Error 792 - The L2TP connection attempt failed because security negotiation timed out

From: Guillaume Tamisier (wrong_at_email.com)
Date: 03/20/05


Date: Sun, 20 Mar 2005 15:55:00 +0100

Hi,

I recently set up a VPN access for my company employees. I chose L2TP/IPSec
for the tunneling protocol and EAP-TLS for the authentication protocol for
maximum security. The VPN access works pretty well, but sometimes, when a
user tries to connect, he receives the message: "Error 792 - The L2TP
connection attempt failed because security negotiation timed out". An entry
is also written in the security event log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 20/03/2005
Time: 00:46:17
User: NT AUTHORITY\NETWORK SERVICE
Computer: TITUS
Description:
IKE security association negotiation failed.
 Mode:
Key Exchange Mode (Main Mode)

 Filter:
Source IP Address 192.168.2.25
Source IP Address Mask 255.255.255.255
Destination IP Address 193.31.14.117
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.2.25
IKE Peer Addr 193.31.14.117

 Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject CN=titus.aliantiz.org
My SHA Thumbprint 381ed26a335e9fe1a56d4f119e7bd4fdf2565986
Peer IP Address: 193.31.14.117

  Failure Point:
Me

 Failure Reason:
Negotiation timed out

 Extra Status:
0x0 0x0

So it seems that the VPN server does not send a correct computer certificate
(Peer SHA Thumbprint 0000000000000000000000000000000000000000).

If the user waits for several minutes before attempting to connect again,
then it works. The problem seems to occur only with the Windows XP VPN
client (not with the Windows Server 2003 VPN client).

The VPN server is an ISA Server 2004 server, directly connected to the
Internet (there is no server between the Internet network and the ISA
server). We use RADIUS for authentication (the ISA computer is not part of
the domain).

How can I troubleshoot this error? Any help would be appreciated!

Thanks.

-- 
Guillaume Tamisier 
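As an added example (not part of the original post and not a Microsoft tool), the following Python script parses Event ID 547 "IKE security association negotiation failed" audit entries in the text layout quoted above, groups them per IKE peer, and flags entries whose Peer SHA Thumbprint is all zeros, which is the detail the author points at: the audit was recorded before any peer certificate had been received. The sample log reuses the quoted entry (Filter lines trimmed) and adds two constructed entries; the second peer address 198.51.100.7, its thumbprint and its failure reason are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log. Entry 1 reproduces the audit quoted in the post
# (Filter lines trimmed). Entries 2 and 3 are made up for this example: a
# second timeout from the same peer a few minutes later, and a failure from
# another peer whose certificate was received (non-zero thumbprint).
SAMPLE_LOG = r"""
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 20/03/2005
Time: 00:46:17
User: NT AUTHORITY\NETWORK SERVICE
Computer: TITUS
Description:
IKE security association negotiation failed.
 Mode:
Key Exchange Mode (Main Mode)
 Filter:
IKE Local Addr 192.168.2.25
IKE Peer Addr 193.31.14.117
 Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
My Subject CN=titus.aliantiz.org
My SHA Thumbprint 381ed26a335e9fe1a56d4f119e7bd4fdf2565986
Peer IP Address: 193.31.14.117
  Failure Point:
Me
 Failure Reason:
Negotiation timed out
 Extra Status:
0x0 0x0

Event Type: Failure Audit
Event ID: 547
Date: 20/03/2005
Time: 00:49:02
Computer: TITUS
IKE Peer Addr 193.31.14.117
Peer SHA Thumbprint 0000000000000000000000000000000000000000
 Failure Point:
Me
 Failure Reason:
Negotiation timed out

Event Type: Failure Audit
Event ID: 547
Date: 20/03/2005
Time: 01:10:33
Computer: TITUS
IKE Peer Addr 198.51.100.7
Peer SHA Thumbprint 5a8f0c31e2b7d4469fa1c0e8d2b3f7a19c4e6d02
 Failure Point:
Me
 Failure Reason:
IKE authentication credentials are unacceptable
"""


@dataclass
class IkeFailure:
    date: str
    time: str
    peer_addr: str
    peer_thumbprint: str
    failure_point: str
    failure_reason: str

    @property
    def peer_cert_missing(self) -> bool:
        # An all-zero thumbprint means no peer certificate was recorded for
        # this SA attempt, i.e. the exchange did not get as far as identities.
        return re.fullmatch(r"0{40}", self.peer_thumbprint) is not None


def _line_value(chunk: str, label: str) -> str:
    """Value following `label` on the same line, e.g. 'Time: 00:46:17'."""
    m = re.search(rf"(?m)^[ \t]*{re.escape(label)}[ \t]*(.*)$", chunk)
    return m.group(1).strip() if m else ""


def _block_value(chunk: str, label: str) -> str:
    """Value on the line after a block label, e.g. ' Failure Reason:'."""
    m = re.search(rf"(?m)^[ \t]*{re.escape(label)}[ \t]*\n[ \t]*(.*)$", chunk)
    return m.group(1).strip() if m else ""


def parse_ike_failures(text: str) -> List[IkeFailure]:
    """Split a security log dump into events and keep the Event ID 547 ones."""
    failures = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not re.search(r"(?m)^Event ID: 547$", chunk):
            continue
        failures.append(IkeFailure(
            date=_line_value(chunk, "Date:"),
            time=_line_value(chunk, "Time:"),
            peer_addr=_line_value(chunk, "IKE Peer Addr"),
            peer_thumbprint=_line_value(chunk, "Peer SHA Thumbprint").lower(),
            failure_point=_block_value(chunk, "Failure Point:"),
            failure_reason=_block_value(chunk, "Failure Reason:"),
        ))
    return failures


def summarize(failures: List[IkeFailure]) -> Dict[str, dict]:
    """Per peer: total failures, timeouts, entries with no peer certificate."""
    summary: Dict[str, dict] = {}
    for f in failures:
        s = summary.setdefault(f.peer_addr,
                               {"total": 0, "timeouts": 0, "no_peer_cert": 0, "reasons": set()})
        s["total"] += 1
        s["reasons"].add(f.failure_reason)
        if "timed out" in f.failure_reason.lower():
            s["timeouts"] += 1
        if f.peer_cert_missing:
            s["no_peer_cert"] += 1
    return summary


if __name__ == "__main__":
    for peer, s in summarize(parse_ike_failures(SAMPLE_LOG)).items():
        flag = " (no peer certificate recorded)" if s["no_peer_cert"] else ""
        print(f"{peer}: {s['total']} failures, {s['timeouts']} timed out{flag}; "
              f"reasons: {sorted(s['reasons'])}")
```

Run against a saved export of the Security log, a peer that repeatedly times out with a zero thumbprint and then succeeds minutes later stands out from peers whose failures carry a real thumbprint and a credential-related reason, which separates "Main Mode never completed" cases from certificate or policy mismatches.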

