L2TP/IPSec VPN Connection broken since WinXP SP2

Franz Schenk

We have the following configurations:

- workstation1 with Windows XP SP2, member of domain1, user has local
administrator rights
- workstation2 with Windows XP SP1a and IPSec NAT-T traversal update
installed, member of domain1, user has local administrator rights
- Windows 2003 VPN RRAS Server, member server of domain1
- Other Windows 2003 VPN RRAS Server, member server of another domain2

What does work:
- IPSec VPN connection with workstation1 to RRAS Server of domain1
- IPSec VPN connection with workstation2 to RRAS Server of domain1
- IPSec VPN connection with workstation2 to RRAS Server of domain2

What doesn't work anymore:
- IPSec VPN connection with workstation1 to RRAS Server of domain2! This
connection doesn't work anymore since the SP2 upgrade. The client produces
"Error 792: The L2TP connection attempt failed because security negotiations
timed out". On the VPN Server, there is a failure audit in the security
eventlog, described at the end of this message. We verified that the
Computer Client Certificate from domain2 on the Windows XP SP2 Client is
still ok, including the certification path. The problem is definitely on the
XP SP2 Client side, a L2TP/IPSec connection with workstation2 to the same
VPN server works fine. I completely deactivated the Windows firewall on the
XP SP2 client, restarted the PC, no success: Still no IPSec VPN connection
to the VPN Server of domain2.

Thank you all in advance for any advice
Franz

-------------------------------

Eventlog entry on VPN server of domain2 after unsuccessful connection
request of XP SP2 client "workstation1":


Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 12.08.2004
Time: 14:13:43
User: NT AUTHORITY\NETWORK SERVICE
Computer: BETA
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 193.135.215.141
Source IP Address Mask 255.255.255.255
Destination IP Address 194.230.199.139
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 193.135.215.141
IKE Peer Addr 194.230.199.139
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject
My SHA Thumbprint 0000000000000000000000000000000000000000
Peer IP Address: 194.230.199.139

Failure Point:
Me

Failure Reason:
IKE authentication credentials are unacceptable

Extra Status:
Processed second (KE) payload
Responder. Delta Time 1
0x0 0x0

Franz Schenk

Sorry for the message below, the problem is solved and was not related to
SP2: The root certification authority of domain2 was not imported correctly
in the trusted root certification store.

Franz
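As an added example (not code from Franz's posts, Windows, or any Microsoft tool), the Python below parses an Event ID 547 entry in the layout shown above and flags the pattern this thread ended on: certificate-based Main Mode authentication rejected by the responder with no peer thumbprint recorded, which fits a chain that does not build to a trusted root. The sample entry is constructed in that layout with RFC 5737 documentation addresses in place of the real ones, and the triage rule is a heuristic assumed here, not a documented mapping.

```python
"""Triage a Windows Server 2003 security-log Event ID 547 (IKE negotiation
failure) of the kind posted in this thread.

Added example; not code from the original posts. The sample entry is
constructed from the field layout shown in the thread, with documentation
addresses (RFC 5737) substituted for the real ones. The triage rule is a
heuristic assumed here, not a documented Microsoft mapping.
"""
import re

# "Header: value" lines (Event Type, Event ID, Peer IP Address, ...).
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# Names that appear without a colon inside the Filter / Peer Identity blocks,
# longest first so "Source IP Address Mask" wins over "Source IP Address".
FIELD_NAMES = sorted([
    "Key Exchange Mode", "Source IP Address", "Source IP Address Mask",
    "Destination IP Address", "Destination IP Address Mask", "Protocol",
    "Source Port", "Destination Port", "IKE Local Addr", "IKE Peer Addr",
    "IKE Source Port", "IKE Destination Port", "Peer Private Addr",
    "Peer Subject", "Peer SHA Thumbprint", "Peer Issuing Certificate Authority",
    "Root Certificate Authority", "My Subject", "My SHA Thumbprint",
], key=len, reverse=True)

ZERO_THUMBPRINT = "0" * 40

# Constructed sample in the layout of the entry posted in the thread.
SAMPLE_EVENT_547 = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
User: NT AUTHORITY\\NETWORK SERVICE
Computer: VPNSRV
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 192.0.2.10
Source IP Address Mask 255.255.255.255
Destination IP Address 198.51.100.20
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.0.2.10
IKE Peer Addr 198.51.100.20
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject
My SHA Thumbprint 0000000000000000000000000000000000000000
Peer IP Address: 198.51.100.20

Failure Point:
Me

Failure Reason:
IKE authentication credentials are unacceptable

Extra Status:
Processed second (KE) payload
Responder. Delta Time 1
0x0 0x0
"""


def parse_event_547(text):
    """Return (fields, sections): named fields, plus the free text that
    follows each bare 'Header:' line joined with spaces."""
    fields, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # bare section header
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
            continue
        name = next((n for n in FIELD_NAMES
                     if line == n or line.startswith(n + " ")), None)
        if name:
            fields[name] = line[len(name):].strip()   # may be empty
        elif current is not None:
            sections[current].append(line)
    return fields, {k: " ".join(v) for k, v in sections.items()}


def triage(text):
    """Classify one 547 entry and suggest the first thing to check."""
    fields, sections = parse_event_547(text)
    reason = sections.get("Failure Reason", "")
    cert_identity = "Certificate" in sections.get("Peer Identity", "")
    peer_tp = fields.get("Peer SHA Thumbprint", "")
    result = {
        "event_id": fields.get("Event ID"),
        "mode": fields.get("Key Exchange Mode", ""),
        "peer": fields.get("IKE Peer Addr") or fields.get("Peer IP Address"),
        "failure_point": sections.get("Failure Point", ""),
        "failure_reason": reason,
        "peer_thumbprint_present": bool(peer_tp) and peer_tp != ZERO_THUMBPRINT,
        "category": "other",
        "check": "",
    }
    if "credentials are unacceptable" in reason and cert_identity:
        result["category"] = "certificate-authentication-failure"
        # Heuristic (assumption): certificate credentials rejected in Main Mode
        # with no peer thumbprint recorded matches the thread's root cause, a
        # chain that does not build to a trusted root on the rejecting host.
        result["check"] = ("confirm the peer's root and issuing CA are in the "
                           "LOCAL MACHINE Trusted Root / Intermediate stores "
                           "on both ends and that the client certificate "
                           "chain validates (certutil -verify)")
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENT_547).items():
        print(f"{k}: {v}")
```

The parser keeps empty fields (such as `Peer Subject`) as empty strings rather than dropping them, so a triage rule can tell "field absent" from "field present but blank"; the all-zero thumbprint is treated as "no peer certificate identified" rather than as a real hash.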