Microsoft L2TP Client Work-Around

On January 11, 2022, Microsoft released Windows 10 KB5009543 and Windows 11 KB5009566 as a part of their January 2022 roll-up. After applying the patches, administrators found that L2TP connections from remote Windows computers using the L2TP client would fail on connection.

At the time of this writing, Microsoft hasn’t pulled the roll-up and hasn’t issued a hotfix, suggesting instead that the IPSEC server be modified to disable the VendorID field in negotiation.

As this isn’t an option for most firewalls and would require vendors to post firmware updates for tens of thousands of product SKUs, this effectively turned the problem into a pissing match between hardware vendors and Microsoft. Hardware vendors claim this is a Microsoft issue and advise customers to reverse the patch; Microsoft claims its implementation of the IPSEC client is correct. Meanwhile, VPNs for millions of people working from home don’t work.

Reversing the patch may not be a suitable option when dealing with classified networks; as a system administrator, I’ve an obligation to apply Microsoft’s roll-ups to protect my clients’ data and networks. Reversing it may not only jeopardize IT assets that I’m responsible for but may just invalidate cyberinsurance policies because I did the exact opposite of what I was supposed to do: I sacrificed a bunch of security patches in favor of one working feature, a feature that would break again unless I disabled patching on the remote machine, only exacerbating the problem over time.

The real fix for this, then, is for Microsoft to either pull the patch or issue a hotfix. Since Microsoft is (again) not stepping up to address messes that it makes, there’s a good work-around.

  1. On a machine that doesn’t have the KB updates mentioned above (or reverse the KB on the affected machine), find the file c:\windows\system32\ikeext.dll. It’ll be dated 2021.

  2. Copy this file somewhere safe so that you have a spare copy of it.

  3. Apply the Jan 2022 patches and reboot.

  4. You’ll now find a 2022 version of ikeext.dll in the c:\windows\system32 folder.

  5. Take control of that file by changing its ownership to a local administrator (perhaps the user account you’re using), and change your permissions to Full Control.

  6. Using Task Manager, under the Services tab, find the IKEEXT service (IKE and AuthIP IPsec Keying Modules, the service that hosts ikeext.dll) and stop it.

  7. Rename c:\windows\system32\ikeext.dll to *.old, providing administrator elevation to do so.

  8. Copy in your 2021 version of ikeext.dll to the same path.

  9. Restart the IKEEXT service under the Services tab, or reboot the machine.
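Steps 4 through 9 as an elevated PowerShell script (an added example, not part of the original post). It assumes `$Source` is the path to the 2021 ikeext.dll saved in step 2, and it adds one check the manual steps don't: it refuses to install a replacement DLL that doesn't carry a valid Microsoft Authenticode signature, so the same procedure can't be used to slip a tampered file into System32.

```powershell
# Added example: scripted form of steps 4-9 from the post above.
# Assumptions: run from an elevated PowerShell prompt; $Source is the 2021
# ikeext.dll copied out in step 2; the patched 2022 build is currently installed.
param(
    [Parameter(Mandatory)] [string]$Source,
    [string]$Target = "$env:SystemRoot\System32\ikeext.dll"
)
$ErrorActionPreference = 'Stop'

# Only swap in a DLL that still carries a valid Microsoft signature; a copy
# that has been modified or re-signed by someone else is rejected here.
$sig = Get-AuthenticodeSignature -FilePath $Source
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to install ${Source}: signature status is $($sig.Status)"
}

# Step 4: show the installed (2022) build next to the replacement (2021) build.
$old = Get-Item -Path $Target
$new = Get-Item -Path $Source
"Installed:   {0} (file version {1}, dated {2:yyyy-MM-dd})" -f $Target, $old.VersionInfo.FileVersion, $old.LastWriteTime
"Replacement: {0} (file version {1}, dated {2:yyyy-MM-dd})" -f $Source, $new.VersionInfo.FileVersion, $new.LastWriteTime

# Step 5: System32 files are owned by TrustedInstaller; take ownership and
# grant the local Administrators group Full Control.
takeown.exe /F $Target | Out-Null
icacls.exe $Target /grant 'Administrators:F' | Out-Null

# Step 6: ikeext.dll is hosted by the IKEEXT service (IKE and AuthIP IPsec
# Keying Modules); -Force also stops anything that depends on it.
Stop-Service -Name IKEEXT -Force

# Steps 7-8: keep the 2022 build as ikeext.dll.old, then drop in the 2021 build.
Move-Item -Path $Target -Destination "${Target}.old" -Force
Copy-Item -Path $Source -Destination $Target

# Step 9: bring IKEEXT back up and confirm it is running on the swapped build.
Start-Service -Name IKEEXT
Get-Service -Name IKEEXT | Select-Object -Property Name, Status
"Now running: file version {0}" -f (Get-Item -Path $Target).VersionInfo.FileVersion
```

Keep the `.old` copy: it is the fully patched build you will want back once Microsoft ships a fix, and the next cumulative update may replace the DLL again, so re-check the file version after each patch cycle.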

You’ll find that your L2TP VPN will now work, keeping the Jan 2022 patches and isolating the roll-back to just one DLL.

R

Russell Mickler

Russell Mickler is a computer consultant in Vancouver, WA, who helps small businesses use technology better.

https://www.micklerandassociates.com/about