AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Routers, covering common information collection and fault diagnostic commands, typical fault troubleshooting guides, and troubleshooting.
If an Administrator Selects Require encryption on the Security Tab Page During L2TP Connection Authentication Parameter Configuration, Encryption Negotiation Fails When a PC Running Windows 7 Establishes Connections with an AR Through Dial-up

This section provides a troubleshooting case for the following fault: If an administrator selects Require encryption on the Security tab page during L2TP connection authentication parameter configuration, encryption negotiation fails when a PC running Windows 7 establishes connections with an AR through dial-up.

Networking

Figure 25-23  Configuring remote users to initiate dial-up connections through an L2TP tunnel

LNS configurations:

#
 sysname LNS
#
 l2tp enable    
#
acl number 2001           
 rule 5 permit source 192.168.1.0 0.0.0.255
#
ip pool lns      
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
aaa        
 authentication-scheme lmt                                                      
 domain huawei.com
  authentication-scheme lmt
 local-user 123456789@huawei.com password cipher %^%#_<`.CO&(:LeS/$#F\H0Qv8B]KAZja3}3q'RNx;VI%^%#
 local-user 123456789@huawei.com privilege level 0  
 local-user 123456789@huawei.com service-type ppp
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
 nat outbound 2001           
#
interface Virtual-Template1           
 ppp authentication-mode chap domain huawei.com  
 remote address pool lns
 ppp ipcp dns 10.10.10.10          
 ip address 192.168.1.1 255.255.255.0
#
l2tp-group 1                     
 undo tunnel authentication           
 allow l2tp virtual-template 1
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
#
return

Fault Description

If an administrator selects Require encryption on the Security tab page during L2TP connection authentication parameter configuration, encryption negotiation fails when a PC running Windows 7 establishes connections with an AR through dial-up.

Fault Analysis

On PCs running Windows 7, L2TP connections use IPSec with certificate authentication by default. The LNS, however, has only L2TP configured and no IPSec encryption. Therefore, if the administrator selects Require encryption, encryption negotiation fails and PCs cannot establish L2TP connections with the LNS. The fault can be rectified using either of the following methods: modify the registry of the Windows operating system to disable the digital certificate authentication function, or change the value of Data encryption to Optional encryption (connect even if no encryption) in the VPN Properties window.
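An added example, not part of the Huawei documentation: a Python check that reads an LNS configuration like the one above and reports that no IPSec policy is bound, which is the condition behind the failed negotiation, together with the tunnel and PPP authentication settings that remain. It assumes an IPSec policy would appear as `ipsec policy <name>` in interface view; the function names and finding labels are hypothetical.

```python
import re

# Constructed sample: trimmed copy of the LNS configuration shown on this page.
LNS_CONFIG = """\
#
 l2tp enable
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.1 255.255.255.0
#
interface Virtual-Template1
 ppp authentication-mode chap domain huawei.com
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1
#
"""

def parse_sections(text):
    """Split the config into {section header: [indented sub-commands]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip() in ("", "#", "return"):   # '#' closes the current section
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:                                      # new header or standalone command
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_lns(text):
    """List what protects an L2TP session terminating on this LNS."""
    sections = parse_sections(text)
    if "l2tp enable" not in sections:
        return ["l2tp-disabled"]
    findings = []
    # Assumption: an IPSec policy is bound with 'ipsec policy <name>' in interface view.
    if not any(c.startswith("ipsec policy ") for cmds in sections.values() for c in cmds):
        findings.append("no-ipsec-policy")        # 'Require encryption' clients will fail
    for header, cmds in sections.items():
        if header.startswith("l2tp-group ") and "undo tunnel authentication" in cmds:
            findings.append("tunnel-auth-disabled:" + header)
        for cmd in cmds:
            if (m := re.match(r"ppp authentication-mode (\S+)", cmd)):
                findings.append("ppp-auth:" + m.group(1))
    return findings
```

Neither method in the Procedure changes the `no-ipsec-policy` finding, since both adjust only the Windows client.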

Procedure

  • Method 1: Modify the registry of the Windows operating system to disable the digital certificate authentication function.

    Choose Start > Run, enter regedit to open the registry, and access the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters directory. Right-click in the blank area on the right and choose New > DWORD (32-bit) Value from the shortcut menu. Name the new value ProhibitIpSec, set it to 1, and select Hexadecimal for Base, as shown in Figure 2. Restart the PC after the modification.

    Figure 25-24  Registry editor
  • Method 2: On the PC, access the Network and Sharing Center page, click Connect to a network, and locate the L2TP connection that was created. Right-click L2TP and choose Properties from the shortcut menu. On the Security tab page, select Auto or Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec) for Type of VPN, and Optional encryption (connect even if no encryption) for Data encryption, as shown in Figure 3.
    Figure 25-25  Setting L2TP connection authentication parameters

Conclusions and Suggestions

On PCs running Windows 7, L2TP connections use IPSec with certificate authentication by default. Therefore, if remote users need to establish dial-up connections with the AR through L2TP tunnels, IPSec needs to be disabled in the registry. If the registry of the Windows operating system is not modified, Optional encryption (connect even if no encryption) needs to be selected for Data encryption in the VPN Properties window for proper negotiation.

Updated: 2019-05-10

Document ID: EDOC1000079719
