Bobcares

L2TP VPN fails with Error 787 | How-to Fix

by | Feb 18, 2022

The "L2TP VPN fails with error 787" problem can be resolved with Bobcares by your side.

At Bobcares, we offer solutions for every query, big and small, as a part of our VPN Provider Support.

Let’s take a look at how our Support Team is ready to help customers when L2TP VPN fails with error 787.

How to fix: L2TP VPN fails with error 787

The failure occurs when an L2TP VPN connection to a Remote Access server is not successful. It results in the following error 787 message:

The L2TP connection attempt failed because the security layer could not authenticate the remote computer.

In this scenario, our Support Techs note that the server is configured for both VPN connections and DirectAccess, and that it holds at least two valid certificates. One of these certificates is for L2TP and the other is for IP-HTTPS. Additionally, these certificates need to have at least the Server Authentication EKU.


For instance:

  • Server Authentication (1.3.6.1.5.5.7.3.1)
  • Client Authentication (1.3.6.1.5.5.7.3.2) optionally also
  • IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

In this event, one of the certificates will be a wildcard certificate. Moreover, the certificates may also be from different Certificate Authorities.

Upon investigation, our Support Techs have come to the conclusion that this error occurs because the server uses a wildcard certificate, or a certificate from a different CA than the computer certificate configured on the clients.

Routing and Remote Access (RRAS) works by choosing the first certificate it locates in the computer certificate store. For L2TP, we rely on the RRAS to choose a certificate. We cannot influence this in any way.
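
A read-only check for the condition described above, as an added example that is not part of the original article: it lists the certificates in the local computer store that carry the Server Authentication EKU and warns when there is more than one, when they come from different issuers, or when one is a wildcard. The function name Get-L2tpCertCandidate is hypothetical, and the listing order says nothing about which certificate RRAS actually selects.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as listed above
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Get-L2tpCertCandidate {       # hypothetical helper name
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object { $_ -is $EkuType }
        if (-not $eku) { return }      # no EKU extension: not reported by this check
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $ServerAuthOid) { return }   # lacks Server Authentication
        if ($cert.NotAfter -lt (Get-Date)) { return }       # expired

        # Wildcard if the subject CN or any SAN DNS name starts with "*."
        $sanWildcard = [bool]($cert.DnsNameList.Unicode -match '^\*\.')
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Wildcard      = ($cert.Subject -match 'CN=\*\.') -or $sanWildcard
        }
    }
}

$candidates = @(Get-L2tpCertCandidate)
$candidates | Format-List

# Flag the three conditions the article associates with error 787.
$issuers = @($candidates | Select-Object -ExpandProperty Issuer -Unique)
if ($candidates.Count -gt 1) {
    Write-Warning "$($candidates.Count) certificates carry Server Authentication; RRAS chooses among them on its own."
}
if ($issuers.Count -gt 1) {
    Write-Warning "Candidates come from different issuers: $($issuers -join ' | ')"
}
if ($candidates.Wildcard -contains $true) {
    Write-Warning 'At least one candidate is a wildcard certificate.'
}
```

Run it in an elevated PowerShell session on the RRAS server and compare the reported issuers with the CA that issued the clients' computer certificates.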

Fortunately, our Support Techs have come up with two different ways to solve this issue:

  • We can use a single certificate for L2TP and IP-HTTPS to resolve the issue.
  • We can manually configure the L2TP IPsec policy on the RRAS server and disable the IPsec policy with the following registry value:
    • Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    • Value Name: ProhibitIpSec
    • Data Type: REG_DWORD
    • Value: 1

The next step is to add an IPsec policy manually:

Rule Name: L2TP Manual Rule
Description: L2TP Manual Rule
Enabled: Yes
Profiles: Private, Public
Type: Dynamic
Mode: Transport
InterfaceTypes: Any
Endpoint1: Any
Endpoint2: 131.107.0.2/32
Port1: Any
Port2: 1701
Protocol: UDP
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CAName: DC=com, DC=contoso, DC=corp, CN=corp-DC1-CA
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
MainModeKeyLifetime: 480min,0sess
QuickModeSecMethods: ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
QuickModePFS: None
Rule source: Local Setting
ApplyAuthorization: No


Conclusion

In brief, our skilled Support Engineers at Bobcares demonstrated what to do when L2TP VPN fails with error 787.
