Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

You receive a "741" or a "742" error message when you try to establish a VPN connection by using L2TP/IPsec from a Windows client computer to a VPN server



Symptoms

You experience one of the following symptoms when you try to establish a virtual private network (VPN) connection by using "Layer Two Tunneling Protocol with IPsec" (L2TP/IPsec) from a Windows client computer to a VPN server.
  • Symptom 1

    The Windows client computer is running Microsoft Windows XP, Microsoft Windows Server 2003, or Microsoft Windows 2000, and you try to connect to a VPN server that is running Windows Server 2008 or Windows Vista. However, you cannot connect to the VPN server. Instead, you receive an error message that resembles the following:
    741 The local computer does not support encryption.
  • Symptom 2

    The Windows client computer is running Windows Server 2008 or Windows Vista, and you try to connect to a VPN server that is running Windows XP, Windows Server 2003, or Windows 2000. However, you cannot connect to the VPN server. Instead, you receive an error message that resembles the following:
    742 The remote server does not support encryption.



Cause

This issue occurs if the encryption level that the Windows client computer uses does not match the encryption level that the VPN server uses. For example, this issue occurs if the client computer uses 40-bit or 56-bit RC4 encryption, and the VPN server only supports a 128-bit RC4-based encryption algorithm. Or, this issue occurs if the client computer uses 128-bit RC4 encryption and the server only supports a 40-bit or a 56-bit RC4-based encryption algorithm.



Workaround

To work around this issue, use one of the following procedures, as appropriate for your situation.

The Windows client computer is running Windows XP, Windows Server 2003, or Windows 2000, and you connect to a VPN server that is running Windows Server 2008 or Windows Vista

Use one of the following methods.

Note Method 1 is the recommended method to use in this scenario.

Method 1: Change the encryption setting on the VPN client computer

Change the encryption setting in the VPN connection on the client computer to use maximum strength encryption. After you do this, Triple Data Encryption Standard (3DES) encryption is used to establish the VPN connection. To change the encryption setting in the VPN connection on the client computer, follow these steps:
  1. Click Start, click Run, type ncpa.cpl in the Open box, and then click OK.
  2. Right-click the VPN connection, and then click Properties.
  3. Click the Security tab, click Advanced (custom settings), and then click Settings.
  4. In the Data encryption box, click Maximum strength encryption (disconnect if server declines), and then click OK two times.

Method 2: Change the encryption setting on the VPN server

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Add the AllowL2TPWeakCrypto registry entry to the VPN server to change the encryption setting that the Routing and Remote Access service uses. After you do this, the "Message Digest 5" (MD5) algorithm or Data Encryption Standard (DES) encryption is enabled on the VPN server. To change the encryption setting on the VPN server, follow these steps:
  1. Create the AllowL2TPWeakCrypto registry entry, and then set it to a value of 1. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type AllowL2TPWeakCrypto, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. On the File menu, click Exit to exit Registry Editor.
  2. Restart the "Routing and Remote Access" service and the Remote Access Connection Manager service. To do this, follow these steps:
    1. Click Start, right-click My Computer, and then click Manage.
    2. Expand Services and Applications, and then click Services.
    3. Right-click Routing and Remote Access, and then click Stop.
    4. Right-click Remote Access Connection Manager, and then click Stop.
    5. Right-click Remote Access Connection Manager, and then click Start.
    6. Right-click Routing and Remote Access, and then click Start.

The Windows client computer is running Windows Server 2008 or Windows Vista, and you connect to a VPN server that is running Windows XP, Windows Server 2003, or Windows 2000

Use one of the following methods.

Note Method 1 is the recommended method to use in this scenario.

Method 1: Change the encryption setting on the VPN server

Change the encryption setting in the routing and remote access policy on the VPN server to maximum strength encryption. After you do this, Triple Data Encryption Standard (3DES) encryption is used to establish the VPN connection.

Method 2: Change the encryption setting on the VPN client computer

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Add the AllowL2TPWeakCrypto registry entry to change the encryption setting that the Routing and Remote Access service uses on the client computer. After you do this, the "Message Digest 5" (MD5) algorithm or Data Encryption Standard (DES) encryption is enabled on the client computer. To change the encryption setting, follow these steps:
  1. Create the AllowL2TPWeakCrypto registry entry, and then set it to a value of 1. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type AllowL2TPWeakCrypto, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. On the File menu, click Exit to exit Registry Editor.
  2. Restart the "Routing and Remote Access" service and the Remote Access Connection Manager service. To do this, follow these steps:
    1. Click Start, right-click My Computer, and then click Manage.
    2. Expand Services and Applications, and then click Services.
    3. Right-click Routing and Remote Access, and then click Stop.
    4. Right-click Remote Access Connection Manager, and then click Stop.
    5. Right-click Remote Access Connection Manager, and then click Start.
    6. Right-click Routing and Remote Access, and then click Start.
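
The registry and service steps of Method 2 (the same on the VPN server and on the client computer) can also be scripted, and the first function is useful for auditing which computers have the weak-encryption entry enabled. This is an added example, not Microsoft's code: the function names are hypothetical, RemoteAccess and RasMan are the service names of "Routing and Remote Access" and Remote Access Connection Manager, and it assumes an elevated Windows PowerShell prompt is available on the computer.

```powershell
# Added example (not Microsoft's code). Run from an elevated PowerShell prompt.
$RasmanKey = 'HKLM:\System\CurrentControlSet\Services\Rasman\Parameters'
$ValueName = 'AllowL2TPWeakCrypto'

function Get-L2tpWeakCryptoState {
    # 'Enabled' when the entry is 1, 'Disabled' for any other data, 'NotSet' when absent.
    $item = Get-ItemProperty -Path $RasmanKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Restart-RemoteAccessStack {
    # Same order as step 2: stop RRAS, stop RasMan, start RasMan, start RRAS.
    # RRAS is started again only if it was running, so a client where the
    # service is stopped or disabled is left that way.
    $rrasWasRunning = (Get-Service -Name RemoteAccess).Status -eq 'Running'
    if ($rrasWasRunning) { Stop-Service -Name RemoteAccess -Force }
    Stop-Service -Name RasMan -Force      # -Force also stops other dependent services
    Start-Service -Name RasMan
    if ($rrasWasRunning) { Start-Service -Name RemoteAccess }
}

function Enable-L2tpWeakCrypto {
    # Step 1: create the DWORD entry (or overwrite it) with a value of 1.
    New-ItemProperty -Path $RasmanKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Restart-RemoteAccessStack
}

function Remove-L2tpWeakCrypto {
    # Assumption: deleting the entry returns the computer to its state before Method 2.
    Remove-ItemProperty -Path $RasmanKey -Name $ValueName -ErrorAction SilentlyContinue
    Restart-RemoteAccessStack
}

# Report the current state; nothing is changed unless a function above is called.
"{0}: {1} = {2}" -f $env:COMPUTERNAME, $ValueName, (Get-L2tpWeakCryptoState)
```

Restarting Remote Access Connection Manager drops any active dial-up or VPN connections on the computer, and dependent services other than "Routing and Remote Access" that were stopped along with it are not restarted by this script.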



Keywords: kbtshoot, kbprb, kbexpertiseinter, KB929856


Article Info
Article ID : 929856
Revision : 6
Created on : 3/17/2007
Published on : 3/17/2007