VPN L2TP [Error 786: The L2TP connection failed bec...]

Post by James_pata » Mon, 20 Sep 2004 09:08:08

Hello people,

I have a Windows 2003 Server Enterprise and I would like to run a VPN server
based on L2TP technology.
This server is placed behind a USR SureConnect gateway (9106).

So these are the steps that I have taken:

-> Installed IIS

-> Installed a CA

Here I don't know what I must put in the common name and distinguished
name suffix, and I don't know if this is important for what follows...

I don't know which cryptographic provider and hashing algorithm I must choose.

I have entered nothing in the distinguished name suffix because when
I try to enter something it says the syntax is not good.

-> Requested a certificate from the browser (certsrv)

Here I have followed this path:
Request a certificate / Advanced certificate request / Create and
submit a request to this CA

Then here I have put the computer name (the client, not the Win2k3) in
the Name field (maybe I must fill in an account name and not the computer
name?)

Under type of certificate I have chosen: Client Authentication
Certificate / maybe I have to choose IPSec Certificate??

After that I have left "Create new key set" turned on:
CSP: Microsoft Enhanced Cryptographic Provider v1.0
Key usage: Both
Key size: 1024

I have checked:
Automatic key container name
Store certificate in the local computer certificate store

Request format: CMC
Hash algorithm: SHA-1

-> Issued the certificate from the CA

-> Installed the certificate (on the client computer)

The certificate was installed under the computer account.

-> Activated Routing & Remote Access

Here I have chosen VPN & NAT (because I need the NAT).
Basic firewall is on.
IP address assignment via IP range.
Enable basic name & address services is on (for the NAT).

So, now when I try to connect to this VPN with my client (Win XP) I get
this error:

Error 786: The L2TP connection failed because there is no valid machine
certificate on your computer for security authentication

But when I let the client run in auto mode it selects PPTP and then IT
WORKS, but it is not L2TP like I need :-(

So I think the "bug" is in the CA process (because I'm a real noob in
this area).

Thanks a lot for taking the time to read this post (and maybe answer it?)

Post by Steven L U » Mon, 20 Sep 2004 10:27:20

First off, L2TP will not work over regular NAT. Windows 2003 can use NAT-T, and if you
install the NAT-T upgrade on the clients then it should work if you have the proper
ports and protocols open on your firewall. L2TP requires ports 1701 and 500 UDP and
protocol 50/ESP, and also port 4500 UDP. The link below explains the need for the NAT-T
client, where to get it, and the ports and protocols used.

Windows 2003 and XP Pro computers can use preshared key [PSK] authentication, which
you may want to try, as it is great for testing out your connection before the need
for certificate authentication.

The other concern is that both the VPN server and the client need computer
certificates in their certificate store's Personal folder for computers. So use the MMC
snap-in for certificates to verify this. Then both computers need to have the issuing
CA certificate in their Trusted Root folder in the computer store. In an Active
Directory domain that should happen automatically for domain computers, but you can
verify it by looking in the Trusted Root certificate folder for the CA certificate on
both the VPN server and VPN clients. If you need a CA certificate you can log on to
the CA as an administrator, go to its computer certificate store, find the CA
certificate and export it to a .cer file that you can copy to the computer that needs
it. The .cer file contains a computer's "public key" and can be freely distributed.

Often looking in the Event Viewer of the VPN server and in the remote access logs in
the system folder\system32\logfiles can give helpful information on VPN connection
problems. You may need to enable remote access logging first on your RRAS server in
the Remote Access Management Console. Computer certificates work fine for L2TP. If
you are doing requests through Web Enrollment from an Enterprise CA in an Active
Directory domain you will need to configure your CA to issue the IPSec (Offline request)
template, which remote computers can use for L2TP. --- Steve

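The two things Steve asks the original poster to verify by hand in the MMC (a valid machine certificate with a private key in the computer's Personal store, and the issuing CA in the computer's Trusted Root store) plus the port and protocol list he gives can be checked in one script. The block below is an added example, not code from the thread or from Microsoft; it assumes the `cert:` drive of Windows PowerShell and the NetSecurity and PKI modules (`Get-NetFirewallRule`, `Get-NetFirewallPortFilter`, `Export-Certificate`), which exist on Windows 8 / Server 2012 and later, so it is a modern equivalent of the 2003/XP procedure rather than something that runs on those systems. The EKU OIDs are the standard Client Authentication and IP security IKE intermediate values; the CA subject pattern and output path in `Export-IssuingCaCertificate` are placeholders.

```powershell
# Added example (not code from the original thread). Run in an elevated
# PowerShell on the RRAS server and again on the client. Assumes the cert:
# drive (Windows PowerShell) and the NetSecurity/PKI modules (Windows 8 /
# Server 2012 and later); older systems would need certutil/netsh instead.

# EKUs acceptable for IKE machine authentication. A certificate with no EKU
# at all is also accepted by IKE.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$IpsecIkeOid   = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Get-L2tpMachineCertificate {
    # Certificates in the computer's Personal store (the store Error 786
    # complains about) that have a private key, are currently valid and
    # carry a usable EKU.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        ($_.EnhancedKeyUsageList.Count -eq 0 -or
         $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid -or
         $_.EnhancedKeyUsageList.ObjectId -contains $IpsecIkeOid)
    }
}

function Test-MachineCertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Builds the chain the way IKE will. A failed chain usually means the
    # issuing CA is not in LocalMachine\Root (or an intermediate is not in
    # LocalMachine\CA) on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Thumbprint = $Certificate.Thumbprint
        ChainValid = $built
        Status     = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

function Export-IssuingCaCertificate {
    param(
        [Parameter(Mandatory)][string]$CaSubjectPattern,   # placeholder, e.g. 'CN=MyCorp-CA*'
        [Parameter(Mandatory)][string]$Path                # placeholder, e.g. C:\temp\ca.cer
    )
    # Exports only the CA's public certificate (DER .cer, no private key),
    # which can be copied to any client and imported into LocalMachine\Root.
    $ca = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like $CaSubjectPattern } |
          Select-Object -First 1
    if (-not $ca) { throw "No CA certificate matching '$CaSubjectPattern' in LocalMachine\Root" }
    Export-Certificate -Cert $ca -FilePath $Path -Type CERT | Out-Null
    Get-Item $Path
}

function Test-L2tpFirewallRules {
    # Inbound traffic L2TP/IPsec needs on the server: IKE on UDP 500,
    # NAT-T on UDP 4500, ESP (IP protocol 50) and L2TP on UDP 1701.
    $wanted = @(
        @{ Name = 'IKE (UDP 500)';     Protocol = 'UDP'; Port = '500'  }
        @{ Name = 'NAT-T (UDP 4500)';  Protocol = 'UDP'; Port = '4500' }
        @{ Name = 'L2TP (UDP 1701)';   Protocol = 'UDP'; Port = '1701' }
        @{ Name = 'ESP (IP proto 50)'; Protocol = '50';  Port = $null  }
    )
    $filters = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
               Get-NetFirewallPortFilter
    foreach ($w in $wanted) {
        $match = $filters | Where-Object {
            $_.Protocol -eq $w.Protocol -and
            ($null -eq $w.Port -or $_.LocalPort -contains $w.Port -or $_.LocalPort -contains 'Any')
        }
        [pscustomobject]@{ Traffic = $w.Name; AllowedInbound = [bool]$match }
    }
}

# --- Run the checks ---------------------------------------------------------
$certs = @(Get-L2tpMachineCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No usable machine certificate in Cert:\LocalMachine\My (the condition behind Error 786).'
} else {
    $certs | ForEach-Object { Test-MachineCertificateChain -Certificate $_ } | Format-Table -AutoSize
}
Test-L2tpFirewallRules | Format-Table -AutoSize
```

On the client, the exported `.cer` goes into the computer's root store with `Import-Certificate -FilePath ca.cer -CertStoreLocation Cert:\LocalMachine\Root`; importing it into the current user's store, which is where a browser enrolment lands by default, does not help IKE because the L2TP machine authentication runs as the computer, not the logged-on user. Note that the firewall check only looks at the host firewall; the gateway in front of the server still has to forward UDP 500, UDP 4500 and ESP, and without NAT-T on both ends ESP will not survive the NAT at all, which is Steve's first point.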