Passing this along in case someone else hits this:

“We implemented a new IPSec VPN using ISA Server 2004.  Cool
idea – our PPT VPN just wan’t cutting it.

I gladly installed the requisite certificates on my machine to gain
access to the new VPN.  Had to battle with the box for a while as my
Cisco VPN client was blocking my MS VPN client from functioning.  After
hours of battle, I got them installed in the proper order so I can use
both on my system.

To test the new VPN, I plugged into a DMZ port outside of our firewall,
received a public IP address, then launched the IPSec VPN.  Worked

Went home, looking forward to the new connection.  No go.  Error msgs at
the starting gate.

(Error says —

Error 791:  The L2TP connection attempt failed error because security policy
for the connection was not found.

Stupid me, I followed the context of the error msg.  Found my certs.
All looked good.  Deleted certs and re-installed certs.  No luck.
Searched google.  Hundreds of copies of the error msg, but not one post
about a solution.

Went back to work.  Operates fine at work.  Back home, no go.

Sent the issue to our lan admin – he tries it on his system – works fine
from work and home.

We configured a router at work and had me plugin to a NAT’d connection
at work outside the firewall.  This did it – the connection failed.

More research, no answers.

Last night I pulled up the help files for my actiontec DSL modem.  At
the very bottom of that page was a reference to a Microsoft KB article
about VPN connections and NAT routers.  Read that KB and it pointed to
two other articles.  One article nailed it:

“Microsoft has released an update package to enhance the current
functionality of Layer Two Tunneling Protocol (L2TP) and Internet
Protocol security (IPsec) on computers that run Microsoft Windows 2000,
Microsoft Windows XP without service packs installed, and Windows XP
with Service Pack 1 (SP1).This functionality is included in Windows XP
Service Pack 2 (SP2). Computers that run Windows XP with a service pack
do not have to install this update package.

This update includes improvements to IPsec to better support virtual
private network (VPN) clients that are behind network address
translation (NAT) devices. If you apply this update to a computer that
is running Windows XP, and if the IPsec service encounters a runtime
error and cannot start for any reason, the IPsec driver operates in
block mode because it cannot secure network traffic.”

Sounds good, right?  I’m running XP SP1 (I don’t want to limit my
outbound half-open tcp connections), so I figure maybe this is it, and
I’m eager to try the patch.  KB article includes information on
obtaining Win2K SP4 patch.  However, there is no patch for XP SP1.
Instead, it says to install XP SP2.  Right.  Not gonna go there.
Stymied again.

Turns out that KB 842933 ( is
applicable to XP SP1 and includes ipsec.sys.  Wouldn’t ya know, it’s the patch for “The following
entry in the [strings] section is too long and has been truncated” error
message when you try to modify or to view GPOs in Windows Server 2003,
Windows XP Professional, or Windows 2000″

Installed that this morning.  Rebooted.  Connected through NAT’d router
at work.  Launched VPN.  Bingo.  Connection succeeded.

I’m a happy camper.

Thanks MS for not mentioning in the 818043 article that this is solved
for XP SP1 in 842933.”


Comments are closed.