VPN connection fails with "795 - tunnel type being used is not allowed"

    Question

  • I'm getting this error, "Error 795: The remote connection request was denied because the VPN tunnel type being used is not allowed" when I try to connect to a newly created connection on Server 2008 Foundation. 

    I've tried about half a dozen times to recreate the RRAS, but it makes no difference. I only have one network card in the machine; I've read that that's OK, but it means that I can't use the wizard. The server is behind a basic ADSL router, which is also the DHCP server. This router (Bipac 7800N) has some VPN settings, but they are all disabled. I am certainly connecting to the server, and I have ports 500, 1701, 1723 and 4500 open and pointing to the server.

    I've got IPv4 enabled as a LAN and Demand Dial router, and also as remote access server, Windows Authentication with EAP and MS_CHAP_v2. I've enabled IPv4 forwarding, using DHCP address assignment. Under "Ports", I've got IKEv2, L2TP, PPTP and SSTP as Used By RAS for 50 ports (though there's only two users on the server). 

    My user account has Network Access allowed for Dial-In, and I can connect using RDP. 

    I can't connect from anything, even another PC on the same LAN (7 Pro), or even from the server itself. iPhone, work PC (7 Enterprise), or laptop (8.1 Pro) all fail. 

    Any ideas, anyone? Thanks!

    Friday, October 25, 2013 2:22 PM

Answers

All replies

  • Hi,

    According to your description, the issue is due to the VPN tunnel protocol mismatched. Sorry to say that I am still a little confused about your VPN tunnel protocol configured on the RRAS server.

    If you are interested in PPTP, please make sure TCP port 1723 and IP protocol ID 47 (GRE), which are required for the PPTP tunnel protocol, are not blocked. (Note: protocol IDs are not port numbers. You need to refer to your firewall/router documentation to open these.)

    If you want to use L2TP, make sure UDP port 1701 is opened between the server and client, and that the correct pre-shared key or machine certificate is present on both client and server.

    If you are interested in an IKEv2-based VPN tunnel, please make sure UDP port 500 and UDP port 4500 are not blocked and that the correct machine certificate for IKE is present on both client and server.

    If you want to use SSTP, please make sure the correct machine certificate is installed on the server and the correct trusted root certificate is installed on the client machine.

    Best regards,

    Susie

    Tuesday, October 29, 2013 5:24 AM
    Moderator
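    As an added example (not part of the thread), a PowerShell 2.0-compatible client-side check that maps each tunnel type in the reply above to what a plain TCP connect can and cannot verify; the server name is a placeholder, and TCP 443 for SSTP is general knowledge rather than something stated in the thread.

    ```powershell
    # Added example, not from the thread. Works on PowerShell 2.0 (Server 2008 / Windows 7),
    # so it avoids Test-NetConnection and uses System.Net.Sockets.TcpClient directly.

    function Test-TcpPort {
        param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Server, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
            $client.EndConnect($async)
            return $true
        } catch {
            return $false
        } finally {
            $client.Close()
        }
    }

    # What each RRAS tunnel type needs in order to reach the server (per the reply above;
    # TCP 443 for SSTP is not from the thread). Only TCP can be probed with a connect;
    # UDP ports and GRE (IP protocol 47) have to be confirmed on the router/firewall.
    $TunnelRequirements = @(
        @{ Type = 'PPTP';  Tcp = @(1723); Udp = @();         Other = 'IP protocol 47 (GRE) must be forwarded' },
        @{ Type = 'L2TP';  Tcp = @();     Udp = @(1701);     Other = 'pre-shared key or machine certificate on both ends' },
        @{ Type = 'IKEv2'; Tcp = @();     Udp = @(500,4500); Other = 'machine certificate for IKE on both ends' },
        @{ Type = 'SSTP';  Tcp = @(443);  Udp = @();         Other = 'server certificate; its root CA trusted by the client' }
    )

    function Test-VpnReachability {
        param([string]$Server)   # placeholder: the public name/IP the router forwards to RRAS
        foreach ($req in $TunnelRequirements) {
            foreach ($port in $req.Tcp) {
                $ok = Test-TcpPort -Server $Server -Port $port
                "{0,-6} TCP {1,-5} reachable: {2}" -f $req.Type, $port, $ok
            }
            foreach ($port in $req.Udp) {
                "{0,-6} UDP {1,-5} cannot be verified by a TCP connect; check the router forward" -f $req.Type, $port
            }
            "{0,-6} also needs: {1}" -f $req.Type, $req.Other
        }
    }

    Test-VpnReachability -Server 'vpn.example.invalid'
    ```

    A reachable TCP 1723 together with error 795 or 812 on connect points at RRAS/NPS policy or authentication on the server rather than the router; an unreachable port points at the port forward or firewall.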
  • Hi Susie, and thanks for your response. I'm still working on this and have limited progress. The firewall settings on the server are "presets" and I can't change them, but they seem to be doing all you state. I've enabled "GRE" on my router, but that hasn't made much appreciable difference, so I'm working through each type in turn, and PPTP now either tells me my username/password is incorrect, or that I need to change some network settings.

    The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.

    Is it necessary to enable configurations using NPS? I've added and removed most options to no avail.

    Wednesday, October 30, 2013 11:19 AM
  • Hi,

    Sorry for replying so late.

    According to your description, the error message you received is related to error code 812. It may be because the authentication protocol is set via NPS. You can configure a more secure authentication protocol like MS-CHAPv2 or EAP-based authentication on the server to match the settings on the client side and see if the issue persists.

    For more detailed information, please refer to the link below:

    Troubleshooting common VPN related errors

    http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx

    Best regards,

    Susie

    Tuesday, November 05, 2013 8:15 AM
    Moderator
  • For those that arrived here expecting an answer, I'm not sure! There isn't any useful help anywhere for a simple "make it work on an out-of-the-box server", so I ended up checking and unchecking every check box to see if it worked. It never did, and then suddenly it did. So here's what I did after this post:

    First I uninstalled/disabled NPS, and removed all of the conditions. I disabled all of the VPN configuration on my router, leaving just the port forwarding to the server for the relevant ports (as detailed above). I removed the "automatic" option from the client's VPN connector, and started with PPTP, making sure everything was matching on both sides, but it always was. Although I always had MS-CHAPv2 enabled everywhere, it never worked.

    The magic bullet was enabling IP addresses to be assigned from a static address pool, and not by DHCP. I also have the DHCP relay agent enabled, pointing to my router (the DHCP server). I got to this setting by right-clicking on the Routing and Remote Access node in Server Manager, clicking Properties, and choosing the IPv4 tab.

    If I try to connect with anything other than PPTP I still get errors, but this one works.

    If I try to get it to work with any other protocol, I still get errors.

    Thursday, November 07, 2013 8:11 PM
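    The fix the last post describes, expressed through the RRAS netsh context as an added example (these are not the poster's own commands); the address range and router address are constructed placeholders for the poster's LAN, and the `netsh routing ip relay` line is assumed to be the command-line equivalent of the DHCP Relay Agent setting made in the console.

    ```powershell
    # Added example, not from the thread. Run in an elevated prompt on the RRAS server.
    # Mirrors the steps in the final post: static address pool instead of DHCP assignment,
    # DHCP relay agent pointing at the router, MS-CHAPv2 accepted, then a readback of the state.

    # 1. Assign VPN client addresses from a static pool (the "magic bullet" in the post).
    #    The range is a constructed placeholder: pick addresses outside the router's DHCP scope
    #    so pool clients can never collide with leases the router hands out.
    netsh ras ip set addrassign method=pool
    netsh ras ip add range from=192.168.1.200 to=192.168.1.220

    # 2. DHCP relay agent forwarding to the router, which is the LAN's DHCP server.
    #    Router address is a placeholder; this relay command is assumed to match the
    #    console setting the post describes.
    netsh routing ip relay add dhcpserver 192.168.1.1

    # 3. Make sure MS-CHAPv2 is among the accepted authentication types. The 812 message
    #    quoted in the thread is what the client sees when the server's accepted methods
    #    and the connection profile's method do not line up.
    netsh ras add authtype type=MSCHAPv2

    # 4. Read back what RRAS believes, so the change is verified rather than assumed.
    netsh ras ip show config      # address assignment method and pool ranges
    netsh ras show authtype       # authentication types the server will accept
    netsh ras show portstatus     # PPTP/L2TP/SSTP/IKEv2 ports and their state
    ```

    Keep the readback output from before and after the change; with a single-NIC server the IPv4 settings are where the thread's fix lives, and the port status shows whether the tunnel type being requested is actually enabled on the server.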