AR2240 Fails to Establish an L2TP Tunnel with the PC Running Windows 8

Publication Date: 2015-11-02
Issue Description
As shown in Figure 1-1, the AR2240 used as the LNS fails to establish an L2TP tunnel with PC1 running Windows 8. As a result, the dialup on PC1 fails and the message "VPN Error 628" is displayed.

Figure 1-1 Networking where the AR2240 fails to establish an L2TP tunnel with the PC running Windows 8



Device and version: AR2240 V200R003C01SPC900

Configuration file of the AR2240


l2tp enable 
#  
aaa 
local-user vpn password cipher %$%$bE%\WX_E<>dY/T7UiW1KTG8x%$%$ 
local-user vpn service-type ppp 

interface Virtual-Template1 
ppp authentication-mode chap 
remote address pool l2tp 
ppp ipcp dns 202.103.24.68 202.103.44.150 
ip address 10.18.0.1 255.255.255.0 

#                                         
ip pool l2tp 
gateway-list 10.18.0.1 
network 10.18.0.0 mask 255.255.255.0 

l2tp-group 1 
undo tunnel authentication 
allow l2tp virtual-template 1 
#
Handling Process
1. Check whether the link or interface of the AR2240 is normal.

Run the ping command and the display interface brief command to check the link and interface of the AR2240. The command output shows that the link and interface of the AR2240 are normal.

2. Check whether the AR2240 is correctly configured.

Check configurations of the AR2240. The IPSec and route configurations are correct.

3. Check whether PC1 is normal.

PC1 is normal.

4. Run the debugging ppp all command and the debugging l2tp control command to view debugging information.

Analysis of the debugging information shows that the user name entered on the PC is inconsistent with that configured on the AR2240.

Verification on Windows 8 shows that the backslash (\) must be prefixed to the input user name. The backslash (\) was not added originally, so Windows 8 automatically prefixed the domain name to the user name. As a result, the authentication failed and the system displayed an error message. Adding the backslash (\), for example \vpn, solves the problem.
Root Cause
The user's PC runs Windows 8. Unless the backslash (\) is prefixed to the input user name, for example \vpn, Windows 8 automatically prefixes the domain name to the user name, causing a login authentication failure.
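The following added example (not part of the original case or of Huawei's code) models the CHAP check configured on Virtual-Template1 to show why a correct password is still rejected when the Name field carries a domain prefix. The password, the domain name PC1, the client_name behaviour and the lns_authenticate helper are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the AR2240 local-user table; the page shows only the
# ciphered password, so "example-secret" is a made-up value.
LOCAL_USERS = {"vpn": b"example-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def lns_authenticate(name: str, identifier: int, challenge: bytes, response: bytes) -> str:
    """Hypothetical LNS-side check: look up the Name field first, then compare hashes."""
    secret = LOCAL_USERS.get(name)
    if secret is None:
        return "reject: unknown user %r" % name
    expected = chap_response(identifier, secret, challenge)
    if not hmac.compare_digest(expected, response):
        return "reject: bad response"
    return "accept"


def client_name(typed: str, default_domain: str) -> str:
    """Assumed client behaviour: a bare name gets the domain prefixed;
    a leading backslash means 'no domain', so the bare name is sent."""
    if typed.startswith("\\"):
        return typed[1:]
    if "\\" in typed:
        return typed
    return default_domain + "\\" + typed


def dial(typed: str, password: bytes, default_domain: str = "PC1") -> str:
    identifier, challenge = 1, os.urandom(16)  # values the LNS would send
    name = client_name(typed, default_domain)
    response = chap_response(identifier, password, challenge)
    return lns_authenticate(name, identifier, challenge, response)


if __name__ == "__main__":
    for typed in ("vpn", "\\vpn"):
        print(typed, "->", dial(typed, b"example-secret"))
```

The rejection for the bare name happens at the user lookup, before any hash comparison, which is why re-entering the password does not help.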
Solution
Prefix the backslash (\) to the input user name on PC1, for example: \vpn. Then the dialup on PC1 succeeds.
Suggestions
When the PC running Windows 8 establishes an L2TP tunnel with the AR, the backslash (\) needs to be prefixed to the input user name. Otherwise, Windows 8 automatically prefixes the domain name to the user name, causing a login authentication failure.
