I recently set up a VPN access for my company employees. I chose L2TP/IPSec
for the tunneling protocol and EAP-TLS for the authentication protocol for
maximum security. The VPN access works pretty well, but sometimes, when a
user tries to connect, he receives the message: "Error 792 - The L2TP
connection attempt failed because security negotiation timed out". An entry
is also written in the security event log:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
User: NT AUTHORITY\NETWORK SERVICE
IKE security association negotiation failed.
Key Exchange Mode (Main Mode)
Source IP Address 192.168.2.25
Source IP Address Mask 255.255.255.255
Destination IP Address 22.214.171.124
Destination IP Address Mask 255.255.255.255
Source Port 0
Destination Port 0
IKE Local Addr 192.168.2.25
IKE Peer Addr 126.96.36.199
Certificate based Identity.
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject CN=titus.aliantiz.org
My SHA Thumbprint 381ed26a335e9fe1a56d4f119e7bd4fdf2565986
Peer IP Address: 188.8.131.52
Negotiation timed out
So it seems that the VPN server does not send a correct computer certificate
(Peer SHA Thumbprint 0000000000000000000000000000000000000000).
If the user waits for several minutes before attempting to connect again,
then it works. The problem seems to occur only with the Windows XP VPN
client (not with the Windows Server 2003 VPN client).
The VPN server is an ISA Server 2004 server, directly connected to the
Internet (there is no server between the Internet network and the ISA
server). We use RADIUS for authentication (the ISA computer is not part of
How can I troubleshoot this error? Any help would be appreciated!
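As an added example (not part of the original post), a small Python parser for the Event ID 547 text quoted above that flags the all-zero "Peer SHA Thumbprint" the post points at, so recurring failures of this kind can be picked out of the Security log automatically. The first sample body is the event from the post; the second is constructed to show a 547 where a peer certificate was recorded.

```python
import re

ZERO_THUMBPRINT = "0" * 40

def parse_547(body: str) -> dict:
    """Extract the triage-relevant fields from an Event ID 547 description."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, body, re.M)
        return m.group(1).strip() if m else ""
    return {
        "mode": grab(r"^Key Exchange Mode \((.+?)\)"),
        "peer_addr": grab(r"^IKE Peer Addr (\S+)"),
        "peer_thumbprint": grab(r"^Peer SHA Thumbprint ([0-9a-fA-F]{40})").lower(),
        "my_thumbprint": grab(r"^My SHA Thumbprint ([0-9a-fA-F]{40})").lower(),
        # The failure reason is the last non-empty line of the description.
        "reason": body.strip().splitlines()[-1].strip(),
    }

def peer_cert_missing(event: dict) -> bool:
    # An all-zero peer thumbprint means no peer certificate was recorded
    # before the exchange gave up (the reading the post gives of its event).
    return event["peer_thumbprint"] == ZERO_THUMBPRINT

def triage(body: str) -> str:
    """One-line verdict for a 547 event, usable in a help-desk or SIEM rule."""
    e = parse_547(body)
    if peer_cert_missing(e):
        return f"{e['mode']}: no peer certificate from {e['peer_addr']} ({e['reason']})"
    return f"{e['mode']}: peer cert {e['peer_thumbprint'][:8]} from {e['peer_addr']} ({e['reason']})"

# Constructed samples: the first is the event quoted in the post, trimmed to
# the lines the parser uses; the second is made up to show the other branch.
EVENT_FROM_POST = """IKE security association negotiation failed.
Key Exchange Mode (Main Mode)
IKE Peer Addr 126.96.36.199
Certificate based Identity.
Peer SHA Thumbprint 0000000000000000000000000000000000000000
My Subject CN=titus.aliantiz.org
My SHA Thumbprint 381ed26a335e9fe1a56d4f119e7bd4fdf2565986
Negotiation timed out"""

CONSTRUCTED_EVENT = """IKE security association negotiation failed.
Key Exchange Mode (Main Mode)
IKE Peer Addr 126.96.36.199
Certificate based Identity.
Peer SHA Thumbprint ABCDEF0123456789ABCDEF0123456789ABCDEF01
My SHA Thumbprint 381ed26a335e9fe1a56d4f119e7bd4fdf2565986
Negotiation timed out"""
```

Call `triage(body)` on each 547 description pulled from the Security log; events that report "no peer certificate" together with "Negotiation timed out" are the ones matching the symptom in the post.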