Microsoft KB Archive/247231
Article ID: 247231
Article Last Modified on 2/28/2007
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q247231
When you attempt to manually establish a Layer 2 Tunneling Protocol (L2TP)/IP Security Protocol (IPSec) connection with a Windows 2000-based server by using the Routing and Remote Access snap-in, you may be unable to do so, and the initiator computer may display the following error message:
In addition, the following event is logged in the System event log of the initiator computer:
NOTE: If the connection is triggered by demand-dial traffic, then only Event 20111 is logged.
When you attempt to establish an L2TP/IPSec connection by using Network and Dial-up Connections, you are unable to do so, and the initiator computer may display the following error message:
NOTE: That Event 20111 is not logged at either the client or server when you attempt to establish the connection by using Network and Dial-up Connections.
This issue can occur because of one of the following reasons:
- The certificate on the virtual private networking (VPN) server is not a valid machine certificate or is missing. If the VPN server got a certificate during the Certificate Authority installation, this certificate is not valid for IPSec machine authentication.
- The IPSec Policy Agent service is stopped and started without stopping and starting the Routing and Remote Access service on the remote computer.
- The IPSec Policy Agent service is not running when you start the Routing and Remote Access service.
To resolve this issue, do one of the following:
- Install a valid machine certificate on the VPN server.
Stop and start the IPSec Policy Agent service, and then stop and start the Routing and Remote Access service on the remote computer. To do so, use one of the following methods.
- Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.
- Double-click Services and Applications, double-click Services, double-click IPSEC Policy Agent, click Stop, click Start, and then click OK.
- Double-click Routing and Remote Access, click Stop, click Start, and then click OK.
At a command prompt, type the following commands pressing ENTER after each command:
net stop policyagent
net start policyagent
net stop remoteaccess
net start remoteaccess
NOTE: The IPSec Policy Agent service must be started when the Routing and Remote Access service initializes.
When you stop and start the IPSec Policy Agent service without stopping and starting the Routing and Remote Access service, the automatic IPSec policy that is usually created for the L2TP/IPSec connection is not created and the connections are not successful.
If you stop the IPSec Policy Agent service while you have active tunnel connections without first stopping the Routing and Remote Access service, the tunnels are unsecured, and data is exposed in the clear. It is recommended that you stop active tunnel connections before you stop the IPSec Policy Agent service.
Note that stopping the IPSec Policy Agent and the Routing and Remote Access services may remove filters that are critical to protecting your computers, and to prevent this downtime in security, it is recommended that you disconnect the network cable.
Keywords: kberrmsg kbipsec kbnetwork kbprb kbtunneling KB247231