L2TP/IPsec Issues with Windows 11 update - kb5009566

Hi,

We had some issues with remote users logging on the VPN L2TP/IPsec service. These were getting ‘The L2TP connection attempt failed because a processing error occurred during the initial security negotiation with the remote computer’.

Seems that a Windows 11 update has caused this and the solution is to remove the update - https://techcommunity.microsoft.com/t5/report-an-issue/windows-11-update-kb5009566-inhibits-vpn-connection/m-p/3057844

Rgds,
Mark.

Confirmed.
Same with Win 10 update KB5009543.

Windows 10:

wusa /uninstall /kb:5009543

A few days ago I contacted MS live support and asked them if they have any plan to add SHA2 for PH2 negotiation, and they told me that they will release an update this month.

wusa /uninstall /kb:5009543

Works perfectly, thanks.

KB5009566 on Windows 11

I really appreciate it!

MS posted a workaround:

Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used.

But I don’t think we can do that in RouterOS.

So far my colleague tried:
6.40.9 - VPN OK
6.47 - not working, win update issue
6.49 - not working, win update issue

Disabling Vendor ID sending on the responder side is not a viable option in my opinion, as NAT-T detection depends on Vendor IDs. So disabling the Vendor ID option on the server side would not allow clients behind NAT to connect, which are most Windows users anyway.

https://datatracker.ietf.org/doc/html/rfc3947#section-3.1

lol, so it’s a two-edged sword for Microsoft.

Interesting they say “Workaround: To mitigate the issue for some VPNs” - do they mean only some VPNs are broken, or all VPNs are broken and some may be fixed?

I am still able to connect successfully to Mikrotiks running 6.47.9 and 6.47.10 from Windows 10 with KB5009543 installed…

I was unable to connect with L2TP/IPSec VPN to any of my clients, ROS ranging from 6.45.9 LT to 6.47.10 LT

Wait… so disabling Vendor ID, which is the Microsoft-recommended workaround for their broken update, will essentially break the VPN for all users behind NAT? It’s like 99% of users now with mobile networks using CGNAT…

Hi All,

Is there a way to disable Vendor ID on MikroTiks? We are using mostly GR3 and RB1100 with 6.47.10 OS. I can see a Vendor ID option for DHCP but not for VPNs.

Thanks.

I have experienced this problem as well, both last week and now today for two different clients.

Yeah, this works, and you will have to re-enter the L2TP username/password in Windows; the IPsec PSK remained.

KB5010793 has been released to fix the problems caused by the January Update

Just use https://www.draytek.com/products/smart-vpn-client/
Works just fine with Mikrotik.
You can export your profiles and import them back when needed.
Haven’t used the Windows client directly in a long time.

MS has released an out-of-band fix for this VPN issue.

Windows 10: https://support.microsoft.com/en-gb/topic/january-17-2022-kb5010793-os-builds-19042-1469-19043-1469-and-19044-1469-out-of-band-f2d4f178-5b36-49cb-a6fd-4bf9857574f9
Windows update catalog (Win 10): https://www.catalog.update.microsoft.com/Search.aspx?q=KB5010793

I’ve verified that VPN is working again after this fix.

Probably Win 11 is covered as well (I just don’t have the links).
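An added check, not posted by anyone in this thread, that a Windows admin could run before choosing between the wusa uninstall above and the out-of-band fix. It assumes only the KB numbers quoted in the thread (KB5009543, KB5009566, KB5010793); the installed-hotfix list is a parameter so the function can also be exercised against a constructed list.

```powershell
# Added example (not from the thread): classify a Windows 10/11 host by whether
# the January 2022 updates that broke L2TP/IPsec are installed and whether the
# out-of-band fix is present. KB numbers are the ones quoted in the thread.
$BrokenKBs = @('KB5009543', 'KB5009566')   # Win10 / Win11 January cumulative updates
$FixKB     = 'KB5010793'                   # out-of-band fix (Win10 link posted above)

function Get-L2tpUpdateState {
    param([string[]]$InstalledHotfixIds)   # e.g. from Get-HotFix, or a constructed list

    $brokenPresent = @($BrokenKBs | Where-Object { $InstalledHotfixIds -contains $_ })
    $fixPresent    = $InstalledHotfixIds -contains $FixKB

    if ($fixPresent) {
        $action = "OK: $FixKB present, no action needed"
    } elseif ($brokenPresent.Count -gt 0) {
        # Prefer the fix; the uninstall is the stopgap the thread used.
        $kbNumber = $brokenPresent[0].Substring(2)   # 'KB5009543' -> '5009543'
        $action = "Install $FixKB, or as a stopgap: wusa /uninstall /kb:$kbNumber"
    } else {
        $action = 'No affected update installed'
    }

    [PSCustomObject]@{
        BrokenKBsInstalled = $brokenPresent
        FixInstalled       = $fixPresent
        Action             = $action
    }
}

# Live check on this machine. Get-HotFix reads Win32_QuickFixEngineering, which
# can omit some updates; cross-check with Settings > Update history if in doubt.
$ids = Get-HotFix | Select-Object -ExpandProperty HotFixID
Get-L2tpUpdateState -InstalledHotfixIds $ids | Format-List

# Constructed sample, for a dry run without touching the local update store:
Get-L2tpUpdateState -InstalledHotfixIds @('KB5008212', 'KB5009543') | Format-List
```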