Can't connect to Windows L2TP VPN through GL-X3000 / Spitz AX

I have a GL-X3000 / Spitz AX I’ve purchased and I’m using to connect to T-Mobile home internet. Everything is working great, except when I try to connect to my office VPN. I’m not able to establish a connection from my Windows 10 PC (connected to the Spitz AX) to my office VPN, which uses a Cisco Meraki L2TP/IPsec VPN. I get the following error on my Windows 10 PC (VPN client) when trying to connect to my office VPN: “Cannot connect to VPN. The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.”
I have no issues connecting to NordVPN servers (which use the IKEv2/IPsec and OpenVPN protocols) using the same Windows PC with the Spitz AX. I’ve done a lot of experiments and the issue seems to follow the Spitz AX.
I’m able to connect to my office VPN with the same Windows 10 PC using the Sagemcom Fast 5688W gateway (connected to T-Mobile home internet) and the Netgear CM700 cable modem (connected to Spectrum home internet).

Is there a setting in the Spitz AX that needs to be changed so my Windows 10 PC can communicate with my office VPN (via L2TP/IPsec)? There seems to be some issue with the Spitz AX blocking L2TP/IPsec protocol packets.

Try this method: install the NAT helper extra package on the router.

opkg update
opkg install kmod-nf-nathelper-extra

If the above does not solve your issue, set the MTU value lower on your Windows PC.

# First find out the network interface to the Spitz AX

netsh interface ipv4 show subinterfaces

# Then set the MTU to 1280. Please replace the interface name in <>
netsh interface ipv4 set subinterface <subinterface name> mtu=1280 store=persistent

Thank you for the fast reply. I tried your suggestions, but I’m still seeing the same problem.

I installed kmod-nf-nathelper-extra and also changed the subinterface MTU to 1280 (on the Wi-Fi interface I’m using to connect to the Spitz AX router):

With IPv6 enabled (NAT6 mode), I get the following error when trying to connect to the VPN:
“Cannot connect to VPN, The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.”

With IPv6 disabled, I get the following error when trying to connect to the VPN:
“The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections.”

Any other suggestions to try and debug the problem?

Try assigning your Windows IP to the DMZ zone on the Spitz. Can you connect?

And what if you connect windows to the modem through a cable?

Update: I think your issue is similar to this:

Apply the configs mentioned in the link and test again.

Also try this: go to network settings and turn off hardware acceleration.
Check whether it works when IPv6 is disabled.

Thanks for all your continued support and suggestions, but unfortunately, no luck getting it to work yet.

  1. Assigned the Windows PC IP to the DMZ zone => same error, L2TP connection failed
  2. Connected the Windows PC directly to the LAN port with an ethernet cable => same error, L2TP connection failed
  3. I tried the suggestions here: VPN Passthrough
     but get the same error, L2TP connection failed
     Set forwarding for port 1723 in Firewall → Port Forwards
     Installed the packages
     opkg update
     opkg install kmod-nf-nathelper-extra
     Added a line to the file /etc/sysctl.d/local.conf
     net.netfilter.nf_conntrack_helper = 1
     and rebooted the router
     The above link mentions setting firewall > NAT > port forward, but I don’t see that option in GL-iNet, probably because the instructions are for the OPNsense 20.1 router, not the Spitz AX.
  4. I also added port forwarding for ports 500 and 4500, which are supposedly used by the Meraki, but still have the same issue.
     IPSec VPN Port Overlap with Manual Port Forwarding rules - Cisco Meraki Documentation
  5. I disabled hardware acceleration and tried with IPv6 both disabled and enabled, but that doesn’t fix the problem either (same issue).

As an additional experiment I tried running an OpenVPN client on the Spitz AX using my NordVPN account to see if that could workaround the issue, but that doesn’t work and there is a separate issue. The client is stuck trying to start…

I copied the log, see attached.
openvpn_nordvpn_log.zip (1.3 KB)

It fails when running the following script: /usr/bin/gl_block.sh

Not sure if this provides any additional clues.

The problem is NordVPN:

Terrible provider.

Found another article for it; could you please also give it a try?

https://www.wintips.org/fix-cannot-connect-to-l2tp-vpn-in-windows-10-solved/

Thanks guys for the additional suggestions! I did get the NordVPN client to run on the Spitz AX after updating the credentials. It’s interesting that a different set of credentials is required for the NordVPN service credentials. However, even after getting the NordVPN client running on the Spitz AX between the WAN and LAN, I’m still not able to connect to my office VPN.

I also tried all the steps in the wintips article (FIX: Cannot Connect to L2TP VPN in Windows 10 (Solved) - WinTips.org), but still not able to connect to my office VPN (same error). I had actually made the registry update previously (to allow L2TP connections behind NAT), but didn’t solve the problem.

Did you reboot the modem after each configuration change?

Can you try another Windows L2TP client? It may work.

A last resort is to run Wireshark on Windows and tcpdump on the modem and check which packet is breaking the connection.

If your server does not block your double VPN, lowering the MTU should solve the issue.
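The tcpdump step above is where this thread has to end up, so here is a router-side capture script, added as an example (it is not from the thread, GL-iNet or Meraki). An L2TP/IPsec client session has distinct legs that a capture on the Spitz AX can separate: IKE on UDP/500, then, once the peers detect a NAT between them, a switch to UDP/4500 where both IKE and UDP-encapsulated ESP travel (this is what lets IPsec cross NAT without any conntrack helper), raw ESP (IP protocol 50) only if no NAT was detected, and L2TP on UDP/1701 inside the ESP payload, which should never show up in the clear. TCP/1723, which the OpenWrt passthrough page forwards, belongs to PPTP and plays no part here. The script assumes tcpdump is installed on the router (opkg install tcpdump), that WAN_IF and SERVER (the Meraki endpoint; 203.0.113.10 below is a documentation address) are set for your setup, and the lines in sample_capture are constructed, not a real capture, to show a negotiation that reaches ESP in both directions:

```shell
#!/bin/sh
# l2tp_ipsec_diag.sh - added diagnostic example for the router side (not from the thread,
# GL-iNet or Meraki). Captures the legs of an L2TP/IPsec client session on the Spitz AX
# and reports how far the negotiation got. Requires tcpdump on the router
# (opkg install tcpdump). Values below are assumptions; set them for your setup.
WAN_IF="${WAN_IF:-wwan0}"          # assumption: WAN interface to capture on
SERVER="${SERVER:-203.0.113.10}"   # assumption: the Meraki VPN endpoint (RFC 5737 documentation address)

# Legs of an L2TP/IPsec client session, in the order they should appear:
#   IKE on UDP/500, NAT-T (IKE and UDP-encapsulated ESP) on UDP/4500 once NAT is detected,
#   raw ESP (IP protocol 50) only when no NAT was detected, and L2TP on UDP/1701, which
#   should never be visible in the clear because it rides inside ESP.
# (TCP/1723 is PPTP and plays no part in L2TP/IPsec.)
l2tp_ipsec_filter() {
    printf '%s' 'udp port 500 or udp port 4500 or ip proto 50 or udp port 1701'
}

# Classify one line of `tcpdump -nn` output by leg. The UDP-encap/NONESP-encap checks come
# first because those lines also contain the plain "ESP(" / "isakmp:" markers.
classify() {
    case "$1" in
        *"NONESP-encap: isakmp:"*) echo IKE_NATT ;;
        *"UDP-encap: ESP("*)       echo ESP_UDP ;;
        *": ESP("*)                echo ESP_RAW ;;
        *": isakmp:"*)             echo IKE ;;
        *": l2tp:"*)               echo L2TP_CLEAR ;;
        *)                         echo OTHER ;;
    esac
}

# Direction is keyed on the server address, because on the WAN interface the outbound
# source is the router's own address after NAT, not the PC's LAN address.
direction() {
    case "$1" in
        *" IP $SERVER."*|*" IP $SERVER "*) echo in ;;
        *" > $SERVER."*|*" > $SERVER:"*)   echo out ;;
        *)                                 echo unknown ;;
    esac
}

# Read tcpdump output on stdin, tally each leg per direction, then print a verdict.
summarize() {
    ike_out=0; ike_in=0; natt_out=0; natt_in=0; esp_out=0; esp_in=0; l2tp_clear=0
    while IFS= read -r line; do
        case "$(classify "$line"):$(direction "$line")" in
            IKE:out)                 ike_out=$((ike_out + 1)) ;;
            IKE:in)                  ike_in=$((ike_in + 1)) ;;
            IKE_NATT:out)            natt_out=$((natt_out + 1)) ;;
            IKE_NATT:in)             natt_in=$((natt_in + 1)) ;;
            ESP_UDP:out|ESP_RAW:out) esp_out=$((esp_out + 1)) ;;
            ESP_UDP:in|ESP_RAW:in)   esp_in=$((esp_in + 1)) ;;
            L2TP_CLEAR:*)            l2tp_clear=$((l2tp_clear + 1)) ;;
        esac
    done
    echo "counts: ike_out=$ike_out ike_in=$ike_in natt_out=$natt_out natt_in=$natt_in esp_out=$esp_out esp_in=$esp_in l2tp_clear=$l2tp_clear"
    if [ "$l2tp_clear" -gt 0 ]; then
        echo "WARNING: L2TP seen in the clear on UDP/1701; IPsec was not applied to it"
    fi
    if   [ "$ike_out" -eq 0 ];  then echo "VERDICT: no IKE traffic toward the server; the PC's packets never reached this interface"
    elif [ "$ike_in" -eq 0 ];   then echo "VERDICT: IKE sent on UDP/500, nothing came back; the server (or something upstream) is not answering"
    elif [ "$natt_out" -eq 0 ]; then echo "VERDICT: phase 1 answered on UDP/500 but no switch to UDP/4500; NAT traversal was not negotiated"
    elif [ "$natt_in" -eq 0 ];  then echo "VERDICT: NAT-T sent on UDP/4500, nothing came back on it; UDP/4500 replies are not returning through the NAT"
    elif [ "$esp_out" -eq 0 ];  then echo "VERDICT: IKE exchanged on UDP/4500 but no ESP sent; IKE did not complete, inspect the last IKE message"
    elif [ "$esp_in" -eq 0 ];   then echo "VERDICT: ESP sent, none received; IKE completed but encrypted traffic is not returning"
    else                             echo "VERDICT: ESP flows both ways; IPsec is up and the failure is inside the tunnel (L2TP/PPP), check the VPN server log"
    fi
}

# Capture for one connection attempt (at most N packets) and summarize.
capture() {
    tcpdump -nn -l -i "$WAN_IF" -c "${1:-200}" "$(l2tp_ipsec_filter)" 2>/dev/null | summarize
}

# Constructed tcpdump lines (not a real capture) showing a negotiation that reaches ESP
# in both directions; used when the script is run without the "capture" argument.
sample_capture() {
    cat <<'EOF'
12:00:01.000000 IP 192.168.8.100.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:01.050000 IP 203.0.113.10.500 > 192.168.8.100.500: isakmp: phase 1 R ident
12:00:01.100000 IP 192.168.8.100.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident[E]
12:00:01.150000 IP 203.0.113.10.4500 > 192.168.8.100.4500: NONESP-encap: isakmp: phase 1 R ident[E]
12:00:01.300000 IP 192.168.8.100.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
12:00:01.350000 IP 203.0.113.10.4500 > 192.168.8.100.4500: UDP-encap: ESP(spi=0x4d5e6f70,seq=0x1), length 116
EOF
}

case "${1:-demo}" in
    capture) capture "${2:-200}" ;;
    *)       sample_capture | summarize ;;
esac
```

Run it over SSH on the router as `SERVER=<your VPN endpoint> WAN_IF=<wan interface> sh l2tp_ipsec_diag.sh capture 200` while starting one connection attempt on the PC, and run Wireshark on the Windows side with the same filter expression so you can compare what left the PC with what left the router. Of the two Windows errors quoted in this thread, "remote server is not responding" lines up with the no-reply verdicts (nothing returning on UDP/500 or UDP/4500), while "processing error during initial negotiations" means a reply did arrive and IKE itself objected, so the last inbound IKE message is the one to decode. The verdicts state only what the counts imply; a rejected proposal or authentication failure still needs the VPN server's log.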