Solved

VPN error 691 Access Denied

Posted on 2007-03-21
1,289 Views
Last Modified: 2010-04-12
Hello Experts, I have a question. I am trying to set up the VPN. I am using an L2TP over IPSec connection (3Com firewall to remote user).
The error that I get is "691: Access Denied. User is not registered on domain."
I have 2003 SBS. I added a user to AD and made sure that the user has VPN Allow Access.
Firewall: created the L2TP over IPSec tunnel, set it up for a particular user, created a key.
User: Windows XP SP2 (this user is at a different location), entered the login, password and key.

Firewall can see the connection: Here is what I get from the firewall log:

Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.
I think it has something to do with certificates, but I am not sure.
If you need more info let me know.
Any help will be greatly appreciated. Thanks
0
Question by:hw_tech
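The firewall log line quoted in the question is the most useful diagnostic in the thread: "no such user" means the 3Com box is checking its own local user list and not finding the account, which is a different failure from a wrong password. As an added example (not code from the thread or from 3Com), here is a small Python parser that pulls L2TP login events out of syslog lines of that format and counts denials per user and per reason, which is what a defender would run to tell a misconfigured account apart from repeated failed attempts. Only the first sample line is from the question; the "accepted" message wording and the "bad password" reason are constructed assumptions.

```python
import re
from collections import Counter

# Syslog line format of the 3Com OfficeConnect L2TP server as quoted in the
# question. The "accepted" variant and the "bad password" reason below are
# constructed assumptions for this example, not text from the thread.
L2TP_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: L2TP Server: "
    r"Login for username (?P<user>\S+) (?P<result>denied|accepted)"
    r"(?:: (?P<reason>.*))?$"
)

# Constructed sample log: the first line is the one quoted in the question,
# the rest are made up to exercise the parser.
SAMPLE_LOG = [
    "Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.",
    "Mar 20 11:52:01 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.",
    "Mar 20 11:52:40 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.",
    "Mar 20 11:53:10 localhost kernel: L2TP Server: Login for username jsmith accepted",
    "Mar 20 11:54:02 localhost kernel: L2TP Server: Login for username admin denied: bad password.",
    "Mar 20 11:54:05 localhost kernel: IPSec: SA established with 203.0.113.5",
]


def parse_line(line):
    """Return a dict (ts, host, user, result, reason) for an L2TP login line, else None."""
    m = L2TP_LOGIN_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    # Drop the trailing full stop the firewall puts after the reason text.
    event["reason"] = (event["reason"] or "").rstrip(".")
    return event


def denied_logins(lines):
    """All denied L2TP logins, in log order."""
    return [e for e in map(parse_line, lines) if e and e["result"] == "denied"]


def denied_by_user(lines):
    """Number of denied logins per username."""
    return Counter(e["user"] for e in denied_logins(lines))


def denied_by_reason(lines):
    """Number of denied logins per reason. 'no such user' means the account is
    missing from the firewall's local user list (a configuration problem);
    a password reason points at the credential instead."""
    return Counter(e["reason"] for e in denied_logins(lines))


def users_over_threshold(lines, threshold=3):
    """Usernames with at least `threshold` denials: a simple alert rule for
    repeated failed VPN logins."""
    return sorted(u for u, n in denied_by_user(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(denied_by_user(SAMPLE_LOG))
    print(denied_by_reason(SAMPLE_LOG))
    print(users_over_threshold(SAMPLE_LOG))
```

Run against a real export of the firewall log, the per-reason count is the first thing to look at: a run of "no such user" for one account is the symptom in this thread, while a run of password failures for many accounts is something to alert on.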
31 Comments
 
LVL 6

Expert Comment

by:NeilParbrook
Are you using the server as the VPN server or the firewall?
0
 

Author Comment

by:hw_tech
firewall
0
 
LVL 8

Expert Comment

by:jsvor
What are you using for a firewall?
0
 

Author Comment

by:hw_tech
3Com Office Connect VPN Firewall
0
 
LVL 8

Expert Comment

by:jsvor
Are you seeing the error log on the server or on the firewall?
0
 
LVL 6

Expert Comment

by:NeilParbrook
You say you added the user to the AD on the server.
Did you add the user to the firewall?
0
 

Author Comment

by:hw_tech
Every time the remote user tries to connect to the VPN, he gets an error 691 Access Denied.
Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user. - I pulled this from the firewall log.
Yes I did add the user on firewall as well.
0
 
LVL 8

Expert Comment

by:jsvor
I'm not sure that VPN fw will look to the AD for the users to authenticate them.  You will probably have to add each user to the fw in order for them to connect in.
0
 

Author Comment

by:hw_tech
But I added the atadm05 user on the fw, and it is not giving access.
0
 
LVL 6

Expert Comment

by:NeilParbrook
Do you have other known working tunnels on the firewall?
0
 

Author Comment

by:hw_tech
I tried IPSec before, but that was not successful. I couldn't even connect to the firewall. And L2TP is easier to configure.
0
 
LVL 8

Expert Comment

by:jsvor
What are your clients using for an OS to connect in? XP, Vista?
0
 

Author Comment

by:hw_tech
Windows XP SP2, Windows Firewall is OFF, I am using the Windows VPN connection.
0
 
LVL 6

Expert Comment

by:NeilParbrook
Have you thought about letting the server do the work and passing through the port on the firewall?
0
 

Author Comment

by:hw_tech
I am not sure how to do this. Could you please explain it more? Thanks
0
 

Author Comment

by:hw_tech
I just read the instructions for my firewall and it states that "L2TP/IPSEC - Pass-through is not available to a computer on a LAN when IPSEC/L2TP Servers are enabled"
0
 
LVL 6

Expert Comment

by:NeilParbrook
SBS 2003 has its own VPN server capabilities.

You could forward port 1723 on your firewall to your server's IP address, then run the Remote Connection wizard from the To Do list in the Server Management console. Then on the client use your WAN IP or domain name pointing to it to connect to the SBS server's built-in VPN. Users would have to have the Mobile User template to connect, so you may need to change their permissions. This uses Windows authentication. You can even download the Connection Manager from RWW.

Have a look at this

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/2436fe9d-338d-47d6-98b6-ffe1eac534ba.mspx?mfr=true
0
 
LVL 6

Expert Comment

by:NeilParbrook
That would be the case, as they will want to handle VPN access. Can you forward the port if you disable it?
0
 

Author Comment

by:hw_tech
I did all the steps except the port forwarding on the firewall. Do I have to open the port first, or is it not required? Without opening the ports I get the same error.
0
 
LVL 6

Expert Comment

by:NeilParbrook
What's the model number of the firewall?
0
 
LVL 6

Expert Comment

by:NeilParbrook
The manual for an OfficeConnect firewall states that for VPN pass-through you need to add a virtual server to the firewall.

I have only had a quick glance, so I would suggest that you look at this carefully to avoid any problems with the firewall config, as you do not want to open the network by mistake.

Possibly it may be worth asking a question in the Firewalls section of EE to get a better answer.
0
 

Author Comment

by:hw_tech
The model number is 3CR870-95. Thanks for all your help.
0
 

Author Comment

by:hw_tech
I was reading this article from Microsoft and it says that I need to deploy a certificate infrastructure because it is required for an L2TP VPN connection.
http://technet2.microsoft.com/WindowsServer/en/library/7159a5cd-530b-4b8f-b54a-9a8adfdeac1b1033.mspx?mfr=true
any suggestions?
0
 
LVL 6

Expert Comment

by:NeilParbrook
When you run the CIEW you will create the cert, as this is part of the process.
Then, to connect to the SBS server, you will need to install the cert on the client machine.
0
 

Author Comment

by:hw_tech
How do I run the CIEW, and what is it?
0
 
LVL 6

Expert Comment

by:NeilParbrook
You did say you had an SBS 2003 server, didn't you?

It's the Internet and email config wizard.
0
 

Author Comment

by:hw_tech
I think the problem is that in the firewall settings the Address Pool for PPTP clients is entered wrong. It looks like the remote client can connect to the VPN firewall, but the firewall is not letting the remote user pass through to the LAN. It's just denying access.
The instructions say that this address pool must be within the firewall's LAN subnet and must not form part of the DHCP pool.
0
 
LVL 6

Accepted Solution

by:
NeilParbrook earned 500 total points
What are you using for DHCP?
0
 

Author Comment

by:hw_tech
The DHCP pool is 10.1.1.10 to 10.1.1.150, but the firewall LAN is 192.168.2.1-100. So they are in a different subnet.
0
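The two rules the thread has narrowed in on (the remote-client address pool must sit inside the firewall's LAN subnet, and it must not overlap the DHCP pool) can be checked mechanically before the tunnel is ever tested. The script below is an added example, not code from the thread or from 3Com. It reads the 192.168.2.1-100 range the author quotes as the pool entered on the firewall and places the firewall itself at 192.168.2.1; both are assumptions. It compares that against the 10.1.1.10-10.1.1.150 DHCP pool from the thread, and then checks a constructed single-subnet layout on 192.168.16.0/24 of the kind the thread recommends. It also flags a pool that swallows the firewall's own address or the subnet's network/broadcast addresses, which the thread does not mention but which breaks remote clients in the same way.

```python
import ipaddress


def parse_range(spec):
    """Parse 'a.b.c.d-e.f.g.h' or the shorthand 'a.b.c.d-N' (N = last octet,
    the way the thread writes 192.168.2.1-100) into a (start, end) pair."""
    start_txt, end_txt = (s.strip() for s in spec.split("-"))
    start = ipaddress.IPv4Address(start_txt)
    if "." not in end_txt:  # shorthand: only the last octet was given
        end_txt = ".".join(start_txt.split(".")[:3] + [end_txt])
    end = ipaddress.IPv4Address(end_txt)
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return start, end


def ranges_overlap(a, b):
    """True if two inclusive (start, end) address ranges share any address."""
    return a[0] <= b[1] and b[0] <= a[1]


def range_within(rng, network):
    """True if both ends of the range fall inside the network."""
    return rng[0] in network and rng[1] in network


def check_remote_access_pools(lan_cidr, firewall_ip, vpn_pool, dhcp_pool):
    """Return a list of problem codes (empty when the layout is sound)."""
    lan = ipaddress.IPv4Network(lan_cidr, strict=False)
    fw = ipaddress.IPv4Address(firewall_ip)
    vpn = parse_range(vpn_pool)
    dhcp = parse_range(dhcp_pool)
    problems = []
    # Rule from the 3Com manual as quoted in the thread: pool inside the LAN subnet.
    if not range_within(vpn, lan):
        problems.append("vpn-pool-outside-lan")
    # If DHCP hands out a different subnet, LAN hosts and remote clients
    # cannot reach each other through the firewall's LAN interface.
    if not range_within(dhcp, lan):
        problems.append("dhcp-pool-outside-lan")
    # Second rule from the manual: pool must not form part of the DHCP pool.
    if ranges_overlap(vpn, dhcp):
        problems.append("vpn-pool-overlaps-dhcp")
    # Extra check: never hand a client the firewall's own address or the
    # network/broadcast address.
    reserved = {lan.network_address, lan.broadcast_address, fw}
    if any(vpn[0] <= r <= vpn[1] for r in reserved):
        problems.append("vpn-pool-contains-reserved-address")
    return problems


# The thread's setup as read here: SBS hands out 10.1.1.x by DHCP while the
# firewall's LAN side and the pool entered on it are 192.168.2.x. Treating
# 192.168.2.1-100 as the remote-client pool and 192.168.2.1 as the firewall's
# own LAN address are assumptions for this example.
THREAD_CONFIG = dict(
    lan_cidr="192.168.2.0/24",
    firewall_ip="192.168.2.1",
    vpn_pool="192.168.2.1-100",
    dhcp_pool="10.1.1.10-10.1.1.150",
)

# A constructed layout that satisfies both rules: one subnet, DHCP and
# remote-client pools inside it and disjoint, firewall address excluded.
CORRECTED_CONFIG = dict(
    lan_cidr="192.168.16.0/24",
    firewall_ip="192.168.16.1",
    vpn_pool="192.168.16.200-220",
    dhcp_pool="192.168.16.10-150",
)


if __name__ == "__main__":
    print("thread config:   ", check_remote_access_pools(**THREAD_CONFIG))
    print("corrected config:", check_remote_access_pools(**CORRECTED_CONFIG))
```

The thread configuration comes back with two findings: the DHCP pool is on a different subnet from the firewall's LAN, and a pool starting at .1 includes the firewall's own address. The corrected layout returns no problems.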
 
LVL 6

Expert Comment

by:NeilParbrook
Mate

You should use SBS for as much as possible, as this is how it is designed. That IP pool is way out for an SBS network; you should use 192.168.16.*** for the network, using SBS as the DHCP server. The more you let SBS do, the easier it is. How many machines are you using? At least make sure that you are using the same subnet etc. Follow the setup instructions and you will do no harm. SBS is a 'My First Server' environment and therefore is easy to set up and use, but you must use the wizards, as this is how it is designed. Have you completed the 'To Do' list?

I don't mean to preach, but you should let the server do the work.

Let me know

Neil
0
 

Author Comment

by:hw_tech
Thank you for all your help NeilParbrook. Looks like that's where I should start.
0
