readyyyy

Error 789 RRAS L2TP/IPsec VPN Problem

Hello

When I want to establish a VPN connection using L2TP/IPsec, the client cannot connect. After about 10 seconds, the following message is displayed:

Error: 789 "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

After a long time of troubleshooting and investigation of the problem, I came up with the following idea:

I tried to connect inside of the network directly to the RRAS Server using the 192.168.1.XX address - and voila - this works! Which means to me that the Certificate is OK.

Now the big question is: When it works inside of the LAN, why doesn't it work over the Internet?

I have opened the following ports on the Firewall: 1701, 4500, 500, 50

Would be great if you could give me some help with this. Thanks
readyyyy

ASKER

An additional question:

Maybe it would be helpful to analyze logfiles, i.e. the isakmp.log

However, I cannot find that logfile, and the folder C:\Program Files\Microsoft IPSec VPN, which should contain the file, does not even exist.

I see this has not been answered. I would like to take a shot:

Here is a step-by-step to see what might have been missed.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094687.shtml

Where it recommends:

Error 789: Security layer encounters a processing error.

Turn on the relevant debugs as explained in the Cisco VPN 3000 Concentrator FAQ. Read through them. You need to see something similar to this output:

    11315 02/15/2002 15:36:32.030 SEV=8 IKEDBG/0 RPT=7686
    Proposal # 1, Transform # 2, Type ESP, Id DES-CBC
    Parsing received transform:
      Phase 2 failure:
      Mismatched attr types for class Encapsulation:
        Rcv'd: Transport
        Cfg'd: Tunnel
     
    11320 02/15/2002 15:36:32.030 SEV=5 IKEDBG/0 RPT=7687
    AH proposal not supported
     
    11321 02/15/2002 15:36:32.030 SEV=4 IKE/0 RPT=27 10.48.66.76
    Group [VPNC_Base_Group]
    All IPSec SA proposals found unacceptable!
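
The debug output quoted in the answer above, run through a small parser that pulls out the Phase 2 attribute mismatch and the proposal rejections. This is an added example, not part of the original thread or of Cisco's tooling; the header layout is inferred from the three quoted events, and `parse_events` and `diagnose` are hypothetical names.

```python
import re

# Sample input: the concentrator debug output quoted in the answer above.
SAMPLE = """\
11315 02/15/2002 15:36:32.030 SEV=8 IKEDBG/0 RPT=7686
Proposal # 1, Transform # 2, Type ESP, Id DES-CBC
Parsing received transform:
  Phase 2 failure:
  Mismatched attr types for class Encapsulation:
    Rcv'd: Transport
    Cfg'd: Tunnel
11320 02/15/2002 15:36:32.030 SEV=5 IKEDBG/0 RPT=7687
AH proposal not supported
11321 02/15/2002 15:36:32.030 SEV=4 IKE/0 RPT=27 10.48.66.76
Group [VPNC_Base_Group]
All IPSec SA proposals found unacceptable!
"""

# Header layout inferred from the three events above (an assumption).
HEADER = re.compile(r"^(?P<seq>\d+) \S+ \S+ SEV=(?P<sev>\d+) (?P<cls>\S+) RPT=\d+(?: (?P<peer>\S+))?$")
MISMATCH = re.compile(r"Mismatched attr types for class (\w+):")

def parse_events(text):
    """Split the log into events: one header line plus its message lines."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            events.append({**m.groupdict(), "body": []})
        elif line.strip() and events:
            events[-1]["body"].append(line.strip())
    return events

def diagnose(events):
    """Collect attribute mismatches and outright proposal rejections."""
    findings = []
    for ev in events:
        for i, line in enumerate(ev["body"]):
            m = MISMATCH.search(line)
            if m:
                # The two lines after a mismatch carry received vs configured values.
                vals = dict(l.split(": ", 1) for l in ev["body"][i + 1:i + 3] if ": " in l)
                findings.append((ev["seq"], "mismatch", m.group(1),
                                 vals.get("Rcv'd"), vals.get("Cfg'd")))
            elif "not supported" in line or "found unacceptable" in line:
                findings.append((ev["seq"], "rejected", line, ev["peer"], None))
    return findings

if __name__ == "__main__":
    print(*diagnose(parse_events(SAMPLE)), sep="\n")
```

On the quoted log this reports that the client offered Transport encapsulation while the concentrator was configured for Tunnel, followed by the two rejection events.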

ASKER CERTIFIED SOLUTION
readyyyy

This solution is only available to members.
My symptoms were the same, in that the connection works fine internally. Also, most computers can connect from the outside, but some have the error message above (error 789).

For me this problem was resolved by turning off a software firewall (AVG) on the remote client computer. Turns out that the configuration on the host side was fine (Cisco ASA 5505 with Win 2003 RAS server behind it), so no need for a new router...