VPN Problem, PC not Authenticating with Server

Discussion in 'Windows Small Business Server' started by Roger, Feb 9, 2006.

  1. Roger

    Roger Guest

    I have a client that has an SBS2003 server; they also have a hardware-based
    firewall, which all works.
    The problem is that we are trying to use the L2TP/IPSec Windows XP VPN
    client to VPN to the firewall so they can get to their server. The remote PC
    can ping the server, but it will not authenticate to allow access to shares
    and email.

    If you log onto the local PC as the administrator and give it the same
    password as the server, it all works ?!!
     
    Roger, Feb 9, 2006
    #1

  2. Crina Li

    Crina Li Guest

    Hi Roger,

    Thank you for posting in the SBS newsgroup.

    From the description, do you mean you have configured L2TP/IPSec VPN
    between Windows XP and SBS? If so, would you please help me confirm which
    is the VPN server, SBS or router?

    According to my research, it appears that the XP client cannot establish
    the connection if the NAT router does not open the following required ports
    and protocols for L2TP/IPSec NAT-T connections.

    - L2TP - User Datagram Protocol (UDP) 500, UDP 1701
    - NAT-T - UDP 4500
    - ESP - Internet Protocol (IP) protocol 50

    Please make sure that all of the ports and protocols are opened.

    Regarding the configuration of L2TP VPN, please also refer to the following
    documents:

    247231 Event ID 20111, Error 792 or Error 781 When Establishing an
    L2TP/IPSec Connection
    http://support.microsoft.com/?id=247231

    818043 L2TP/IPsec NAT-T update for Windows XP and Windows 2000
    http://support.microsoft.com/?id=818043

    885348 IPSec NAT-T is not recommended for Windows Server 2003 computers that
    http://support.microsoft.com/?id=885348

    324258 HOW TO: Configure a Preshared Key for Use with Layer 2 Tunneling
    Protocol Connections in Windows Server 2003
    http://support.microsoft.com/?id=324258

    Computer certificates for L2TP/IPSec VPN connections
    http://technet2.microsoft.com/WindowsServer/en/Library/222d5646-4e81-4efb-af6e-616e9cd3f7db1033.mspx

    Virtual Private Networking with Windows Server 2003: Deploying Remote
    Access VPNs
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx

    Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx

    259335 Basic L2TP/IPSec troubleshooting in Windows 2000
    http://support.microsoft.com/?id=259335

    I just wanted to stress the following:

    To use L2TP in Windows Server 2003, you must have a public key
    infrastructure (PKI) to issue computer certificates to the VPN server and
    to clients so that the IKE authentication process can occur.

    With Windows Server 2003, although you can use a preshared key for IKE
    authentication, we don't encourage the use of preshared keys, because it is
    a less secure method of authentication than certificates. Preshared keys
    are not meant to replace the use of certificates; instead, preshared keys
    are another method for testing and internal operations.

    In order to create an L2TP/IPSec connection using the computer certificate
    authentication method, you must install a certificate in the local computer
    certificate store on the VPN client and VPN server computer. To install a
    computer certificate, a certification authority must be present to issue
    certificates. Once the certification authority is configured, you can
    install a certificate in three different ways:

    - By configuring the automatic enrollment, or auto-enrollment, of computer
    certificates to computers in a Windows Server 2003 domain.

    - By using the Certificates snap-in to obtain a computer certificate.

    - By using your browser to connect to the CA Web enrollment pages to
    install a certificate on the local computer or to a floppy disk for
    installation on another computer, such as a user's home computer.

    Please note that the autoenrollment of remote access clients with the
    appropriate certificate requires the creation and usage of a Version 2
    certificate template. Version 2 certificates are not available on or
    distributable by Windows Server 2003, Standard Edition, but they are
    distributable by Windows Server 2003, Enterprise Edition. SBS 2003 is built
    on Windows Server 2003 Standard Edition, therefore, version 2 certificates
    are not supported.

    You can add an additional member server running Windows Server 2003
    Enterprise as the CA server, so that you can allow for autoenrollment. Or
    else you have to enroll certificates through the Web enrollment method.

    Windows 98 does not support virtual private networking (VPN) protocols,
    like Internet Protocol security (IPSec) or Layer 2 Tunneling Protocol
    (L2TP). You should install the Microsoft L2TP/IPSec VPN Client at:

    Microsoft L2TP/IPSec VPN Client
    http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp

    Also, I provide some general steps below to configure VPN access in an SBS
    environment:

    1. Run CEICW, follow the wizard and select Enable firewall and then make
    sure Virtual Private Networking (VPN) is selected in the Services
    Configuration page. And make sure you have typed the public FQDN of the SBS
    server on the Web Server Certificate page.
    2. Run Remote Access Wizard in Server Management\Internet and
    E-mail\Configure Remote Access, and select VPN access in the Remote Access
    Method page. After finishing this wizard, RRAS is configured to allow
    inbound VPN access, and it can assign IP addresses to the VPN clients by
    using DHCP.

    Note: When we run the remote access wizard to set up the VPN service, we
    need to input the public IP address or the public FQDN of the SBS server.
    We need to make sure that the address can be accessed from the internet.

    3. On the VPN client, go to https://publicFQDN/remote, clear I'm using a
    public or shared computer, log in and download Connection Manager.
    4. Install Connection Manager on the VPN client.
    5. Is there a hardware router installed in front of the SBS server? If so,
    ensure that port forwarding for TCP 1723 and GRE (protocol number 47) is
    opened. PPTP VPN negotiates a connection on TCP port 1723 and sends data to
    and from the PPTP server using the GRE protocol (IP protocol 47, 0x2F if you
    are looking in Network Monitor). You should open port 1723 on the router and
    also make sure IP protocol 47 is allowed.

    For detailed information, you can refer to the following KB articles:

    323441 How To Install and Configure a Virtual Private Network Server in
    Windows
    http://support.microsoft.com/?id=323441

    305550 How to configure a VPN connection to your corporate network in
    Windows
    http://support.microsoft.com/?id=305550

    I appreciate your time and look forward to hearing from you.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Crina Li, Feb 10, 2006
    #2
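    Added example (not from the thread or from Microsoft): a small Python checker that reads a firewall/NAT rule export in a constructed, simplified "permit <proto> <port|number>" format and reports which of the flows listed in the reply above (UDP 500, UDP 1701, UDP 4500 and IP protocol 50 for L2TP/IPsec NAT-T; TCP 1723 and IP protocol 47 for PPTP) the router is still blocking. The rule syntax and the sample rules are assumptions for illustration, not any real router's format.

```python
"""Check a router rule list for the flows an L2TP/IPsec NAT-T or PPTP VPN needs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Required flows, taken from the newsgroup reply: (ip_protocol, dest_port_or_None).
REQUIRED = {
    "l2tp-ipsec-nat-t": [("udp", 500), ("udp", 1701), ("udp", 4500), ("esp", None)],
    "pptp": [("tcp", 1723), ("gre", None)],
}

# IP protocol numbers; 0x2F is how Network Monitor shows GRE (47).
PROTO_NUMBERS = {"esp": 50, "gre": 47, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", "esp" or "gre"
    port: Optional[int]   # destination port; None for port-less protocols


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one constructed rule line such as 'permit udp 4500' or 'permit ip 0x2F'.

    Returns None for blank lines, comments, deny rules and unknown protocols,
    so anything we cannot understand is treated as NOT permitting the flow.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.lower().split()
    if parts[0] != "permit" or len(parts) < 3:
        return None
    proto, arg = parts[1], parts[2]
    if proto == "ip":
        # Raw protocol number, decimal or hex (base 0 lets int() accept '0x2f').
        num = int(arg, 0)
        name = next((n for n, v in PROTO_NUMBERS.items() if v == num), None)
        return Rule(name, None) if name in ("esp", "gre") else None
    if proto in ("esp", "gre"):
        return Rule(proto, None)
    if proto in ("tcp", "udp"):
        return Rule(proto, int(arg))
    return None


def missing_flows(rule_lines: List[str], vpn_type: str) -> List[Tuple[str, Optional[int]]]:
    """Return the required flows for vpn_type that no permit rule covers."""
    allowed = {r for r in map(parse_rule, rule_lines) if r is not None}
    return [(p, port) for p, port in REQUIRED[vpn_type] if Rule(p, port) not in allowed]


# Constructed sample export: a common mistake is forwarding IKE (500) and L2TP
# (1701) but forgetting NAT-T (4500) and ESP, while PPTP is fully opened.
SAMPLE_RULES = [
    "# VPN pass-through rules (constructed sample)",
    "permit udp 500",
    "permit udp 1701",
    "permit tcp 1723",
    "permit ip 0x2F      # GRE as Network Monitor displays it",
    "deny udp 4500",
]

if __name__ == "__main__":
    for kind in REQUIRED:
        print(kind, "missing:", missing_flows(SAMPLE_RULES, kind) or "nothing")
```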

  3. Roger

    Roger Guest

    Wow, thanks. I will have a read and will let you know.

    Thanks

    Roger.
     
    Roger, Feb 10, 2006
    #3
  4. Crina Li

    Crina Li Guest

    Hi Roger,

    Thanks for your reply.

    It is my pleasure to work with you in this post. If you have any further
    questions or concerns regarding the issue, please do not hesitate to let me
    know.

    Again, thank you for using the Microsoft newsgroup. Have a nice day. :)

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

     
    Crina Li, Feb 13, 2006
    #4