VPN on Vista
I have Vista workstations trying to access our office VPN from on-site jobs. But despite every setting checking out, we still keep getting error 732 with a PPP conflict. What in the world would be causing this?
February 4th, 2007 10:34am

Hi, Error 732: The PPP negotiation is not converging. Cause: 1. The negotiation of PPP parameters did not succeed because the local and remote computers could not agree on a common set of parameters. 2. This error may be caused by an improper Authentication and encryption setting in the Dial-Up Networking connection. Resolution: 1. Make sure you have good connection. 2. Check both server and client Authentication and encryption setting and make sure both have the same settings.
Free Windows Admin Tool Kit Click here and download it now
February 4th, 2007 4:53pm

I've had a good connection every time. I also even sat down with our network admin to double and triple check that the parameters for the workstation matched the VPN.
February 4th, 2007 6:14pm

hi, did the problem existin WinXP when you use XP to connect from the same location? Also, any error code in the event viewer?
Free Windows Admin Tool Kit Click here and download it now
February 4th, 2007 7:21pm

no...I connected the exact same way in XP...I didn't start having this problem until using Vista...in the event viewer, it keeps on saying code 732 on the errors for that operation...however, after my code 732, then there are 2-3 sets of establishing the connection then the connection being refused
February 4th, 2007 11:55pm

What is that VPN server? Did you check with the vendor so that it support Vista client?
Free Windows Admin Tool Kit Click here and download it now
February 5th, 2007 6:15pm

apparently this looks like it's going to be one of those pitfalls with Vista not supporting the MS-CHAPv1 protocol...because upon further research, that appears to be the issue
February 7th, 2007 12:22am

is there a way in Vista to access a VPN on MS-CHAPv1???
Free Windows Admin Tool Kit Click here and download it now
February 7th, 2007 12:23am

Hi, In Windows Vista, Microsoft has removed MS-CHAP v1 from the list of authentication protocols for dial-up connections, for broadband (PPPoE) connections, and for virtual private network (VPN) connections. This change has been made because MS-CHAP version 2 (MS-CHAP v2) provides better security than the following protocols do: MS-CHAP v1 The Challenge Handshake Authentication Protocol (CHAP)Note CHAP provides an equivalent level of security to MS-CHAP. The Password Authentication Protocol (PAP)Note PAP is less secure than MS-CHAP.Microsoft Windows 2000 and later operating systems support MS-CHAP v2, CHAP and PAP. By default, both CHAP and MS-CHAP v2 are enabled for dial-up and PPPoE connections in Windows Vista.If you used the Set up a connection or network wizard in Windows Vista to create a network connection, you can use the Network Sharing Center to enable or disable PAP, CHAP and MS-CHAP v2. To do this, follow these steps: 1. Open the Network Sharing Center. To do this, click Start, type network sharing center in the Start Search box, and then click Network Sharing Center in the Programs list. 2. Click Manage network connections. 3. In the Network Connections window, right-click the name of the connection that you want to change, and then click Properties. 4. In the User Account Control dialog box, click Continue. 5. In the Connection Properties dialog box, click to select the Security tab, click Advanced (Custom Settings), and then click Settings. 6. In the Advanced Security Settings dialog box, click to either enable or disable the options for PAP, CHAP and MS-CHAP v2, and then click OK.Ref: http://support.microsoft.com/kb/926170/en-us
February 7th, 2007 11:01am

Yes, I too have been bitten by this issue. We use a Cisco PIX firewall (one of the most common firewalls on the planet) as a VPN endpoint. The PIX supports PAP, CHAP, and MS-CHAP v1. We have successfully used Windows 2000 and Windows XP machines with the built-in PPTP client to connect to the PIX for four years. After doing testing with Windows Vista we discovered that MS-CHAP v1 support had been removed from Vista; therefore, we have decided to stick with Windows XP. Yes, it is true that we could change the PIX configuration to allow PAP or CHAP but that would have two very negative consequences: Passwords would be sent in clear text. The VPN tunnel would not be encrypted. While MS-CHAP v1 might not be as good as MS-CHAP v2, at least it supports encryption, which is far better than using PAP or CHAP (which are still supported by Vista.) If they were going to depreciate one of the protocols, why not PAP, since it is the least secure of all. Rather than depreciating the least secure of the four authentication protocols, they depreciated the second most secure one. Not good news for the millions of folks using Cisco PIX firewalls.
Free Windows Admin Tool Kit Click here and download it now
February 28th, 2007 6:10pm

