www.broadbandreports.com
  

johnpsph

join:2003-11-16
Saint Louis, MO
·Charter Pipeline


edit:
May 8th, @09:35AM

Server 2k3 cannot connect to VPN via L2TP over IPsec

I recently set up a VPN server on a 2k3 machine, and it worked flawlessly when I had the client select "Type of VPN: Automatic". However, when I manually changed the type to L2TP over IPsec, entered a PSK (this is using the built-in Vista VPN client), then in the Routing and Remote Access configuration, I right click my server name, go to properties, then the security tab, and check "Allow custom IPsec policy for L2TP connections" and enter the same PSK, attempting to connect to the server generates the following client error: "Error 732: Your computer and the remote computer could not agree on PPP control protocols."

On the server in Event Viewer I get: "Unable to add the interface {FE282F3E-B086-43D9-8AD5-AFC281B11CB0} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function."

Any suggestions as to what I can do to solve this would be greatly appreciated. Thanks

Sorry to cross-post, but I also posted about this in the MS forum, but wasn't able to get a solution. However, I put up a bunch of screenshots here:

»[2K3] Cannot connect to VPN via L2TP over IPsec: "could not


MattE
Obama '08
Premium
join:2003-07-20
Jamestown, NC
·North State Commun..
·Corporate Colocation

said by johnpsph:

I recently set up a VPN server on a 2k3 machine, and it worked flawlessly when I had the client select "Type of VPN: Automatic". However, when I manually changed the type to L2TP over IPsec, entered a PSK (this is using the built-in Vista VPN client), then in the Routing and Remote Access configuration, I right click my server name, go to properties, then the security tab, and check "Allow custom IPsec policy for L2TP connections" and enter the same PSK, attempting to connect to the server generates the following client error: "Error 732: Your computer and the remote computer could not agree on PPP control protocols."

On the server in Event Viewer I get: "Unable to add the interface {FE282F3E-B086-43D9-8AD5-AFC281B11CB0} with the Router Manager for the IP protocol. The following error occurred: Cannot complete this function."

Any suggestions as to what I can do to solve this would be greatly appreciated. Thanks

Sorry to cross-post, but I also posted about this in the MS forum, but wasn't able to get a solution. However, I put up a bunch of screenshots here:

»[2K3] Cannot connect to VPN via L2TP over IPsec: "could not

Reboot your RRAS server or disable RRAS, reboot your server, then configure RRAS again.

I had the same issue a week ago.

johnpsph

Thanks for the tip. I'm actually out of town for the weekend, but I'll give it a try as soon as I'm back and let you know how it works for me. Thanks again.

DocLarge
Premium
join:2004-09-08
England
reply to johnpsph
Are you running a certificate server? This is usually a prerequisite when using L2TP, unless I'm mistaken...

Jay


MattE
said by DocLarge:

Are you running a certificate server? This is usually a prerequisite when using L2TP, unless I'm mistaken...

Jay
You are. But don't worry, I thought the same thing for the longest time.

You can use L2TP with a pre-shared key instead of certificates.

DocLarge
Nice! How did you set that up if I may ask (not to get too far off topic)..

johnpsph

Well, I actually reinstalled Server 2k3 and Exchange 2003 altogether, had the same issue, tried what you suggested, but I'm still having the same issue and error. Any logs I can post up that might help?


MattE
[Attached screenshot: RRAS Authentication Methods]
said by johnpsph:

Well, I actually reinstalled Server 2k3 and Exchange 2003 altogether, had the same issue, tried what you suggested, but I'm still having the same issue and error. Any logs I can post up that might help?
Make sure you enable MS CHAP v2. I think it may be disabled by default and Vista doesn't support MS CHAP v1.

You can check this by opening the RRAS console, right clicking on the server and choosing properties, choosing the security tab and clicking the "Authentication" button under the Authentication provider at the top.

FWIW, I ONLY have MS CHAP v2 enabled and all my Vista/XP users have no trouble.


MattE
reply to DocLarge
said by DocLarge:

Nice! How did you set that up if I may ask (not to get too far off topic)..
See the screenshot I have attached. You just enter the PSK on the left side of the screenshot, then enable it in your VPN client under IPSec settings.

johnpsph



edit:
May 12th, @01:25PM

I think I might be cursed... All right, I set it up exactly as you said (before I'd had PEAP enabled as well), and now I get a new error message: "Error 691: The connection was denied because the username and/or password you specified is invalid." However, I double checked, and re-entered, several times, the username and password, only to keep getting the same error. If I flipped back over to PPTP on the Vista client, using the same username and password, it works just fine. It only gives me that error when I try to use L2TP over IPsec (I also double checked the PSK, but to no avail).

Edit: Also, I double checked that my user account has Dial in permission granted.


MattE


edit:
May 12th, @02:29PM

Hrm, never seen that one before but this MS KB article says it's a domain issue: »support.microsoft.com/kb/310431

You may want to try username@domain in the username field, or use the username in the username field and put the NetBIOS domain name in the domain field.

I have a few clients where one or the other works.

johnpsph

Well, I don't have a domain field in the Vista VPN Client, but I did try username@domain.com, but still had the same problem


MattE
said by johnpsph:

Well, I don't have a domain field in the Vista VPN Client, but I did try username@domain.com, but still had the same problem
You have to enable the domain field in the VPN properties.

johnpsph



edit:
May 13th, @03:15AM

Oh ok. Well, I tried that too, but got the same 691 error.

I just realized that there is a fact I haven't mentioned about my setup. The machine in question just has one NIC, so I set up a custom RRAS for VPN, I was not able to go through the standard VPN bulleted option in the RRAS setup.


MattE
said by johnpsph:

Oh ok. Well, I tried that too, but got the same 691 error.

I just realized that there is a fact I haven't mentioned about my setup. The machine in question just has one NIC, so I set up a custom RRAS for VPN, I was not able to go through the standard VPN bulleted option in the RRAS setup.
Do you have L2TP ports listed under ports?

johnpsph

Yes, looks like 1-99.


MattE
Hrm, I'd start looking at whether or not your routers pass IPSec through properly. Are there NAT routers at either end?

If so, check for an IPSec passthru setting in the router and make sure it's enabled (or disabled as some need to be).

johnpsph

I set up IPsec passthrough on the router previously, but that doesn't seem to have been the issue. The 2k3 server is behind a NAT Router with firewall port 1723 forwarded to it. Are there any other ports I should forward?


MattE
said by johnpsph:

I set up IPsec passthrough on the router previously, but that doesn't seem to have been the issue. The 2k3 server is behind a NAT Router with firewall port 1723 forwarded to it. Are there any other ports I should forward?
For IPSec/L2TP you need to forward UDP 4500 for IPSec NAT-T, UDP 500 for ISAKMP, and the ESP protocol to the RRAS server. The ESP protocol portion may be where you're running into trouble.

You only need 1723 and the GRE protocol for PPTP.
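
Added example (not part of any post in this thread): a small audit of a NAT router's forwarding rules against the forwards listed in the reply above, showing why a router with only TCP 1723 forwarded leaves every L2TP/IPsec requirement uncovered. The rule syntax (`udp/500`, `proto/50`) and the sample rule lists are constructed for illustration; ESP and GRE are IP protocols (50 and 47), not ports, so they are matched separately from TCP/UDP ranges.

```python
import re

# IANA IP protocol numbers: ESP = 50, GRE = 47 (protocols, not ports).
ESP, GRE = 50, 47

# Forwards required per VPN type, as listed in the reply above.
REQUIRED = {
    "L2TP/IPsec": [("udp", 500, "ISAKMP"), ("udp", 4500, "IPsec NAT-T"),
                   ("ip", ESP, "ESP")],
    "PPTP": [("tcp", 1723, "PPTP control"), ("ip", GRE, "GRE")],
}

# Hypothetical rule syntax for this example: tcp/N, udp/N-M, or proto/N.
RULE_RE = re.compile(r"^(tcp|udp)/(\d+)(?:-(\d+))?$|^proto/(\d+)$")

def parse_rule(text):
    """Parse 'udp/500', 'udp/500-4500' or 'proto/50' into (kind, low, high)."""
    m = RULE_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")
    if m.group(4):                      # bare IP protocol, no port numbers
        n = int(m.group(4))
        return ("ip", n, n)
    low = int(m.group(2))
    high = int(m.group(3) or low)
    if not (0 < low <= high <= 65535):
        raise ValueError(f"bad port range: {text!r}")
    return (m.group(1), low, high)

def missing_forwards(rules, vpn_type):
    """Return the labels of required forwards that no rule covers."""
    parsed = [parse_rule(r) for r in rules]
    gaps = []
    for kind, number, label in REQUIRED[vpn_type]:
        if not any(k == kind and lo <= number <= hi for k, lo, hi in parsed):
            gaps.append(label)
    return gaps

# Constructed samples: only TCP 1723 forwarded, then with the three
# L2TP/IPsec forwards added.
BEFORE = ["tcp/1723"]
AFTER = ["tcp/1723", "udp/500", "udp/4500", "proto/50"]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for vpn in REQUIRED:
            print(name, vpn, "missing:", missing_forwards(rules, vpn) or "none")
```

Many consumer routers expose ESP and GRE only through a "passthrough" toggle rather than a forward rule, so a gap reported for those two protocols means "check the passthrough setting", not necessarily "add a rule".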

johnpsph


edit:
May 14th, @02:03PM

All right, I forwarded the ports in question, but I'm still getting the same error, even though I have the router set up for IPsec and L2TP over IPsec passthrough. I'd be happy to post up a few screenshots of the router's setup if that might help.