-Direct]
    Destination Address: [192.168.0.3]
    ConfigFlags: 0x0c000208, ProtocolConfigFlags: 0x00000188
    IdleTimeOut: -1, NetworkOutageTime: 1800
    ipv6addres [IpRemote=0]
    PrefixLength [0]
    Entering VPNIKEConnectionFactory::CreateConnection...
    Entering BaseConnection::BaseConnection...
    Configured IdleTimeOut:4294967295, approx. value used:4294967295
    InterfaceIndex:9, MTU:1500
    Leaving BaseConnection::BaseConnection (status: 0).
    Entering VPNIKEConnection::VPNIKEConnection...
    Entering IPv4Helper::IPv4Helper...
    Leaving IPv4Helper::IPv4Helper (status: 0).
    Entering IPv6Helper::IPv6Helper...
    Leaving IPv6Helper::IPv6Helper
    Entering IPNotifications::IPNotifications...
    Leaving IPNotifications::IPNotifications
    Created new IPNotifications instance
    Leaving VPNIKEConnection::VPNIKEConnection (status: 0).
    Entering VPNIKEClientConnection::VPNIKEClientConnection...
    Entering BFEHandler::BFEHandler...
    Entering BFEHandler::GetBfeHandle...
    Leaving BFEHandler::GetBfeHandle (status: 0).
    Leaving BFEHandler::BFEHandler (status: 0).
    Entering ClientBFEHandler::ClientBFEHandler...
    Leaving ClientBFEHandler::ClientBFEHandler
    BaseAAAHelper Instance is getting created
    Leaving VPNIKEClientConnection::VPNIKEClientConnection (status: 0).
    Entering ConnectionTable::Add...
    Add new connection with Id 17 @ index 17
    Leaving ConnectionTable::Add (status: 0).
    Signalling the event that the number of connections are atleast 1
    Leaving VPNIKEConnectionFactory::CreateConnection (status: 0).
    Entering BFEHandler::PopulateTrafficSelectors...
    Entering TrafficSelectors::TrafficSelectors...
    Total list of TS Payloads = 1
    Leaving TrafficSelectors::TrafficSelectors
    Entering TrafficSelectors::InitTsPayloads...
    Entering TrafficSelectors::PopulateTsPayloadById...
    Entering TrafficSelectors::GetDefaultTs...
    Leaving TrafficSelectors::GetDefaultTs
    Entering TrafficSelectors::GetDefaultTs...
    Leaving TrafficSelectors::GetDefaultTs
    Leaving TrafficSelectors::PopulateTsPayloadById
    Leaving TrafficSelectors::InitTsPayloads
    Leaving BFEHandler::PopulateTrafficSelectors (status: 0).
    Entering ThreadPoolHelper::QueueWorkItem...
    Leaving ThreadPoolHelper::QueueWorkItem (status: 0).
    Entering VPNIKEProtocolEngine::DispatchMessageA...
    Processing PROTOCOL_MSG_Start for hPort=5
    Entering ConnectionTable::GetConnection...
    Leaving ConnectionTable::GetConnection
    Entering VPNIKEClientConnection::ProcessStart...
    ===> Setting EAP Auth Type NONE
    Entering ClientBFEHandler::PlumbPolicy...
    Adding Policy for Server address
    Adding Cert as LocalAuth method
    Adding Cert as RemoteAuth method
    IsCertRequestPayloadDisabled: RegQueryValueEx for DisableCertReqPayload failed with 2
    Adding Cert(method type: 7) as RemoteAuth method
    Adding Cert(method type: 8) as RemoteAuth method
    Chosen encryption: 1,localauth: 2,remoteauth: 2
    Entering BFEHandler::GetBfeHandle...
    Leaving BFEHandler::GetBfeHandle (status: 0).
    Leaving ClientBFEHandler::PlumbPolicy (status: 0).
    Adding header v4 remote address to additional addresses
    Entering LogAdditionalAddresses...
    Additional Address: NumberOfIPv4Address: [1] [0]:192.168.0.3 NumberOfIPv6Address: [0]
    Leaving LogAdditionalAddresses
    Entering VPNIKEConnection::UpdatePeerAdditionalAddresses...
    Leaving VPNIKEConnection::UpdatePeerAdditionalAddresses
    Entering ClientBFEHandler::StartSANegotiation...
    Entering BFEHandler::GetBfeHandle...
    Leaving BFEHandler::GetBfeHandle (status: 0).
