ipsec w/certificates

Guest

What I'm trying to do: Create an IPSEC trust in transport mode, using certificates as the mode of authentication. I'm attempting to do this on a LAN between two hosts. NAT is not an issue.

What I've done:
- Successfully created the trust using a preshared secret (password) just to make sure that IPSEC was working. (Note: this was just a test step; I am going to disable the preshared pw because I want to use certs.)
- Used openssl to generate a CA (I used the canned CA.sh script).
- Generated certificates for the two hosts.
- Imported the CA certificate to each host.
- Imported the respective cert to each host.
- Changed the authentication mode to certificates.
- Assigned the ipsec policies.

When I ping, it shows that the nodes are negotiating but never connect (this was working in pw mode). Nor can I use any of the services between the hosts (http, ftp, etc. -- also working in pw mode).

What could I be forgetting/missing? Also, I can't seem to locate any obvious errors in the event logs -- is there another place I can look for info?

Thanks
Dan

Steven L Umbach

It looks like you did everything right and I assume the trusted CA certificates are
in the Trusted Root Store since you would have needed to select a CA when you
configured the ipsec policy. I would check that the certificates you issued are in
the computer store via mmc certificate snapin for certificates/computer and that they
have the private key and no other problems show such as invalid date. If it still
does not work my guess is that W2K does not recognize them as valid certificates for
ipsec use. I have never tried openssl certificates for ipsec - only computer
certificates from a W2K CA. The link below on more advanced tips to troubleshoot
ipsec may be helpful. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;257225

Guest

Steve -

One thing I noticed that you mentioned was the private key. I realized that I did not explicitly import the private key. As of this writing, I am unable to discover the mechanism to import the private key. Do you know how this is done?

Much thanks for your thoughts.

Dan

Steven L Umbach

Hi Dan.

I am not familiar with openssl, but in W2K you need to export the certificate and
private key to a .pfx file [not all certificates allow the export of the private key],
which will require a password to protect the associated private key that was
generated by the CA. Then you copy the .pfx file to the computer and open it to start
the process to import both the certificate and matching private key into the
certificate store. When you look at a certificate in W2K via the mmc certificate
snapin for computer certificates, the General page of the certificate will
say "You have a private key that corresponds to this certificate" if the private
key has also been installed. Sorry I can't be of more help on openssl. --- Steve
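Steve describes the export from the Windows side; the same bundle can be built on the openssl side, which is where Dan's CA lives. The script below is an added example for this thread, not something Dan or Steve posted. It builds a throwaway CA, issues a host certificate, packs the certificate and its private key into a .pfx (PKCS#12) file the way Windows expects, and then checks the two things that produce exactly the symptom above (IKE negotiates but never completes): that the .pfx really carries a private key whose public half matches the certificate, and that the certificate chains to the CA that was imported as a trusted root. The CA name ipsec-ca, the host name hostA, the work directory and the password are made-up placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA, issues a host
# certificate, bundles cert + private key into a .pfx and checks the result.
# Names (ipsec-ca, hostA) and the password are placeholders for the example.
set -e

WORK="${WORK:-$(mktemp -d)}"        # scratch directory for keys and certs
PFX_PASS="${PFX_PASS:-changeit}"    # protects the private key inside the .pfx

# Self-signed CA; ca.crt is what gets imported into Trusted Root on each host.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=ipsec-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key pair + CSR for one host, signed by the CA.  $1 = host name.
issue_host_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate + matching private key (+ CA cert) in one password-protected .pfx.
# 3DES/SHA-1 PBE and MAC are chosen because Windows of the W2K era cannot open
# the AES-256/SHA-256 PKCS#12 that newer OpenSSL writes by default.  $1 = host.
export_pfx() {
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -certfile "$WORK/ca.crt" -name "$1 ipsec" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$PFX_PASS" -out "$WORK/$1.pfx"
}

# Returns 0 if the .pfx carries a private key whose public half equals the
# certificate's public key, i.e. the import will show "You have a private key
# that corresponds to this certificate".  $1 = host name.
pfx_has_matching_key() {
  cert_pub=$(openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$PFX_PASS" \
               -nokeys -clcerts 2>/dev/null | openssl x509 -pubkey -noout)
  key_pub=$(openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$PFX_PASS" \
              -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the host certificate validates against the CA certificate that
# was imported as the trusted root.  $1 = host name.
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Stand-alone run: build everything for hostA and report the two checks.
if [ "${0##*/}" != "sh" ] && [ -z "$NO_DEMO" ]; then
  make_ca
  issue_host_cert hostA
  export_pfx hostA
  cert_chains_to_ca hostA && echo "hostA.crt chains to ipsec-ca"
  pfx_has_matching_key hostA && echo "hostA.pfx carries the matching private key"
  echo "files in $WORK"
fi
```

Copy hostA.pfx to the host and import it into the Local Computer Personal store (not the user's store), and import ca.crt into Trusted Root Certification Authorities of the same Local Computer store, on both hosts; the IPsec policy then needs that CA selected as the trusted authority. If your openssl is new enough to default to AES for PKCS#12, leaving out the 3DES options gives a .pfx that old Windows cannot open at all, which looks like yet another silent import failure.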
