DocLarge (Premium, join:2004-09-08, England), reply to MattE, Re: Server 2k3 cannot connect to VPN via L2TP over IPsec
Nice! How did you set that up, if I may ask (not to get too far off topic)?
johnpsph (join:2003-11-16, Saint Louis, MO):
Well, I actually reinstalled Server 2k3 and Exchange 2003 altogether, had the same issue, tried what you suggested, but I'm still having the same issue and error. Any logs I can post up that might help?
MattE (Obama '08, Premium, join:2003-07-20, Jamestown, NC):
RRAS Authentication Methods
said by johnpsph: Well, I actually reinstalled Server 2k3 and Exchange 2003 altogether, had the same issue, tried what you suggested, but I'm still having the same issue and error. Any logs I can post up that might help?
Make sure you enable MS CHAP v2. I think it may be disabled by default, and Vista doesn't support MS CHAP v1.
You can check this by opening the RRAS console, right-clicking on the server and choosing Properties, choosing the Security tab and clicking the "Authentication" button under the Authentication provider at the top.
FWIW, I ONLY have MS CHAP v2 enabled and all my Vista/XP users have no trouble.
MattE (Obama '08, Premium, join:2003-07-20, Jamestown, NC), reply to DocLarge:
said by DocLarge: Nice! How did you set that up, if I may ask (not to get too far off topic)?
See the screenshot I have attached. You just enter the PSK on the left side of the screenshot, then enable it in your VPN client under IPSec settings.
johnpsph (join:2003-11-16, Saint Louis, MO), edit: May 12th, @01:25PM:
I think I might be cursed... All right, I set it up exactly as you said (before, I'd had PEAP enabled as well), and now I get a new error message: "Error 691: The connection was denied because the username and/or password you specified is invalid." However, I double-checked, and re-entered, several times, the username and password, only to keep getting the same error. If I flip back over to PPTP on the Vista client, using the same username and password, it works just fine. It only gives me that error when I try to use L2TP over IPsec (I also double-checked the PSK, but to no avail).
Edit: Also, I double-checked that my user account has Dial-in permission granted.
MattE (Obama '08, Premium, join:2003-07-20, Jamestown, NC), edit: May 12th, @02:29PM:
Hrm, never seen that one before, but this MS KB article says it's a domain issue: support.microsoft.com/kb/310431
You may want to try username@domain in the username field, or use the username in the username field and put the NetBIOS domain name in the domain field.
I have a few clients where one or the other works.
johnpsph (join:2003-11-16, Saint Louis, MO):
Well, I don't have a domain field in the Vista VPN client, but I did try username@domain.com, and still had the same problem.
MattE (Obama '08, Premium, join:2003-07-20, Jamestown, NC):
said by johnpsph: Well, I don't have a domain field in the Vista VPN client, but I did try username@domain.com, and still had the same problem.
You have to enable the domain field in the VPN properties.
johnpsph (join:2003-11-16, Saint Louis, MO), edit: May 13th, @03:15AM:
Oh, OK. Well, I tried that too, but got the same 691 error.
I just realized that there is a fact I haven't mentioned about my setup. The machine in question has just one NIC, so I set up a custom RRAS configuration for VPN; I was not able to go through the standard VPN bulleted option in the RRAS setup.
MattE (Obama '08, Premium, join:2003-07-20, Jamestown, NC):
said by johnpsph: Oh, OK. Well, I tried that too, but got the same 691 error. I just realized that there is a fact I haven't mentioned about my setup. The machine in question has just one NIC, so I set up a custom RRAS configuration for VPN; I was not able to go through the standard VPN bulleted option in the RRAS setup.
Do you have L2TP ports listed under Ports?
johnpsph (join:2003-11-16, Saint Louis, MO):
Yes, looks like 1-99.
MattE (Obama '08, Premium, join:2003-07-20, Jamestown, NC):
Hrm, I'd start looking at whether or not your routers pass IPSec through properly. Are there NAT routers at either end?
If so, check for an IPSec passthru setting in the router and make sure it's enabled (or disabled, as some need to be).
johnpsph (join:2003-11-16, Saint Louis, MO):
I set up IPsec passthrough on the router previously, but that doesn't seem to have been the issue. The 2k3 server is behind a NAT router with firewall port 1723 forwarded to it. Are there any other ports I should forward?
MattE (Obama '08, Premium, join:2003-07-20, Jamestown, NC):
said by johnpsph: I set up IPsec passthrough on the router previously, but that doesn't seem to have been the issue. The 2k3 server is behind a NAT router with firewall port 1723 forwarded to it. Are there any other ports I should forward?
For IPSec/L2TP you need to forward UDP 4500 for IPSec NAT-T, UDP 500 for ISAKMP, and the ESP protocol to the RRAS server. The ESP protocol portion may be where you're running into trouble.
You only need 1723 and the GRE protocol for PPTP.
johnpsph (join:2003-11-16, Saint Louis, MO), edit: May 14th, @02:03PM:
All right, I forwarded the ports in question, but I'm still getting the same error, even though I have the router set up for IPsec and L2TP over IPsec passthrough. I'd be happy to post up a few screenshots of the router's setup if that might help.
johnpsph (join:2003-11-16, Saint Louis, MO):
Alternately, I have to run out, but I may try putting my server in the DMZ to see if that works.
johnpsph (join:2003-11-16, Saint Louis, MO):
Well, I tried that, and it didn't work. I also tried turning the firewall on the router off altogether for a minute, but I'm still getting the 691 message....
MattE (Obama '08, Premium, join:2003-07-20, Jamestown, NC):
Do you know for a fact that your router supports forwarding ESP? It needs to allow it WAN -> LAN, not just LAN -> WAN.
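The two points MattE makes about the router (the port list for L2TP/IPsec versus PPTP, and that ESP must be permitted WAN -> LAN rather than only LAN -> WAN) can be checked mechanically before touching RRAS again. The script below is an added example, not code from the thread or from any router vendor; the rule file format and the sample rule set are constructed for illustration, and the IP protocol numbers (GRE = 47, ESP = 50) are added here, not taken from the posts. It encodes the requirements exactly as the thread states them and reports which inbound forwards to the RRAS server are missing.

```python
"""Check a router's forwarding rules against what RRAS needs for each VPN type.

Added example (not from the thread). Rule format is constructed:
    <in|out> <tcp|udp|gre|esp> <port|-> <lan-target>
'in' means WAN -> LAN toward the RRAS server; 'out' means LAN -> WAN only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Requirements as stated in the thread: PPTP needs TCP 1723 + GRE,
# L2TP/IPsec needs UDP 500 (ISAKMP), UDP 4500 (NAT-T) and ESP.
REQUIREMENTS = {
    "pptp": [("tcp", 1723), ("gre", None)],
    "l2tp-ipsec": [("udp", 500), ("udp", 4500), ("esp", None)],
}
# IP protocol numbers for the non-TCP/UDP protocols (added, not from the thread).
PROTOCOL_NUMBERS = {"gre": 47, "esp": 50}


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    protocol: str         # "tcp", "udp", "gre" or "esp"
    port: Optional[int]   # only meaningful for tcp/udp; None for gre/esp
    target: str           # LAN address the rule forwards to


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line; '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, proto, port, target = line.split()
        rules.append(Rule(direction.lower(), proto.lower(),
                          None if port == "-" else int(port), target))
    return rules


def missing_for(vpn_type: str, rules: List[Rule],
                server: str) -> List[Tuple[str, Optional[int]]]:
    """Return the (protocol, port) pairs not forwarded inbound to `server`.

    Only 'in' rules count: an ESP rule that exists LAN -> WAN but not
    WAN -> LAN is reported as missing, which is the trap in the last post.
    """
    inbound = {(r.protocol, r.port) for r in rules
               if r.direction == "in" and r.target == server}
    return [req for req in REQUIREMENTS[vpn_type] if req not in inbound]


def report(rules: List[Rule], server: str) -> List[str]:
    """Human-readable summary, one line per VPN type or per gap."""
    lines = []
    for vpn_type in REQUIREMENTS:
        gaps = missing_for(vpn_type, rules, server)
        if not gaps:
            lines.append(f"{vpn_type}: all required inbound rules present")
            continue
        for proto, port in gaps:
            if port is not None:
                what = f"{proto.upper()} {port}"
            else:
                what = f"{proto.upper()} (IP protocol {PROTOCOL_NUMBERS[proto]})"
            lines.append(f"{vpn_type}: missing inbound {what} to {server}")
    return lines


# Constructed sample: PPTP fully forwarded, L2TP/IPsec only partly, because
# ESP is allowed LAN -> WAN only. This mirrors the symptom in the thread:
# PPTP works, L2TP/IPsec does not.
SAMPLE_RULES = """
in  tcp 1723 192.168.1.10
in  gre -    192.168.1.10
in  udp 500  192.168.1.10
in  udp 4500 192.168.1.10
out esp -    192.168.1.10   # outbound only; WAN -> LAN ESP is absent
"""

if __name__ == "__main__":
    for line in report(parse_rules(SAMPLE_RULES), "192.168.1.10"):
        print(line)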