    IsCertSubjectNameCheckDisabled failed: RegQueryValueEx for DisableIKENameEkuCheck failed with 2
    TunnelProtocolV4
    StartService failed with error: 0
    Leaving ClientBFEHandler::StartSANegotiation (status: 0).
    UpdateState: 0x00000001
    Leaving VPNIKEClientConnection::ProcessStart (status: 0).
    Processing done PROTOCOL_MSG_Start for hPort=5. Error:0
    Leaving VPNIKEProtocolEngine::DispatchMessageA (status: 0).
    Entered: GetConfigurationPayloadRequest
    Entering InitializeVpnIkeRpcClient...
    Leaving InitializeVpnIkeRpcClient
    Entering VpnikeGetCfgPayloadRequest...
    Tunnel ID: 0x11
    Entering ConnectionTable::GetConnection...
    Leaving ConnectionTable::GetConnection
    Entering VPNIKEConnection::ProcessCP...
    UpdateState: 0x00000011
    Entering ClientBFEHandler::ProcessCP...
    Entering ClientBFEHandler::ProcessCPRequest...
    Leaving ClientBFEHandler::ProcessCPRequest (status: 0).
    Leaving ClientBFEHandler::ProcessCP
    Leaving VPNIKEConnection::ProcessCP
    Send Cfg Request to Server.....
    Config Payload Type: 1 Attr Type[0]: 1 (Length: 0) AttrValue[0]: Attr Type[1]: 3 (Length: 0) AttrValue[1]: Attr Type[2]: 4 (Length: 0) AttrValue[2]: Attr Type[3]: 23456 (Length: 0) AttrValue[3]: Attr Type[4]: 8 (Length: 0) AttrValue[4]: Attr Type[5]: 10 (Length: 0) AttrValue[5]: Attr Type[6]: 23457 (Length: 0) AttrValue[6]:
    Leaving VpnikeGetCfgPayloadRequest (status: 0).
    Leaving: GetConfigurationPayloadRequest
    Entered: FreeConfigurationPayloadBuffer
    Leaving: FreeConfigurationPayloadBuffer
    Entered: GetTrafficSelectorsRequest
    Entering InitializeVpnIkeRpcClient...
    Leaving InitializeVpnIkeRpcClient
    Entering VpnikeGetTsRequest...
    Tunnel ID: 0x11
    Entering ConnectionTable::GetConnection...
    Leaving ConnectionTable::GetConnection
    TS Initiator: Requested TS for TsId [1]
    Entering VPNIKEConnection::ProcessTS...
    UpdateState: 0x00000031
    Entering TrafficSelectors::GetTrafficSelectorsForId...
    Leaving TrafficSelectors::GetTrafficSelectorsForId (status: 0).
    Leaving VPNIKEConnection::ProcessTS
    TS Initiator: Send TS payload for TsId [1]
    Entering LogTsPayload...
    Logging tsI.....
    [0] [T:7][P:0][PS:0][PE:65535] [StartIP]:0.0.0.0 [EndIP]:255.255.255.255 [1] [T:8][P:0][PS:0][PE:65535] [StartIP]::: [EndIP]:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Logging tsR.....
    [0] [T:7][P:0][PS:0][PE:65535] [StartIP]:0.0.0.0 [EndIP]:255.255.255.255 [1] [T:8][P:0][PS:0][PE:65535] [StartIP]::: [EndIP]:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Leaving LogTsPayload
    Leaving VpnikeGetTsRequest (status: 0).
    Leaving: GetTrafficSelectorsRequest
    Entered: FreeTrafficSelectors
    Leaving: FreeTrafficSelectors
    Entered: ProcessTrafficSelectorsReply
    Entering InitializeVpnIkeRpcClient...
    Leaving InitializeVpnIkeRpcClient
    Entering VpnikeProcessTsReply...
    Tunnel ID: 0x11
    Entering ConnectionTable::GetConnection...
    Leaving ConnectionTable::GetConnection
    TS Initiator: Got reponse for TsId [1]
    Entering LogTsPayload...
    Logging tsI.....
    [0] [T:7][P:0][PS:0][PE:65535] [StartIP]:0.0.0.0 [EndIP]:255.255.255.255 [1] [T:8][P:0][PS:0][PE:65535] [StartIP]::: [EndIP]:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Logging tsR.....
    [0] [T:7][P:0][PS:0][PE:65535] [StartIP]:0.0.0.0 [EndIP]:255.255.255.255 [1] [T:8][P:0][PS:0][PE:65535] [StartIP]::: [EndIP]:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Leaving LogTsPayload
    Entering VPNIKEConnection::ProcessTS...
