VPN Troubleshooting

From ITwiki

Revision as of 17:45, 21 March 2014 by Rbenson (Talk | contribs)

Stevens VPN is known to work with

  1. FiOS
  2. Comcast
  3. Roadrunner
  4. Optimum Online
  5. Verizon Broadband

From these operating systems

  1. Windows XP, 7, 8
  2. Linux
  3. Mac OS X
  4. Android
  5. iOS

Common Troubleshooting Tips

Follow these steps if you have tried to connect to the VPN and the connection failed.

Confirm your Password

Please make sure you are using the correct password. You should be using your Stevens password.

Restart your PC

Do not put your PC into standby or hibernation. Instead, restart (reboot) the computer before attempting to connect again.

If using FiOS check your router settings

Make sure it's set to Typical Security. Maximum Security is known to prevent a successful VPN connection.

Disable your PC's firewall

As a test, disable your PC's firewall and see if you can connect to the VPN. If you are able to establish a working VPN connection, consult your firewall vendor's documentation on how to configure it to allow VPN connections. Make sure you re-enable your firewall.

Enable IPSEC passthrough on your router

The Stevens VPN uses the IPSEC suite of protocols for authenticating and encrypting user traffic. If you are using a NAT router at home, you must make sure that the router supports IPSEC passthrough and that it is enabled. If the router does not support IPSEC passthrough, or it is not enabled, your VPN traffic will never reach Stevens and you will not be able to connect. Consult your router vendor's documentation on how to enable IPSEC passthrough.

Configure your router to use your IP as the DMZ

As a test, configure the local IP address your PC is using (typically 192.168.1.something) as the DMZ address in your router. You will need to consult your router's documentation for the exact procedure. If you are unable to establish a working VPN connection, consult your router vendor's documentation on how to configure it to allow VPN connections.

Make sure you aren't behind 2 NAT routers

Double NATing can cause problems depending on how each NAT router is configured. Move your PC to the first NAT router to test.

Must Use IPSEC L2TP

Windows

For machines that are having problems, change the VPN type from automatic selection to IPSEC. Within the VPN profile, change the following:

If you have your "Type of VPN" set to automatic:

Change it to L2TP IPSec VPN:

Try to connect. If you get Error 768 when connecting, keep reading.

ENABLE IPSec on Microsoft Windows

XP

The machine must have "IPSEC Services" enabled in the Services area of the "Computer Management" application. This should be enabled by default; however, some applications can disable it.

Error Message 768: "The connection attempt failed because of failure to encrypt data. For customized troubleshooting information for this connection click Help."

Resolution: Start the IPSec Services by opening the Services Control Panel with the following steps:

  1. Open the Control Panel
  2. Click on Administrative Tools
  3. Click on Services
  4. Locate IPSec Services
  5. Verify service has started, if not,
  6. Right click IPSec Services
  7. Select Start
  8. Verify service startup type is Automatic

[1]

7 / 8

  1. Open the Control Panel
  2. Click on Administrative Tools
  3. Click on Services
  4. Locate IKE and AuthIP IPsec Keying Modules
  5. Verify service has started, if not,
  6. Right click IKE and AuthIP IPsec Keying Modules
  7. Select Start
  8. Verify service startup type is Automatic
  9. Locate IPsec Policy Agent
  10. Verify service has started, if not,
  11. Right click IPsec Policy Agent
  12. Select Start
  13. Verify service startup type is Automatic

L2TP/IPsec NAT-T update for Windows XP

Microsoft has released an update package to enhance the current functionality of Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPsec) on computers that run Microsoft Windows 2000, Microsoft Windows XP without service packs installed, and Windows XP with Service Pack 1 (SP1). This functionality is included in Windows XP Service Pack 2 (SP2).

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043

Error Codes

There are some common error codes that you may encounter. For a complete list of Microsoft error codes, please see "List of Error Codes that you may receive when you try to make a dial-up connection or a VPN connection in Windows Vista".

691: Access denied because username and/or password is invalid on the domain

  • Cause: This error occurs when you have entered the incorrect username or password.
  • Solution:

721: The remote computer is not responding

  • Cause: This issue can occur if the network firewall does not permit GRE traffic (IP protocol 47). PPTP uses GRE for tunneled data.
  • Solution: Configure the network firewall between the VPN client and the server to permit GRE. In addition, make sure that the network firewall permits TCP traffic on port 1723. Both of these conditions must be met to establish VPN connectivity by using PPTP. For more information, see article 888201, "You receive an 'Error 721' error message when you try to establish a VPN connection through your Windows Server-based remote access server", in the Microsoft Knowledge Base.

738: The server did not assign an address.

  • Cause: Typically indicates a server-side problem.
  • Solution: Please contact the Helpdesk by email or by calling 1.201.216.5500 and ask for further assistance.

741/742: There is an encryption mismatch error

  • Cause: These errors occur if the VPN client requests an encryption level that is not valid, or if the VPN server does not support the encryption type requested by the client.
  • Solution:
    • Check the properties (Security tab) of the VPN connection on the VPN client. If Require data encryption (disconnect if none) is selected, clear the selection and retry the connection.
    • If you are using Internet Authentication Service (IAS), check the encryption level in the remote access policy in the IAS console or policies on other RADIUS servers. Ensure that the encryption level requested by the VPN client is selected on the VPN server.

789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer

  • Cause: Your operating system is not correctly configured to connect to an L2TP server. The connection attempt is failing before a connection to the server is ever attempted. This error is caused entirely by a misconfiguration of the user's operating system. Location and connection type have no bearing on receiving this error message.
  • Solution:
    • Windows 7
    1. Open Control Panel >> Administrative Tools >> Services
    2. Make sure the IKE and AuthIP IPsec Keying Modules service is started and configured to start automatically at startup. If the service is already started, restart it.
    3. Make sure the IPsec Policy Agent service is started and configured to start automatically at startup. If the service is already started, restart it.
    4. Attempt to connect to the VPN server again. If the connection is still unsuccessful, please contact the Helpdesk and notify them of the steps you have already taken to resolve the issue.
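
The service checks in the Windows 7 / 8 steps and in the Error 789 solution can also be done from PowerShell. This is an added example, not part of the original wiki page; the short service names `IKEEXT` and `PolicyAgent` are the standard Windows names for the two services, and the function names are made up for this example.

```powershell
# Added example, not from the original wiki page.
# Short service names (standard Windows names for the display names in the steps):
#   IKEEXT      = IKE and AuthIP IPsec Keying Modules
#   PolicyAgent = IPsec Policy Agent
$IpsecServices = 'IKEEXT', 'PolicyAgent'

function Get-IpsecServiceStatus {
    # Report the state and startup type of each service the steps name.
    foreach ($name in $IpsecServices) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            Write-Warning "$name is not installed on this machine."
            continue
        }
        # StartMode is Auto, Manual or Disabled; State is Running, Stopped, ...
        $svc | Select-Object Name, DisplayName, State, StartMode,
            @{ Name = 'Ok'; Expression = { $_.State -eq 'Running' -and $_.StartMode -eq 'Auto' } }
    }
}

function Repair-IpsecService {
    # Apply the steps: startup type Automatic, then start the service,
    # or restart it if it is already running (as the Error 789 steps say).
    # Needs an elevated (Run as administrator) prompt.
    foreach ($row in (Get-IpsecServiceStatus)) {
        Set-Service -Name $row.Name -StartupType Automatic
        if ($row.State -eq 'Running') {
            Restart-Service -Name $row.Name -Force
        } else {
            Start-Service -Name $row.Name
        }
    }
    Get-IpsecServiceStatus
}

# Read-only check first; run Repair-IpsecService only if a row shows Ok = False.
Get-IpsecServiceStatus | Format-Table -AutoSize
```

The script uses `Get-WmiObject` so that it also runs on the Windows PowerShell 2.0 that ships with Windows 7.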

800: Unable to establish the VPN connection

  • Cause: The VPN server may be unreachable, or security parameters may not be configured properly for this connection.
  • Solution:
    1. Restart your computer.
    2. Please go through the configuration step by step and ensure that all the settings are correct.
    3. Make sure you are using your Stevens password.
    4. Check your router or modem settings.
    5. Try turning off your firewall.
    6. Change your password by visiting http://www.stevens.edu/password

806: A connection between your computer and the VPN server has been started, but the VPN connection cannot be completed

  • Cause: The most common cause for this is that at least one Internet device (for example, a firewall or a router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets. If the problem persists, contact your network administrator or Internet service provider.
  • Solution: Disable your firewall or configure your router to allow VPN connections.