Error: "IKEv2 Client VPN Windows Error 809"

Issue

When I try to connect to my DNA from a Windows 10 machine using IKEv2, I get the error message, "IKEv2 Client VPN Windows Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding."

Environment

  • Datto Networking Appliance (DNA)

Cause

IPSec uses a 2012-byte IKE_AUTH response and uses IKEv2 fragmentation to break the IKE_AUTH request into multiple messages. Some versions of Windows 10 do not support IKEv2 fragmentation.

Solutions

Update Windows 10

To solve this issue, we recommend updating Windows 10 to version 1809 or higher.

Modify the Windows Registry

In some cases, modifying the Windows Registry and rebooting the machine will allow connection to the DNA via IKEv2 without updating Windows 10.

Incorrectly modifying the Windows Registry can prevent your machine from working correctly.

On Windows Vista, Windows 7, and Windows 8-10 machines:

1. In the Registry Editor (Regedit), add the following entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
RegValue: AssumeUDPEncapsulationContextOnSendRule
Type: DWORD
Data Value: 2

You can also add the entry by entering the following in an elevated command prompt:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

2. Reboot the machine. If the error persists, contact Datto Networking Support.
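
The registry change for Windows Vista through Windows 10, as an added PowerShell example that is not part of the original article or Datto's tooling: it checks the Windows build and the current value, exports the key as a backup, writes the value, and reads it back. The backup file location is an assumption.

```powershell
# Added example (not Datto's code). Run in an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'
$wanted    = 2
$backup    = Join-Path $env:TEMP 'PolicyAgent-backup.reg'   # assumed backup location

# Refuse to continue without administrator rights; HKLM writes would fail anyway.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Windows 10 version 1809 is build 17763. Windows 10 builds start at 10240, so a
# build in that range below 17763 is a Windows 10 release older than 1809.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -ge 10240 -and $build -lt 17763) {
    Write-Warning "Build $build is older than Windows 10 1809; updating is the recommended fix."
}

# Read the current value, if any, so an unnecessary write and reboot are avoided.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq $wanted) {
    Write-Output "$valueName is already $wanted; no change made."
    return
}

# Export the key before touching it so the change can be rolled back.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $backup failed; registry left unchanged." }

# Create or overwrite the DWORD, then read it back to confirm the write.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $wanted -Force | Out-Null
$written = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($written -ne $wanted) { throw "Expected $wanted but read back $written." }

Write-Output "Set $valueName to $wanted (was: $(if ($null -eq $current) { 'not present' } else { $current }))."
Write-Output "Backup saved to $backup. Reboot for the change to take effect."
```

To roll back, import the exported .reg file or delete the value, then reboot.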

On Windows XP machines:

1. In the Registry Editor (Regedit), add the following entry and reboot the machine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
RegValue: AssumeUDPEncapsulationContextOnSendRule
Type: DWORD
Data Value: 2

You can also add the entry by entering the following in an elevated command prompt:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

2. Reboot the machine. If the error persists, contact Datto Networking Support.