Re: L2TP/IPSEC - error 678


From: JJ (iamjimjones_at_earthlink.net)
Date: 01/04/05


Date: Tue, 04 Jan 2005 18:48:57 GMT

In article <3M4Cd.7670$JC2.3460@newsread2.news.atl.earthlink.net>,
iamjimjones@earthlink.net says...
> I am in the middle of a win2003 RAS rollout...with an end goal of L2TP/IPSEC
> for both VPN and wireless connections (802.1x). I've waded through the PKI
> setup...certs are issued to my IAS/RAS servers and my test client machine.
>
> Servers are all win2003...client is winXP (sp2). RAS server has a public IP
> (firewalled) and a private IP (for corporate LAN)...authentication is via
> IAS installed on win2003 DC's...client is using standard dial-up (no NAT).
>
> I can establish a VPN connection through PPTP...with either CHAP or
> EAP-TLS...with no problems.
>
> When I attempt to connect via L2TP/IPSEC I consistently get 678 errors
> (server did not respond)...this is the case for both preshared key and
> certificate attempts.
>
> When I attempt the L2TP connection it behaves as if it were a firewall
> problem...client sends out an L2TP request on 1701...and then seemingly
> nothing happens...error 678 server did not respond. However...I have tested
> with the client and RAS server on the same (public) subnet...as well as
> opening all traffic to/from the RAS server from another known public IP. So
> I am fairly confident it is not a firewall issue.
>
> The fact that PPTP works with EAP-TLS would seem to imply that it is not a
> certificate related problem. As would the fact that L2TP also fails with
> preshared key attempts.
>
> I've not been this stumped in quite some time...would appreciate advice on
> where to focus troubleshooting efforts.
>

Problem (FINALLY) solved...and I hope one of the MS guys can/will
comment on this. IPSEC was disabled in the registry on my client
machine. Not sure how/why this was so...perhaps an SP2 change on XP?

Anyway...the key I needed to change to get L2TP/IPSEC working:

HKLM\System\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec

Changed from 1 (default?!?) to 0...problem solved.
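
A check for the registry value named in the post above, as an added example that is not part of the original post. The function name, the state labels and the -Fix switch are hypothetical; the interpretation of each value follows Microsoft's documentation of ProhibitIpSec, where 1 turns off the automatic IPsec policy that RasMan creates for L2TP connections.

```powershell
# Added example (not from the original post). Reads ProhibitIpSec under the
# RasMan parameters key from the post and reports what it means for L2TP.
function Get-ProhibitIpSecState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters',
        [string]$Name = 'ProhibitIpSec',
        [switch]$Fix   # hypothetical switch: write 0 when the value is 1
    )

    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: nothing overrides the automatic policy.
        return [pscustomobject]@{
            Value = $null; State = 'NotSet'
            Meaning = 'No override present; automatic IPsec policy for L2TP applies'
        }
    }

    $value = [int]$item.$Name
    switch ($value) {
        0       { $state = 'Allowed';    $meaning = 'Automatic IPsec policy for L2TP applies' }
        1       { $state = 'Prohibited'; $meaning = 'Automatic IPsec policy is off; L2TP is not protected by it' }
        default { $state = 'Unexpected'; $meaning = 'Value is neither 0 nor 1; review manually' }
    }

    # Writing under HKLM needs an elevated session; -WhatIf previews the change.
    if ($Fix -and $value -eq 1 -and $PSCmdlet.ShouldProcess("$Path\$Name", 'Set to 0')) {
        Set-ItemProperty -Path $Path -Name $Name -Value 0 -Type DWord
        $value = 0; $state = 'Allowed'
        # Assumption: the new value takes effect only after a restart.
        $meaning = 'Set to 0; restart before retesting the L2TP connection'
    }

    [pscustomobject]@{ Value = $value; State = $state; Meaning = $meaning }
}

Get-ProhibitIpSecState | Format-List
```

A machine reporting Prohibited will either fail the L2TP/IPSEC connection, as in the post, or, where the server accepts it, carry L2TP without that IPsec protection, so the state is worth checking on clients before a rollout.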


