
Windows VPN: Prevent the errors 789 and 809

Having a Raspberry Pi, one of my first projects was to set up my own VPN server on this cute little machine. Why? Well, we see free, unencrypted wireless hot spots everywhere, but you shouldn't read your private mails, Facebook or your bank account on such networks, because other users or the provider of such spots might eavesdrop on your communication. A reliable solution is to use a so-called virtual private network (VPN).

Using a VPN gives you the privacy of your own private network in public places where you are using open networks: hotels, universities, coffee shops etc. With a VPN, your Internet traffic is encrypted and secured across networks that are often insecure, as if you were at home.

Some of you might already use one of the professional VPN providers, and there are plenty of providers to get a VPN from, with both free and paid plans. But you never get an in-depth look behind the scenes of such providers, and you do not know if they are trustworthy, secure etc. A very simple solution is to set up your own VPN server on one of the well-known Fritz!Boxes or, if you do not own a Fritz!, to use a cute Raspberry Pi and build a VPN from scratch.

While setting up the VPN on my Raspberry Pi I ran into several issues making the server usable on my zoo of devices. Most of the problems and issues occurred on my Windows machines, especially these pesky errors 809 and 789 on Windows 7 and 8/8.1. I tried several solutions found by googling the web, but none of them did it on the first and only run.

The main problem is that since Windows 7 and Server 2008, Microsoft Windows does not, by default, support IPsec network address translation traversal (NAT-T) security associations to servers that are behind a NAT device, which is the case for most home-brew VPN servers sitting behind a DSL or LTE modem/router. Thus, if the VPN server sits behind a NAT device, your Windows 7 or 8/8.1 VPN client cannot make an L2TP/IPsec connection to the VPN server.

The following Windows Registry hack worked in the end, and that's why I would like to share it with you guys. Hopefully it helps some of you out:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000000

Just install these Registry entries, restart your machine, and try to connect to your NATed VPN server. For more details also read http://support.microsoft.com/kb/926179/en-us.
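
To see what a machine currently has before importing the file, the following PowerShell script reads the two values and reports whether they match. It is an added example, not part of the original post; the `-Apply` switch is this script's own (hypothetical) parameter and writes the same two DWORDs as the .reg file above.

```powershell
# Added example, not from the original post.
# Audits the two registry values from the .reg file; -Apply writes them.
param([switch]$Apply)   # -Apply is this script's own switch (an assumption)

# Key path, value name and expected DWORD, taken from the .reg file above.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
       Name = 'AssumeUDPEncapsulationContextOnSendRule'; Expected = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
       Name = 'ProhibitIpSec'; Expected = 0 }
)

$changed = $false
foreach ($s in $settings) {
    $name = $s.Name
    # A missing key or value yields $null here instead of an error.
    $item = Get-ItemProperty -Path $s.Path -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$name } else { $null }

    # Test for $null first: ProhibitIpSec expects 0, which must not be
    # confused with "value not present".
    if ($null -eq $current)               { $state = 'missing' }
    elseif ($current -eq $s.Expected)     { $state = 'ok' }
    else                                  { $state = 'differs' }

    if ($Apply -and $state -ne 'ok') {
        if (-not (Test-Path $s.Path)) {
            Write-Warning "Key not found, skipped: $($s.Path)"
        } else {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $s.Path -Name $name -PropertyType DWord `
                -Value $s.Expected -Force | Out-Null
            $state = "set (was $state)"
            $changed = $true
        }
    }

    [pscustomobject]@{
        Value = $name; Current = $current; Expected = $s.Expected; State = $state
    }
}

if ($changed) { Write-Warning 'Values changed; restart the machine before testing the VPN.' }
```

Run it from an elevated PowerShell session; without `-Apply` it only reads the registry and changes nothing.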