How to establish VPN authentication protocol

    Question

  • Server 2012R2 Std (Hyper-V)

    I installed the VPN role only on a single NIC. I also forwarded the inbound protocols from the router to this host.

    When I attempt to access the VPN from the hotel I am staying at, I get the below:

    The logon & PW is correct on the Win10 Pro system and the AD account has dial-in access allowed. How do I set up the protocol?


    John Lenz

    Monday, April 23, 2018 3:31 PM

All replies

  • Hi,

    Have a nice day! Thanks for your question.

    To have a better understanding about this issue, please help me to collect more information:

    1) What's the configuration of PAT (Port Address Translation) for the VPN server on your router?

    2) Please check if there is any ACL set up on the router to block this PAT traffic.

    3) For testing purposes, please turn off the Windows firewall and other third-party anti-virus software on the VPN server.

    4) Check if there is a Windows NPS (Network Policy Service) server configured on your AD domain, and check its connection policy and network policy for restrictions on the VPN connection.

    5) Please check whether a GPO on your AD domain is configured to restrict the VPN connection.

    6) Is the error code 691 when the VPN connection is attempted? Was a previous VPN connection successful?

    7) Which protocol did you configure for the VPN connection and authentication?

    8) Please check which authentication method is configured on RRAS MMC > VPN server > Properties > Security Tab, as in the following figure.


    Based on the specific situation, this issue may be caused by the fact that L2TP/IPsec VPN connections to a Windows RAS Server fail when using the MS-CHAPv2 authentication method. The end VPN user would typically receive this error message: "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."


    Tests you can perform to confirm this is the issue include:

    1. Test a clear-text method such as PAP. As the password is not hashed, authentication should succeed.

    2. You can also test MS-CHAPv2 using credentials configured locally on the RAS server. Because there is no request sent to the DC in this scenario, authentication should succeed.

    For more information, please refer to the following link:

    https://support.microsoft.com/en-us/help/2811487/lt2p-ipsec-ras-vpn-connections-fail-when-using-ms-chapv2

    Hope the above information can help you.

    I highly appreciate your effort and time. If you have any questions or concerns, please feel free to let me know.

    Best regards, 

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Tuesday, April 24, 2018 3:08 AM
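    An added example, not from this thread or from Microsoft: a PowerShell audit that reads the settings Michael's checklist asks about (items 3 and 8, plus the LmCompatibilityLevel value the linked KB article discusses) from the RRAS server, so the state can be recorded instead of changed blindly. It assumes the RemoteAccess module and its Get-VpnAuthProtocol cmdlet (with a UserAuthProtocolAccepted property) are available on Server 2012 R2 with the VPN role, and that LmCompatibilityLevel lives under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example (not from the thread): audit the RRAS/VPN server settings
# behind Michael's checklist. Run on the VPN server as an administrator.
# Assumes the RemoteAccess module (VPN role on Server 2012 R2) is installed.
Import-Module RemoteAccess -ErrorAction Stop

function Test-RrasAuthConfig {
    $findings = @()

    # Checklist item 8: which user authentication methods RRAS accepts.
    # Assumed property name: UserAuthProtocolAccepted (string array).
    $auth     = Get-VpnAuthProtocol
    $accepted = @($auth.UserAuthProtocolAccepted)
    $findings += "Accepted user auth protocols: $($accepted -join ', ')"

    if ($accepted -contains 'PAP') {
        # PAP carries the password in clear text; fine for the one-off test
        # in the thread, but it must not remain enabled afterwards.
        $findings += 'WARNING: PAP is enabled; disable it once testing is done.'
    }
    if ($accepted -contains 'MSChapv2' -and $accepted.Count -eq 1) {
        $findings += 'MS-CHAPv2 is the only method; if L2TP/IPsec logons fail with error 691, see KB2811487.'
    }

    # Value discussed in the linked KB article: LmCompatibilityLevel on this host.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lvl = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $lvl) {
        $findings += 'LmCompatibilityLevel is not set; the OS default applies.'
    } else {
        $findings += "LmCompatibilityLevel = $lvl"
    }

    # Checklist item 3: record the firewall state rather than turning it off.
    foreach ($p in Get-NetFirewallProfile) {
        $findings += "Firewall profile $($p.Name): Enabled=$($p.Enabled)"
    }

    return $findings
}

Test-RrasAuthConfig | ForEach-Object { Write-Output $_ }
```

    Run it once before and once after any change so the before/after state of the authentication settings is on record alongside the router port-forwarding screenshot.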
  • Hi,

    How are things going on? Was your issue resolved?

    Please let me know if you would like further assistance.

    Best regards,

    Michael



    Thursday, April 26, 2018 12:37 PM
  • Please give me one more week. I am at a client for the last week before GoLive of an ERP system. Back in office after that.

    John Lenz

    Sunday, April 29, 2018 6:15 PM
  • Hi John,

    I'll follow up and stand by with you. I look forward to hearing your good news.

    Thanks for your update and support. 

    Best regards,

    Michael




    Monday, April 30, 2018 9:01 AM
  • Hi John,

    How are things going on? Was your issue resolved?

    Please let me know if you would like further assistance.

    Best regards,

    Michael



    Sunday, May 06, 2018 10:31 AM
  • Hi,
    Could the above reply be of help? If yes, you may mark it as the answer; if not, feel free to feed back.


    Best Regards,
    Michael




    Tuesday, May 08, 2018 2:52 PM
  • Just finished Client ERP GoLive but now off to hospital for surgery (not interconnected). Will be back in a week.

    John Lenz

    Wednesday, May 09, 2018 6:27 PM
  • Hi John,

    Never mind. Your health is the most important point. 

    Hope you'll be well soon. 

    Best regards,

    Michael



    Thursday, May 10, 2018 2:02 AM
  • Back from hospital and recuperating. Light duty for a few weeks gives me time to clean up these issues.

    I made the changes above and am going to my oldest granddaughter's high school graduation this weekend. I will test the VPN from that end and get back to you next week.

    Thanks for your help.


    John Lenz

    Friday, May 18, 2018 3:25 PM
    OK, I set both server and client to the above "allow protocols". Still get denied. Since I am in authentication, I presume all the appropriate ports are sent to the RAS server (if you would like to see, I'll send a picture of the router port forwarding).

    I did not check your link before the test. Looking now, I do not see LmCompatibilityLevel in the DC registry. I am at Server 2012 R2.

    I will add the registry entry on the RAS server as indicated in the link and try again.

    What really frustrates me is that in the mid 80's I used a USRobotics 56KB dial-up modem which had a feature that if you dialed in and gave a code, you were connected to the internal network. Can do it with primitive but not current.

    All I want is to gain remote access to the server folders when traveling.

    Is there anything else I should be trying?

    Thanks


    John Lenz

    Monday, May 21, 2018 6:31 PM
  • Hi,

    Thanks for your detailed reply.

    Was the error message for the denied connection the same as last time? If possible, please send me a screenshot of it, at your convenience, together with a picture of the router port forwarding configuration.

    Your continued effort and time are very much appreciated. If you have any questions or concerns, please feel free to let me know.

    Have a nice day!

    Best regards,

    Michael




    Tuesday, May 22, 2018 8:54 AM
  • Error message is the same as above.

    Here is my server IP addressing: 192.168.16.x

    .3 - Hyper-V host ; file/print store

    .4 - DC, DNS, DHCP

    .6 - SharePoint

    .8 - Exchange

    .9 - SQL Server

    .10 - VPN server

    .11 - Certificate server

    Below is my router port forwarding:

    Also here is the Remote Access Management Console screen shot:

    Thanks for your help.

    BTW, I use the Microsoft Firewall on all servers. Does anything have to be there?


    John Lenz

    Tuesday, May 22, 2018 7:51 PM
  • Any update? Enjoy the weekend holiday

    John Lenz

    Saturday, May 26, 2018 5:41 PM