L2TP VPN connection between XP Pro and Win 2003 RRAS

 
 
Len
04-28-2004, 02:33 PM
I set up RRAS on Win 2003 Small Business server to accept
L2TP and PPTP VPN connections. Win 2003 is running
Active Directory. The L2TP connection is set up to use
a preshared key.

I have also used the XP Pro New Connection Wizard to set up
PPTP and L2TP (separate) connections to the Win 2003 RRAS.

Both client and server are behind Linksys routers. I
forwarded all appropriate ports.

When I monitor the server Security event log, I see the following
error message when I try to establish an L2TP connection:

- IKE security negotiation failed because server expected
Kerberos and received preshared key from the client
instead.

Kerberos is most likely expected because the Win 2003 server
is running active domain. The PC from which I am trying
to establish a connection is not part of the domain and
is part of the workgroup.

Does anyone know how to solve this without taking the PC
over to the LAN with Win 2003 server, connecting it and
joining the domain?


 
Matthew [MSFT]
04-28-2004, 04:37 PM
Hi,

If I understand correctly, when you set up the client in XP for L2TP, you
changed the IPSec settings under security and added a preshared key. If
this is correct, then I believe you need to add this key on the server as
well.

If you have not done this, you can open up the properties of the server in
RRAS and select the security tab. At the bottom, there is a check box and
a space to place the preshared key.




Thank you,
Matthew Fresoli
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.


 
Guest
04-28-2004, 07:46 PM
I had added the same preshared keys both on the client
and RRAS server and am getting the error I described:
mismatch in IKE negotiation protocol.
Server expects Kerberos and client sends preshared key.

 
Len
04-28-2004, 07:52 PM
That is how I set it up.

 
Len
04-28-2004, 09:36 PM
Getting the same error still.
 
Matthew [MSFT]
04-29-2004, 06:40 PM
Hi Len,

I set up a test scenario and performed the configuration as described
earlier. After setting the preshared key on the RRAS server security tab I
had to restart the services. After this I was able to connect with a
preshared key.

However, I did not use a domain account for this connection, only a local
account on the RRAS server. I used the default RRAS access policy for VPN
access.

See if you can use a local account on the server to make the connection to
see if it is an issue with domain users.

I do need to add that the use of preshared keys for client to server L2TP
connections is not recommended by Microsoft due to the security risks.
This is documented in the following article:

324258 HOW TO: Configure a Preshared Key for Use with Layer 2 Tunneling
http://support.microsoft.com/?id=324258





Thank you,
Matthew Fresoli
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
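
The Security log error quoted in this thread describes an IKE authentication-method mismatch: the client's proposal carries "preshared key" while the server accepts only Kerberos. The following is an added example, not code from any poster or from Microsoft: a simplified Python model that decodes the authentication-method attribute from a constructed IKEv1 transform and reports the negotiation outcome. The function names, the sample bytes and the use of private-use value 65001 as a stand-in for Kerberos are assumptions.

```python
import struct

# IKEv1 (RFC 2409, Appendix A): attribute class 3 is the Authentication Method.
AUTH_METHOD_ATTR = 3
PSK, RSA_SIG = 1, 3
# Assumption: 65001 (first private-use value) stands in for the server's
# Kerberos method; the thread does not give the number actually used.
KERBEROS_STANDIN = 65001
NAMES = {PSK: "preshared key", RSA_SIG: "certificate (RSA signature)",
         KERBEROS_STANDIN: "Kerberos"}

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408, section 3.3) into (type, value)."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header")
        head, field = struct.unpack_from("!HH", data, pos)
        pos += 4
        if head & 0x8000:              # AF=1: short form, value sits in the header
            attrs.append((head & 0x7FFF, field))
        else:                          # AF=0: long form, 'field' is a byte length
            if pos + field > len(data):
                raise ValueError("attribute value runs past end of data")
            attrs.append((head, int.from_bytes(data[pos:pos + field], "big")))
            pos += field
    return attrs

def offered_auth_method(transform_attrs):
    """Return the authentication method carried in one transform, or None."""
    for attr_type, value in parse_attributes(transform_attrs):
        if attr_type == AUTH_METHOD_ATTR:
            return value
    return None

def negotiate(offers, responder_accepts):
    """Pick the first offered method the responder's policy accepts."""
    methods = [offered_auth_method(t) for t in offers]
    for method in methods:
        if method in responder_accepts:
            return method, "negotiated " + NAMES.get(method, str(method))
    want = ", ".join(NAMES.get(m, str(m)) for m in sorted(responder_accepts))
    got = ", ".join(NAMES.get(m, str(m)) for m in methods)
    return None, f"IKE negotiation failed: expected {want}; received {got}"

# Constructed attributes: encryption=3DES (5), hash=SHA (2), auth=PSK (1), group 2.
CLIENT_PSK_OFFER = bytes.fromhex("80010005" "80020002" "80030001" "80040002")

if __name__ == "__main__":
    print(negotiate([CLIENT_PSK_OFFER], {KERBEROS_STANDIN})[1])
    print(negotiate([CLIENT_PSK_OFFER], {KERBEROS_STANDIN, PSK})[1])
```

The first call reproduces the mismatch reported in the event log; the second shows the same offer succeeding once the responder's policy also accepts a preshared key.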


 