次の方法で共有

Troubleshooting Vista VPN problems

  • [アーティクル]

Hello all. There have been quite a few questions/posts on the technet forums about issues you folks have seen with Windows Vista VPN clients. So we thought we would come up with a post on the common configuration issues and some troubleshooting tips. Hope this helps others who are facing the same issues.

If you are seeing an issue different from one of those below, please send a mail to rrasblog@online.microsoft.com** with a description of your issue, the Operating system on the VPN client and the server, and the RAS tracing logs from the VPN client and the VPN server(if you have access to the VPN server). The steps to generate the logs are described in another post in this blog. (https://blogs.technet.com/rrasblog/archive/2006/06/20/437481.aspx)

** Remove the "online." from this email ID to actually mail the logs.

1. Windows Vista VPN client does not support MS-CHAPv1 authentication method

Windows Vista no longer supports MS-CHAPv1 and we strongly recommend that customers move to MS-CHAPv2, which is more secure. MS-CHAPv2 has been available since Windows 2000 and is widely supported. Note that if your server is configured to accept connections only using MS-CHAPv1 as the authentication method, then Windows Vista clients will be unable to connect to your server.

VPN client errors that might indicate that this is potentially the issue you are seeing:

  • 732 Your computer and the remote computer could not agree on PPP control protocols.
  • 718 The connection timed out waiting for a valis response from the remote computer
  • 734 The PPP link control protocol was terminated
  • 736 The remote computer terminated the control protocol
  • 919 The connection could not be established because the authentication protocol used by the RAS/VPN server to verify your username and password could not be matched with the settings in your connection profile

Resolution

Configure your server to allow clients to connect with MS-CHAPv2 as the authentication method. Update your VPN client connection settings to use MSCHAPv2 as the authentication method.

If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.

Steps to follow for resolution

(1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2

[These steps apply if you are using Microsoft Windows Server only. If using any other server, you will need to follows steps appropriate to the server]

a. Open RRAS console on the VPN server. Start --> Run --> rrasmgmt.msc

b. Rightclick on the Servername --> Properties --> Security tab --> Click on 'Authentication methods'

c. Verify that MSCHAPv2 checkbox is checked. If not, check the checkbox next to MSCHAPv2 and click on Apply. Click on OK.

(2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)

a. Open IAS console on the Radius server. Start --> Run --> ias.msc

b. Navigate to the 'Remote Access Policies' Node.

c. Doubleclick on the remote access policy - Connections to Microsoft Routing and  Remote Access servers --> Click on 'Edit profile' --> 'Authentication' tab

d. Ensure that MS-CHAPv2 is selected in the list of authentication methods.

e. Click on OK.

 2. Connection issues due to encryption mismatch

There have been some issues seen where the Vista VPN client experiences issues with connection due to encryption mismatch. You may face this issue if you are using Windows Vista VPN client to connect to a VPN server running an earlier version of Windows viz. Microsoft Windows 2003 Server and Microsoft Windows 2000 Server. This happens because Windows Vista does not support 40-bit and 56-bit encryption levels under the RC4 algorithm for PPTP and by default supports obly 128-bit encryption. This change is due to the security enhancements in Windows Vista. There is another post dedicated to these changes in this blog which describes this nicely (https://blogs.technet.com/rrasblog/archive/2006/11/01/vista-lh-security-changes-for-remote-access-scenarios.aspx).

VPN client errors that might indicate that this is potentially the issue you are seeing:

  • 741 The local computer does not support the required data encryption type
  • 829 The modem (or other connecting device) was disconnected due to link failure.

Resolution

Configure the remote access policy on your VPN server to accept 'Strongest encryption (MPPE 128 bit)'. Also make sure that encryption is selected to be negotiated in the client connection.

Steps to follow for resolution

The detailed steps to follow are given in the below KB article.

KB 929857 - You receive error code 741 when you try to make a PPTP-based VPN connection on a computer that is running Windows Vista

https://support.microsoft.com/kb/929857 

3. VPN Client connections created on Windows Vista show up as Dial-up connections

Some people have been facing this issue in their Windows Vista VPN client installations. When a VPN client connection is created using the 'Get Connected wizard' or rasphone.exe, it shows up as a 'Dial-up connection' in the network connections folder. When you right click on the client connection created, click on Properties, it says 'Connect using Modem (removed)'

This might happen if the virtual WAN miniports for PPTP/L2TP are not installed. Also, these miniports might be uninstalled after installation due to one of the below several reasons:

· 3rd party VPN adapter or software install/uninstall

· 3rd party firewall software install/uninstall.

· System backup that didn’t restore properly.

· Corrupted or missing bindings.

· Manual or 3rd party software's improperly manipulation of registry values in the registry key HKEY_LOCAL_MACHINESYSTEMControlSet001ControlClass{4D36E972-E325-11CE-BFC1-08002BE10318}.

You can verify if this is the issue by following the below steps:

a. Open Device Manager (Start -> Run -> devmgmt.msc)

b. Click on 'View' in the toolbar and select 'Show hidden devices'

c. Expand the machine name node.

d. Under 'Network Adapters' node, see if WAN Miniport (PPTP) and WAN Miniport (L2TP) are present. If they are not present then you are facing the issue mentioned above and you need to follow the resolution steps specified below.

Resolution

The resolution is to uninstall and install the miniports manually.

