L2TP/IPSEC Connection problem to Windows 2000 Server

Marco Formato

I am currently running the following setup as a test-bed:

Windows 2000 Server SP4 with RRAS and a Stand-alone CA
Windows XP Professional SP2

Both machines are currently on the same LAN (subnet etc.) and I'm trying
to get an L2TP VPN connection working from the XP Professional machine
to the Server. PPTP already works fine in this setup.

My problem appears to be Certificates. I am requesting a 'Client
authentication' Certificate from the CA using the Web Server option
(running on Port 81 as SUS is running on Port 80). I'm filling in the
personal details, using a 1024 bit key and selecting 'Use Local
Machine Store'. All other options are left at default.

First problem is that when I go to Install the Certificate on the
WinXP machine I get an 'Unable to Install Certificate. Please ensure
your CSP supports any settings you have made and that your input is
valid. Error 0x80090016'. At this point however the certificate is
available in the Local Machine Personal Certificate Store (checked
with certmgr.msc). certmgr.msc also reports that it has a private key.

I have also downloaded and installed the CA Certificate, and when
checking the 'Client Authentication' Certificate there is no warning
about a non-trusted root CA.

I've also installed both a 'Client Authentication' and a 'Server
Authentication' certificate on the RRAS Server (which is also the Root
CA) and ensured the CA is listed in the Local Machine Trusted Root
Certification Store. And certmgr.msc also reports that it has a
private key.

Upon initiating an L2TP connection I currently get an Error 786. The
oakley log has the following listed (subset of the log file):

11-19: 11:05:17:253:10c Receive: (get) SA = 0x00148b70 from
192.168.0.1.500
11-19: 11:05:17:253:10c ISAKMP Header: (V1.0), len = 342
11-19: 11:05:17:253:10c I-COOKIE f529a37cd4885a0d
11-19: 11:05:17:253:10c R-COOKIE 939bbe9064bddbc2
11-19: 11:05:17:253:10c exchange: Oakley Main Mode
11-19: 11:05:17:253:10c flags: 0
11-19: 11:05:17:253:10c next payload: KE
11-19: 11:05:17:253:10c message ID: 00000000
11-19: 11:05:17:253:10c processing payload KE
11-19: 11:05:17:269:10c processing payload NONCE
11-19: 11:05:17:269:10c processing payload CRP
11-19: 11:05:17:269:10c [email protected], C=AU,
S=SA, L=Adelaide, O=Format Homes, OU=IT, CN=Server 01
11-19: 11:05:17:269:10c ClearFragList
11-19: 11:05:17:269:10c constructing ISAKMP Header
11-19: 11:05:17:269:10c constructing ID
11-19: 11:05:17:269:10c Looking for IPSec only cert
11-19: 11:05:17:269:10c Cert Trustes. 0 100
11-19: 11:05:17:269:10c Cert SHA Thumbprint
6c5ad2e103b79c31d01cb11d1797ae8c
11-19: 11:05:17:269:10c 650c5513
11-19: 11:05:23:909:10c AcquireContext Sig Key error: -2146893802
11-19: 11:05:23:909:10c Failed to get key for cert
11-19: 11:05:23:909:10c Looking for IPSec only cert
11-19: 11:05:23:909:10c failed to get chain 80092004
11-19: 11:05:23:909:10c Looking for any cert
11-19: 11:05:23:909:10c Cert Trustes. 0 100
11-19: 11:05:23:909:10c Cert SHA Thumbprint
6c5ad2e103b79c31d01cb11d1797ae8c
11-19: 11:05:23:909:10c 650c5513
11-19: 11:05:30:550:10c AcquireContext Sig Key error: -2146893802
11-19: 11:05:30:550:10c Failed to get key for cert
11-19: 11:05:30:550:10c Looking for any cert
11-19: 11:05:30:550:10c Cert Trustes. 0 100
11-19: 11:05:30:550:10c Cert SHA Thumbprint
2c57bb9ffcbf507b5514ca03adb8b80d
11-19: 11:05:30:550:10c 4f85127d
11-19: 11:05:37:190:10c AcquireContext Sig Key error: -2146893802
11-19: 11:05:37:190:10c Failed to get key for cert
11-19: 11:05:37:190:10c Looking for any cert
11-19: 11:05:37:190:10c failed to get chain 80092004
11-19: 11:05:37:190:10c Received no valid CRPs. Using all configured
11-19: 11:05:37:190:10c Looking for IPSec only cert
11-19: 11:05:37:190:10c Cert Trustes. 0 100
11-19: 11:05:37:190:10c Cert SHA Thumbprint
6c5ad2e103b79c31d01cb11d1797ae8c
11-19: 11:05:37:190:10c 650c5513
11-19: 11:05:43:831:10c AcquireContext Sig Key error: -2146893802
11-19: 11:05:43:831:10c Failed to get key for cert
11-19: 11:05:43:831:10c Looking for IPSec only cert
11-19: 11:05:43:831:10c failed to get chain 80092004
11-19: 11:05:43:831:10c Looking for any cert
11-19: 11:05:43:831:10c Cert Trustes. 0 100
11-19: 11:05:43:831:10c Cert SHA Thumbprint
6c5ad2e103b79c31d01cb11d1797ae8c
11-19: 11:05:43:831:10c 650c5513
11-19: 11:05:50:472:10c AcquireContext Sig Key error: -2146893802
11-19: 11:05:50:472:10c Failed to get key for cert
11-19: 11:05:50:472:10c Looking for any cert
11-19: 11:05:50:472:10c Cert Trustes. 0 100
11-19: 11:05:50:472:10c Cert SHA Thumbprint
2c57bb9ffcbf507b5514ca03adb8b80d
11-19: 11:05:50:472:10c 4f85127d
11-19: 11:05:57:112:10c AcquireContext Sig Key error: -2146893802
11-19: 11:05:57:112:10c Failed to get key for cert
11-19: 11:05:57:112:10c Looking for any cert
11-19: 11:05:57:112:10c failed to get chain 80092004
11-19: 11:05:57:112:10c ProcessFailure: sa:00148B70 centry:00000000
status:35fc
11-19: 11:05:57:112:10c isadb_set_status sa:00148B70 centry:00000000
status 35fc
11-19: 11:05:57:112:10c Key Exchange Mode (Main Mode)
11-19: 11:05:57:112:10c Source IP Address 192.168.0.9 Source IP
Address Mask 255.255.255.255 Destination IP Address 192.168.0.1
Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0
Destination Port 0 IKE Local Addr 192.168.0.9 IKE Peer Addr
192.168.0.1
11-19: 11:05:57:112:10c Certificate based Identity. Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000 Peer
Issuing Certificate Authority Root Certificate Authority My
Subject [email protected], C=AU, S=SA, L=Adelaide,
O=Format Homes, OU=IT, CN=Marco Formato My SHA Thumbprint
2c57bb9ffcbf507b5514ca03adb8b80d4f85127d Peer IP Address: 192.168.0.1
11-19: 11:05:57:112:10c Me
11-19: 11:05:57:112:10c No private key associated with machine
certificate
11-19: 11:05:57:112:10c 0x80092004 0x0
11-19: 11:05:57:112:10c isadb_set_status InitiateEvent 0000073C:
Setting Status 35fc
11-19: 11:05:57:112:10c Clearing sa 00148B70 InitiateEvent 0000073C
11-19: 11:05:57:112:10c ProcessFailure: sa:00148B70 centry:00000000
status:35fc
11-19: 11:05:57:112:10c Not creating notify.
11-19: 11:05:57:112:10c
11-19: 11:05:57:112:10c Receive: (get) SA = 0x00148b70 from
192.168.0.1.500
11-19: 11:05:57:112:10c ISAKMP Header: (V1.0), len = 342
11-19: 11:05:57:112:10c I-COOKIE f529a37cd4885a0d
11-19: 11:05:57:112:10c R-COOKIE 939bbe9064bddbc2
11-19: 11:05:57:112:10c exchange: Oakley Main Mode
11-19: 11:05:57:112:10c flags: 0
11-19: 11:05:57:112:10c next payload: KE
11-19: 11:05:57:112:10c message ID: 00000000
11-19: 11:05:57:112:10c received an unencrypted packet when crypto
active
11-19: 11:05:57:112:10c GetPacket failed 35ec:

I've been trying for about a week to get this working, and receiving
789 and 792 errors as well, as well as having reinstalled the CA about
5 times (both Enterprise level and stand alone). I have also been
restarting the IPSEC Policy Agent Service and the RRAS Service
whenever issuing the Server new certificates. I've tried numerous
step-by-step postings on UseNet and also run through Microsoft

Also, the WinXP SP2 firewall is off, and disabling Symantec Client
Security's Firewall that is on the XP machine makes no difference.

Can anybody help?

Thanks
Marco
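The failure in the Oakley log above can be decoded mechanically. As an added example (not part of the thread, and not Microsoft's tooling), this Python script pulls the CryptoAPI error codes, IKE status codes and certificate thumbprints out of an oakley.log excerpt and maps them to their Windows SDK names; the excerpt is constructed from the log posted above, with the wrapped thumbprint lines re-joined.

```python
import re
from collections import Counter

# Codes from this thread's log, with their Windows SDK names.
HRESULT_NAMES = {0x80090016: "NTE_BAD_KEYSET", 0x80092004: "CRYPT_E_NOT_FOUND"}
IKE_STATUS_NAMES = {0x35FC: "ERROR_IPSEC_IKE_NO_PRIVATE_KEY",
                    0x35EC: "ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR"}

# oakley.log prints CryptoAPI errors as signed decimal, chain/IKE codes as hex.
SIG_KEY_RE = re.compile(r"AcquireContext Sig Key error: (-?\d+)")
CHAIN_RE = re.compile(r"failed to get chain ([0-9a-fA-F]{8})")
THUMB_RE = re.compile(r"Cert SHA Thumbprint ([0-9a-fA-F]{40})")
STATUS_RE = re.compile(r"(?:status:? ?|GetPacket failed )([0-9a-fA-F]{4})\b")
NO_KEY_MSG = "No private key associated with machine certificate"

def signed_to_hresult(value: str) -> int:
    """Signed 32-bit decimal as the log prints it -> unsigned HRESULT (-2146893802 -> 0x80090016)."""
    return int(value) & 0xFFFFFFFF

def analyse_oakley(log: str) -> dict:
    """Summarise a certificate-based IKE main mode failure from an oakley.log excerpt."""
    hresults, statuses, thumbs = Counter(), Counter(), set()
    for line in log.splitlines():
        if m := SIG_KEY_RE.search(line):
            hresults[signed_to_hresult(m.group(1))] += 1
        if m := CHAIN_RE.search(line):
            hresults[int(m.group(1), 16)] += 1
        if m := THUMB_RE.search(line):
            thumbs.add(m.group(1).lower())
        if m := STATUS_RE.search(line):
            statuses[int(m.group(1), 16)] += 1
    return {
        "errors": {f"0x{c:08X}": (HRESULT_NAMES.get(c, "unknown"), n)
                   for c, n in hresults.items()},
        "ike_status": {f"0x{c:04X}": IKE_STATUS_NAMES.get(c, "unknown") for c in statuses},
        "certs_tried": sorted(thumbs),   # every machine cert IKE tried to sign with
        "no_private_key": NO_KEY_MSG in log,
    }

# Constructed excerpt: lines from the thread's log, wrapped thumbprints re-joined.
SAMPLE = """\
11-19: 11:05:17:269:10c Cert SHA Thumbprint 6c5ad2e103b79c31d01cb11d1797ae8c650c5513
11-19: 11:05:23:909:10c AcquireContext Sig Key error: -2146893802
11-19: 11:05:23:909:10c failed to get chain 80092004
11-19: 11:05:30:550:10c Cert SHA Thumbprint 2c57bb9ffcbf507b5514ca03adb8b80d4f85127d
11-19: 11:05:37:190:10c AcquireContext Sig Key error: -2146893802
11-19: 11:05:57:112:10c ProcessFailure: sa:00148B70 centry:00000000 status:35fc
11-19: 11:05:57:112:10c No private key associated with machine certificate
11-19: 11:05:57:112:10c GetPacket failed 35ec:
"""
```

Calling `analyse_oakley(SAMPLE)` shows that every certificate IKE tried failed with NTE_BAD_KEYSET (the key container could not be opened), which is why the final status is ERROR_IPSEC_IKE_NO_PRIVATE_KEY even though certmgr.msc claims a private key is present.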

Marco Formato

Forgot to add - the following was logged in the WinXP Event List
Security Section:

IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 192.168.0.9
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.0.1
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.0.9
IKE Peer Addr 192.168.0.1

Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject [email protected], C=AU, S=SA, L=Adelaide,
O=Format Homes, OU=Administration, CN=Marco Formato
My SHA Thumbprint 3097b80df5819d37fed9e4c3131b22069b141fb2
Peer IP Address: 192.168.0.1

Failure Point:
Me

Failure Reason:
No private key associated with machine certificate

Extra Status:
0x80092004 0x0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Jorge Coronel

When you are using the certificate authentication method for L2TP
connections, the list of certification authorities (CAs) is not
configurable. Instead, each computer in the L2TP connection sends a list of
root CAs to its IPSec peer from which it accepts a certificate for
authentication. The root CAs in this list correspond to the root CAs that
issued computer certificates to the computer. For example, if Computer A was
issued computer certificates by root CAs CertAuth1 and CertAuth2, it
notifies its IPSec peer during main mode negotiation that it will accept
certificates for authentication from only CertAuth1 and CertAuth2. If the
IPSec peer, Computer B, does not have a valid computer certificate issued
from either CertAuth1 or CertAuth2, IPSec main mode negotiation fails.

Ensure one of the following before attempting an L2TP connection:

a. Both the VPN client and VPN server were issued computer certificates
from the same CA.
b. Both the VPN client and VPN server were issued computer certificates
from CAs that follow a certificate chain up to the same root CA.
In general, the VPN client must have a valid computer certificate installed
that was issued by a CA that follows a valid certificate chain from the
issuing CA up to a root CA that the VPN server trusts. Additionally, the VPN
server must have a valid computer certificate installed that was issued by a
CA that follows a valid certificate chain from the issuing CA up to a root
CA that the VPN client trusts.

You are having problems with the certificates because they cannot be
chained up to a root CA that both client and server trust.

Thanks

JC