L2TP/IPSec VPN: Error 791

M

moses

Hi Y'all. I'm a newbie here, so a quick "how u doin to
all?", and then down to business!
Hope it aint too long...just bare with me...
Here's the deal,
I'm testing an L2TP/IPSec router-router VPN with Win2k
advanced server. Trying to simulate a MAIN_OFFICE-
BRANCH_OFFICE kind of VPN.

My setup:
MAIN OFFICE LAN :
1. A firewall (2 Nics-one Both public IPs...no NAT)

2. A VPN-server behind the firewall.
(running Win2k adv.server, Active Directory installed,
its a Domain Controller).
Its also my root Enterprise CA
Gat a demand dial interface, and static routes, I/O
filters configured, etc.

3. A client(Win 2k proffessional), has the VPN server as
its gateway.

BRANCH OFFICE LAN:
Basically the same setup as main office, only that VPN
server is not a CA.

Have installed machine certificate on MAIN Office VPN-
server, and also installed router certificates for both
demand dial interfaces (on both servers that is), also
configured MAIN OFFICE VPN server as calling and
answering router, the branch office Server as calling
only (has no machine certificate yet).....

LANS working well, can ping each other both internally
and externally, etc...

PROBLEM: on trying to connect, "Error 791: The L2TP
connection attempt failed because security policy for the
connection was not found."

Been on this for 2 days already...goin nuts! Help guyz...
thanks alot....
Mo
 
S

Sharoon Shetty K [MSFT]

Is the client behind a NAT device? If yes, the system needs to have the
update from KB article 818043.
 
P

Priya Raghavan [MSFT]

Error 791: The L2TP connection attempt failed because security policy for
the connection was not found."

Can you check if IPSec Services is started on both machines ?
Command is: "net start policyagent"
 
J

Johannes R.

try this:

Von: "TD" <[email protected]>
Betreff: Re: L2TP + NAT-T (SOLUTION)
Datum: Dienstag, 24. August 2004 23:39

Once you get it figured out for WinXP SP1, it will stop working when
SP2 gets installed. So here's some advance info to remember for when
you do that upgrade.


The fix to this problem is discussed here
http://zdnet.com.com/2100-1105-5321783.html

Basically, Microsoft considers L2TP/IPSEC via NAT insecure. So
they've added a key and made it default to killing the functionality
of the SP1 NAT-T patch. And they don't give you any place to modify
this key value. So you have to import it by hand. And you MUST
reboot after installing this key.

Here's the regedit patch.
-------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top