Windows Vista VPN: A Step Backward
Source: saunderslog.com
One of the most frustrating aspects of Windows XP is how difficult it can be to get a VPN running. Unless you are running a full set of domain services, the process is a little bit like divining the future amongst chicken entrails: messy and unpleasant with a heavy dose of guesswork. It typically involves manual manipulation of firewall ports, manual mapping of hosts on the VPN side, and a lot of shrewd guessing.
Having said that, for some time I’ve been successfully running Windows XP, and the Windows OneCare Live security package, which does firewall, antivirus, and spyware protection, as well as nagging me about backups. It’s a nice integrated tool. In order to get it to work with our VPN, I needed to open the GRE protocol port — helpfully renamed Microsoft VPN in later builds. It was a fair work of divination to make that happen because:
1) The Windows XP VPN client doesn’t actually provide any useful information when it’s blocked. In this particular case, the VPN connects, informs you that it’s verifying your password, and fails on password verification. There are obviously many possibilities at this point, including the fact that you simply might have mistyped the password. The “oh-so-informative” error message 619 provides the following possible clues:
There are several possible reasons why a connection to the remote computer could not be established:
- The remote computer might have been too busy. Wait a few minutes and try the connection again.
- If you are trying to establish a dial-up connection, you might have tried to redial before the modem fully disconnected. Wait a short time and try your call again.
- If you are trying to establish a connection by using a modem, the modem might not be functioning properly. For more information, see Troubleshooting modems.
- If you are using a device such as a router, a hub, or a network adapter for network address translation (NAT), the device might not be functioning properly. If the device provides firewall capabilities, the device might be blocking the connection. Consult the documentation for the device.
2) The Windows Live OneCare firewall doesn’t inform you which port it has blocked. It simply blocks.
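Because neither firewall says which rule it is enforcing, the practical check is to ask the firewall yourself. The following script is an added example, not code from the post: on Windows 8 / Server 2012 or later (where the NetSecurity cmdlets exist) it lists the local Windows Firewall rules that touch what a PPTP client needs, outbound TCP 1723 for the control channel and GRE (IP protocol 47) for the tunnel, and then probes the server's control port. `$VpnServer` is a placeholder hostname, not a real one.

```powershell
# Added example: surface the firewall rules a PPTP client depends on and probe the control port.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later). $VpnServer is a placeholder.
param([string]$VpnServer = "vpn.example.invalid")

function Get-PptpRelevantRules {
    $hits = @()
    foreach ($rule in Get-NetFirewallRule -Direction Outbound -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        # GRE shows up as protocol number 47 (some builds display it as "GRE").
        $isGre  = ($pf.Protocol -eq "47") -or ($pf.Protocol -eq "GRE")
        # The PPTP control channel is TCP 1723; a rule with RemotePort "Any" covers it too.
        $isCtrl = ($pf.Protocol -eq "TCP") -and (($pf.RemotePort -contains "1723") -or ($pf.RemotePort -eq "Any"))
        if ($isGre -or $isCtrl) {
            $hits += [pscustomobject]@{
                Name     = $rule.DisplayName
                Action   = $rule.Action      # Allow or Block
                Profile  = $rule.Profile
                Protocol = $pf.Protocol
                Port     = ($pf.RemotePort -join ",")
            }
        }
    }
    return $hits
}

$rules = Get-PptpRelevantRules
if (-not $rules) {
    Write-Host "No outbound rule mentions TCP 1723 or GRE; the profile's default outbound policy applies."
} else {
    $rules | Format-Table -AutoSize
}
$blocked = $rules | Where-Object { $_.Action -eq "Block" }
if ($blocked) {
    Write-Warning "Block rules listed above will break PPTP even when the profile default is Allow."
}

# Only the TCP control channel can be probed with a connect; GRE has no port to test.
# A reachable 1723 combined with a VPN that still fails at password verification points at GRE filtering.
$probe = Test-NetConnection -ComputerName $VpnServer -Port 1723 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Host "TCP 1723 to $VpnServer is reachable; if the VPN still fails after authentication starts, suspect GRE."
} else {
    Write-Host "TCP 1723 to $VpnServer is not reachable; fix the control-channel path first."
}
```

Run it with the firewall on and again with it off; a rule that appears only as Block, or a 1723 probe that only succeeds with the firewall disabled, names the culprit the error dialogs will not.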
That was several months ago. I’ve been successfully running Windows Vista Beta 2, and then RC 1 with the TrendMicro PC-Cillin beta. Until recently, PC-Cillin was the only solution for Windows Vista. However, a couple of days ago, I upgraded the PC to Windows Vista RC2, and the just-released Windows OneCare Live 1.5 beta. That’s when the nightmares started.
You see, unlike the mostly unhelpful messages provided by Windows XP, Windows Vista provides you with no information. It says “Failed to connect”, and then offers “Diagnose the problem”, which unhelpfully told me that it couldn’t find anything wrong.
After several attempts to get the correct ports open in Windows OneCare Live, I gave up. Turning the firewall off helped me to determine that the problem was indeed the firewall, and I have now reverted to PC-Cillin.
There’s a bug in Windows OneCare Live’s firewall support. More importantly, though, it’s nearly impossible to diagnose in Windows Vista. That’s a huge usability problem.