Microsoft KB Archive/247231

= Event ID 20111, Error 792 or Error 781 When Establishing an L2TP/IPSec Connection =

Article ID: 247231

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q247231





SYMPTOMS
When you attempt to manually establish a Layer 2 Tunneling Protocol (L2TP)/IP Security Protocol (IPSec) connection with a Windows 2000-based server by using the Routing and Remote Access snap-in, you may be unable to do so, and the initiator computer may display the following error message:

Routing and Remote Access

An error occurred during connection of the interface.

The L2TP connection attempt failed because security negotiation timed out.

In addition, the following event is logged in the System event log of the initiator computer:

Source: RemoteAccess

Event ID: 20111

Description: A Demand Dial connection to the remote interface on port VPNx-y was successfully initiated but failed to complete successfully because of the following error: The L2TP connection attempt failed because security negotiation timed out.

NOTE: If the connection is triggered by demand-dial traffic, then only Event 20111 is logged.

When you attempt to establish an L2TP/IPSec connection by using Network and Dial-up Connections, you are unable to do so, and the initiator computer may display the following error message:

Error Connecting to 

Connecting to ...

Error 792: The L2TP connection attempt failed because security negotiation timed out.

-or-

Error Connecting to 

Connecting to ...

Error 781: Encryption failed because no valid certificate was found.

NOTE: That Event 20111 is not logged at either the client or server when you attempt to establish the connection by using Network and Dial-up Connections.



CAUSE
This issue can occur because of one of the following reasons:
 * The certificate on the virtual private networking (VPN) server is not a valid machine certificate or is missing. If the VPN server got a certificate during the Certificate Authority installation, this certificate is not valid for IPSec machine authentication.
 * The IPSec Policy Agent service is stopped and started without stopping and starting the Routing and Remote Access service on the remote computer.
 * The IPSec Policy Agent service is not running when you start the Routing and Remote Access service.



RESOLUTION
To resolve this issue, do one of the following:  Install a valid machine certificate on the VPN server.  Stop and start the IPSec Policy Agent service, and then stop and start the Routing and Remote Access service on the remote computer. To do so, use one of the following methods.

Method 1
 Click Start, point to Programs, point to Administrative Tools, and then click Computer Management. Double-click Services and Applications, double-click Services, double-click IPSEC Policy Agent, click Stop, click Start, and then click OK.</li> Double-click Routing and Remote Access, click Stop, click Start, and then click OK.</li></ol>

Method 2
At a command prompt, type the following commands pressing ENTER after each command:

net stop policyagent

net start policyagent

net stop remoteaccess

net start remoteaccess

NOTE: The IPSec Policy Agent service must be started when the Routing and Remote Access service initializes. </li></ul>

<div class="moreinformation_section">

MORE INFORMATION
When you stop and start the IPSec Policy Agent service without stopping and starting the Routing and Remote Access service, the automatic IPSec policy that is usually created for the L2TP/IPSec connection is not created and the connections are not successful.

If you stop the IPSec Policy Agent service while you have active tunnel connections without first stopping the Routing and Remote Access service, the tunnels are unsecured, and data is exposed in the clear. It is recommended that you stop active tunnel connections before you stop the IPSec Policy Agent service.

Note that stopping the IPSec Policy Agent and the Routing and Remote Access services may remove filters that are critical to protecting your computers, and to prevent this downtime in security, it is recommended that you disconnect the network cable.

Keywords: kberrmsg kbipsec kbnetwork kbprb kbtunneling KB247231

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.