IPSEC\L2TP issue


Kati

If a fully AD-controlled computer inside the network gets
a certificate, it can connect using IPSEC/L2TP just fine,
but there seems to be no way to give a certificate to an
uncontrolled computer (e.g., one owned by an otherwise
authenticated user at his home) that would allow a
connection.

So far I have found no way to produce a certificate for
such a user that would be honored by the RAS server.
 

Miha Pihler

Hi Kati,

If you double-click the certificate, what does it say under Certificate
Information? Does the client PC (at home) trust this certificate? Did you
install the Root CA public certificate so that the client would trust this
certificate? In a domain you don't have to do this if you have an Enterprise
CA...

What is the error that you get when the client tries to connect?

Mike
 

Kati

Thanks Mike! - I'll check the error and re-post.
 

Guest

Certificates:
Certs were issued using our enterprise CA, that is AD-
integrated.
All servers have a copy of the root cert, and it's
trusted.
All clients have a copy of the root cert, trusted.

Error:
"Error 792: The L2TP connection attempt failed because
security negotiations timed out."
Looking in the event log of the RAS server shows this:

Event Type: Failure Audit
Event Source: Security
Event Category: System Event
Event ID: 547
Date: 8/6/2004
Time: 9:34:08 AM
User: BUILTIN\Administrators
Computer: RAS
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 192.168.2.232
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.2.1
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0

Failure Point:
Peer

Failure Reason:
IKE security attributes are unacceptable

Kati
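The failure audit quoted above is the record a defender would triage on the RAS server: who is failing IKE Main Mode, and with which reason. The following PowerShell is an added example, not part of the thread, that summarises such events by source address and failure reason. Event ID 547 is the pre-Vista ID shown in the post; including 4653 (its equivalent on Windows Vista/Server 2008 and later) is an assumption about the server OS, and the field regexes assume the message layout quoted in the post.

```powershell
# Added example (not from the thread): summarise IKE Main Mode negotiation
# failures from the Security log on the RAS server. Run in an elevated prompt.
function Get-IkeMainModeFailures {
    param([int]$Hours = 24)

    # 547 = legacy "IKE security association negotiation failed" (as in the post);
    # 4653 = "An IPsec Main Mode negotiation failed" on newer Windows (assumption).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 547, 4653
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = $e.Message
        # Pull the fields quoted in the post: source IP, failure point, failure reason.
        $src    = if ($msg -match 'Source IP Address\s+(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { $null }
        $point  = if ($msg -match 'Failure Point:\s*(\S+)') { $Matches[1] } else { $null }
        $reason = if ($msg -match 'Failure Reason:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }

        [pscustomobject]@{
            Time         = $e.TimeCreated
            Id           = $e.Id
            Source       = $src
            FailurePoint = $point
            Reason       = $reason
        }
    }
}

# One line per (source, reason) pair, most frequent first. A single home client
# repeatedly logging "IKE security attributes are unacceptable" points at a
# certificate/trust or proposal mismatch on that client rather than at the server.
Get-IkeMainModeFailures -Hours 48 |
    Group-Object Source, Reason |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

A reason such as "IKE security attributes are unacceptable" with Failure Point "Peer" means the negotiation was rejected on the client side, which is consistent with the client being unable to validate the server's certificate chain in its computer store.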
 

Miha Pihler

Hi,

Have you tried using a shared key instead of certificates? This would give you
an idea where to look for the problem. Is the problem in the certificate or the RAS
configuration?

Is your enterprise CA server also the Root CA server? Can you import your Root CA
public key to clients that are not part of the domain? Don't import it only to the
user's store. Import it also to the computer store!

Start -> Run -> MMC -> File -> Add/Remove Snap-In -> Certificates -> Computer
Account -> Local computer -> Close -> OK. Import your Root CA server public
key into Trusted Root Certification Authorities. You can also import the user's certificate
that is used to authenticate to RAS into the Personal store (under Computer
Account) to see if the certificate is trusted (double-click it and there should not
be a red cross on the top part of the General certificate tab or a yellow exclamation
point).

What OS are the clients running? What SP does the RAS server have installed?

Mike
 