I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.


"ld" wrote:

I'm trying to connect a machine to work with a PPTP VPN. Of course this
works with the XP Pro machine, but I can't get connected with the Vista box.
Same setup, same VPN endpoint, no luck.

I start the VPN connection, I get the username/password verified, and then:
"Error 732: Your computer and the remote computer could not agree on PPP
contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
thing is I can connect the Vista laptop with PPTP to a Cisco 3005
concentrator.

Did Microsoft change something in the PPTP protocol negotiation? I have the
VPN logs, but before I go wading through a few hundred lines of that, I
wanted to check and see if anyone had any helpful info. Thanks

Dear Dave, and all others using Cisco PIX 500 series Firewalls,

I have just installed Windows Vista RC2 and there seems to be no support for
MSCAP (V1). There is however a sollution that might be satisfactory. Both
Windows Vista and the Cisco PIX support CHAP. Although this is a one-way
authentication, it is encrypted and therefore better then PAP.

In both your PIX and the Windows PPTP connection you must only select CHAP
authentication. In Windows you must also select "Optional Data Encryption".

If you are using Microsoft IAS as a RADIUS server to authenticate your
Active Directory users, you must turn on "Store password using reversible
encryption" on the specified user account, or in a GPO. Don't forget to reset
the passwords of all users who must authenticate through CHAP.

Kind regards,

Lucas de Wal
De Wal ICT
The Netherlands

"Dave" wrote:

I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.


"ld" wrote:

I'm trying to connect a machine to work with a PPTP VPN. Of course this
works with the XP Pro machine, but I can't get connected with the Vista box.
Same setup, same VPN endpoint, no luck.

I start the VPN connection, I get the username/password verified, and then:
"Error 732: Your computer and the remote computer could not agree on PPP
contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
thing is I can connect the Vista laptop with PPTP to a Cisco 3005
concentrator.

Did Microsoft change something in the PPTP protocol negotiation? I have the
VPN logs, but before I go wading through a few hundred lines of that, I
wanted to check and see if anyone had any helpful info. Thanks

Thanks Lucas. This looks promising. I'll give it a try.

"Lucas" wrote:

Dear Dave, and all others using Cisco PIX 500 series Firewalls,

I have just installed Windows Vista RC2 and there seems to be no support for
MSCAP (V1). There is however a sollution that might be satisfactory. Both
Windows Vista and the Cisco PIX support CHAP. Although this is a one-way
authentication, it is encrypted and therefore better then PAP.

In both your PIX and the Windows PPTP connection you must only select CHAP
authentication. In Windows you must also select "Optional Data Encryption".

If you are using Microsoft IAS as a RADIUS server to authenticate your
Active Directory users, you must turn on "Store password using reversible
encryption" on the specified user account, or in a GPO. Don't forget to reset
the passwords of all users who must authenticate through CHAP.

Kind regards,

Lucas de Wal
De Wal ICT
The Netherlands

"Dave" wrote:

I have the same problem with a VPN connection to my PIX 506E. The
username/password verified message is displayed and then failure. It would
be nice if a Microsoft rep could provide some clarification on their position
with respect to MS-CHAP v1 suport in Vista.

I would rather not have to revert to PAP and I like the idea of using the MS
VPN client as it makes VPN connections to the office easy for my users to
make from any Windows computer since they don't have to install the Cisco VPN
client.

Cisco supports MS-CHAP v2 in version 7.0 of their Cisco Secure firewall
software, but their are 4 PIX 500 series firewalls, including the 506E, that
cannot use the 7.0 software. I need to know if I need to make a significant
investment in new Cisco hardware, on top of my Microsoft Volume License
Agreement, prior to rolling out Vista.


"ld" wrote:

I'm trying to connect a machine to work with a PPTP VPN. Of course this
works with the XP Pro machine, but I can't get connected with the Vista box.
Same setup, same VPN endpoint, no luck.

I start the VPN connection, I get the username/password verified, and then:
"Error 732: Your computer and the remote computer could not agree on PPP
contol protocols." I'm trying to connect to a PIX 501, no dice. Funny
thing is I can connect the Vista laptop with PPTP to a Cisco 3005
concentrator.

Did Microsoft change something in the PPTP protocol negotiation? I have the
VPN logs, but before I go wading through a few hundred lines of that, I
wanted to check and see if anyone had any helpful info. Thanks