Microsoft KB Archive/929856

= You receive a &quot;741&quot; or a &quot;742&quot; error message when you try to establish a VPN connection by using L2TP/IPsec from a Windows client computer to a VPN server =

Article ID: 929856

Article Last Modified on 3/17/2007

-

APPLIES TO


 * Windows Vista Ultimate
 * Windows Vista Enterprise
 * Windows Vista Business
 * Windows Vista Home Premium
 * Windows Vista Home Basic
 * Windows Vista Ultimate 64-bit edition
 * Windows Vista Enterprise 64-bit edition
 * Windows Vista Business 64-bit edition
 * Windows Vista Home Premium 64-bit edition
 * Windows Vista Home Basic 64-bit edition
 * Windows Vista Starter
 * Microsoft Windows XP Professional
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
You experience one of the following symptoms when you try to establish a virtual private network (VPN) connection by using &quot;Layer Two Tunneling Protocol with IPsec&quot; (L2TP/IPsec) from a Windows client computer to a VPN server.  Symptom 1

The Windows client computer is running Microsoft Windows XP, Microsoft Windows Server 2003, or Microsoft Windows 2000, and you try to connect to a VPN server that is running Microsoft Windows Server Code Name &quot;Longhorn&quot; or Windows Vista. However, you cannot connect to the VPN server. Instead, you receive an error message the resembles the following:

741 The local computer does not support encryption.

 Symptom 2

The Windows client computer is running Windows Server Code Name &quot;Longhorn&quot; or Windows Vista, and you try to connect to a VPN server that is running Windows XP, Windows Server 2003, or Windows 2000. However, you cannot connect to the VPN server. Instead, you receive an error message the resembles the following:

742 The remote server does not support encryption.





CAUSE
This issue occurs if the encryption level that the Windows client computer uses does not match the encryption level that the VPN server uses. For example, this issue occurs if the client computer uses 40-bit or 56-bit RC4 encryption, and the VPN server only supports a 128-bit RC4-based encryption algorithm. Or, this issue occurs if the client computer uses 128-bit RC4 encryption and the server only supports a 40-bit or a 56-bit RC4-based encryption algorithm.



WORKAROUND
To work around this issue, use one of the following procedures, as appropriate for your situation. === The Windows client computer is running Windows XP, Windows Server 2003, or Windows 2000, and you connect to a VPN server that is running Windows Server Code Name &quot;Longhorn&quot; or Windows Vista ===

Use one of the following methods.

Note Method 1 is the recommended method to use in this scenario.

Method 1: Change the encryption setting on the VPN client computer
Change the encryption setting in the VPN connection on the client computer to use maximum strength encryption. After you do this, Triple Data Encryption Standard (3DES) encryption is used to establish the VPN connection. To change the encryption setting in the VPN connection on the client computer, follow these steps:
 * 1) Click Start, click Run, type ncpa.cpl in the Open box, and then click OK.
 * 2) Right-click the VPN connection, and then click Properties.
 * 3) Click the Security tab, click Advanced (custom settings), and then click Settings.
 * 4) In the Data encryption box, click Maximum strength encryption (disconnect if server declines), and then click OK two times.

Method 2: Change the encryption setting on the VPN server
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Add the AllowL2TPWeakCrypto registry entry to the VPN server to change the encryption setting that the Routing and Remote Access service uses. After you do this, the &quot;Message Digest 5&quot; (MD5) algorithm or Data Encryption Standard (DES) encryption is enabled on the VPN server. To change the encryption setting on the VPN server, follow these steps:  Create the AllowL2TPWeakCrypto registry entry, and then set it to a value of 1. To do this, follow these steps:  Click Start, click Run, type regedit, and then click OK. In Registry Editor, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

</li> On the Edit menu, point to New, and then click DWORD Value.</li> Type AllowL2TPWeakCrypto, and then press ENTER.</li> On the Edit menu, click Modify.</li> In the Value data box, type 1, and then click OK.</li> On the File menu, click Exit to exit Registry Editor.</li></ol> </li> Restart the &quot;Routing and Remote Access&quot; service and the Remote Access Connection Manager service. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Click Start, right-click My Computer, and then click Manage.</li> Expand Services and Applications, and then click Services.</li> Right-click Routing and Remote Access, and then click Stop.</li> Right-click Remote Access Connection Manager, and then click Stop.</li> Right-click Remote Access Connection Manager, and then click Start.</li> Right-click Routing and Remote Access, and then click Start.</li></ol> </li></ol>

=== The Windows client computer is running Windows Server Code Name &quot;Longhorn&quot; or Windows Vista, and you connect to a VPN server that is running Windows XP, Windows Server 2003, or Windows 2000 ===

Use one of the following methods.

Note Method 1 is the recommended method to use in this scenario.

Method 1: Change the encryption setting on the VPN server
Change the encryption setting in the routing and remote access policy on the VPN server to maximum strength encryption. After you do this, Triple Data Encryption Standard (3DES) encryption is used to establish the VPN connection.

Method 2: Change the encryption setting on the VPN client computer
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Add the AllowL2TPWeakCrypto registry entry to change the encryption setting that the Routing and Remote Access service uses on the client computer. After you do this, MD5 encryption or DES encryption is enabled on the client computer. To change the encryption setting, follow these steps: <ol> Create the AllowL2TPWeakCrypto registry entry, and then set it to a value of 1. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> Click Start, click Run, type regedit, and then click OK.</li> In Registry Editor, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters

</li> On the Edit menu, point to New, and then click DWORD Value.</li> <li>Type AllowL2TPWeakCrypto, and then press ENTER.</li> <li>On the Edit menu, click Modify.</li> <li>In the Value data box, type 1, and then click OK.</li> <li>On the File menu, click Exit to exit Registry Editor.</li></ol> </li> <li>Restart the &quot;Routing and Remote Access&quot; service and the Remote Access Connection Manager service. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Click Start, right-click My Computer, and then click Manage.</li> <li>Expand Services and Applications, and then click Services.</li> <li>Right-click Routing and Remote Access, and then click Stop.</li> <li>Right-click Remote Access Connection Manager, and then click Stop.</li> <li>Right-click Remote Access Connection Manager, and then click Start.</li> <li>Right-click Routing and Remote Access, and then click Start.</li></ol> </li></ol>

Keywords: kbtshoot kbprb kbexpertiseinter KB929856

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.