Steps to follow for resolution 

Type the following commands in order from an elevated command prompt on the Windows Vista client.

Netcfg –u MS_PPTP

Netcfg –u MS_L2TP

Netcfg -l %windir%infnetrast.inf –c p –i MS_PPTP

Netcfg –l %windir%infnetrast.inf –c p –i MS_L2TP

 

4. Connection failure due to Windows Live OneCare Firewall blocking VPN traffic

 

Some Vista users have reported this issue where their VPN connection fails to go through when Windows Live OneCare is installed. The firewall from Windows Live OneCare by default blocks VPN traffic. You need to configure OneCare firewall to allow VPN traffic.

 

VPN client errors that might indicate that this is potentially the issue you are seeing:

  • 800 Unable to establish the VPN connection.  The VPN server may be unreachable, or security parameters may not be configured properly for this connection
  • 809 The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem

Resolution

   

Configure Windows Live OneCare Firewall to allow VPN traffic by enabling the exception already present there.

 

Steps to follow for resolution 

     

Go into Change One Care Settings à then open the Firewall Connection Tool from the Firewall tab à Check the box for “VPN” which is present there.

 

 

Signing off hoping this information helps you to troubleshoot your VPN client issues!

Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    >>I can estabilish the VPN connection, but it drops all >>internet capabilities and the status shows local only.  >>What is the .inf file that needs to be selected if you want >> to install IPv4? Donna, please check if you have enabled the "Use remote default gateway" on your VPN connection. If you want to continue to use internet and use the VPN connection only for corp traffic, then this setting should be unchecked. If I understand your question correctly, you can install IPv4 using the command "netsh interface ipv4 install" and uninstall using "netsh interface ipv4 uninstall" -Janani

  • Anonymous
    January 01, 2003
    >>I found vista can only establish 2 pptp connections to >>outer (uncheck default gateway) >>When establish the 3rd pptp connection, the pptp dialer >>will report 800 error. Yuguang, you can establish only two simultaneous PPTP connections from the same machine. This is same for L2TP also. This has been the behaviour with Windows XP too. -Janani

  • Anonymous
    April 10, 2007
    The comment has been removed

  • Anonymous
    April 11, 2007
    I found a very very strange thing in vista. Everyone can Replicate the problem in his vista machine. 1, repare a clean vista, and add two vista firewall rules which says ALLOW ALL PROTOCOL ALL IP IN and OUT 2, start the RemoteAccess service or create a incomming connection, add a user 3, create a pptp connection and set the server ip to 127.0.0.1 4, dial the pptp connection 5, the dial dialog is hang on the "verify the username and passwd", and at the end, you will get a 628 error. 6, if dail through calling RasDial, you will get a 806 error. 7, if vista firewall is disabled, everything works fine. BTW: I do same thing in win2k, winxp,win2k3, everything works fine, in these platform, I can establish a pptp connection to self (127.0.0.1), but in vista, I can't if the vista firewall is enabled (even ALLOW all traffic). I also used the pptpsrv.exe and pptpclnt.exe to test 127.0.0.1 to 127.0.0.1. The result is: 1, Run pptpsrv.exe and then run pptpclnt.exe, everything works fine. 2, Run pptpsrv.exe and then dial pptp connection to 127.0.0.1, the pptpsrv.exe can't receive any GRE packet. So, it seems that the vista's pptp client can't send any GRE packet to 127.0.0.1 if the vista firewall enabled. But in the same Env. the pptpclnt.exe can send (through socket(raw,GRE_PROTOCOL) and sendto(...)) GRE packet to 127.0.0.1.

  • Anonymous
    April 12, 2007
    Another limit in vista. I found vista can only establish 2 pptp connections to outer (uncheck default gateway) When establish the 3rd pptp connection, the pptp dialer will report 800 error.

  • Anonymous
    April 13, 2007
    Very thanks for your reply! How can I establish more two simultaneous PPTP connections in vista or winxp? Is there a work around for this problem? BTW: I tested in win2k3, win2k3 can establish more than two simultaneous PPTP connections from the same machine.

  • Anonymous
    April 15, 2007
    Janani:   Could you please take a look at the vista pptp client and vista firewall?   Why vista can't dial pptp to 127.0.0.1 when vista firewall is enabled?   Is there any work around solution? BTW: I have known how to establish more than 2 connections in winxp/vista (I modify the registry HLMsystemcontrolclassnet_guid�001WanEndpoints).

  • Anonymous
    April 16, 2007
    The comment has been removed

  • Anonymous
    April 16, 2007
    I can estabilish the VPN connection, but it drops all internet capabilities and the status shows local only.  What is the .inf file that needs to be selected if you want to install IPv4?

  • Anonymous
    April 16, 2007
    The comment has been removed

  • Anonymous
    April 17, 2007
    I got the reason about "why vista pptp client can't dial itself when vista firewall is enabled" There are two registry keys in ServiceSharedAccessDefaultsFirewallPolicyDisableStatefulPPTP ServiceSharedAccessParametersFirewallPolicyDisableStatefulPPTP the default value is 0, change them to 1 will make everything works fine. I don't know if it's firewall's bug or MS don't want users establish PPTP connections to 127.0.0.1. Anyway, it provide a  workaround solution.

  • Anonymous
    April 21, 2007
    The comment has been removed

  • Anonymous
    April 22, 2007
    The comment has been removed