    UpdateState: 0x00000031
    Entering TrafficSelectors::ReplyTrafficSelectorsForId...
    Entering TrafficSelectors::VerifyTrafficSelectorResponse...
    Entering TrafficSelectors::GetTrafficSelectorsForId...
    Leaving TrafficSelectors::GetTrafficSelectorsForId (status: 0).
    Leaving TrafficSelectors::VerifyTrafficSelectorResponse
    Leaving TrafficSelectors::ReplyTrafficSelectorsForId (status: 0).
    Leaving VPNIKEConnection::ProcessTS
    Leaving VpnikeProcessTsReply (status: 0).
    Leaving: ProcessTrafficSelectorsReply
    Entered: ProcessConfigurationPayloadReply
    Entering InitializeVpnIkeRpcClient...
    Leaving InitializeVpnIkeRpcClient
    Entering VpnikeProcessCfgPayloadReply...
    Tunnel ID: 0x11
    Entering ConnectionTable::GetConnection...
    Leaving ConnectionTable::GetConnection
    Got Cfg Response from Server.....
    Config Payload Type: 2 Attr Type[0]: 1 (Length: 4) AttrValue[0]: C0 A8 00 87 Attr Type[1]: 3 (Length: 4) AttrValue[1]: 9D A1 09 07 Attr Type[2]: 3 (Length: 4) AttrValue[2]: 9D A1 09 06 Attr Type[3]: 23456 (Length: 4) AttrValue[3]: C0 A8 00 80
    Entering VPNIKEConnection::ProcessCP...
    UpdateState: 0x00000031
    Entering ClientBFEHandler::ProcessCP...
    Entering ClientBFEHandler::ProcessCPReply...
    NotifyCaller(hPort=5, PROTOCOL_RES_Projecting)
    Processed first INTERNAL_IP4_DNS
    Processed second INTERNAL_IP4_DNS
    Leaving ClientBFEHandler::ProcessCPReply (status: 0).
    Leaving ClientBFEHandler::ProcessCP
    Leaving VPNIKEConnection::ProcessCP
    Leaving VpnikeProcessCfgPayloadReply (status: 0).
    Leaving: ProcessConfigurationPayloadReply
    Entered: CreateTunnel
    Entering InitializeVpnIkeRpcClient...
    Leaving InitializeVpnIkeRpcClient
    Entering VpnikeCreateTunnel...
    Tunnel ID: 0x11
    LocalTunnelAddress:192.168.0.6 RemoteTunnelAddress:192.168.0.3 Flags: 0x00000001 VPN Encryption: 1 Initiator Cookie: 0x72DD1CDA0B275EE3 Responder Cookie: 0x8D02A39A2800C54B Local Authentication Type : 1 Remote Authentication Type : 1 Size of Peer Encoded Certificate : 1183 Size of My Encoded Certificate : 1158
    Entering ConnectionTable::GetConnection...
    Leaving ConnectionTable::GetConnection
    Entering VPNIKEClientConnection::CreateTunnel...
    Entering VPNIKEConnection::CreateTunnel...
    UpdateState: 0x00000035
    Entering IPNotifications::AddOrModifyIPAddressChangeForConnection...
    Entering IPNotifications::DeleteIPAddressChangeForConnection...
    Leaving IPNotifications::DeleteIPAddressChangeForConnection (status: 0).
    DELETE List: Insert IP Address[192.168.0.6]
    DELETE List: Insert ConnectionID[0x11] for IP Address[192.168.0.6]
    Leaving IPNotifications::AddOrModifyIPAddressChangeForConnection (status: 0).
    Entering BFEHandler::GetQMEncryption...
    Entering BFEHandler::EnumQMSA...
    Create enum handle
    EnumQMSAs returns [1] entries Status = 0
    Leaving BFEHandler::EnumQMSA (status: 0).
    IPsec transform type 4 cipher type 5
    Leaving BFEHandler::GetQMEncryption (status: 0).
    DPD configuration: dpdRequired(1), dpdTimePeriod(1200), dpdResponseTimeout(600)
    Leaving VPNIKEConnection::CreateTunnel (status: 0).
    Entering VPNIKEConnection::UpdateRoutes...
    Entering IPv4Helper::PostConnectActions...
    Entering IPv4Helper::ActivateRoute...
