Microsoft PPTP VPN

ld · External Since: Aug 01, 2006 Posts: 2

I'm trying to connect a machine to work with a PPTP VPN. Of course this
works with the XP Pro machine, but I can't get connected with the Vista box.
Same setup, same VPN endpoint, no luck.

I start the VPN connection, I get the username/password verified, and then:
"Error 732: Your computer and the remote computer could not agree on PPP
contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
thing is I can connect the Vista laptop with PPTP to a Cisco 3005
concentrator.

Did Microsoft change something in the PPTP protocol negotiation? I have the
VPN logs, but before I go wading through a few hundred lines of that, I
wanted to check and see if anyone had any helpful info. Thanks

Jimmy Brush · External Since: Jun 23, 2006 Posts: 1214

I think they changed the MSCHAP protocol to only use version 2.0 and not
allow version 1.0. You could try changing the setting on Vista and allowing
it to use version 1.0 protocol.

You can get to the individual network connections by clicking "Manage
Network Connections" in the sidebar in the network map control panel, i
believe.

The setting should be in one of the advanced options of the properties
dialog.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

ld · External Since: Aug 01, 2006 Posts: 2

I think that's the ticket. The PIX in question is running 6.4 and supports
MS-CHAP, but not v2. The VPN concentrator is specifically designed for VPNs
and allows a whole host of authentication methods.

I'm going to upgrade the PIX to version 7 and play around with that. Thanks
for pointing me in the right direction.

"Jimmy Brush" wrote:

> I think they changed the MSCHAP protocol to only use version 2.0 and not
> allow version 1.0. You could try changing the setting on Vista and allowing
> it to use version 1.0 protocol.
>
> You can get to the individual network connections by clicking "Manage
> Network Connections" in the sidebar in the network map control panel, i
> believe.
>
> The setting should be in one of the advanced options of the properties
> dialog.
>
> - JB
>
> Vista Support FAQ
> http://www.jimmah.com/vista/
>

Dave · External Since: Jun 17, 2006 Posts: 126

I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.

"ld" wrote:

> I'm trying to connect a machine to work with a PPTP VPN. Of course this
> works with the XP Pro machine, but I can't get connected with the Vista box.
> Same setup, same VPN endpoint, no luck.
>
> I start the VPN connection, I get the username/password verified, and then:
> "Error 732: Your computer and the remote computer could not agree on PPP
> contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
> thing is I can connect the Vista laptop with PPTP to a Cisco 3005
> concentrator.
>
> Did Microsoft change something in the PPTP protocol negotiation? I have the
> VPN logs, but before I go wading through a few hundred lines of that, I
> wanted to check and see if anyone had any helpful info. Thanks

Dave · External Since: Jun 17, 2006 Posts: 126

I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.

"ld" wrote:

> I'm trying to connect a machine to work with a PPTP VPN. Of course this
> works with the XP Pro machine, but I can't get connected with the Vista box.
> Same setup, same VPN endpoint, no luck.
>
> I start the VPN connection, I get the username/password verified, and then:
> "Error 732: Your computer and the remote computer could not agree on PPP
> contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
> thing is I can connect the Vista laptop with PPTP to a Cisco 3005
> concentrator.
>
> Did Microsoft change something in the PPTP protocol negotiation? I have the
> VPN logs, but before I go wading through a few hundred lines of that, I
> wanted to check and see if anyone had any helpful info. Thanks

Dave · External Since: Jun 17, 2006 Posts: 126

I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.

"ld" wrote:

> I'm trying to connect a machine to work with a PPTP VPN. Of course this
> works with the XP Pro machine, but I can't get connected with the Vista box.
> Same setup, same VPN endpoint, no luck.
>
> I start the VPN connection, I get the username/password verified, and then:
> "Error 732: Your computer and the remote computer could not agree on PPP
> contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
> thing is I can connect the Vista laptop with PPTP to a Cisco 3005
> concentrator.
>
> Did Microsoft change something in the PPTP protocol negotiation? I have the
> VPN logs, but before I go wading through a few hundred lines of that, I
> wanted to check and see if anyone had any helpful info. Thanks

Lucas · External Since: Jul 30, 2006 Posts: 7

Dear Dave, and all others using Cisco PIX 500 series Firewalls,

I have just installed Windows Vista RC2 and there seems to be no support for
MSCAP (V1). There is however a sollution that might be satisfactory. Both
Windows Vista and the Cisco PIX support CHAP. Although this is a one-way
authentication, it is encrypted and therefore better then PAP.

In both your PIX and the Windows PPTP connection you must only select CHAP
authentication. In Windows you must also select "Optional Data Encryption".

