hw_tech

asked on

VPN error 691 Access Denied

Hello Experts, I have a question. I am trying to set up a VPN. I am using an L2TP over IPSec connection (3Com firewall to remote user).
The error that I get is "691: Access Denied. User is not registered on domain."
I have 2003 SBS. I added a user to AD and made sure that the user has VPN access allowed.
Firewall: created the L2TP over IPSec tunnel, set it up for a particular user, created a key.
User: Windows XP SP2 (this user is at a different location); entered the login, password and key.

Firewall can see the connection: Here is what I get from the firewall log:

Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.
I think it has something to do with certificates, but I am not sure.
If you need more info, let me know.
Any help will be greatly appreciated. Thanks.
NeilParbrook

Are you using the server as the VPN server or the firewall?
hw_tech

ASKER

firewall
What are you using for a firewall?
hw_tech

ASKER

3Com Office Connect VPN Firewall
Are you seeing the error log on the server or on the firewall?
You say you added the user to the AD on the server.
Did you add the user to the firewall?
hw_tech

ASKER

Every time the remote user tries to connect to the VPN, he gets error 691 Access Denied.
Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user. - I pulled this from the firewall log.
Yes, I did add the user on the firewall as well.
I'm not sure that the VPN firewall will look to AD to authenticate users. You will probably have to add each user to the firewall in order for them to connect in.
hw_tech

ASKER

But I added the atadm05 user on the firewall, and it is still not giving access.
Do you have other known working tunnels on the firewall?
hw_tech

ASKER

I tried IPSec before, but that was not successful. I couldn't even connect to the firewall. And L2TP is easier to configure.
What are your clients using for an OS to connect in? XP, Vista?
hw_tech

ASKER

Windows XP SP2, Windows Firewall is OFF, I am using the Windows VPN connection.
Have you thought about letting the server do the work and passing through the port on the firewall?
hw_tech

ASKER

I am not sure how to do this. Could you please explain it more? Thanks.
hw_tech

ASKER

I just read the instructions for my firewall and it states that "L2TP/IPSEC - Pass-through is not available to a computer on a LAN when IPSEC/L2TP Servers are enabled".
SBS 2003 has its own VPN server capabilities.

You could forward port 1723 on your firewall to your server's IP address, then run the Remote Connection Wizard from the To Do list in the Server Management console. Then on the client, use your WAN IP or a domain name pointing to it to connect to the SBS server's built-in VPN. Users would have to have the Mobile User template to connect, so you may need to change their permissions. This uses Windows authentication. You can even download the Connection Manager from RWW.

Have a look at this

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/2436fe9d-338d-47d6-98b6-ffe1eac534ba.mspx?mfr=true
That would be the case as they will want to handle VPN access.  Can you forward the port if you disable it?
hw_tech

ASKER

I did all the steps except the port forwarding on the firewall. Do I have to open the port first, or is it not required? Without opening the ports I get the same error.
What's the model number of the firewall?
The manual for an office connect firewall states that for VPN passthrough you need to add a virtual server to the firewall.  

I have only had a quick glance so I would suggest that you look at this carefully to avoid any problems with firewall config as you do not want to open the network by mistake.  

Possibly it may be worth asking a question in the firewalls section of EE to get a better answer.
hw_tech

ASKER

The model number is 3CR870-95. Thanks for all your help.
hw_tech

ASKER

I was reading this article from Microsoft and it says that I need to deploy a certificate infrastructure because it is required for an L2TP VPN connection.
http://technet2.microsoft.com/WindowsServer/en/library/7159a5cd-530b-4b8f-b54a-9a8adfdeac1b1033.mspx?mfr=true
Any suggestions?
When you run the CIEW you will create the cert, as this is part of the process.
Then, to connect to the SBS server, you will need to install the cert on the client machine.
hw_tech

ASKER

How do I run the CIEW, and what is it?
You did say you had an SBS 2003 server, didn't you?

It's the Internet and Email Configuration Wizard.
hw_tech

ASKER

I think the problem is that in the firewall settings the Address Pool for PPTP clients is entered wrong. It looks like the remote client can connect to the VPN firewall, but the firewall is not letting the remote user pass through to the LAN. It just denies access.
The instructions say that this address pool must be within the firewall's LAN subnet and must not form part of the DHCP pool.
ASKER CERTIFIED SOLUTION
NeilParbrook
hw_tech

ASKER

The DHCP pool is 10.1.1.10 to 10.1.1.150, but the firewall LAN is 192.168.2.1-100. So they are in a different subnet.
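The two checks the thread converges on can be automated: read the username and reason out of the firewall's "denied: no such user" line, and test a candidate VPN client address pool against the manual's rules (inside the firewall's LAN subnet, disjoint from the DHCP pool). This is an added example, not code from the thread or from 3Com; it assumes the LAN 192.168.2.1-100 is a /24 and uses constructed candidate pools alongside the DHCP range quoted above.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed from the firewall log line quoted in the thread.
LOG_LINE = ("Mar 20 11:51:24 localhost kernel: L2TP Server: "
            "Login for username atadm05 denied: no such user.")

def parse_l2tp_denial(line: str) -> Optional[Tuple[str, str]]:
    """Return (username, reason) from an L2TP denial line, else None.
    'no such user' refers to the firewall's own user list, not to AD."""
    m = re.search(r"L2TP Server: Login for username (\S+) denied: ([^.]+)", line)
    return (m.group(1), m.group(2)) if m else None

def _addr_range(start: str, end: str):
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a > b:
        raise ValueError(f"range start {a} is after its end {b}")
    return a, b

def check_vpn_pool(lan_subnet: str, pool: Tuple[str, str],
                   dhcp_pool: Tuple[str, str]) -> List[str]:
    """Check a VPN client address pool against the two rules the asker quotes
    from the firewall manual: inside the LAN subnet, and disjoint from DHCP.
    Returns a list of problems; an empty list means the pool passes."""
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    p_start, p_end = _addr_range(*pool)
    d_start, d_end = _addr_range(*dhcp_pool)
    problems = []
    if p_start not in lan or p_end not in lan:
        problems.append(f"pool {p_start}-{p_end} is outside LAN subnet {lan}")
    # Two ranges overlap when neither one ends before the other starts.
    if p_start <= d_end and d_start <= p_end:
        problems.append(f"pool {p_start}-{p_end} overlaps DHCP pool {d_start}-{d_end}")
    if p_start == lan.network_address or p_end == lan.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems

if __name__ == "__main__":
    print(parse_l2tp_denial(LOG_LINE))
    # Values from the thread: DHCP 10.1.1.10-150; LAN 192.168.2.x, assumed /24.
    dhcp = ("10.1.1.10", "10.1.1.150")
    # Constructed candidate pools: one in the DHCP subnet, one inside the LAN.
    for pool in [("10.1.1.100", "10.1.1.120"), ("192.168.2.200", "192.168.2.220")]:
        print(pool, check_vpn_pool("192.168.2.0/24", pool, dhcp) or "OK")
```

A pool that fails the first check explains why a client can authenticate to the firewall yet never reach the LAN, which is the symptom described in this post.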
Mate

You should use SBS for as much as possible, as this is how it is designed. That IP pool is way out for an SBS network; you should use 192.168.16.*** for the network, using SBS as the DHCP server. The more you let SBS do, the easier it is. How many machines are you using? At least make sure that you are using the same subnet etc. Follow the setup instructions and you will do no harm. SBS is a 'My First Server' environment and therefore is easy to set up and use, but you must use the wizards as this is how it is designed. Have you completed the 'To Do' list?

I don't mean to preach but you should let the server do the work.

Let me know

Neil
hw_tech

ASKER

Thank you for all your help, NeilParbrook. Looks like that's where I should start.