Vista - Vista can't authenticate on VPN connection

Hello,

I've read up quite a bit about VPN problems with Vista, but can't seem to
find a solution to my issues. We have VPN setup to our Cisco PIX 515E
(which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
from upgrading to Vista, and I'm trying to find a workaround.

Right now, I've made changes to our PIX to allow authentication over PAP,
CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
according to the MS KB article discussing the death of MSCHAP V1, should
work).

In my VPN connection security , I've tried every combination of PAP, CHAP
and the various data encryption options, but can't get beyond the dreaded
"Error 732: Your computer and the remote computer could not agree on PPP
control protocols". I don't see anything interesting in the PIX logs or in
the Windows Vista client event logs.

User authentication is being done by an IAS server that the PIX connects to
just fine. Clients running XP, 2000 and OS X can all VPN in without any
problems at all.

Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
client?

You may want to disable PAP, CHAP and MS-CHAP v2. This post may help,

VPN works with all OS except Vista
http://www.chicagotech.net/netforums...opic.php?t=729

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Daniel Peterson" <pythas@hotmail.com> wrote in message news:2903CE86-9E79-4EBB-BA12-AD4EFA568289@microsoft.com...
Hello,

I've read up quite a bit about VPN problems with Vista, but can't seem to
find a solution to my issues. We have VPN setup to our Cisco PIX 515E
(which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
from upgrading to Vista, and I'm trying to find a workaround.

Right now, I've made changes to our PIX to allow authentication over PAP,
CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
according to the MS KB article discussing the death of MSCHAP V1, should
work).

In my VPN connection security , I've tried every combination of PAP, CHAP
and the various data encryption options, but can't get beyond the dreaded
"Error 732: Your computer and the remote computer could not agree on PPP
control protocols". I don't see anything interesting in the PIX logs or in
the Windows Vista client event logs.

User authentication is being done by an IAS server that the PIX connects to
just fine. Clients running XP, 2000 and OS X can all VPN in without any
problems at all.

Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
client?

Hello,

As I said, I've tried every combination of PAP, CHAP and data encryption.

Other than an email address to send trace logs to for debugging, I didn't see anything new in that link.

Any other suggestions?
"Robert L [MVP - Networking]" <noreply@hotmail.com> wrote in message news:eEbeMoOtHHA.4796@TK2MSFTNGP04.phx.gbl...
You may want to disable PAP, CHAP and MS-CHAP v2. This post may help,

VPN works with all OS except Vista
http://www.chicagotech.net/netforums...opic.php?t=729

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Daniel Peterson" <pythas@hotmail.com> wrote in message news:2903CE86-9E79-4EBB-BA12-AD4EFA568289@microsoft.com...
Hello,

I've read up quite a bit about VPN problems with Vista, but can't seem to
find a solution to my issues. We have VPN setup to our Cisco PIX 515E
(which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
from upgrading to Vista, and I'm trying to find a workaround.

Right now, I've made changes to our PIX to allow authentication over PAP,
CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
according to the MS KB article discussing the death of MSCHAP V1, should
work).

In my VPN connection security , I've tried every combination of PAP, CHAP
and the various data encryption options, but can't get beyond the dreaded
"Error 732: Your computer and the remote computer could not agree on PPP
control protocols". I don't see anything interesting in the PIX logs or in
the Windows Vista client event logs.

User authentication is being done by an IAS server that the PIX connects to
just fine. Clients running XP, 2000 and OS X can all VPN in without any
problems at all.

Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
client?

Hi Daniel
Both PAP and CHAP do not support encryption. In order to use them you
would have to turn off 128-bit encryption on the server.

thanks
Aanand

"Daniel Peterson" <pythas@hotmail.com> wrote in message
news:2903CE86-9E79-4EBB-BA12-AD4EFA568289@microsoft.com...
> Hello,
>
> I've read up quite a bit about VPN problems with Vista, but can't seem to
> find a solution to my issues. We have VPN setup to our Cisco PIX 515E
> (which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
> enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
> from upgrading to Vista, and I'm trying to find a workaround.
>
> Right now, I've made changes to our PIX to allow authentication over PAP,
> CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
> according to the MS KB article discussing the death of MSCHAP V1, should
> work).
>
> In my VPN connection security , I've tried every combination of PAP, CHAP
> and the various data encryption options, but can't get beyond the dreaded
> "Error 732: Your computer and the remote computer could not agree on PPP
> control protocols". I don't see anything interesting in the PIX logs or
> in the Windows Vista client event logs.
>
> User authentication is being done by an IAS server that the PIX connects
> to just fine. Clients running XP, 2000 and OS X can all VPN in without
> any problems at all.
>
> Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
> client?

Hello,

Thank you, that's what I was starting to wonder.

Well, that pretty much kills that solution.

THANKS MICROSOFT FOR DEPRECATING MSCHAP V1.

"Aanand Ramachandran" <aanandr@microsoft.com> wrote in message
news:467eaac0$1@news.microsoft.com...
> Hi Daniel
> Both PAP and CHAP do not support encryption. In order to use them you
> would have to turn off 128-bit encryption on the server.
>
> thanks
> Aanand
>
> "Daniel Peterson" <pythas@hotmail.com> wrote in message
> news:2903CE86-9E79-4EBB-BA12-AD4EFA568289@microsoft.com...
>> Hello,
>>
>> I've read up quite a bit about VPN problems with Vista, but can't seem to
>> find a solution to my issues. We have VPN setup to our Cisco PIX 515E
>> (which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
>> enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
>> from upgrading to Vista, and I'm trying to find a workaround.
>>
>> Right now, I've made changes to our PIX to allow authentication over PAP,
>> CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
>> according to the MS KB article discussing the death of MSCHAP V1, should
>> work).
>>
>> In my VPN connection security , I've tried every combination of PAP, CHAP
>> and the various data encryption options, but can't get beyond the dreaded
>> "Error 732: Your computer and the remote computer could not agree on PPP
>> control protocols". I don't see anything interesting in the PIX logs or
>> in the Windows Vista client event logs.
>>
>> User authentication is being done by an IAS server that the PIX connects
>> to just fine. Clients running XP, 2000 and OS X can all VPN in without
>> any problems at all.
>>
>> Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
>> client?
>

I have been able to connect to one of our clients Cisco PIX firewalls with the Vista VPN client. Im not sure what version they are running but here is how I made it happen.

After setting up the connection go into Properties

Go to the Options tab and click the PPP Settings button

Make sure all of these check boxes are NOT selected

hit ok.

While on the Options tab make sure that the Include Windows logon domain check box is NOT selected

Next go to the Security Tab

select the Advanced (custom settings) radio button

Then click the settings button

in the Advanced security settings form select Optional Encryption from the Data Encryption drop down

select the Allow these protocols radio button and make sure that only Challenge Handshake Authentication Protocol(CHAP) is selected

hit ok.

Now head over to the Networking tab

on the networking tab select L2TP IPsec VPN from the Type of VPN dropdown

click the IPsec Settings button

make sure that the Use certificate for authentication radio button is selected and the check box underneath it is checked

hit ok

Back on the Networking tab I disabled all protocols except for TCP/IPv4 , Im not sure that this is necessary but I didn't want any silly protocols getting in the way.

after that hit ok and try to connect

Im not sure if all of these changes were necessary but this is the only way I have been able to get a connection to a PIX firewall from vista. Maybe next time Microsoft will consider the rest of the industry when they decide to start dropping protocols (prolly not). I wonder what kind of firewall Bill uses?!?