Windows L2TP/IPsec VPN fails with RasClient 651 when WSL2 mirrored networking is running #40936

Description

@jereviikari

Windows Version

Microsoft Windows [Version 10.0.26200.8655]

WSL Version

2.7.10.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

6.18.33.2-2

Distro Version

Ubuntu 26.04

Other Software

Windows built-in VPN client using L2TP/IPsec with pre-shared key.

.wslconfig

  [wsl2]
  networkingMode=mirrored
  dnsTunneling=true
  autoProxy=true

  guiApplications=true
  nestedVirtualization=true
  vmIdleTimeout=1000

  [experimental]
  autoMemoryReclaim=gradual
  sparseVhd=true

### Repro Steps

  1. Configure WSL2 with networkingMode=mirrored.
  2. Start Ubuntu under WSL2.
  3. Attempt to connect a Windows built-in L2TP/IPsec VPN profile.
  4. Observe that the VPN fails.
  5. Run wsl --shutdown.
  6. Retry the same VPN profile from the Windows taskbar Network applet.


### Expected Behavior

The Windows built-in L2TP/IPsec VPN should connect regardless of whether WSL2 Ubuntu is running with mirrored networking enabled.

### Actual Behavior

  When Ubuntu/WSL2 is running with mirrored networking enabled, the VPN fails with RasClient error 651.

  Observed Event Viewer / RasClient result, with private names and endpoints redacted:

  The user <redacted> dialed a connection named <redacted> which has failed.
  The error code returned on failure is 651.
  Device = WAN Miniport (L2TP)
  Server address/Phone Number = <redacted>

  IKE/IPsec events show that IPsec main mode and quick mode are established, then immediately terminated:

  IPsec: Main Mode SA Established
  An IPsec quick mode security association was established
  An IPsec quick mode security association ended
  IPsec: Main Mode SA Terminated

  After running:

  wsl --shutdown

  the same VPN gets past link establishment. Connecting from the Windows taskbar Network applet then succeeds.

### Additional Context

  This appears similar to #10830, but that issue is closed and was reported against WSL 2.0.11.0. This still reproduces on WSL 2.7.10.0 with mirrored networking.

  The selected route to the VPN server was the physical Wi-Fi interface, not WSL. Endpoint details are intentionally redacted because this is a private VPN gateway.

### Diagnostic Logs

_No response_
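
The repro steps above as an A/B script, added here as an example and not part of the original report. It assumes the VPN profile has saved credentials and dials it with `rasdial` instead of the taskbar applet; `<vpn-profile-name>` and the distro name `Ubuntu` are placeholders.

```powershell
# Added example, not from the issue. Placeholders/assumptions are marked.
param(
    [string]$ProfileName = '<vpn-profile-name>',  # placeholder: the L2TP/IPsec profile name
    [string]$Distro      = 'Ubuntu'               # assumption: distro name from `wsl -l`
)

function Invoke-DialTest {
    param([string]$Phase)
    # rasdial uses the credentials saved with the profile; its exit code is
    # the RAS error code (0 = connected, 651 = the failure in this report).
    rasdial.exe $ProfileName | Out-Null
    $code = $LASTEXITCODE
    if ($code -eq 0) { rasdial.exe $ProfileName /disconnect | Out-Null }
    [pscustomobject]@{ Phase = $Phase; RasError = $code; At = Get-Date }
}

# Precondition from the report: mirrored networking in .wslconfig.
$cfg = Join-Path $env:USERPROFILE '.wslconfig'
if (-not (Test-Path $cfg) -or
    -not (Select-String -Path $cfg -Pattern '^\s*networkingMode\s*=\s*mirrored' -Quiet)) {
    throw "networkingMode=mirrored not found in $cfg; this check does not apply."
}

$start = Get-Date

# Phase 1: keep the WSL2 VM alive while dialing (repro steps 1-4).
Start-Process wsl.exe -ArgumentList '-d', $Distro, '--', 'sleep', '120' -WindowStyle Hidden
Start-Sleep -Seconds 10
$results = @(Invoke-DialTest -Phase 'WSL2 running (mirrored)')

# Phase 2: stop the VM and retry the same profile (repro steps 5-6).
wsl.exe --shutdown
Start-Sleep -Seconds 10
$results += Invoke-DialTest -Phase 'after wsl --shutdown'

$results | Format-Table -AutoSize

# RasClient entries written during the run, for attaching to the report.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; StartTime = $start } `
    -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A result of 651 in the first phase and 0 in the second matches the behavior described in the report.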
