You may come across the situation where Mac users are able to connect to a Windows VPN server, but Windows users are not, and you cannot find any log entry on the server or the client. This is probably related to NAT traversal (NAT-T).
When you start the connection, an initial L2TP packet is sent to the server, requesting a connection. This packet causes the IPsec layer on your computer to negotiate with the VPN server to set up an IPsec-protected session (a security association). Depending on a number of factors, including link speed, the IPsec negotiation may take from a few seconds to around two minutes. Once an IPsec security association (SA) has been established, the L2TP session starts. When it starts, you receive a prompt for your name and password.
If the IPSec layer cannot establish an encrypted session with the VPN server, it will fail silently.
NAT traversal and VPN
By default, Windows and the Windows Server operating systems do not support Internet Protocol security (IPsec) network address translation (NAT) traversal (NAT-T) security associations to servers that are located behind a NAT device. Therefore, if the virtual private network (VPN) server is behind a NAT device, a Windows-based VPN client computer or a Windows Server 2008-based VPN client computer cannot make a Layer Two Tunneling Protocol (L2TP)/IPsec connection to the VPN server. This scenario includes VPN servers that are running Windows Server 2003 and later.
Because of the way in which NAT devices translate network traffic, you may experience unexpected results when you put a server behind a NAT device and then use an IPsec NAT-T environment. Therefore, if you must have IPsec for communication, we recommend that you use public IP addresses for all servers that you can connect to from the Internet. However, if you have to put a server behind a NAT device and then use an IPsec NAT-T environment, you can enable communication by changing a registry value on the VPN client computer and the VPN server.
To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:
- Log on to the Windows client computer as a user who is a member of the Administrators group.
- Click Start, point to All Programs, click Accessories, click Run, type Regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
- Locate and then click the following registry subkey:
- Create a DWORD value named AssumeUDPEncapsulationContextOnSendRule.
- In the Value Data box, type one of the following values:
  - 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
  - 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
  - 2 configures Windows so that it can establish security associations when both the server and the Windows-based or Windows Server 2008-based VPN client computer are behind NAT devices.
- In our situation, we choose 2. Click OK, and then exit Registry Editor.
- Restart the computer.
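The same change can be made and verified from an elevated PowerShell session instead of Regedit. The script below is an added example, not part of the original article; the subkey path it uses is the one Microsoft documents for this value (the article itself does not print the path), and the `Show-IpsecMainModeSAs` helper relies on the `Get-NetIPsecMainModeSA` cmdlet, which is available on Windows 8 / Windows Server 2012 and later.

```powershell
# Added example (not from the original article): manage the
# AssumeUDPEncapsulationContextOnSendRule value and inspect IPsec state.
# Assumption: the subkey below is the documented location of this value.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of each setting, as described in the article.
$Meanings = @{
    0 = 'default: no SAs to servers behind NAT'
    1 = 'allow SAs when the server is behind NAT'
    2 = 'allow SAs when both client and server are behind NAT'
}

function Get-NatTRule {
    # Returns the current value, or $null when the value is absent
    # (an absent value behaves like 0, the default).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-NatTRule {
    param([ValidateSet(0, 1, 2)][int]$Value)
    $current = Get-NatTRule
    if ($current -eq $Value) {
        Write-Host "$ValueName is already $Value ($($Meanings[$Value])); nothing to do."
        return $false   # unchanged, so no reboot is needed
    }
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -PropertyType DWord matches what the article asks you to create in
    # Regedit; -Force overwrites an existing value of any type.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value `
        -PropertyType DWord -Force | Out-Null
    Write-Host "$ValueName set to $Value ($($Meanings[$Value])). Reboot required."
    return $true
}

function Show-IpsecMainModeSAs {
    # Diagnostic for the "fails silently" case: while a client is trying to
    # connect, an empty result here means IPsec phase 1 never completed,
    # which is what you see when NAT-T is refused.
    Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue |
        Select-Object LocalEndpoint, RemoteEndpoint
}

# Usage: apply the value the article chooses (2) and prompt for the reboot
# the article's last step requires.
if (Set-NatTRule -Value 2) {
    Write-Host 'Run Restart-Computer when it is convenient to reboot.'
}
Show-IpsecMainModeSAs
```

Run this on the VPN client (and, as the article notes, on the server when it is also behind NAT); the value only takes effect after the restart in the last step.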