Overview
Installing the 32-bit version of the Kerio VPN client on Windows 10 fails with the error "28201. Installation of VPN device driver failed. 0x800F0235, Failed to register device", so you want to use the Windows built-in VPN functionality to connect to the Kerio Control VPN server instead.
This procedure also applies to Windows ARM machines, as the Kerio Control VPN client is not ARM-compatible.
This article describes how to properly configure Kerio Control and the Windows VPN client:
- Configuring Kerio Control
- Configuring VPN Settings on the Client Windows 10 System with L2TP PSK (preshared key)
- Configuring VPN Settings on the Client Windows 10 System with Kerio Control 9.4.4 and newer versions (IKEv2 with username and password)
Prerequisites
The following ports need to be allowed on the router, and forwarding needs to be enabled for them:
- TCP/UDP 4090
- TCP/UDP 4081
- TCP/UDP 500
- TCP/UDP 4500
Solution
Configuring Kerio Control
- In Kerio Control Webadmin, navigate to Settings (Gear Icon) > Interfaces > VPN Server Properties.
- Check the following options:
- Enable Kerio IPsec VPN Server
- Enable Kerio VPN Server
- Use certificate for clients
- Use preshared key (also, you need to enter the key in the corresponding field)
- Enable MS-CHAP v2 authentication
[Screenshot: IPSec VPN configuration in older Kerio Control versions]
[Screenshot: IPSec configuration in Kerio Control 9.4.4 and newer]
- Click OK, and navigate to the Traffic Rules menu.
- Ensure that the default rule named VPN Services exists and is active to allow VPN access.
- Navigate to the Users menu and ensure that the option User can connect using VPN is enabled for the corresponding user.
Configuring VPN Settings on the Client Windows 10 System with L2TP PSK (preshared key)
- Open Network & Internet Settings.
- Navigate to the VPN menu, and click Add a VPN Connection.
- Specify the VPN settings:
- Select VPN provider as Windows (built-in).
- Enter a Connection name.
- Enter the public IP address or hostname of the Kerio VPN Server in the Server name or address field.
- Select L2TP/IPsec with pre-shared key as VPN type.
- Enter the Pre-shared key (PSK) matching the key entered in the Kerio Control VPN settings (step 2).
- Select User name and password as Type of sign-in info.
- Enter the User name and the Password.
- Check Remember my sign-in info.
- Click the Save button.
- Select the VPN connection you created and click the Connect button.
Configuring VPN Settings on the Client Windows 10 System with Kerio Control 9.4.4 and newer versions (IKEv2 with username and password)
Please note that the L2TP PSK (preshared key) configuration described above also works with Kerio Control 9.4.4 and later. However, Kerio Control 9.4.4 introduces IPSec Site-to-Client IKEv2 support, so the Windows native VPN client can be configured to use IKEv2 as well, not only L2TP.
- Open Network & Internet Settings.
- Navigate to the VPN menu, and click Add a VPN Connection.
- Specify the VPN settings:
- Select VPN provider as Windows (built-in).
- Enter a Connection name.
- Enter the public IP address or hostname of the Kerio VPN Server in the Server name or address field.
- Select IKEv2 as VPN type.
- Select User name and password as Type of sign-in info.
- Enter the User name and the Password.
- Check Remember my sign-in info.
- Click the Save button.
- Select the VPN connection you created and click the Connect button.
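The two connection profiles above can also be created from PowerShell with the built-in VpnClient cmdlets. This is an added example, not part of the original article: the server name vpn.example.com and the connection names are placeholders, and the IKEv2 profile assumes that "User name and password" corresponds to the default EAP-MSCHAPv2 configuration.

```powershell
# Added example: scripted equivalent of the two Settings-UI procedures above.
# Run in the session of the user who will use the connection.
$server = 'vpn.example.com'   # placeholder: public IP or hostname of Kerio Control

# --- L2TP/IPsec with pre-shared key ---
# Prompt for the PSK so it is not stored in the script or in shell history.
$securePsk = Read-Host -Prompt 'Pre-shared key from Kerio Control' -AsSecureString
$psk = [System.Net.NetworkCredential]::new('', $securePsk).Password

# -Force suppresses the confirmation prompt about passing the PSK as plain text.
Add-VpnConnection -Name 'Kerio L2TP' -ServerAddress $server `
    -TunnelType L2tp -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 `
    -RememberCredential -Force
Remove-Variable -Name psk, securePsk

# --- IKEv2 with user name and password (Kerio Control 9.4.4 and newer) ---
# New-EapConfiguration without arguments produces an EAP-MSCHAPv2 configuration
# (assumed here to be what the "User name and password" sign-in type selects).
$eap = New-EapConfiguration
Add-VpnConnection -Name 'Kerio IKEv2' -ServerAddress $server `
    -TunnelType Ikev2 -AuthenticationMethod Eap `
    -EapConfigXmlStream $eap.EapConfigXmlStream `
    -RememberCredential

# Review what was created before connecting.
Get-VpnConnection |
    Where-Object { $_.ServerAddress -eq $server } |
    Select-Object Name, TunnelType, AuthenticationMethod, L2tpIPsecAuth, RememberCredential
```

The user name and password are entered on the first connection attempt and stored because of -RememberCredential, matching the "Remember my sign-in info" option.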
Troubleshooting connectivity issues
If you are experiencing connection issues, change the Local Security Policy on the client computer (ensure that the option to send LM and NTLM negotiations is enabled) by following these steps:
- Open Local Security Policy in Windows 10.
From the Start menu, in the Search programs and files dialog, enter secpol.msc and press Enter.
- Expand Local Policies and click on the Security Options folder.
- On the right-hand side of the Local Security Policy window, locate and double-click on Network security: LAN Manager authentication level.
- In the drop-down list, select Send LM & NTLM - use NTLMv2 session security if negotiated.
Click OK.
- Reboot the PC and try connecting again.
If you are still experiencing connection issues (Windows Event Viewer may show The error code returned on failure is 809), there is an additional tweak that can be made at the Windows level:
- Right-click Start and select Run
- Type regedit and press Enter
- Go to this location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
- Open the Edit menu, go to New, and click DWORD (32-bit) Value
- Type AssumeUDPEncapsulationContextOnSendRule and press Enter
- Double-click the AssumeUDPEncapsulationContextOnSendRule entry
- Set Base to Hexadecimal
- Set Value data to 2
- Click OK
- Restart your PC.
Please note that the scope of support for Windows VPN client connectivity is limited: environmental or Windows issues often prevent a proper connection from being established, and in those cases Microsoft Support should be contacted. A good starting point for investigating any issue is the Windows Event Viewer.
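A read-only snapshot to take before applying either troubleshooting change, so the original values can be restored afterwards and the failure code from the event log is on record. This is an added example, not part of the original article; it reads the registry values behind the two settings above and the RasClient entries in the Application log.

```powershell
# Added example: records the current state; it changes nothing.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'

# "Network security: LAN Manager authentication level" is stored as
# LmCompatibilityLevel; index = registry value, text = policy label.
$lmLabels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)
$lm = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel `
        -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $lm) {
    'LmCompatibilityLevel: not set (operating system default applies)'
} else {
    "LmCompatibilityLevel: $lm ($($lmLabels[$lm]))"
}

# NAT traversal setting from the registry procedure above.
# 0 or absent = default, 1 = server behind NAT, 2 = server and client behind NAT.
$natT = (Get-ItemProperty -Path $ipsKey -Name AssumeUDPEncapsulationContextOnSendRule `
        -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($null -eq $natT) {
    'AssumeUDPEncapsulationContextOnSendRule: not set'
} else {
    "AssumeUDPEncapsulationContextOnSendRule: $natT"
}

# Recent VPN dial failures with the error code extracted from the message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'error code returned on failure is (\d+)' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ErrorCode = [int]$Matches[1]
            Message   = ($_.Message -split "`r?`n")[0]
        }
    } | Select-Object -First 10
```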