If you are using Microsoft IAS as a RADIUS server to authenticate your
Active Directory users, you must turn on "Store password using reversible
encryption" on the specified user account, or in a GPO. Don't forget to reset
the passwords of all users who must authenticate through CHAP.

Kind regards,

Lucas de Wal
De Wal ICT
The Netherlands

"Dave" wrote:

> I have the same problem with a VPN connection to my PIX 506E. The
> username/password verified message is displayed and then failure. It would
> be nice if a Microsoft rep could provide some clarification on their position
> with respect to MS-CHAP v1 suport in Vista.
>
> I would rather not have to revert to PAP and I like the idea of using the MS
> VPN client as it makes VPN connections to the office easy for my users to
> make from any Windows computer since they don't have to install the Cisco VPN
> client.
>
> Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
> software, but their are 4 PIX 500 series firewalls, including the 506E, that
> cannot use the 7.0 software. I need to know if I need to make a significant
> investment in new Cisco hardware, on top of my Microsoft Volume License
> Agreement, prior to rolling out Vista.
>
>
> "ld" wrote:
>
> > I'm trying to connect a machine to work with a PPTP VPN. Of course this
> > works with the XP Pro machine, but I can't get connected with the Vista box.
> > Same setup, same VPN endpoint, no luck.
> >
> > I start the VPN connection, I get the username/password verified, and then:
> > "Error 732: Your computer and the remote computer could not agree on PPP
> > contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
> > thing is I can connect the Vista laptop with PPTP to a Cisco 3005
> > concentrator.
> >
> > Did Microsoft change something in the PPTP protocol negotiation? I have the
> > VPN logs, but before I go wading through a few hundred lines of that, I
> > wanted to check and see if anyone had any helpful info. Thanks

Dave · External Since: Jun 17, 2006 Posts: 126

Thanks Lucas. This looks promising. I'll give it a try.

"Lucas" wrote:

> Dear Dave, and all others using Cisco PIX 500 series Firewalls,
>
> I have just installed Windows Vista RC2 and there seems to be no support for
> MSCAP (V1). There is however a sollution that might be satisfactory. Both
> Windows Vista and the Cisco PIX support CHAP. Although this is a one-way
> authentication, it is encrypted and therefore better then PAP.
>
> In both your PIX and the Windows PPTP connection you must only select CHAP
> authentication. In Windows you must also select "Optional Data Encryption".
>
> If you are using Microsoft IAS as a RADIUS server to authenticate your
> Active Directory users, you must turn on "Store password using reversible
> encryption" on the specified user account, or in a GPO. Don't forget to reset
> the passwords of all users who must authenticate through CHAP.
>
> Kind regards,
>
> Lucas de Wal
> De Wal ICT
> The Netherlands
>
> "Dave" wrote:
>
> > I have the same problem with a VPN connection to my PIX 506E. The
> > username/password verified message is displayed and then failure. It would
> > be nice if a Microsoft rep could provide some clarification on their position
> > with respect to MS-CHAP v1 suport in Vista.
> >
> > I would rather not have to revert to PAP and I like the idea of using the MS
> > VPN client as it makes VPN connections to the office easy for my users to
> > make from any Windows computer since they don't have to install the Cisco VPN
> > client.
> >
> > Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
> > software, but their are 4 PIX 500 series firewalls, including the 506E, that
> > cannot use the 7.0 software. I need to know if I need to make a significant
> > investment in new Cisco hardware, on top of my Microsoft Volume License
> > Agreement, prior to rolling out Vista.
> >
> >
> > "ld" wrote:
> >
> > > I'm trying to connect a machine to work with a PPTP VPN. Of course this
> > > works with the XP Pro machine, but I can't get connected with the Vista box.
> > > Same setup, same VPN endpoint, no luck.
> > >
> > > I start the VPN connection, I get the username/password verified, and then:
> > > "Error 732: Your computer and the remote computer could not agree on PPP
> > > contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
> > > thing is I can connect the Vista laptop with PPTP to a Cisco 3005
> > > concentrator.
> > >
> > > Did Microsoft change something in the PPTP protocol negotiation? I have the
> > > VPN logs, but before I go wading through a few hundred lines of that, I
> > > wanted to check and see if anyone had any helpful info. Thanks

alexnewman · Joined: Aug 13, 2007 Posts: 2

I have just come accross the same problem when trying to connect to a cisco firewall (not sure of the model) works fine on XP same settings (although I can't find MSCHAPv1 on the Vsita VPN settings.

Have you managed to fix this yet? Can you offer any help