VPN on Vista

    Question

  • I have Vista workstations trying to access our office VPN from on-site jobs.  But despite every setting checking out, we still keep getting error 732 with a PPP conflict.  What in the world would be causing this?
    Sunday, February 04, 2007 7:34 AM

Answers

  • Hi,

    In Windows Vista, Microsoft has removed MS-CHAP v1 from the list of authentication protocols for dial-up connections, for broadband (PPPoE) connections, and for virtual private network (VPN) connections. This change has been made because MS-CHAP version 2 (MS-CHAP v2) provides better security than the following protocols do:

      • MS-CHAP v1
      • The Challenge Handshake Authentication Protocol (CHAP)
        Note: CHAP provides an equivalent level of security to MS-CHAP.
      • The Password Authentication Protocol (PAP)
        Note: PAP is less secure than MS-CHAP.

    Microsoft Windows 2000 and later operating systems support MS-CHAP v2, CHAP and PAP. By default, both CHAP and MS-CHAP v2 are enabled for dial-up and PPPoE connections in Windows Vista.

    If you used the Set up a connection or network wizard in Windows Vista to create a network connection, you can use the Network Sharing Center to enable or disable PAP, CHAP and MS-CHAP v2. To do this, follow these steps:
    1. Open the Network Sharing Center. To do this, click Start, type network sharing center in the Start Search box, and then click Network Sharing Center in the Programs list.
    2. Click Manage network connections.
    3. In the Network Connections window, right-click the name of the connection that you want to change, and then click Properties.
    4. In the User Account Control dialog box, click Continue.
    5. In the Connection Properties dialog box, click to select the Security tab, click Advanced (Custom Settings), and then click Settings.
    6. In the Advanced Security Settings dialog box, click to either enable or disable the options for PAP, CHAP and MS-CHAP v2, and then click OK.

    Ref: http://support.microsoft.com/kb/926170/en-us
    Wednesday, February 07, 2007 8:01 AM
  • To summarize, we have only two options now:

    1. Wait for MS to add back support for MS-CHAP v1 to Vista. (But I think there is less chance of that.)

    2. Update to the latest Cisco IOS or change the firewall to a model which supports MS-CHAP v2.

    Wednesday, March 28, 2007 12:07 PM

All replies

  • Hi,

    Error 732: The PPP negotiation is not converging.

    Cause:

    1. The negotiation of PPP parameters did not succeed because the local and remote computers could not agree on a common set of parameters.

    2. This error may be caused by an improper Authentication and encryption setting in the Dial-Up Networking connection.

    Resolution:

    1. Make sure you have a good connection.

    2. Check both server and client Authentication and encryption settings and make sure both have the same settings.

    Sunday, February 04, 2007 1:53 PM
  • I've had a good connection every time.  I also even sat down with our network admin to double and triple check that the parameters for the workstation matched the VPN.
    Sunday, February 04, 2007 3:14 PM
  • Hi, did the problem exist in WinXP when you used XP to connect from the same location?

    Also, any error code in the event viewer?

    Sunday, February 04, 2007 4:21 PM
  • no...I connected the exact same way in XP...I didn't start having this problem until using Vista...in the event viewer, it keeps on saying code 732 on the errors for that operation...however, after my code 732, then there are 2-3 sets of establishing the connection then the connection being refused
    Sunday, February 04, 2007 8:55 PM
  • What is that VPN server? Did you check with the vendor that it supports Vista clients?
    Monday, February 05, 2007 3:15 PM
  • apparently this looks like it's going to be one of those pitfalls with Vista not supporting the MS-CHAPv1 protocol...because upon further research, that appears to be the issue
    Tuesday, February 06, 2007 9:22 PM
  • is there a way in Vista to access a VPN on MS-CHAPv1???
    Tuesday, February 06, 2007 9:23 PM
  • Yes, I too have been bitten by this issue.  We use a Cisco PIX firewall (one of the most common firewalls on the planet) as a VPN endpoint.  The PIX supports PAP, CHAP, and MS-CHAP v1.  We have successfully used Windows 2000 and Windows XP machines with the built-in PPTP client to connect to the PIX for four years.  After doing testing with Windows Vista we discovered that MS-CHAP v1 support had been removed from Vista; therefore, we have decided to stick with Windows XP.  Yes, it is true that we could change the PIX configuration to allow PAP or CHAP but that would have two very negative consequences:

    1. Passwords would be sent in clear text.
    2. The VPN tunnel would not be encrypted.

    While MS-CHAP v1 might not be as good as MS-CHAP v2, at least it supports encryption, which is far better than using PAP or CHAP (which are still supported by Vista).  If they were going to deprecate one of the protocols, why not PAP, since it is the least secure of all?  Rather than deprecating the least secure of the four authentication protocols, they deprecated the second most secure one.  Not good news for the millions of folks using Cisco PIX firewalls.

    Wednesday, February 28, 2007 3:10 PM
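
Added example, not part of any post in this thread: a simplified Python model of the PPP LCP Authentication-Protocol (option 3) negotiation that error 732 reports as "not converging", showing which client and server protocol sets agree and whether the agreed protocol can supply MPPE encryption keys. The function names and the `PIX`, `VISTA` and `XP` sets are assumptions constructed from what the posts above state; the option values are those defined in RFC 1661, 1994, 2433 and 2759.

```python
import struct

# LCP option 3 (Authentication-Protocol) values: RFC 1661, 1994, 2433, 2759.
AUTH = {
    "PAP": b"\xc0\x23",
    "CHAP": b"\xc2\x23\x05",        # CHAP with MD5
    "MS-CHAP v1": b"\xc2\x23\x80",
    "MS-CHAP v2": b"\xc2\x23\x81",
}
NAMES = {v: k for k, v in AUTH.items()}
# MPPE session keys are derived from the MS-CHAP exchange, so PAP/CHAP give none.
MPPE_CAPABLE = {"MS-CHAP v1", "MS-CHAP v2"}

def build_request(ident, auth_name):
    """Build an LCP Configure-Request carrying MRU and Authentication-Protocol."""
    mru = bytes([1, 4]) + struct.pack("!H", 1400)
    auth = bytes([3, 2 + len(AUTH[auth_name])]) + AUTH[auth_name]
    body = mru + auth
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def parse_auth_option(packet):
    """Return the auth protocol named in a Configure-Request, or None if absent."""
    if len(packet) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length > len(packet):
        raise ValueError("not a well-formed Configure-Request")
    pos = 4
    while pos + 2 <= length:
        opt_type, opt_len = packet[pos], packet[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("malformed LCP option")
        if opt_type == 3:
            return NAMES.get(packet[pos + 2:pos + opt_len], "unknown")
        pos += opt_len
    return None

def negotiate(server_offers, client_accepts):
    """Simplified model: server requests each protocol in turn, client Naks the rest."""
    for ident, name in enumerate(server_offers, start=1):
        requested = parse_auth_option(build_request(ident, name))
        if requested in client_accepts:
            return {"auth": requested, "mppe": requested in MPPE_CAPABLE}
    return {"auth": None, "mppe": False}  # never converges: the error 732 case

# Constructed sets, taken from what the posts above state.
PIX = ["MS-CHAP v1", "CHAP", "PAP"]
VISTA = {"CHAP", "MS-CHAP v2"}
XP = {"PAP", "CHAP", "MS-CHAP v1", "MS-CHAP v2"}
```

A server that only offers MS-CHAP v1 never converges with the Vista set, while `negotiate(PIX, VISTA)` settles on CHAP with `mppe` false, which is the unencrypted fallback.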
  • I'm thinking about whether Cisco can release support for MS-CHAP v2.
    Friday, March 02, 2007 1:58 AM
  • Cisco has released support for MS-CHAP v2. Version 7 of their OS supports it. However, I can't update my Pix 506 to V7... Microsoft should be the one to release a fix for this... NOT CISCO.... I will not upgrade my users to VISTA UNTIL MICROSOFT HAS RESOLVED THIS PROBLEM
    Friday, March 02, 2007 6:54 AM
  • I think it's by design.
    Saturday, March 03, 2007 8:55 AM
  • I agree with Rasoghall. Microsoft have "designed" this problem but expect Cisco to resolve it with a PIX Software update.

    I am sure that most organisations would rather see an update or patch for Vista instead of having to totally update all their firewalls.

    We purchased a laptop with Vista last week and can't get it working with the VPN solution in operation for all our other employees. We certainly won't be investing in any more Vista machines or licenses for a while after this!

    Friday, March 16, 2007 3:57 PM
  • THIS SUCKS!  MICROSOFT NEEDS TO FIX THE PROBLEM THEY CREATED OR I WANT XP FOR THIS COMPUTER I PURCHASED WITH VISTA ALREADY INSTALLED AND THE $300 OR SO DOLLARS AN UPGRADE FROM XP TO VISTA WOULD COST.  TOO MUCH IN-BREEDING WITH ALL THOSE PROGRAMMERS AT MICROSOFT.  NEW SETTING FOR DELIVERANCE 2 !  WHAT IS MICROSOFT DOING ABOUT THIS AND THE ANSWER NEEDS TO BE BETTER THAN NOTHING.  I WILL INITIATE A CLASS ACTION SUIT FOR NON SUPPORT OF A SUPPOSEDLY NEW PRODUCT THAT DOESN'T WORK.  MAYBE APPLE DOES HAVE A BETTER IDEA.

    Saturday, October 20, 2007 4:36 AM
  • This is outrageous. Microsoft should have fixed this issue with a hot fix the moment somebody noticed. I just bought myself a new laptop with Vista that I planned to use to access my work computer. The fact that I will not be able to connect to my workplace using Vista is almost enough reason to return it to the shop (or at least to install an OS that works on it (Linux?)). Is MS at the very least planning to fix this for SP1 or are they really against workplaces using Vista?

    Monday, December 17, 2007 10:14 PM
  • Had the same 732 error as above. We have been using the built-in Windows XP VPN client to connect to our Cisco PIX 506e for years. We got our first Vista laptop a few weeks ago and tried to VPN in...no dice. Tried every setting (PAP, CHAP, MSCHAP) and scoured the internet for a solution. Finally paid the $259 and contacted Microsoft support. After four hours of trying every setting, scouring the internet, and consulting with his mentor, the MS tech said I would have to upgrade my PIX IOS to version 7 because it supports MSCHAP version 2. I went to the Cisco site to download IOS 7 and learned that the PIX 506e does not support IOS 7 (Cisco site: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q1). So to sum it up...if you have a PIX 506e and try to connect with VPN using Vista you're out of luck.

    Friday, December 28, 2007 3:30 PM
  • Mordrid, don't use the PIX to VPN into your network - do what I do, bypass the PIX and port forward 1723 so you can use your server as VPN - this way VPN accounts are integrated into your Directory Service ... one user and password for getting into the system ... and you can enable or disable users' VPN capability from "dial-in" - VPN tab...

    Friday, December 28, 2007 6:32 PM
  • Vista business

    Cisco VPN client 5.0.01.0600

    Had same issue talking to PIX 501 until I added UseLegacyIKEPort=1 to each profile.

    Monday, January 21, 2008 3:35 PM
  • Has anyone else tested this?

    I'll run my own tests on my 605e sometime tonight.

    I downloaded the latest vpn client for vista and will be modifying the pcf on my vista ultimate machine.

    Here is an old KB that discusses the modification in better detail.

    http://support.microsoft.com/kb/928310

    Thursday, February 21, 2008 5:43 PM