L2TP/IPSec Computer Certificates for non-domain computers


Bernd Schnabl

Hi,
I am really happy about my VPN using L2TP/IPSec with
certificates rolled out with AD autoenrollment.
This requires that the computer is a member of
the domain. How can I issue computer certificates to
computers that are not members of the domain?
I tried standard Web Server certificates.
Didn't work.
Any help is very much appreciated.
Kind regards,
Bernd
 

Herb Martin

Issue them manually -- also install the CA's trust certificate on the
machine to which you issue them (so it will trust yours.)

You can use the Cert MMC for this.
 

Paul Adare - MVP - Microsoft Virtual PC

In the microsoft.public.win2000.security newsgroup, Herb Martin wrote:
"You can use the Cert MMC for this."

No, you can't. You can only use the MMC to install certs on systems that
are joined to a domain that has a CA in the forest. You'll need to use
the web enrollment page or manually get the certs to the clients.
 

Herb Martin

My mistake.

--
Herb Martin
 

Bernd Schnabl

I tried the web enrollment with the IPSec and the
IPSec (Offline Request) templates.
The subject is the FQDN of the client computer.
This one does not have the same DNS namespace
as the domain to which it wants to connect via
the VPN.
The issued certificate differs from the one
which is automatically enrolled to another workstation
in the certificate extensions: the automatically
enrolled one has the purposes "Server Authentication"
and "Client Authentication".
The manually enrolled one has the
"IP Security IKE Intermediate" purpose.
Now I get error 786: "The connection attempt failed
because of failure to encrypt the data."
Any idea?



 

Steven L Umbach

The first thing to check is that your VPN client trusts the CA that issued the
certificate. That happens automatically for a domain computer using an
Enterprise CA for the AD domain, but not for a non-domain computer. You can use Web
Enrollment to request and install the CA's certificate, or you can copy it after
exporting it to a .cer file. You just have to click the .cer file to start the
installation wizard. Then use the MMC Certificates (Computer) snap-in to make sure that the
CA is shown in the Trusted Root Certification Authorities folder. Also check that your firewall has the proper
ports open to the VPN server - port 1701 UDP and protocol 50 for L2TP, I believe. L2TP
will not work over NAT; you would need to do the NAT-T upgrade, and then another port
will need to be opened - UDP 4500. If possible, always try to get your VPN connection
working on the LAN first before trying across the WAN. Once it works successfully on
the WAN, you know further issues are probably firewall configuration related. ---
Steve

http://www.microsoft.com/resources/...3/enterprise/proddocs/en-us/sag_vpn_und13.asp

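The manual issuance Herb and Paul describe and the trust, EKU and port checks in Steven's post, as one added PowerShell example (it is not from the thread and not any poster's code). Assumed names: client FQDN client.example.net, CA config string ca01.corp.example\Corp-Issuing-CA, the CA's certificate exported to C:\temp\corp-root.cer, and the internal template name IPSECIntermediateOffline for "IPSec (Offline Request)". Steps 1 to 4 run in an elevated PowerShell on the non-domain client, step 5 on the VPN server. certreq.exe existed in the Windows 2000/2003 era the thread comes from; the Import-Certificate and New-NetFirewallRule cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread. All host names, paths and the template name are assumptions.
$ClientFqdn = 'client.example.net'                 # assumed: subject of the computer certificate
$CaConfig   = 'ca01.corp.example\Corp-Issuing-CA'  # assumed: "CAhost\CAname" as shown by certutil -dump
$RootCer    = 'C:\temp\corp-root.cer'              # assumed: the CA's certificate exported as .cer
$Work       = Join-Path $env:TEMP 'l2tp-enroll'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# 1. Request file. Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication
#    (1.3.6.1.5.5.7.3.1) are the purposes the autoenrolled computer certificate in the thread
#    carries; IKE Intermediate (1.3.6.1.5.5.8.2.2) is what the IPSec templates issue.
#    MachineKeySet=TRUE puts the key in the computer store, which is where RAS/IPsec looks.
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$ClientFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.8.2.2
"@
Set-Content -Path "$Work\request.inf" -Value $Inf -Encoding ASCII

# 2. Generate the key and CSR on the client, submit it to the CA, install the issued certificate.
#    -attrib names an enterprise CA template (assumed name); drop it for a standalone CA, which
#    pends the request until an admin issues it, after which: certreq -retrieve <RequestId> client.cer
certreq.exe -new "$Work\request.inf" "$Work\request.req"
certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:IPSECIntermediateOffline' `
    "$Work\request.req" "$Work\client.cer"
certreq.exe -accept "$Work\client.cer"

# 3. Steven's first check: the client must trust the issuing CA. Import the CA certificate into the
#    computer's Trusted Root store (not the user's). If the issuer is a subordinate CA, its
#    certificate goes to Cert:\LocalMachine\CA and the root to Cert:\LocalMachine\Root.
Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. Verify what was installed: private key present, which EKUs the CA actually put in, and whether
#    the chain builds to a trusted root from the computer store. Revocation is skipped so this
#    works offline; the VPN server will check it.
function Test-L2tpClientCert {
    param([string]$Subject)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$Subject in LocalMachine\My" }

    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        ClientAuth        = $eku -contains '1.3.6.1.5.5.7.3.2'
        ServerAuth        = $eku -contains '1.3.6.1.5.5.7.3.1'
        IkeIntermediate   = $eku -contains '1.3.6.1.5.5.8.2.2'
        ChainsToTrustedCA = $trusted
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
Test-L2tpClientCert -Subject $ClientFqdn | Format-List

# 5. Run on the VPN server, not the client: Steven's ports. UDP 1701 for L2TP, IP protocol 50 (ESP)
#    and UDP 4500 for NAT-T. IKE itself also needs UDP 500, which the thread does not mention.
New-NetFirewallRule -DisplayName 'L2TP/IPsec - IKE'   -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow
New-NetFirewallRule -DisplayName 'L2TP/IPsec - NAT-T' -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow
New-NetFirewallRule -DisplayName 'L2TP/IPsec - L2TP'  -Direction Inbound -Protocol UDP -LocalPort 1701 -Action Allow
New-NetFirewallRule -DisplayName 'L2TP/IPsec - ESP'   -Direction Inbound -Protocol 50 -Action Allow
```

Two things the step 4 output makes visible that the MMC view in the thread does not: ClientAuth/IkeIntermediate show which purposes the CA actually issued, and ChainStatus names the reason (for example UntrustedRoot) when ChainsToTrustedCA is false. When submitting to an enterprise CA, the template decides the extensions, so the EKU list in the .inf is only honoured by a standalone CA; that is consistent with the IPSec templates handing back IKE Intermediate rather than the purposes requested.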
 
