Microsoft PPTP VPN

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I'm trying to connect a machine to work with a PPTP VPN. Of course this
works with the XP Pro machine, but I can't get connected with the Vista box.
Same setup, same VPN endpoint, no luck.

I start the VPN connection, I get the username/password verified, and then:
"Error 732: Your computer and the remote computer could not agree on PPP
contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
thing is I can connect the Vista laptop with PPTP to a Cisco 3005
concentrator.

Did Microsoft change something in the PPTP protocol negotiation? I have the
VPN logs, but before I go wading through a few hundred lines of that, I
wanted to check and see if anyone had any helpful info. Thanks
 
I think they changed the MSCHAP protocol to only use version 2.0 and not
allow version 1.0. You could try changing the setting on Vista and allowing
it to use version 1.0 protocol.

You can get to the individual network connections by clicking "Manage
Network Connections" in the sidebar in the network map control panel, i
believe.

The setting should be in one of the advanced options of the properties
dialog.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/
 
I think that's the ticket. The PIX in question is running 6.4 and supports
MS-CHAP, but not v2. The VPN concentrator is specifically designed for VPNs
and allows a whole host of authentication methods.

I'm going to upgrade the PIX to version 7 and play around with that. Thanks
for pointing me in the right direction.
 
I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.
 
I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.
 
I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.
 
Dear Dave, and all others using Cisco PIX 500 series Firewalls,

I have just installed Windows Vista RC2 and there seems to be no support for
MSCAP (V1). There is however a sollution that might be satisfactory. Both
Windows Vista and the Cisco PIX support CHAP. Although this is a one-way
authentication, it is encrypted and therefore better then PAP.

In both your PIX and the Windows PPTP connection you must only select CHAP
authentication. In Windows you must also select "Optional Data Encryption".

If you are using Microsoft IAS as a RADIUS server to authenticate your
Active Directory users, you must turn on "Store password using reversible
encryption" on the specified user account, or in a GPO. Don't forget to reset
the passwords of all users who must authenticate through CHAP.

Kind regards,

Lucas de Wal
De Wal ICT
The Netherlands
 
Back
Top