EDIT: RESOLVED. It was the MS-CHAP(V2) setting. Thanks everyone!
VPN server-side config:
- ISP fixed IP on cable modem running in router mode
- UDP ports 500 & 4500 forwarded to USG Pro 4 running 4.4.56 firmware
- Unifi OS 2.5.11 running on UCK G2 Plus
- Network App 7.2.95 using default config (VPN server enabled, pre-shared key auto generated, user auth: user, password)
client side:
- Win11 Pro behind NAT pointing to ISP modem public fixed IP
- VPN type: L2TP/IPsec with pre-shared key
- sign-in info: Username and Password
- AssumeUDPEncapsulationContextOnSendRule reg key added & set to 2 (1 doesn’t work at all)
Upon clicking “connect”, it establishes the connection to the VPN server and validates the sign-in info. Shortly after, it comes back with the following error:
“The connection was prevented because of a policy configured on the RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”
Any ideas on what might be causing this error?
EDIT: added more details
I’ve gotten this exact error on a Windows box after reinstallation. Turns out I had missed a setting to allow MS-CHAP v2 under adapter options; that fixed it for me.
It’s described under the “Configuring Clients” here:
https://help.ui.com/hc/en-us/articles/115005445768-UniFi-Network-Configuring-Remote-Access-VPNs-VPN-Server-
HTH.
If your USG is running the VPN server, you don’t need to port forward.
Reboot the USG and within minutes of it coming online, try the vpn.
Make sure you have the key entered and the proper auth method assigned on the VPN client connection. The “wizard” in Windows 10 and 11 doesn’t give you any of the actual options needed to correctly set up the profile.
I’ve had very poor reliability of the L2TP function on unifi. Only thing that doesn’t seem to be a fail is site to site on IPSec.
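Added example, not posted by anyone in this thread and not Ubiquiti's own code: an elevated PowerShell script that applies the client-side settings the replies converge on (NAT-T registry value 2, an L2TP/IPsec profile with the pre-shared key, MS-CHAP v2 as the only authentication method) and checks the profile before dialing, instead of going through the Windows wizard that hides the auth method. The profile name, server address, PSK and credentials are placeholders.

```powershell
# Added example: build and verify a Windows L2TP/IPsec client profile.
# Run in an elevated PowerShell. Placeholders (assumptions, not from the thread):
$Name   = 'Site-USG'
$Server = '203.0.113.10'                     # the modem's fixed public IP
$Psk    = 'replace-with-the-PSK-from-Network-App'

# 1. NAT-T context. Both ends sit behind NAT here (client behind its router,
#    USG behind the cable modem), which is the case value 2 covers; value 1
#    only covers a server behind NAT, so it fails in this topology.
#    With NAT-T, L2TP (UDP 1701) rides inside UDP 4500, so only 500/4500
#    need to be forwarded to the USG.
$PolicyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $PolicyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null
# The IPsec policy agent reads this at start; reboot before the first dial.

# 2. The profile. The GUI wizard does not expose the auth method; the cmdlet does.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType L2tp -L2tpPsk $Psk `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential -Force

# 3. Check before dialing: tunnel type and auth method must match the USG,
#    otherwise the "policy configured on the RAS/VPN server" error follows
#    right after the IPsec tunnel comes up.
$vpn = Get-VpnConnection -Name $Name
if ($vpn.TunnelType -ne 'L2tp' -or $vpn.AuthenticationMethod -notcontains 'MsChapv2') {
    throw "Profile '$Name' is not L2TP with MS-CHAP v2 (auth: $($vpn.AuthenticationMethod -join ','))"
}

# 4. Dial. rasdial prints the same error text the post quotes if the server
#    still rejects the authentication method.
rasdial $Name 'vpnuser' 'replace-with-the-user-password'
```

One caveat worth keeping in mind with this setup: MS-CHAP v2 on its own is breakable offline from a captured handshake, but in L2TP/IPsec that exchange runs inside the IPsec tunnel, so the real protection is the strength of the pre-shared key and of the user password. Keep the auto-generated PSK rather than replacing it with a short one, and do not lower EncryptionLevel below Required.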
Follow this yt guide, then watch it again, review your settings, watch again.
https://help.ui.com/hc/en-us/articles/115005445768-UniFi-Network-Configuring-Remote-Access-VPNs-VPN-Server-#:~:text=Go%20to%20Settings%20>%20Network%20%26%20internet,in%20your%20UniFi%20Network%20settings.&text=Click%20the%20Security%20tab%2C%20then,method%20to%20MS-CHAP%20v2
Thank you! This did it. Somehow, I skipped this step even though I had already set a different client for another network - oops.
Now, if I could only figure out how to access the local machines at that site, I’d be set. I can RDP using my iPhone, but not from Windows.
Thanks for the reply, but the later reply pegged it. I do need to port forward because the USG is not internet-facing. It sits behind a cable modem that I can’t set to passthrough because of some restrictions from my provider.