Routing and Remote Access Blog

VPN articles - straight from Windows development team

Troubleshooting Vista VPN problems

Hello all. There have been quite a few questions/posts on the technet forums about issues you folks have seen with Windows Vista VPN clients. So we thought we would come up with a post on the common configuration issues and some troubleshooting tips. Hope this helps others who are facing the same issues.

If you are seeing an issue different from those below, please send a mail to rrasblog@online.microsoft.com** with a description of your issue, the operating system on the VPN client and the server, and the RAS tracing logs from the VPN client and the VPN server (if you have access to the VPN server). The steps to generate the logs are described in another post in this blog (http://blogs.technet.com/rrasblog/archive/2006/06/20/437481.aspx).

** Remove the "online." from this email ID to actually mail the logs.

1. Windows Vista VPN client does not support MS-CHAPv1 authentication method

Windows Vista no longer supports MS-CHAPv1 and we strongly recommend that customers move to MS-CHAPv2, which is more secure. MS-CHAPv2 has been available since Windows 2000 and is widely supported. Note that if your server is configured to accept connections only using MS-CHAPv1 as the authentication method, then Windows Vista clients will be unable to connect to your server.

VPN client errors that might indicate that this is potentially the issue you are seeing:

  • 732 Your computer and the remote computer could not agree on PPP control protocols.
  • 718 The connection timed out waiting for a valid response from the remote computer
  • 734 The PPP link control protocol was terminated
  • 736 The remote computer terminated the control protocol
  • 919 The connection could not be established because the authentication protocol used by the RAS/VPN server to verify your username and password could not be matched with the settings in your connection profile

Resolution

Configure your server to allow clients to connect with MS-CHAPv2 as the authentication method, and update your VPN client connection settings to use MS-CHAPv2 as well.

If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.

Steps to follow for resolution

(1) Check whether the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2

[These steps apply only if you are using Microsoft Windows Server. If you are using any other server, follow the steps appropriate to that server.]

a. Open RRAS console on the VPN server. Start --> Run --> rrasmgmt.msc

b. Right-click on the server name --> Properties --> Security tab --> Click on 'Authentication methods'

c. Verify that the MS-CHAPv2 checkbox is checked. If not, check the checkbox next to MS-CHAPv2 and click on Apply. Click on OK.

(2) Check whether the RADIUS server policy supports MS-CHAPv2 (this step is needed if you control client access using Remote Access Policies on the IAS/NPS server)

a. Open the IAS console on the RADIUS server. Start --> Run --> ias.msc

b. Navigate to the 'Remote Access Policies' node.

c. Double-click on the remote access policy 'Connections to Microsoft Routing and Remote Access servers' --> Click on 'Edit profile' --> 'Authentication' tab

d. Ensure that MS-CHAPv2 is selected in the list of authentication methods.

e. Click on OK.

2. Connection issues due to encryption mismatch

Some Vista VPN clients fail to connect because of an encryption mismatch. You may face this issue if you are using the Windows Vista VPN client to connect to a VPN server running an earlier version of Windows, such as Microsoft Windows Server 2003 or Microsoft Windows 2000 Server. This happens because Windows Vista does not support the 40-bit and 56-bit encryption levels of the RC4 algorithm for PPTP and by default supports only 128-bit encryption. This change is due to the security enhancements in Windows Vista; another post in this blog describes these changes in detail (http://blogs.technet.com/rrasblog/archive/2006/11/01/vista-lh-security-changes-for-remote-access-scenarios.aspx).

VPN client errors that might indicate that this is potentially the issue you are seeing:

  • 741 The local computer does not support the required data encryption type
  • 829 The modem (or other connecting device) was disconnected due to link failure.

Resolution

Configure the remote access policy on your VPN server to accept 'Strongest encryption (MPPE 128 bit)'. Also make sure that encryption is selected to be negotiated in the client connection.

Steps to follow for resolution

The detailed steps to follow are given in the KB article below.

KB 929857 - You receive error code 741 when you try to make a PPTP-based VPN connection on a computer that is running Windows Vista

http://support.microsoft.com/kb/929857

3. VPN Client connections created on Windows Vista show up as Dial-up connections

Some people have been facing this issue in their Windows Vista VPN client installations. When a VPN client connection is created using the 'Get Connected wizard' or rasphone.exe, it shows up as a 'Dial-up connection' in the Network Connections folder. When you right-click on the client connection created and click on Properties, it says 'Connect using Modem (removed)'.

This might happen if the virtual WAN miniports for PPTP/L2TP are not installed. These miniports might also be uninstalled after installation for one of several reasons:

  • 3rd-party VPN adapter or software install/uninstall
  • 3rd-party firewall software install/uninstall
  • System backup that didn't restore properly
  • Corrupted or missing bindings
  • Improper manipulation, manually or by 3rd-party software, of registry values under the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

You can verify whether this is the issue by following these steps:

a. Open Device Manager (Start -> Run -> devmgmt.msc)

b. Click on 'View' in the toolbar and select 'Show hidden devices'

c. Expand the machine name node.

d. Under 'Network Adapters' node, see if WAN Miniport (PPTP) and WAN Miniport (L2TP) are present. If they are not present then you are facing the issue mentioned above and you need to follow the resolution steps specified below.

Resolution

The resolution is to uninstall and reinstall the miniports manually.

Steps to follow for resolution

Type the following commands in order from an elevated command prompt on the Windows Vista client (note that the switches use a plain hyphen, not a dash):

netcfg -u MS_PPTP

netcfg -u MS_L2TP

netcfg -l %windir%\inf\netrast.inf -c p -i MS_PPTP

netcfg -l %windir%\inf\netrast.inf -c p -i MS_L2TP
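As an added example (not part of the original post), the batch script below wraps the same check and netcfg sequence: it refuses to run from a non-elevated prompt, queries each miniport with netcfg -q, and only removes and re-adds the miniports when one is actually missing. It assumes netcfg -q prints "<component> is installed." for a present component; that output wording is an assumption, not something the post states.

```batch
@echo off
REM Added example, not part of the original post: check whether the PPTP and
REM L2TP WAN miniports are installed and re-create them only if one is missing.
REM Assumes netcfg.exe prints "<component> is installed." for a present
REM component when queried with -q (an assumption, not stated in the post).
setlocal

REM netcfg needs an elevated prompt; 'net session' fails when not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this script from an elevated command prompt.
    exit /b 1
)

REM Query each miniport component; MISSING becomes 1 if either is absent.
set MISSING=0
for %%C in (MS_PPTP MS_L2TP) do (
    netcfg -q %%C | find /i "is installed" >nul
    if errorlevel 1 (
        echo %%C is NOT installed.
        set MISSING=1
    ) else (
        echo %%C is installed.
    )
)

if "%MISSING%"=="0" (
    echo Both WAN miniports are present; no repair needed.
    exit /b 0
)

REM Same sequence as the post: remove both, then re-add from netrast.inf
REM (-c p = protocol class, -i = component id).
netcfg -u MS_PPTP
netcfg -u MS_L2TP
netcfg -l %windir%\inf\netrast.inf -c p -i MS_PPTP
netcfg -l %windir%\inf\netrast.inf -c p -i MS_L2TP

REM Re-query so the result of the repair is visible.
for %%C in (MS_PPTP MS_L2TP) do netcfg -q %%C
endlocal
```

After the repair, re-check Device Manager (with hidden devices shown) for WAN Miniport (PPTP) and WAN Miniport (L2TP) as described above.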

4. Connection failure due to Windows Live OneCare Firewall blocking VPN traffic

Some Vista users have reported that their VPN connection fails to go through when Windows Live OneCare is installed. The Windows Live OneCare firewall blocks VPN traffic by default, so you need to configure it to allow VPN traffic.

VPN client errors that might indicate that this is potentially the issue you are seeing:

  • 800 Unable to establish the VPN connection. The VPN server may be unreachable, or security parameters may not be configured properly for this connection
  • 809 The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem

Resolution

Configure the Windows Live OneCare Firewall to allow VPN traffic by enabling the exception already present there.

Steps to follow for resolution

Go into Change OneCare Settings --> open the Firewall Connection Tool from the Firewall tab --> check the box for "VPN" which is present there.

Signing off hoping this information helps you to troubleshoot your VPN client issues!

Janani Vasudevan
Software Design Engineer/Test
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]

Comments
  • I've been running Vista on my two work machines since RTM. My work requires me to VPN to my customers. I see that the VPN client in Vista now puts the DNS address of the VPN connection as the preferred one.

    That's fine for our own VPN connection but this creates problems when connecting to customers. Since the DNS now queries their DNS server I get locked out of network drives mapped to DFS shares, Outlook starts prompting me for a password (RPC over HTTP) etc.

    This probably happens because we're utilizing split DNS and use the same internal and external domain name.

    But I've not been able to find a way to revert this behaviour to the way XP worked.

  • When you are connected over VPN, the DNS address of the VPN is the preferred one. But if name resolution fails with this DNS server, then the DNS server of the next available network adapter should be tried.

    Have you enabled split tunneling on the VPN connection to the customer? If not, then you won't be able to access your network drives when connected to the customer.

    Also, can you please elaborate on the below statement?

    >> This probably happens because we're utilizing split DNS and use the same internal and external domain name.

    -Deepti

  • I found a very very strange thing in Vista.

    Everyone can replicate the problem on his Vista machine.

    1, prepare a clean Vista, and add two Vista firewall rules which say ALLOW ALL PROTOCOL ALL IP IN and OUT

    2, start the RemoteAccess service or create an incoming connection, add a user

    3, create a pptp connection and set the server ip to 127.0.0.1

    4, dial the pptp connection

    5, the dial dialog hangs on "verify the username and passwd", and at the end, you will get a 628 error.

    6, if dialing through calling RasDial, you will get an 806 error.

    7, if the Vista firewall is disabled, everything works fine.

    BTW: I did the same thing in win2k, winxp, win2k3, everything works fine; on these platforms, I can establish a pptp connection to self (127.0.0.1), but in Vista, I can't if the Vista firewall is enabled (even ALLOW all traffic).

    I also used the pptpsrv.exe and pptpclnt.exe to test 127.0.0.1 to 127.0.0.1. The result is:

    1, Run pptpsrv.exe and then run pptpclnt.exe, everything works fine.

    2, Run pptpsrv.exe and then dial pptp connection to 127.0.0.1, the pptpsrv.exe can't receive any GRE packet.

    So, it seems that the vista's pptp client can't send any GRE packet to 127.0.0.1 if the vista firewall enabled. But in the same Env. the pptpclnt.exe can send (through socket(raw,GRE_PROTOCOL) and sendto(...)) GRE packet to 127.0.0.1.

  • Another limit in vista.

    I found vista can only establish 2 pptp connections to outer

    (uncheck default gateway)

    When establishing the 3rd pptp connection, the pptp dialer will report an 800 error.

  • >> I found vista can only establish 2 pptp connections to outer (uncheck default gateway)

    >> When establish the 3rd pptp connection, the pptp dialer will report 800 error.

    Yuguang, you can establish only two simultaneous PPTP connections from the same machine. This is same for L2TP also. This has been the behaviour with Windows XP too.

    -Janani

  • Many thanks for your reply!

    How can I establish more than two simultaneous PPTP connections in Vista or winxp?

    Is there a work around for this problem?

    BTW: I tested in win2k3, win2k3 can establish more than two simultaneous PPTP connections from the same machine.

  • Janani:

    Could you please take a look at the Vista pptp client and Vista firewall?

    Why can't Vista dial pptp to 127.0.0.1 when the Vista firewall is enabled?

    Is there any workaround solution?

    BTW: I now know how to establish more than 2 connections in winxp/vista (I modify the registry HLM\system\controlclass\net_guid\0001\WanEndpoints).

  • I have a pptp-vpn on my m0n0wall gateway. When I used Windows XP on my laptop it worked flawlessly to connect to the VPN wherever I was. Now I'm on Vista and when I connect to my VPN I get a dedicated IP (v4) from the vpn-server, but then my local network connection that connects me to the internet dies somehow...and that makes the vpn connection die too...I have noooo idea why it behaves like this and it drives me nuts :(

    Please help me :/

  • I can establish the VPN connection, but it drops all internet capabilities and the status shows local only. What is the .inf file that needs to be selected if you want to install IPv4?

  • yaay...problem solved...it was my FON-router that screwed the network my VPN was on :)

  • >> I can estabilish the VPN connection, but it drops all internet capabilities and the status shows local only. What is the .inf file that needs to be selected if you want to install IPv4?

    Donna, please check if you have enabled the "Use remote default gateway" on your VPN connection. If you want to continue to use internet and use the VPN connection only for corp traffic, then this setting should be unchecked.

    If I understand your question correctly, you can install IPv4 using the command "netsh interface ipv4 install" and uninstall using "netsh interface ipv4 uninstall"

    -Janani

  • I got the reason about "why vista pptp client can't dial itself when vista firewall is enabled"

    There are two registry keys in

    Service\SharedAccess\Defaults\FirewallPolicy\DisableStatefulPPTP

    Service\SharedAccess\Parameters\FirewallPolicy\DisableStatefulPPTP

    the default value is 0; changing them to 1 makes everything work fine.

    I don't know if it's a firewall bug or MS doesn't want users to establish PPTP connections to 127.0.0.1.

    Anyway, it provides a workaround solution.

  • I've enabled split tunneling on the VPN entry. Doesn't seem to fallback to our DNS server.

    Regarding split DNS: we have the same server names for both external and internal. So for example my Outlook client connects to the same DNS name for both internal and external requests.

  • I've recently installed Vista Ultimate on one of my laptops, XP Pro is still on another.  Using the native VPN client (IPSec) on the XP laptop I'm able to connect with no problems to a Linksys BEFVP41 endpoint.  Unfortunately I've had no such luck with Vista.  I'm this }{ close to getting it to work...looking at the VPN log on the Linksys I can see negotiations beginning, but then I get an error to the effect of "check Perfect Forward Secrecy settings" (PFS is enabled on the endpoint).  I can't find where in the Consec rule to enable PFS...in fact I can't seem to find it anywhere in AdvFirewall Configuration.  Can someone help me out?  What reg key do I need to hack, what little-known menu do I need to access?  I've about worn out Google looking for the solution.

    Love Vista so far, but this may be a deal-breaker for me.  Help me MS!