    RasAllocInterfaceLuidIndex returns LuidIndex:1700002A000000
    dwLocalAdd 0x8700a8c0
    AdapterName: \DEVICE{309CB5E3-CA95-4E85-9597-6CDAA31B77F7}
    Leaving IPv4Helper::ActivateRoute (status: 0).
    Entering IPv4Helper::ApplyIPv4Settings...
    Calling LoadTcpipInfo for Device={309CB5E3-CA95-4E85-9597-6CDAA31B77F7}
    LoadTcpipInfo
    Calling SaveTcpipInfo
    SaveTcpipInfo
    SaveTcpipInfo
    SaveTcpipParam
    SaveWinsParam
    SaveWinsParam
    RegDeleteValue(NetbiosOptions) failed: 2
    HelperSetDefaultInterfaceNet(IP addr: 0x8700a8c0, fPrioritize: 0, AddClassBaseRoute=1)
    RasTcpSetRouteEx(Dest: 0xa8c0, Mask: 0xffffff, NextHop: 0x8000a8c0, Metric: 1, Add)
    Dns Servers=157.161.9.7 157.161.9.6
    SaveTcpipInfo with DNS, etc.
    SaveTcpipInfo
    SaveTcpipInfo
    SaveTcpipParam
    SaveWinsParam
    SaveWinsParam
    RegDeleteValue(NetbiosOptions) failed: 2
    RasTcpAdjustMulticastRouteMetric(IP Addr: 0x8700a8c0, Set: TRUE)
    AllocateAndGetIpForwardTable Begin
    AllocateAndGetIpForwardTable End
    GetAdapterInfo
    UpdateInterface dwInterfaceIndex: 42 Tunnel is V4: 1
    Entering ConnectionTable::GetAllConnections...
    Total number of connections returned: 1
    Leaving ConnectionTable::GetAllConnections (status: 0).
    UpdateInterface looping through numberOfActiveConnections: 1
    DnsDisableDynamicRegistration
    DnsDisableAdapterDomainNameRegistration
    Entering IPv4Helper::DHCPInform...
    DHCP inform is happening asynchronously
    DhcpInformRequestAsync returns: 0
    Leaving IPv4Helper::DHCPInform (status: 0).
    Freeing Tcpip info for adapter {309cb5e3-ca95-4e85-9597-6cdaa31b77f7}
    Leaving IPv4Helper::ApplyIPv4Settings (status: 0).
    Leaving IPv4Helper::PostConnectActions (status: 0).
    Leaving VPNIKEConnection::UpdateRoutes (status: 0).
    IsRouter: 0
    NotifyCaller(hPort=5, PROTOCOL_RES_ProjectionResult)
    DhcpRequestParams({309CB5E3-CA95-4E85-9597-6CDAA31B77F7})...
    DhcpRequestParams Start
    UpdateState: 0x00010035
    ServerCoID={0B275EE3-1CDA-72DD-4BC5-00289AA3028D} : ClientCoID={25996167-C42C-422A-84DA-D583AD85C005}
    Leaving VPNIKEClientConnection::CreateTunnel (status: 0).
    Leaving VpnikeCreateTunnel (status: 0).
    Connection 0000014239B20730 is not using interface 42 or is not using the same IP protocol as the tunnel. Skipping.
    Ignoring IP?d??? notification:Index[42]:IPAddress.
    Leaving: CreateTunnel
    Trying to update the interface
    UpdateInterface dwInterfaceIndex: 42 Tunnel is V4: 1
    Entering ConnectionTable::GetAllConnections...
    Total number of connections returned: 1
    Leaving ConnectionTable::GetAllConnections (status: 0).
    UpdateInterface looping through numberOfActiveConnections: 1
    Connection 0000014239B20730 is not using interface 42 or is not using the same IP protocol as the tunnel. Skipping.
    Entering VPNIKEClientConnection::InitiateIkeCompleteCallback...
    InitiateIkeCompleteCallback:SA negotiation failure Status:0 for TunnelID: 11
    InitiateIkeCompleteCallback:All SA negotiation completed. Status:0 for TunnelID: 11
    UpdateState: 0x00010237
    Notify Rasman about VPNIKE connection done
    Entering VPNIKEConnection::IdleTimerStart...
    CreateTimerQueueTimer is set for idle time out: 4294966296
    Leaving VPNIKEConnection::IdleTimerStart (status: 0).
    NotifyCaller(hPort=5, PROTOCOL_RES_Done)
    Leaving VPNIKEClientConnection::InitiateIkeCompleteCallback

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.