The L2TP connection attempt failed because security policy for the connection was not found?

BaDaBooM

Golden Member
May 3, 2000
1,077
1
0
Trying to make a VPN connection using two win2k domain controllers (same domain) and I got most of it worked out with the certificates and all but I get this error:

Event ID: 20111

A Demand Dial connection to the remote interface <VPN SITE> on port VPN2-4 was successfully initiated but failed to complete successfully because of the following error: The L2TP connection attempt failed because security policy for the connection was not found.

It will connect locally (on the same LAN) but not when I put the DC at the remote site (on the other side of the WAN). Anybody got an idea? Been working on this for days.
 

bigshooter

Platinum Member
Oct 12, 1999
2,157
0
71
Trying to remember (it's been a while since I messed with this), but if you don't have a local security policy saying use IPsec, then you can't have a VPN connection. It's probably set up to use L2TP plus IPsec, but if your security policy doesn't say use IPsec, then it can cause problems? Damn, it's been a year since I learned this stuff, and I never had to use it... time to hit the books and put the DC back up... goodbye Linux.
 

BaDaBooM

Bigshooter - That could be the reason.... I'm not sure exactly how to do that though. I will try to look around on the MS website for it, but if you know, please share. :) Here is an export of my local policies on the server for IPsec:

Name: Description - Policy Assigned

Client (Respond Only): Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that server is secured. - No

Server (Request Security): For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request. - No

Secure Server (Require Security): For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients. - No

I'm really not sure how to assign it or whatever I have to do. I don't want to make it use IPsec for all traffic just for the VPN connection.

LilLithTech - Yea, I'm using AD. I didn't specifically do that, but I looked into it on TechNet and I found this:
You can use Windows 2000 CAs to publish the CRL to the Active Directory. The clients can download the CRL from the CA; it is kept in the client's local cache and referred to when the client attempts to verify the validity of a certificate that was issued by the CA. CAs automatically publish a CRL at an interval that is set by the administrator (the default publication interval is one week, but you can change this by modifying the properties of the Revoked Certificates folder in the CA MMC). You can also manually publish a CRL. You would do this if you revoke certificates between publication periods and need to get the revocation updates to the clients immediately.
I guess it does this automatically. What is strange is that if I put them both on the same LAN then the connection works just fine. But as soon as I make it go across the internet it talks about not finding security policies.

I appreciate the help guys, keep it coming :) I know it's a pretty technical problem. Hopefully we'll be able to figure it out.
 
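An added example, not from anyone in this thread: a small Python parser for the IPsec policy export format quoted in the post above (Name: Description - Policy Assigned), which pulls out each policy's name and its "Policy Assigned" flag so you can check whether any IPsec policy is assigned at all, the condition bigshooter's reply points at. The sample text below is constructed from the listing in the post; the function names are the example's own.

```python
import re

# Constructed sample in the export format quoted above:
# one entry per blank-separated block, wrapped across lines,
# ending in " - Yes" or " - No" for the Policy Assigned column.
SAMPLE_EXPORT = """\
Name: Description - Policy Assigned

Client (Respond Only): Communicate normally (unsecured). Use the default response
rule to negotiate with servers that request security. Only the
requested protocol and port traffic with that server is secured. - No

Server (Request Security): For all IP traffic, always request security using Kerberos trust.
Allow unsecured communication with clients that do not respond
to request. - No

Secure Server (Require Security): For all IP traffic, always require security using Kerberos trust. Do
NOT allow unsecured communication with untrusted clients. - No
"""


def parse_ipsec_export(text):
    """Return one dict per policy entry: name, description, assigned (bool)."""
    policies = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # Re-join the wrapped lines of a single entry into one string.
        flat = " ".join(line.strip() for line in block.splitlines())
        if ": " not in flat or " - " not in flat:
            continue  # not shaped like an entry at all
        name, rest = flat.split(": ", 1)
        description, assigned = rest.rsplit(" - ", 1)
        if assigned.strip().lower() not in ("yes", "no"):
            continue  # the column header line, not a policy entry
        policies.append({
            "name": name.strip(),
            "description": description.strip(),
            "assigned": assigned.strip().lower() == "yes",
        })
    return policies


def assigned_policy_names(text):
    """Names of the policies the export marks as assigned (empty list means
    no local IPsec policy is assigned on that machine)."""
    return [p["name"] for p in parse_ipsec_export(text) if p["assigned"]]


if __name__ == "__main__":
    for p in parse_ipsec_export(SAMPLE_EXPORT):
        print(f"{p['name']:<35} assigned={p['assigned']}")
    print("assigned policies:", assigned_policy_names(SAMPLE_EXPORT) or "none")
```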

BaDaBooM

bump... still no answers on this. Plenty of sites listing this as an error message, just none with the fix for it. :(