ipsec with certificate authentication issue

djc

I have ipsec setup for telnet (transport). I'll leave out all the filter
details as I don't think they are pertinent to the problem. It works fine
with preshared key but I cannot get it to work with certificate
authentication. Client machine is connected to the lan via pptp vpn and
telnet server resides on the remote lan. This works fine with preshared key.
Both machines have my own MS cert server's certificate installed in their
local machine store's trusted root certification authorities folder and both
machines have their own certificate issued from this CA installed in their
own local machine store. The cert was obtained via ms cert services web
interface using the 'administrator' template. But if I understand correctly
the type of cert on each machine does not really matter as long as they are
both from the same trusted root CA, which they are.

I'm really not sure where to go from here. I know the issue must be
certificate auth related since it works just fine with preshared key.

any help would be greatly appreciated.
 
Steven L Umbach

Look in the security log of each computer to see if there is any information
about IKE failure that may help determine what is going on. Windows 2000 has
much less logging than Windows 2003. You also want to make sure you have
auditing of logon events enabled in the Local Security Policy of each
computer. My guess is there may be a problem with the administrator
certificates and I would try to use a computer or offline ipsec certificate
[which always worked for me] instead and remove the administrator
certificate from the computer store. In Windows 2000 Enterprise CA you need
to enable the offline ipsec template on the CA before it will show up as an
option via Web Enrollment as an advanced request and then you want to
specify the computer name and be sure to select to store in computer
store. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;257225 --- Windows
2000 ipsec troubleshooting.
 
djc

Thanks for the reply Steven. I added the offline ipsec cert template on my
CA and installed one on both client and server. I believe the
ipsec/certificates part is working now (connects successfully now but now I
have a telnet server config question - see below). Thank you!

1) initially I chose the 'install certification path' option from windows
2000 enterprise CA web form... ipsec connection didn't work. Then I just
chose to download the .cer file for the CA's certificate and manually
imported it into the trusted root cert store for the local machine and then
it worked. What is the 'install certification path' for? from the
description on the page it sounded like that should have worked for me?

2) A. unrelated to original post/problem but: After I connect to the telnet
server (win 2000 server sp4) it rejects the connection saying only NTLM Auth
is accepted. The client in this case is a computer that is NOT a member of
the domain (connected remotely via VPN). Is there a way for me to send NTLM
credentials to the telnet server? Obviously not the local machine
credentials but how about the domain credentials I use for the VPN? I'm
thinking probably not but I figured I would ask anyway...

2) B. if I can't send NTLM can the telnet server be changed to accept 'clear
text' login (which really wouldn't be since it's via a PPTP VPN and transport
ipsec at the application layer)?

thanks again for the help.


 
djc

ignore question 2)B. below. I found the tlntadmn.exe utility and made the
change.

 
Steven L Umbach

The .cer file would be the certificate that includes the public key for the
Certificate Authority. I think when you select the path it also downloads
all CA certificates in the path if there are subordinate CAs used. You need
to trust the CA but if the problem was that you were using the wrong
certificate for ipsec just downloading the CA certificate itself would not
help. It sounds like you fixed your telnet problem already and thanks for
posting the solution. --- Steve
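The two checks the replies above keep coming back to (is the machine certificate the right kind and does it chain to a root the computer actually trusts, and what does the Security log say about IKE) can be scripted. The following is an added example, not code from this thread or from Microsoft; it assumes Windows PowerShell 5.1 with the Cert: drive and Get-EventLog (Windows 2000 itself has no PowerShell, so run it on a modern peer or repeat the same checks with certutil.exe and the Event Viewer). The EKU OID 1.3.6.1.5.5.8.2.2 is the "IP security IKE intermediate" purpose carried by the offline IPsec template; the expected-issuer string and the event count are parameters you supply.

```powershell
# Added example: audit the local machine's IPsec certificate(s) and pull IKE
# failure audits from the Security log. Assumes Windows PowerShell 5.1.
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # "IP security IKE intermediate" EKU

function Test-IpsecMachineCert {
    param(
        # Optional: substring of the issuing CA's subject to require, e.g. 'CN=MyEnterpriseCA' (hypothetical value)
        [string]$ExpectedIssuer = ''
    )
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline chain build: the CA's CRL distribution point may be unreachable from a VPN client.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        # Top of the built chain is the root; IKE only accepts it if it sits in LocalMachine\Root.
        $rootThumb = $null
        if ($chain.ChainElements.Count -gt 0) {
            $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        }
        $rootTrusted = [bool]($rootThumb -and (Test-Path "Cert:\LocalMachine\Root\$rootThumb"))

        # Collect EKU OIDs; a certificate with no EKU extension is valid for any purpose.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            HasPrivateKey = $cert.HasPrivateKey          # must be $true or IKE cannot sign
            ChainBuilds   = $chainOk
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            RootTrusted   = $rootTrusted
            IkeEku        = ($ekus.Count -eq 0) -or ($ekus -contains $IkeIntermediateOid)
            IssuerMatches = (-not $ExpectedIssuer) -or ($cert.Issuer -like "*$ExpectedIssuer*")
            NotAfter      = $cert.NotAfter
        }
    }
}

function Get-IkeFailureEvents {
    param([int]$Newest = 500)
    # IKE negotiation results land in the Security log only when "Audit logon events"
    # is enabled (Local Security Policy, or on newer systems:
    #   auditpol /set /category:"Logon/Logoff" /failure:enable /success:enable ).
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EntryType -eq 'FailureAudit' -and $_.Message -match 'IKE' } |
        Select-Object TimeGenerated, EventID,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: run on both IPsec peers and compare.
Test-IpsecMachineCert -ExpectedIssuer 'CN=MyEnterpriseCA' | Format-Table -AutoSize
Get-IkeFailureEvents | Format-Table -AutoSize
```

A certificate that shows HasPrivateKey false, RootTrusted false, or a ChainStatus other than NoError on either peer explains an IKE failure before any filter or policy is inspected; a user-template certificate (like the 'administrator' one in the original post) typically fails the IkeEku test, which is why the offline IPsec template is the safer choice.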


 
