setting up VPN - anything required on the network or ASDK host?

  • Question

  • I've been working on setting up the VPN access - took the script from here: https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-connect-azure-stack#connect-with-vpn 

    my ASDK (20171020.1) is the latest, and up and running well...  

    when I configure the script I've modified:

    # Configure Windows Remote Management (WinRM), if it's not already configured.
    winrm quickconfig  

    Set-ExecutionPolicy RemoteSigned

    # Import the Connect module.
    Import-Module .\Connect\AzureStack.Connect.psm1 

    # Add the development kit computer’s host IP address and certificate authority (CA) to the list of trusted hosts. Make sure you update the IP address and password values for your environment. 

    $hostIP = "<my ASDK public IP address>"

    $Password = ConvertTo-SecureString `
      "my setup password" `
      -AsPlainText `
      -Force

    Set-Item wsman:\localhost\Client\TrustedHosts `
      -Value $hostIP `
      -Concatenate

    # Create a VPN connection entry for the local user.
    Add-AzsVpnConnection `
      -ServerAddress $hostIP `
      -Password $Password

    I get the error:  "the L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

    to me - this sounds like a network issue or something in ASDK isn't responding to the initial request

    are there other 'assumptions' not documented in what the network needs? and/or ASDK side setup for VPN?



    • Edited by Todd Christ Wednesday, November 8, 2017 11:55 PM
    Wednesday, November 8, 2017 7:04 PM

Answers

  • You may review the suggestions outlined in the blog Troubleshooting common VPN related errors which outlines possible causes/solutions for fixing a similar issue.

     

    Just to isolate, if feasible you may test this on another system to see if you receive the same behavior/error.

     

    Also, ensure that the password/credentials are correct and that you are invoking the cmdlets on Windows PowerShell “as an administrator” on your local Windows-based computer.

    ---------------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Friday, November 10, 2017 1:10 PM
  • this looks to be the issue:

    5) Error Code: 789, 835

    Error Description:

    789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

    835: The L2TP connection attempt failed because the security layer could not authenticate the remote computer. This could be because one or more fields of the certificate presented by the remote server could not be validated as belonging to the target destination.

    Possible Causes: This is a generic error which is thrown when the IPSec negotiation fails for L2TP/IPSec connections.

    Possible causes for this issue could be:

    a> L2TP based VPN client (or VPN server) is behind NAT.

    b> Wrong certificate or pre-shared key is set on the VPN server or client

    c> Machine certificate or trusted root machine certificate is not present on the VPN server.

    d> Machine Certificate on VPN Server does not have 'Server Authentication' as the EKU

    Possible Solution: Make sure correct certificate is used both on client and server side – for further details refer to this blog. In case Pre Shared Key (PSK) is used, make sure the same PSK is configured on the client and the VPN server machine.

    I believe my ASDK connection has blocked inbound access - I will have to remedy this with our IT department - thanks!

    • Marked as answer by Todd Christ Thursday, January 4, 2018 7:46 PM
    Wednesday, November 15, 2017 8:59 PM
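    The four causes quoted above (NAT in the path, PSK/certificate mismatch, missing machine certificate, missing Server Authentication EKU) can each be checked from the client side before involving the network team. The script below is an added example for this thread; it is not code from the original posts, the linked blog, or the Azure Stack Connect module. It assumes an elevated Windows PowerShell session on the client, that the connection entry created by Add-AzsVpnConnection is named "azurestack" (a hypothetical name; pass -ConnectionName to override), and that the entry uses pre-shared-key mode, since the Connect script above supplies a -Password rather than a certificate.

```powershell
# Added example (not from the thread or the Azure Stack Connect module):
# client-side checks for the L2TP/IPsec failure causes listed in the answer above.
# Assumptions: the VPN entry created by Add-AzsVpnConnection is named
# "azurestack" (hypothetical; adjust $ConnectionName) and the script runs in an
# elevated Windows PowerShell session on the client machine.
param(
    [string]$ConnectionName = "azurestack"
)

$findings = New-Object System.Collections.Generic.List[string]

# 1) Connection entry: the Connect script passes a password, so the expected
#    shape is an L2TP tunnel authenticated with a pre-shared key (cause b).
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $vpn) {
    $findings.Add("No VPN connection named '$ConnectionName' exists for this user.")
} else {
    "Server: $($vpn.ServerAddress)  Tunnel: $($vpn.TunnelType)  IPsec auth: $($vpn.L2tpIPsecAuth)"
    if ($vpn.TunnelType -ne 'L2tp') {
        $findings.Add("Tunnel type is $($vpn.TunnelType), expected L2tp.")
    }
    if ($vpn.L2tpIPsecAuth -ne 'Psk') {
        $findings.Add("IPsec auth is $($vpn.L2tpIPsecAuth); a PSK entry was expected.")
    }
}

# 2) NAT traversal (cause a): Windows will not complete L2TP/IPsec through NAT
#    unless AssumeUDPEncapsulationContextOnSendRule is set (1 = server behind
#    NAT, 2 = either side may be behind NAT). Documented in Microsoft KB 926179.
$natKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$natProp  = Get-ItemProperty -Path $natKey -Name AssumeUDPEncapsulationContextOnSendRule -ErrorAction SilentlyContinue
$natValue = if ($natProp) { $natProp.AssumeUDPEncapsulationContextOnSendRule } else { $null }
if ($null -eq $natValue) {
    $findings.Add("AssumeUDPEncapsulationContextOnSendRule is not set; L2TP/IPsec fails when either side is behind NAT.")
} elseif (@(1, 2) -notcontains $natValue) {
    $findings.Add("AssumeUDPEncapsulationContextOnSendRule has unexpected value $natValue.")
}

# 3) Certificate mode only (causes c and d): count machine certificates whose
#    EKU extension includes Server Authentication (OID 1.3.6.1.5.5.7.3.1).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$serverAuthCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}
"Machine certificates carrying the Server Authentication EKU: $(@($serverAuthCerts).Count)"

# 4) Last RasClient failure for this entry: event 20227 in the Application log
#    carries the numeric reason code (789 and 835 are the codes quoted above).
$rasEvent = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ConnectionName*" } | Select-Object -First 1
if ($rasEvent) {
    "Last RasClient failure at $($rasEvent.TimeCreated):"
    $rasEvent.Message
    if ($rasEvent.Message -match 'error code returned on failure is (\d+)') {
        $code = [int]$Matches[1]
        if (@(789, 835) -contains $code) {
            $findings.Add("Reason code ${code}: IPsec negotiation failed (NAT, PSK mismatch or certificate problem).")
        }
    }
}

if ($findings.Count -eq 0) {
    "No client-side misconfiguration found; next confirm that UDP 500, 4500 and 1701 (and ESP) reach the ASDK host."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

    If the checks all pass and the RasClient event still reports 789, the remaining causes sit on the path or on the ASDK host (blocked inbound UDP/ESP, or a PSK that does not match the setup password), which is where the thread ended up.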

All replies

  • Glad to know that you have narrowed down the issue and thank you for sharing the possible solution with the community.

    --------------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    Thursday, November 16, 2017 10:45 AM