VPN error 691 Access Denied

Hello Experts, I have a question. I am trying to set up the VPN. I am using L2TP over IPSec Connection (3Com Firewall to Remote User).
The error that I get is "691: Access Denied. User is not registered on domain."
I have 2003 SBS. I added a user to AD, made sure that the user has a VPN Allow Access.
Firewall: created the L2TP over IPSec tunnel, set it up for a particular user, created a key.
User: Windows XP SP2 (this user is at a different location). Entered the login, password and key.

Firewall can see the connection: Here is what I get from the firewall log:

Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.
I think it has something to do with certificates, but I am not sure.
If you need more info, let me know.
Any help will be greatly appreciated, Thanks
hw_techAsked:

NeilParbrookCommented:
Are you using the server as the VPN server or the firewall?
0
hw_techAuthor Commented:
firewall
0
jsvorCommented:
What are you using for a firewall?
0
hw_techAuthor Commented:
3Com Office Connect VPN Firewall
0
jsvorCommented:
Are you seeing the error log on the server or on the firewall?
0
NeilParbrookCommented:
You say you added the user to the AD on the server.
Did you add the user to the firewall?
0
hw_techAuthor Commented:
Every time the remote user tries to connect to the VPN, he gets an error 691 Access Denied.
Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user. - I pulled it up from the firewall log.
Yes, I did add the user on the firewall as well.
0
jsvorCommented:
I'm not sure that VPN fw will look to the AD for the users to authenticate them.  You will probably have to add each user to the fw in order for them to connect in.
0
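The firewall log line quoted above is the one concrete piece of evidence in this thread, and jsvor's point is that the 3Com box checks its own user list rather than AD. Below is an added example (not from the original post or from 3Com) that parses syslog lines in that format and tallies L2TP denials per user and reason, so the "no such user" case stands out from other failures. The sample log is constructed here; only the first line is the one quoted in the thread, and the "bad password" and "accepted" variants are assumed formats.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the line quoted in the thread; the
# remaining lines are assumed variants of the same message format.
SAMPLE_LOG = """\
Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.
Mar 20 11:52:03 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.
Mar 20 11:53:10 localhost kernel: L2TP Server: Login for username jdoe denied: bad password.
Mar 20 11:54:41 localhost kernel: L2TP Server: Login for username jdoe accepted.
"""

# Syslog timestamp, host, then the L2TP server message. The reason after
# "denied:" is optional because an accepted login carries none.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: L2TP Server: "
    r"Login for username (?P<user>\S+) (?P<result>accepted|denied)"
    r"(?:: (?P<reason>.+?))?\.?$"
)


def parse_line(line):
    """Return a dict with ts/user/result/reason, or None if the line is not an L2TP login event."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_denials(log_text):
    """Count denied L2TP logins keyed by (username, reason).

    A high count of ("<user>", "no such user") means the account is missing
    from the firewall's own user database, regardless of what AD holds.
    """
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "denied":
            counts[(ev["user"], ev["reason"])] += 1
    return counts


if __name__ == "__main__":
    for (user, reason), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{user}: {n} denial(s), reason: {reason}")
```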
hw_techAuthor Commented:
But I added the atadm05 user on the fw, and it is not giving access.
0
NeilParbrookCommented:
Do you have other known working tunnels on the firewall?
0
hw_techAuthor Commented:
I tried IPSec before, but that was not successful. I couldn't even connect to the firewall. And L2TP is easier to configure.
0
jsvorCommented:
What are your clients using for an OS to connect in? XP, Vista?
0
hw_techAuthor Commented:
Windows XP SP2, Windows Firewall is OFF, I am using the Windows VPN connection.
0
NeilParbrookCommented:
Have you thought about letting the server do the work and passing through the port on the firewall?
0
hw_techAuthor Commented:
I am not sure how to do this. Could you please explain it more? Thanks.
0
hw_techAuthor Commented:
I just read the instructions for my firewall and it states that "L2TP/IPSEC - Pass-through is not available to a computer on a LAN when IPSEC/L2TP Servers are enabled"
0
NeilParbrookCommented:
SBS 2003 has its own VPN server capabilities.

You could forward port 1723 on your firewall to your server's IP address, then run the remote connection wizard from the To Do list in the Server Management console. Then on the client, use your WAN IP or domain name pointing to it to connect to the SBS server's built-in VPN. Users would have to have the mobile user template to connect, so you may need to change their permissions. This uses Windows authentication. You can even download the Connection Manager from RWW.

Have a look at this

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/2436fe9d-338d-47d6-98b6-ffe1eac534ba.mspx?mfr=true
0
NeilParbrookCommented:
That would be the case as they will want to handle VPN access.  Can you forward the port if you disable it?
0
hw_techAuthor Commented:
I did all the steps except the port forwarding on the firewall. Do I have to open the port first, or is it not required? Without opening the ports I get the same error.
0
NeilParbrookCommented:
What's the model number of the firewall?
0
NeilParbrookCommented:
The manual for an OfficeConnect firewall states that for VPN passthrough you need to add a virtual server to the firewall.

I have only had a quick glance, so I would suggest that you look at this carefully to avoid any problems with firewall config, as you do not want to open the network by mistake.

Possibly it may be worth asking a question in the firewalls section of EE to get a better answer.
0
hw_techAuthor Commented:
The model number is 3CR870-95. Thanks for all your help.
0
hw_techAuthor Commented:
I was reading this article from Microsoft and it says that I need to deploy a certificate infrastructure because it is required for an L2TP VPN connection.
http://technet2.microsoft.com/WindowsServer/en/library/7159a5cd-530b-4b8f-b54a-9a8adfdeac1b1033.mspx?mfr=true
Any suggestions?
0
NeilParbrookCommented:
When you run the CIEW you will create the cert, as this is part of the process.
Then, to connect to the SBS server, you will need to install the cert on the client machine.
0
hw_techAuthor Commented:
How do I run the CIEW, and what is it?
0
NeilParbrookCommented:
You did say you had an SBS 2003 server, didn't you?

It's the internet and email config wizard.
0
hw_techAuthor Commented:
I think the problem is that in the firewall settings the Address Pool for PPTP clients is entered wrong. It looks like the remote client can connect to the VPN firewall, and the firewall is not letting the remote user pass through to the LAN. It just denies access.
The instructions say that this address pool must be within the firewall's LAN subnet and must not form part of the DHCP pool.
0
NeilParbrookCommented:
What are you using for DHCP?
0
hw_techAuthor Commented:
The DHCP pool is 10.1.1.10 to 10.1.1.150, but the firewall LAN is 192.168.2.1-100. So they are in a different subnet.
0
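The rule hw_tech quotes from the firewall manual (the VPN client address pool must sit inside the firewall's LAN subnet and must not overlap the DHCP pool) is easy to get wrong when, as here, DHCP and the firewall LAN are on different subnets. The following added example (not from the thread or from 3Com) encodes that rule as a check; the DHCP pool and firewall LAN range are the values from the thread, while the /24 mask and the candidate VPN pools are assumptions.

```python
import ipaddress

# Values from the thread: DHCP pool 10.1.1.10-10.1.1.150, firewall LAN
# 192.168.2.1-192.168.2.100. The /24 mask is an assumption (not stated).
DHCP_POOL = ("10.1.1.10", "10.1.1.150")
FIREWALL_LAN = "192.168.2.0/24"


def expand_range(first, last):
    """Expand an inclusive first-last IPv4 range into a list of addresses."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError(f"range start {first} is after end {last}")
    return [ipaddress.IPv4Address(i) for i in range(int(a), int(b) + 1)]


def check_vpn_pool(vpn_first, vpn_last, lan_subnet=FIREWALL_LAN, dhcp=DHCP_POOL):
    """Return a list of problems with a VPN client address pool (empty = OK).

    Rules, as quoted from the firewall manual in the thread:
      1. every pool address must lie inside the firewall's LAN subnet;
      2. the pool must not overlap the DHCP pool.
    A third check (no network/broadcast address in the pool) is an added
    sanity rule, not from the manual.
    """
    lan = ipaddress.IPv4Network(lan_subnet, strict=False)
    vpn = expand_range(vpn_first, vpn_last)
    dhcp_set = set(expand_range(*dhcp))
    problems = []
    outside = [a for a in vpn if a not in lan]
    if outside:
        problems.append(f"{len(outside)} address(es) outside LAN {lan}, e.g. {outside[0]}")
    overlap = [a for a in vpn if a in dhcp_set]
    if overlap:
        problems.append(f"{len(overlap)} address(es) overlap DHCP, {overlap[0]}-{overlap[-1]}")
    if lan.network_address in vpn or lan.broadcast_address in vpn:
        problems.append("pool includes the LAN network or broadcast address")
    return problems


if __name__ == "__main__":
    # Assumed candidate pools: one in the DHCP subnet, one inside the firewall LAN.
    for pool in (("10.1.1.200", "10.1.1.210"), ("192.168.2.200", "192.168.2.210")):
        print(pool, check_vpn_pool(*pool) or "OK")
```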
NeilParbrookCommented:
Mate,

You should use SBS for as much as possible, as this is how it is designed. That IP pool is way out for an SBS network; you should use 192.168.16.*** for the network, using SBS as the DHCP server. The more you let SBS do, the easier it is. How many machines are you using? At least make sure that you are using the same subnet etc. Follow the setup instructions and you will do no harm. SBS is a 'My First Server' environment and therefore is easy to set up and use, but you must use the wizards, as this is how it is designed. Have you completed the 'To Do' list?

I don't mean to preach, but you should let the server do the work.

Let me know.

Neil
0
hw_techAuthor Commented:
Thank you for all your help NeilParbrook. Looks like that's where I should start.
0