You receive a "741" or a "742" error message when you try to establish a VPN connection by using L2TP/IPsec from a Windows client computer to a VPN server

Article ID: 929856

SYMPTOMS

You experience one of the following symptoms when you try to establish a virtual private network (VPN) connection by using "Layer Two Tunneling Protocol with IPsec" (L2TP/IPsec) from a Windows client computer to a VPN server.
  • Symptom 1

    The Windows client computer is running Microsoft Windows XP, Microsoft Windows Server 2003, or Microsoft Windows 2000, and you try to connect to a VPN server that is running Windows Server 2008 or Windows Vista. However, you cannot connect to the VPN server. Instead, you receive an error message that resembles the following:
    741 The local computer does not support encryption.
  • Symptom 2

    The Windows client computer is running Windows Server 2008 or Windows Vista, and you try to connect to a VPN server that is running Windows XP, Windows Server 2003, or Windows 2000. However, you cannot connect to the VPN server. Instead, you receive an error message that resembles the following:
    742 The remote server does not support encryption.

CAUSE

This issue occurs if the encryption level that the Windows client computer uses does not match the encryption level that the VPN server uses. For example, this issue occurs if the client computer uses 40-bit or 56-bit RC4 encryption, and the VPN server only supports a 128-bit RC4-based encryption algorithm. Or, this issue occurs if the client computer uses 128-bit RC4 encryption and the server only supports a 40-bit or a 56-bit RC4-based encryption algorithm.

WORKAROUND

To work around this issue, use one of the following procedures, as appropriate for your situation.

The Windows client computer is running Windows XP, Windows Server 2003, or Windows 2000, and you connect to a VPN server that is running Windows Server 2008 or Windows Vista

Use one of the following methods.

Note Method 1 is the recommended method to use in this scenario.

Method 1: Change the encryption setting on the VPN client computer

Change the encryption setting in the VPN connection on the client computer to use maximum strength encryption. After you do this, Triple Data Encryption Standard (3DES) encryption is used to establish the VPN connection. To change the encryption setting in the VPN connection on the client computer, follow these steps:
  1. Click Start, click Run, type ncpa.cpl in the Open box, and then click OK.
  2. Right-click the VPN connection, and then click Properties.
  3. Click the Security tab, click Advanced (custom settings), and then click Settings.
  4. In the Data encryption box, click Maximum strength encryption (disconnect if server declines), and then click OK two times.

Method 2: Change the encryption setting on the VPN server

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Add the AllowL2TPWeakCrypto registry entry to the VPN server to change the encryption setting that the Routing and Remote Access service uses. After you do this, the "Message Digest 5" (MD5) algorithm or Data Encryption Standard (DES) encryption is enabled on the VPN server. To change the encryption setting on the VPN server, follow these steps:
  1. Create the AllowL2TPWeakCrypto registry entry, and then set it to a value of 1. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type AllowL2TPWeakCrypto, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. On the File menu, click Exit to exit Registry Editor.
  2. Restart the "Routing and Remote Access" service and the Remote Access Connection Manager service. To do this, follow these steps:
    1. Click Start, right-click My Computer, and then click Manage.
    2. Expand Services and Applications, and then click Services.
    3. Right-click Routing and Remote Access, and then click Stop.
    4. Right-click Remote Access Connection Manager, and then click Stop.
    5. Right-click Remote Access Connection Manager, and then click Start.
    6. Right-click Routing and Remote Access, and then click Start.

The Windows client computer is running Windows Server 2008 or Windows Vista, and you connect to a VPN server that is running Windows XP, Windows Server 2003, or Windows 2000

Use one of the following methods.

Note Method 1 is the recommended method to use in this scenario.

Method 1: Change the encryption setting on the VPN server

Change the encryption setting in the routing and remote access policy on the VPN server to maximum strength encryption. After you do this, Triple Data Encryption Standard (3DES) encryption is used to establish the VPN connection.

Method 2: Change the encryption setting on the VPN client computer

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Add the AllowL2TPWeakCrypto registry entry to change the encryption setting that the Routing and Remote Access service uses on the client computer. After you do this, the "Message Digest 5" (MD5) algorithm or Data Encryption Standard (DES) encryption is enabled on the client computer. To change the encryption setting, follow these steps:
  1. Create the AllowL2TPWeakCrypto registry entry, and then set it to a value of 1. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type AllowL2TPWeakCrypto, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. On the File menu, click Exit to exit Registry Editor.
  2. Restart the "Routing and Remote Access" service and the Remote Access Connection Manager service. To do this, follow these steps:
    1. Click Start, right-click My Computer, and then click Manage.
    2. Expand Services and Applications, and then click Services.
    3. Right-click Routing and Remote Access, and then click Stop.
    4. Right-click Remote Access Connection Manager, and then click Stop.
    5. Right-click Remote Access Connection Manager, and then click Start.
    6. Right-click Routing and Remote Access, and then click Start.
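
The Method 2 registry procedure (the same steps on the VPN server and on the client computer) can be scripted so that the setting is also easy to audit and to remove once the peer supports 3DES. The following PowerShell is an added example, not part of the original article or Microsoft's own code; the function names and the backup location under %TEMP% are assumptions, and RemoteAccess and RasMan are the service names of "Routing and Remote Access" and "Remote Access Connection Manager". Run it from an elevated prompt.

```powershell
# Added example: audit, set or remove AllowL2TPWeakCrypto, then restart the RAS
# services in the order the article gives. Function names are hypothetical.
$RasKey = 'HKLM:\System\CurrentControlSet\Services\Rasman\Parameters'
$Name   = 'AllowL2TPWeakCrypto'

function Get-L2tpWeakCrypto {
    # Returns 'NotSet' when the entry is absent, otherwise its DWORD value
    # (1 means the DES/MD5 setting from Method 2 is in effect).
    $p = Get-ItemProperty -Path $RasKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotSet' }
    return $p.$Name
}

function Set-L2tpWeakCrypto {
    param([switch]$Remove)   # -Remove deletes the entry instead of setting it to 1

    # Back up the subkey first, as the article advises (timestamped .reg file,
    # so reg.exe never has to prompt about overwriting an existing file).
    $backup = Join-Path $env:TEMP ('Rasman-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\System\CurrentControlSet\Services\Rasman\Parameters' $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no change was made.' }

    if ($Remove) {
        Remove-ItemProperty -Path $RasKey -Name $Name -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $RasKey -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Stop RRAS, stop RasMan, start RasMan, start RRAS. RRAS is restarted only
    # if it was running, because on a client it is often stopped or disabled.
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $rrasWasRunning = ($null -ne $rras) -and ($rras.Status -eq 'Running')
    if ($rrasWasRunning) { Stop-Service -Name RemoteAccess -Force }
    Stop-Service  -Name RasMan -Force
    Start-Service -Name RasMan
    if ($rrasWasRunning) { Start-Service -Name RemoteAccess }

    return $backup           # path of the .reg backup that was written
}

# Read-only audit of the current state; the calls that change the system are:
#   Set-L2tpWeakCrypto            # create the entry with value 1
#   Set-L2tpWeakCrypto -Remove    # delete the entry again
Get-L2tpWeakCrypto
```

Restarting Remote Access Connection Manager drops any active dial-up or VPN connections on the computer.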

Properties

Article ID: 929856 - Last Review: March 17, 2007 - Revision: 1.5
APPLIES TO
  • Windows Vista Ultimate
  • Windows Vista Enterprise
  • Windows Vista Business
  • Windows Vista Home Premium
  • Windows Vista Home Basic
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Business 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Starter
  • Microsoft Windows XP Professional
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008