Event ID 20111, Error 792 or Error 781 When Establishing an L2TP/IPSec Connection (247231)

SYMPTOMS

When you attempt to manually establish a Layer 2 Tunneling Protocol (L2TP)/IP Security Protocol (IPSec) connection with a Windows 2000-based server by using the Routing and Remote Access snap-in, you may be unable to do so, and the initiator computer may display the following error message:

Routing and Remote Access
An error occurred during connection of the interface.
The L2TP connection attempt failed because security negotiation timed out.

In addition, the following event is logged in the System event log of the initiator computer:

Source: RemoteAccess
Event ID: 20111
Description: A Demand Dial connection to the remote interface <interface name> on port VPNx-y was successfully initiated but failed to complete successfully because of the following error: The L2TP connection attempt failed because security negotiation timed out.

NOTE: If the connection is triggered by demand-dial traffic, then only Event 20111 is logged.

When you attempt to establish an L2TP/IPSec connection by using Network and Dial-up Connections, you are unable to do so, and the initiator computer may display the following error message:

Error Connecting to <Connectoid Name>
Connecting to <IP address>...
Error 792: The L2TP connection attempt failed because security negotiation timed out.

-or-

Error Connecting to <Connectoid Name>
Connecting to <IP address>...
Error 781: Encryption failed because no valid certificate was found.

NOTE: That Event 20111 is not logged at either the client or server when you attempt to establish the connection by using Network and Dial-up Connections.

CAUSE

This issue can occur because of one of the following reasons:

The certificate on the virtual private networking (VPN) server is not a valid machine certificate or is missing. If the VPN server got a certificate during the Certificate Authority installation, this certificate is not valid for IPSec machine authentication.
The IPSec Policy Agent service is stopped and started without stopping and starting the Routing and Remote Access service on the remote computer.
The IPSec Policy Agent service is not running when you start the Routing and Remote Access service.

RESOLUTION

To resolve this issue, do one of the following:

Install a valid machine certificate on the VPN server.
Stop and start the IPSec Policy Agent service, and then stop and start the Routing and Remote Access service on the remote computer. To do so, use one of the following methods.
Method 1
1. Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.
2. Double-click Services and Applications, double-click Services, double-click IPSEC Policy Agent, click Stop, click Start, and then click OK.
3. Double-click Routing and Remote Access, click Stop, click Start, and then click OK.
Method 2
At a command prompt, type the following commands pressing ENTER after each command:
net stop policyagent
net start policyagent
net stop remoteaccess
net start remoteaccess
NOTE: The IPSec Policy Agent service must be started when the Routing and Remote Access service initializes.

MORE INFORMATION

When you stop and start the IPSec Policy Agent service without stopping and starting the Routing and Remote Access service, the automatic IPSec policy that is usually created for the L2TP/IPSec connection is not created and the connections are not successful.

If you stop the IPSec Policy Agent service while you have active tunnel connections without first stopping the Routing and Remote Access service, the tunnels are unsecured, and data is exposed in the clear. It is recommended that you stop active tunnel connections before you stop the IPSec Policy Agent service.

Note that stopping the IPSec Policy Agent and the Routing and Remote Access services may remove filters that are critical to protecting your computers, and to prevent this downtime in security, it is recommended that you disconnect the network cable.