Vista can't authenticate on VPN connection

Hello,

I've read up quite a bit about VPN problems with Vista, but can't seem to
find a solution to my issues. We have VPN setup to our Cisco PIX 515E
(which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
from upgrading to Vista, and I'm trying to find a workaround.

Right now, I've made changes to our PIX to allow authentication over PAP,
CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
according to the MS KB article discussing the death of MSCHAP V1, should
work).

In my VPN connection security , I've tried every combination of PAP, CHAP
and the various data encryption options, but can't get beyond the dreaded
"Error 732: Your computer and the remote computer could not agree on PPP
control protocols". I don't see anything interesting in the PIX logs or in
the Windows Vista client event logs.

User authentication is being done by an IAS server that the PIX connects to
just fine. Clients running XP, 2000 and OS X can all VPN in without any
problems at all.

Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
client?

You may want to disable PAP, CHAP and MS-CHAP v2. This post may help,

VPN works with all OS except Vista
http://www.chicagotech.net/netforums...opic.php?t=729

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Daniel Peterson" <pythas@hotmail.com> wrote in message news:2903CE86-9E79-4EBB-BA12-AD4EFA568289@microsoft.com...
Hello,

I've read up quite a bit about VPN problems with Vista, but can't seem to
find a solution to my issues. We have VPN setup to our Cisco PIX 515E
(which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
from upgrading to Vista, and I'm trying to find a workaround.

Right now, I've made changes to our PIX to allow authentication over PAP,
CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
according to the MS KB article discussing the death of MSCHAP V1, should
work).

In my VPN connection security , I've tried every combination of PAP, CHAP
and the various data encryption options, but can't get beyond the dreaded
"Error 732: Your computer and the remote computer could not agree on PPP
control protocols". I don't see anything interesting in the PIX logs or in
the Windows Vista client event logs.

User authentication is being done by an IAS server that the PIX connects to
just fine. Clients running XP, 2000 and OS X can all VPN in without any
problems at all.

Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
client?

Hello,

As I said, I've tried every combination of PAP, CHAP and data encryption.

Other than an email address to send trace logs to for debugging, I didn't see anything new in that link.

Any other suggestions?
"Robert L [MVP - Networking]" <noreply@hotmail.com> wrote in message news:eEbeMoOtHHA.4796@TK2MSFTNGP04.phx.gbl...
You may want to disable PAP, CHAP and MS-CHAP v2. This post may help,

VPN works with all OS except Vista
http://www.chicagotech.net/netforums...opic.php?t=729

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"Daniel Peterson" <pythas@hotmail.com> wrote in message news:2903CE86-9E79-4EBB-BA12-AD4EFA568289@microsoft.com...
Hello,

I've read up quite a bit about VPN problems with Vista, but can't seem to
find a solution to my issues. We have VPN setup to our Cisco PIX 515E
(which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
from upgrading to Vista, and I'm trying to find a workaround.

Right now, I've made changes to our PIX to allow authentication over PAP,
CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
according to the MS KB article discussing the death of MSCHAP V1, should
work).

In my VPN connection security , I've tried every combination of PAP, CHAP
and the various data encryption options, but can't get beyond the dreaded
"Error 732: Your computer and the remote computer could not agree on PPP
control protocols". I don't see anything interesting in the PIX logs or in
the Windows Vista client event logs.

User authentication is being done by an IAS server that the PIX connects to
just fine. Clients running XP, 2000 and OS X can all VPN in without any
problems at all.

Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
client?

Hi Daniel
Both PAP and CHAP do not support encryption. In order to use them you
would have to turn off 128-bit encryption on the server.

thanks
Aanand

"Daniel Peterson" <pythas@hotmail.com> wrote in message
news:2903CE86-9E79-4EBB-BA12-AD4EFA568289@microsoft.com...

Quote:

> Hello,
>
> I've read up quite a bit about VPN problems with Vista, but can't seem to
> find a solution to my issues. We have VPN setup to our Cisco PIX 515E
> (which doesn't support MS-CHAP V2). Of course, since Microsoft was nice
> enough to remove MS-CHAP V1 in Vista, this now prevents any of our users
> from upgrading to Vista, and I'm trying to find a workaround.
>
> Right now, I've made changes to our PIX to allow authentication over PAP,
> CHAP or MSCHAPV1. The PIX has always required 128bit encryption. (This
> according to the MS KB article discussing the death of MSCHAP V1, should
> work).
>
> In my VPN connection security , I've tried every combination of PAP, CHAP
> and the various data encryption options, but can't get beyond the dreaded
> "Error 732: Your computer and the remote computer could not agree on PPP
> control protocols". I don't see anything interesting in the PIX logs or
> in the Windows Vista client event logs.
>
> User authentication is being done by an IAS server that the PIX connects
> to just fine. Clients running XP, 2000 and OS X can all VPN in without
> any problems at all.
>
> Has ANYONE gotten Vista <---> PIX VPN working at all with the Vista VPN
> client?

Hello,

Thank you, that's what I was starting to wonder.

Well, that pretty much kills that solution.

THANKS MICROSOFT FOR DEPRECATING MSCHAP V1.

"Aanand Ramachandran" <aanandr@microsoft.com> wrote in message
news:467eaac0$1@news.microsoft.com...

Quote:

> Hi Daniel
> Both PAP and CHAP do not support encryption. In order to use them you
> would have to turn off 128-bit encryption on the server.
>
> thanks
> Aanand
>
> "Daniel Peterson" <pythas@hotmail.com> wrote in message
> news:2903CE86-9E79-4EBB-BA12-AD4EFA568289@microsoft.com...

Quote:

>

I have been able to connect to one of our clients Cisco PIX firewall
with the Vista VPN client. Im not sure what version they are running bu
here is how I made it happen

After setting up the connection go into Propertie

Go to the Options tab and click the PPP Settings butto

Make sure all of these check boxes are NOT selecte

hit ok

While on the Options tab make sure that the Include Windows logo
domain check box is NOT selecte

Next go to the Security Ta

select the Advanced (custom settings) radio butto

Then click the settings butto

in the Advanced security settings form select Optional Encryption fro
the Data Encryption drop dow

select the Allow these protocols radio button and make sure that onl
Challenge Handshake Authentication Protocol(CHAP) is selecte

hit ok

Now head over to the Networking ta

on the networking tab select L2TP IPsec VPN from the Type of VP
dropdow

click the IPsec Settings butto

make sure that the Use certificate for authentication radio button i
selected and the check box underneath it is checke

hit o

Back on the Networking tab I disabled all protocols except for TCP/IPv
, Im not sure that this is necessary but I didn't want any sill
protocols getting in the way

after that hit ok and try to connec

Im not sure if all of these changes were necessary but this is the onl
way I have been able to get a connection to a PIX firewall from vista
Maybe next time Microsoft will consider the rest of the industry whe
they decide to start dropping protocols (prolly not). I wonder wha
kind of firewall Bill uses?!

--
dmaselbas