I m thinking whehther Cisco can release the support of MS-CHAP v2.
March 2nd, 2007 4:58am

Cisco has released support for MS-CHAP v2.. Version 7 of thier OS supports it. However, I can't update my Pix 506 to V7... Microsoft should be the one to release a fix for this... NOT CISCO.... I will not upgrade my users to VISTA UNTILMICROSOFT HAS RESOLVED THIS PROBLEM
Free Windows Admin Tool Kit Click here and download it now
March 2nd, 2007 9:54am

I think it's by design.
March 3rd, 2007 11:55am

I agree with Rasoghall. Microsoft have "designed" this problem but expect Cisco to resolve it with a PIX Software update. I am sure that the most organisations would rather see an update or patch for Vista instead of having to totally update all thier firewalls. We purchased a laptop with Vista last week and can't get it working with the VPN solution in operation for all our other employees. We certainly won't be investing in any more Vista machines or licenses for a while after this!
Free Windows Admin Tool Kit Click here and download it now
March 16th, 2007 6:57pm

To summarize, we can have only two options now: 1. Wait MS to add back support of MS-CHAP v1 to Vista. (But I think it's less chance). 2. Update to lates Cisco IOS or change the firewall to a model which support MS-CHAP v2.
March 28th, 2007 3:07pm

THIS SUCKS! MICROSOFT NEEDS TO FIX THE PROBLEM THEY CREATED OR I WANT XP FOR THIS COMPUTER I PURCHASED WITH VISTA ALREADY INSTALLED AND THE $300 OR SO DOLLARS A UPGRADE FROM XP TO VISTA WOULD COST. TOO MUCH IN-BREEDING WITH ALL THOSE PROGRAMMERS AT MICROSOFT. NEW SETTING FOR DELIVERANCE 2 ! WHAT IS MICROSOFT DOING ABOUT THIS AND THE ANSWER NEEDS TO BE BETTER THAN NOTHING. I WILL INITIATE A CLASS ACTION SUITE FOR NON SUPPORT OF A SUPPOSEDLY NEW PRODUCT THAT DOESN'T WORK. MAYBE APPLE DOES HAVE A BETTER IDEA.
Free Windows Admin Tool Kit Click here and download it now
October 20th, 2007 7:36am

This is outragous. Microsoft should have fixed this issue by a hot fix the moment somebody noticed. I just bought myself a new laptop with Vista that I planned to use to access my work computer. The fact that I will not be able to connect to my workplace using Vista is almost enough reason to return it to the shop( or at least to install an OS that works on it ( linux ? ). Is MS at the very least planning to fix this for SP1 or are they really against workplaces using Vista ?
December 18th, 2007 1:14am

had the same 732 error as above. We have been using the built in Windows XPVPN client to connect to ourCisco PIX 506e for years. We got our first Vista laptop a few weeks ago and tried to VPN in...no dice. Tried every setting (PAP, CHAP, MSCHAP)and scoured the internet for a solution.Finallypaid the $259 andcontacted Microsoft support. After four hours of trying every setting, scouring the internet, and consulting with hismentor the MS tech said I would have to upgrademy PIX IOS to version 7 because it supports MSCHAP version 2. I went to the Cisco site to download IOS 7 and learned that the PIX 506e does not support IOS 7.(cisco site: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1). So to sum it up...if you have a PIX 506e and try to connect with VPN using Vista your out of luck.
Free Windows Admin Tool Kit Click here and download it now
December 28th, 2007 6:30pm

Mordrid, don't use the pix to VPN into your network - do what I do, bypass the PIX and port forward 1723 so you can use your server as VPN - this way VPN accounts are integrated into your Directory Service ... one user and password for getting into the system ... and you can enable or disable users VPN capability from "dial-in" - VPN tab...
December 28th, 2007 9:32pm

Vista business Cisco VPN client 5.0.01.0600 Had same issue talking to PIX 501 until I added UseLegacyIKEPort=1 to each profile.
Free Windows Admin Tool Kit Click here and download it now
January 21st, 2008 6:35pm

Has anyone else tested this? I'll run my own tests on my 605e sometime tonight. I downloaded the latest vpn client for vistaand will be modifying the pcf on my vista ultimate machine. Here is an old KB that discusses the modification in better detail. http://support.microsoft.com/kb/928310
February 21st, 2008 8:43pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics