L2TP/IPsec PSK Server 2008 ---Issue---
Hello, I have set up a L2TP/IPsec PSK on my Server 2008 using Routing and Remote Access & Network Policy Server.

---The ISSUE---
I am unable to dial into my server from an XP machine across the WAN. When I try to connect I get an 'Error 678' window saying 'The remote computer did not respond'.

---However---
I have successfully set up the same connection type using my Galaxy S2 VPN connection (Android mobile phone) which connects OK... so I don't understand why XP won't connect?

On the XP 'Virtual Private Network Connection Properties' (VPNCP) window, if I set the 'Type of VPN' drop-down menu to either 'Automatic' or 'PPTP VPN' then I can get a connection. The problem is I don't want PPTP connecting alone due to security vulnerabilities.

The current network policy I am using on Server 2008 is set up very simply with very little in the way of conditions or constraints; this is obviously so I don't risk blocking any connections while testing. I am not convinced there is an issue with NPS; if there was, I would not be able to connect from my mobile phone.

The XP laptop I am using is set to a different work's domain from my own domain I am trying to access; this shouldn't make a difference, otherwise I would not be able to connect using PPTP, which does work for me.

Without writing a long list of my setup parameters, does anyone have any suggestions as a starting point for diagnosis? Thanks
December 29th, 2011 11:28am

For NPS queries, post here. http://social.technet.microsoft.com/Forums/en-US/winserverNIS/threads Thanks
December 29th, 2011 12:52pm

Hi Gagwithgaffer, Thanks for posting here. This is a generic error which is thrown when the IPsec negotiation fails for L2TP/IPsec connections. Possible causes for this issue could be:

1. Needed ports are blocked by firewalls or routers.
2. L2TP based VPN client (or VPN server) is behind NAT.
3. Wrong pre-shared key is set on the VPN server or client.

In order to troubleshoot, please make sure that the required ports are opened:

- UDP 500 and 1701 for IPsec negotiations
- UDP port 4500 for NAT-Traversal

In addition, if the RRAS server is behind a NAT device, we need to install the L2TP/IPsec NAT Traversal update on the client. For an XP client, we need to create an AssumeUDPEncapsulationContextSendRule registry value so that the XP client can initiate and respond to IPsec communication behind NAT. For detailed information, please reference the Microsoft KB articles below:

L2TP/IPsec NAT-T update for Windows XP and Windows 2000
http://support.microsoft.com/kb/818043

How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/926179

Best Regards, Aiden
December 30th, 2011 12:01am

Hi Aiden, Thank you for your reply. Firstly, I am on XP SP3, which from the article above appears to mean that IPsec functionality is already set up on my XP machine. I double checked whether 'IPSEC Services' appears in my XP list of services. It does, and I found the service had not been started. I changed the setting to Automatic and manually started it myself. Unfortunately this has not fixed the issue.

To avoid any issues with ports blocked on the server while testing, I also turned off the Server 2008 Windows Firewall. This also has not fixed the issue. The pre-shared key is definitely correct as I re-entered the key on both the server and client side.

I am using the one Server 2008 machine for this VPN, which is also acting as my Internet facing router using the RRAS role with NAT active on the Internet facing Ethernet card. The client I am using for testing the VPN communicates across the WAN to my server machine from a Vodafone mobile internet connection.

I can't help but think the issue is from the client side, not the server. This is because I can connect to my server from my Galaxy S2 smart phone (mobile internet) using the L2TP/IPsec PSK service perfectly every time and the log shows a successful connection (the events log in Server Manager 'Network Policy and Access Services'). No events come up when I try and connect with the XP machine; usually I would expect to see a denied access message if it was anything to do with the server being the issue.

Is there any log system or app I can use on the XP machine to see whether the connection request is actually leaving the machine? Any other ideas would be much appreciated, thanks
December 30th, 2011 8:42am

Hi, Firstly, use Ping, Tracert or Pathping to verify the basic connectivity between the VPN server and the XP client. For further troubleshooting steps, please refer to the following article:

How to configure a connection to a virtual private network (VPN) in Windows XP
http://support.microsoft.com/kb/314076

If it still does not work, please enable the tracing log and Oakley log to capture the connection process and identify the problem. To enable tracing for all components, use the following command:

netsh ras set tracing * enabled

In addition, please note the log files are placed under the %SystemRoot%\Tracing folder.

VPN Troubleshooting Tools
http://technet.microsoft.com/en-us/library/cc754825(WS.10).aspx

Best Regards, Aiden
January 1st, 2012 9:34pm
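A client-side check for the causes Aiden lists above (IPSEC Services stopped, the NAT-T registry value missing, and RAS tracing off), added here as an example and not code from the thread or from Microsoft. It assumes PowerShell 2.0 is installed on the client and that rule value 2 (both sides behind NAT) is the right setting for a client dialling in from a mobile operator's connection, as in this thread; without -Fix it only reports.

```powershell
# Added diagnostic script (not from the thread). Run in an elevated PowerShell 2.0
# session on the L2TP/IPsec client (Windows 7, or XP SP3 with PowerShell installed).
param([switch]$Fix)

# 1. IPSEC Services (service name PolicyAgent) must be running for L2TP/IPsec;
#    the thread found it stopped on the XP laptop.
$svc = Get-WmiObject Win32_Service -Filter "Name='PolicyAgent'"
"IPSEC Services (PolicyAgent): State={0} StartMode={1}" -f $svc.State, $svc.StartMode
if ($svc.State -ne 'Running' -and $Fix) {
    Set-Service -Name PolicyAgent -StartupType Automatic
    Start-Service -Name PolicyAgent
    "  -> started PolicyAgent and set it to Automatic"
}

# 2. NAT-T rule (KB 818043 for XP/2000, KB 926179 for Vista/7/2008).
#    The value lives under Services\IPSec on XP and under Services\PolicyAgent
#    on Vista and later. 0 = neither side behind NAT, 1 = server behind NAT,
#    2 = both sides behind NAT. Value 2 is an assumption that fits a client
#    dialling from a mobile-operator connection, as in the thread.
$osVersion = (Get-WmiObject Win32_OperatingSystem).Version
if ($osVersion -like '5.*') {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
}
$name = 'AssumeUDPEncapsulationContextSendRule'
$item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($item -eq $null) {
    "$name is not set under $key"
    if ($Fix) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 2 | Out-Null
        "  -> set $name = 2; reboot before testing again"
    }
} else {
    "$name = {0} under $key" -f $item.$name
}

# 3. RAS tracing for the next dial attempt. Logs are written to %SystemRoot%\Tracing;
#    turn tracing off again afterwards with: netsh ras set tracing * disabled
if ($Fix) {
    netsh ras set tracing * enabled
    "Tracing enabled; dial the VPN now, then read the logs in $env:SystemRoot\Tracing"
}
```

If the server itself is the NAT router (as in this thread) and only the client is behind NAT, the same registry value is still what lets the XP client negotiate over UDP 4500 instead of failing silently with error 678.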

Hi Aiden, Many thanks for your support and tips. I will try the above and see how I get on.
January 3rd, 2012 3:52pm

Did you ever solve this connection issue from your XP system (error 678) to your Windows 2008 R2 server? I have run into the same problem. I can connect from my Samsung phone using L2TP/IPsec (with pre-shared key) to my Windows 2008 R2 server, but cannot connect from my XP SP3 machine (using the same L2TP/IPsec with pre-shared key). Any information would be appreciated. Thanks.
March 23rd, 2012 1:27am

Hi gregsara, Unfortunately the XP machine was my work's laptop, which I have now replaced with a W7 Pro. I recently experienced similar issues with connection from the W7 machine too (my mob still connects fine). I can only assume that certificates may be the issue. There is an article for L2TP setup: http://araihan.wordpress.com/2009/10/06/configure-l2tp-ipsec-vpn-using-windows-server-2008/ You could try following this post? Hope this helps. Regards Oliver
March 25th, 2012 5:57am
