Hello all. There have been quite a few questions/posts on the technet forums about issues you folks have seen with Windows Vista VPN clients. So we thought we would come up with a post on the common configuration issues and some troubleshooting tips. Hope this helps others who are facing the same issues.
If you are seeing an issue different from one of those below, please send a mail to rrasblog@online.microsoft.com** with a description of your issue, the operating system on the VPN client and the server, and the RAS tracing logs from the VPN client and the VPN server (if you have access to the VPN server). The steps to generate the logs are described in another post in this blog. (http://blogs.technet.com/rrasblog/archive/2006/06/20/437481.aspx)
** Remove the "online." from this email ID to actually mail the logs.
1. Windows Vista VPN client does not support MS-CHAPv1 authentication method
Windows Vista no longer supports MS-CHAPv1 and we strongly recommend that customers move to MS-CHAPv2, which is more secure. MS-CHAPv2 has been available since Windows 2000 and is widely supported. Note that if your server is configured to accept connections only using MS-CHAPv1 as the authentication method, then Windows Vista clients will be unable to connect to your server.
VPN client errors that might indicate that this is potentially the issue you are seeing:
Resolution
Configure your server to allow clients to connect with MS-CHAPv2 as the authentication method. Update your VPN client connection settings to use MS-CHAPv2 as the authentication method.
If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
Steps to follow for resolution
(1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
[These steps apply only if you are using Microsoft Windows Server. If you are using any other server, you will need to follow the steps appropriate to that server.]
a. Open RRAS console on the VPN server. Start --> Run --> rrasmgmt.msc
b. Right-click on the server name --> Properties --> Security tab --> Click on 'Authentication methods'
c. Verify that the MS-CHAPv2 checkbox is checked. If not, check the checkbox next to MS-CHAPv2 and click on Apply. Click on OK.
(2) Check if the RADIUS server policy supports MS-CHAPv2 (this step is needed if you control client access using Remote Access Policies on the IAS/NPS server)
a. Open the IAS console on the RADIUS server. Start --> Run --> ias.msc
b. Navigate to the 'Remote Access Policies' Node.
c. Double-click on the remote access policy - Connections to Microsoft Routing and Remote Access servers --> Click on 'Edit profile' --> 'Authentication' tab
d. Ensure that MS-CHAPv2 is selected in the list of authentication methods.
e. Click on OK.
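For those who prefer to check the RRAS server from a command line, here is an added example (it is not from the original post) that performs the same server-side check as step (1) with netsh instead of the RRAS console. It assumes that 'netsh ras show authtype' lists the enabled authentication types one per line and that 'netsh ras add authtype type=MSCHAPv2' enables MS-CHAPv2; run it from an elevated PowerShell prompt on the Windows RRAS server.

```powershell
# Added example, not part of the original post.
# Reports whether the RRAS server will negotiate MS-CHAPv2 and, if asked,
# enables it. Requires an elevated prompt on the RRAS server itself.

function Get-RrasAuthTypes {
    # Assumption: 'netsh ras show authtype' prints each enabled type on its own
    # line, starting with the short name (PAP, SPAP, MD5CHAP, MSCHAP, MSCHAPv2, EAP).
    & netsh ras show authtype 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -match '^(PAP|SPAP|MD5CHAP|MSCHAP|MSCHAPv2|EAP)\b' } |
        ForEach-Object { ($_ -split '\s+')[0] }
}

function Test-RrasMsChapV2 {
    $types = @(Get-RrasAuthTypes)
    $hasV2 = $types -contains 'MSCHAPv2'
    # '^MSCHAP\b' does not match 'MSCHAPv2' (no word boundary between P and v),
    # so this picks out the v1-only case that Vista clients cannot use.
    $v1Only = (-not $hasV2) -and ($types -contains 'MSCHAP')

    Write-Host "Enabled authentication types: $($types -join ', ')"
    if ($hasV2) {
        Write-Host 'MS-CHAPv2 is enabled; Windows Vista clients can authenticate.'
    } elseif ($v1Only) {
        Write-Warning 'Only MS-CHAPv1 is enabled; Windows Vista clients will fail to connect.'
    } else {
        Write-Warning 'MS-CHAPv2 is not enabled on this server.'
    }
    return $hasV2
}

function Enable-RrasMsChapV2 {
    # Assumption: this is the netsh equivalent of ticking the MS-CHAPv2 checkbox
    # on the Security tab of the server properties.
    & netcsh ras add authtype type=MSCHAPv2 2>&1 | Out-Null
    return (Test-RrasMsChapV2)
}

# Usage: report only, then enable MS-CHAPv2 if it is missing.
if (-not (Test-RrasMsChapV2)) {
    if (Enable-RrasMsChapV2) { Write-Host 'MS-CHAPv2 enabled.' }
}
```

If the server hands authentication off to a RADIUS server, this only covers the RRAS side; the Remote Access Policy on the IAS/NPS server still has to allow MS-CHAPv2 as described in step (2).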
2. Connection issues due to encryption mismatch
There have been some cases where the Vista VPN client fails to connect because of an encryption mismatch. You may face this issue if you are using the Windows Vista VPN client to connect to a VPN server running an earlier version of Windows, viz. Microsoft Windows Server 2003 and Microsoft Windows 2000 Server. This happens because Windows Vista does not support the 40-bit and 56-bit encryption levels under the RC4 algorithm for PPTP and by default supports only 128-bit encryption. This change is due to the security enhancements in Windows Vista. There is another post dedicated to these changes in this blog which describes this nicely (http://blogs.technet.com/rrasblog/archive/2006/11/01/vista-lh-security-changes-for-remote-access-scenarios.aspx).
Configure the remote access policy on your VPN server to accept 'Strongest encryption (MPPE 128 bit)'. Also make sure that encryption is selected to be negotiated in the client connection.
The detailed steps to follow are given in the below KB article.
KB 929857 - You receive error code 741 when you try to make a PPTP-based VPN connection on a computer that is running Windows Vista
http://support.microsoft.com/kb/929857
3. VPN Client connections created on Windows Vista show up as Dial-up connections
Some people have been facing this issue in their Windows Vista VPN client installations. When a VPN client connection is created using the 'Get Connected wizard' or rasphone.exe, it shows up as a 'Dial-up connection' in the Network Connections folder. When you right-click on the client connection created and click on Properties, it says 'Connect using Modem (removed)'.
This might happen if the virtual WAN miniports for PPTP/L2TP are not installed. These miniports might also get uninstalled after installation for one of several reasons:
· 3rd party VPN adapter or software install/uninstall
· 3rd party firewall software install/uninstall.
· System backup that didn’t restore properly.
· Corrupted or missing bindings.
· Manual or 3rd-party software's improper manipulation of values in the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}.
You can verify if this is the issue by following the below steps:
a. Open Device Manager (Start -> Run -> devmgmt.msc)
b. Click on 'View' in the toolbar and select 'Show hidden devices'
c. Expand the machine name node.
d. Under 'Network Adapters' node, see if WAN Miniport (PPTP) and WAN Miniport (L2TP) are present. If they are not present then you are facing the issue mentioned above and you need to follow the resolution steps specified below.
The resolution is to uninstall and install the miniports manually.
Type the following commands in order from an elevated command prompt on the Windows Vista client.
Netcfg -u MS_PPTP
Netcfg -u MS_L2TP
Netcfg -l %windir%\inf\netrast.inf -c p -i MS_PPTP
Netcfg -l %windir%\inf\netrast.inf -c p -i MS_L2TP
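Here is an added example (not from the original post) that scripts the Device Manager check and the netcfg repair above on a Windows Vista client. It assumes that WMI reports the two miniports in Win32_NetworkAdapter under the names 'WAN Miniport (PPTP)' and 'WAN Miniport (L2TP)' (hidden devices included), reads the live CurrentControlSet view of the network class key mentioned above as a second opinion, and only runs the netcfg commands when you pass -Repair from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post.
# Checks for the PPTP/L2TP WAN miniports and optionally reinstalls them with
# the exact netcfg commands from the post. Run elevated; pass -Repair to fix.
param([switch]$Repair)

$expected = @('WAN Miniport (PPTP)', 'WAN Miniport (L2TP)')

function Get-MissingWanMiniports {
    # Assumption: hidden WAN miniports are listed by Win32_NetworkAdapter under
    # these names, so no 'Show hidden devices' step is needed as in devmgmt.msc.
    $present = @(Get-WmiObject -Class Win32_NetworkAdapter | ForEach-Object { $_.Name })
    return @($expected | Where-Object { $present -notcontains $_ })
}

function Get-WanMiniportsFromRegistry {
    # Live view of the network adapter class key named in the post (the post
    # cites ControlSet001; CurrentControlSet points at the set in use).
    $classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    Get-ChildItem $classKey -ErrorAction SilentlyContinue | ForEach-Object {
        (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DriverDesc
    } | Where-Object { $_ -like 'WAN Miniport*' }
}

function Repair-WanMiniports {
    # Commands exactly as listed in the post; the order matters
    # (uninstall both miniports first, then reinstall both from netrast.inf).
    $inf = Join-Path $env:windir 'inf\netrast.inf'
    & netcfg -u MS_PPTP
    & netcfg -u MS_L2TP
    & netcfg -l $inf -c p -i MS_PPTP
    & netcfg -l $inf -c p -i MS_L2TP
}

$missing = Get-MissingWanMiniports
Write-Host "WAN miniports registered under the network class key: $((Get-WanMiniportsFromRegistry) -join ', ')"

if ($missing.Count -eq 0) {
    Write-Host 'Both WAN Miniport (PPTP) and WAN Miniport (L2TP) are present.'
} else {
    Write-Warning "Missing: $($missing -join ', ') - VPN connections will show up as dial-up."
    if ($Repair) {
        Repair-WanMiniports
        $after = Get-MissingWanMiniports
        if ($after.Count -eq 0) {
            Write-Host 'Miniports reinstalled; recreate or reopen the VPN connection.'
        } else {
            Write-Warning "Still missing after repair: $($after -join ', ')"
        }
    } else {
        Write-Host 'Re-run this script with -Repair from an elevated prompt to reinstall them.'
    }
}
```

The check is separated from the repair on purpose: the uninstall steps remove the miniports for every VPN connection on the machine, so you want to confirm they are really missing before running them.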
4. Connection failure due to Windows Live OneCare Firewall blocking VPN traffic
Some Vista users have reported this issue where their VPN connection fails to go through when Windows Live OneCare is installed. The firewall from Windows Live OneCare by default blocks VPN traffic. You need to configure OneCare firewall to allow VPN traffic.
Configure Windows Live OneCare Firewall to allow VPN traffic by enabling the exception already present there.
Go into Change OneCare Settings --> then open the Firewall Connection Tool from the Firewall tab --> check the box for "VPN" which is present there.
Signing off hoping this information helps you to troubleshoot your VPN client issues!
Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking
[This posting is provided "AS IS" with no warranties, and confers no rights.]