L2TP/IPSEC - Please help - I'm losing it!!



I am running the following:
Windows 2000 IAS server for Radius authentication.

Windows 2003 RRAS with PPTP and L2TP enabled. PPTP and L2TP with shared
secrets work fine. However, I cannot get certificates working.

My CA is on another Windows 2000 box. I have set up my client to have a
client authentication certificate stored in the local store. I have verified
that it is there. The Trusted Root CA is in the current user location within
the MMC Certificates snap-in. This is where it automatically installed
the Trusted Root CA on the RRAS and Client when I installed it from the
http://myca/certsrv "Install this CA Certification path".

The error I am receiving is: Error 678: There was no answer. I have also
received the error "Timed Out" when I was using the Client Cert (on the
client) and the Server Authentication Cert (on the RRAS server). I have now
installed the IPSEC cert on each machine (RRAS and client), and that is when I receive
the Error 678.

The firewall is enabled in the RRAS server. There is no firewall between the
client and the Internet. I assume that the connection for L2TP/IPSEC with
shared secrets uses the same ports as the L2TP/IPSEC with Certificates
because the shared secrets connection works.

I can't figure out what I am missing.

Should the server have the Server Authentication cert only as well as the CA
certification path? Or should it have the IPSEC cert with the CA
certification path? Also, should the Trusted Root CA show up in the Local
Computer store? If so, why doesn't this happen automatically (I know it's
not a rights issue because I am admin on everything).

Which cert should the client have? IPSEC or Client Authentication?

When I install the cert on the server I always restart the ipsec policyagent
then RRAS. Does anything on the client need to be restarted?

Does a Cert have to reside on the IAS server?

Many thanks for your help... I'm almost out of ideas!



Janani V[MSFT]

I think this is a problem with the firewall blocking the traffic. Ensure that
the following ports are open in the firewall.

UDP 500 - for IKE traffic
UDP 4500 - for IPSEC traffic
UDP 1701 - for L2TP traffic


Janani -

I checked the settings in the Windows 2003 RRAS firewall. All of those ports
are open. They were by default. They all point to for the private

If it was a firewall problem - would the "shared secrets" config NOT work as
well? Because, I can get this to work with my config.

I also looked at my IAS server config. Under my remote access policies it
doesn't have EAP checked. If I do check it, and try to pick a cert from the
drop down list, my cert isn't listed. I have installed the Server
Authentication cert on this Windows 2000 IAS server. How can I get it to
show up in the drop down list?

Many thanks for the quick reply!


Have you tried it with a client inside your network?
You can connect via L2TP (if it is configured correctly) to the inside NIC
on your ISA box from a client on your network. I did this when I was first
setting it up to ensure certs were configured correctly. If this works,
everything else is firewall stuff. It works best if you have a laptop and can
use the same machine inside and outside of your network.


Janani V[MSFT]

Is your server auth certificate present in the Local Computer store? If it
is present in the Local User store it may not be listed.
You can do this to check if it is in the Local machine store:
Start -> Run -> mmc.exe
file -> Add/Remove snap-in
Choose Certificates -> Add -> choose 'Computer account' -> Local computer ->

Now go to the node -> certificates(Local computer) -> Personal ->

See if your certificate with purpose as 'Server Authentication' is present


I'm not using an ISA server. I'm using RRAS with IAS (Radius).

I'll try it from the inside though and report back.




Janani -

I checked on my RRAS server and the Server Authentication certificate shows
up in the Local Computer / Personal store.

On my client I checked and the Client Authentication shows up in the Local
Computer/Personal store. What is the difference between the IPSEC and Client
Authentication? I have tried both with no luck.

Should anything be installed on my Microsoft Internet Authentication Server
(IAS) which has the remote policies? If so, I installed it but when I go to
my remote policy I don't see the server listed in the drop down box in EAP

Thanks again.

Janani V[MSFT]

Here is the snip from MSDN which says the minimum requirements of a server
cert and reasons why it may not be displayed. Check these out.
BTW, if you are using RADIUS authentication, the server certs should be
installed on the IAS server. Also, try unchecking the 'Validate server
certificate' checkbox on the client under EAP properties.

{snip from msdn}
Server certificate requirements

Clients can be configured to validate server certificates by using the
Validate server certificate option. With PEAP-EAP-MS-CHAPv2, PEAP-EAP-TLS,
or EAP-TLS as the authentication method, the client accepts the server's
authentication attempt when the certificate meets the following

1. The Subject name contains a value. If you issue a certificate to your IAS
server that has a blank Subject, the certificate is not available to
authenticate your IAS server. To configure the certificate template with a
Subject name:
Open Certificate Templates.
In the details pane, right-click the certificate template that you want to
change, and then click Properties.
Click the Subject Name tab, and then click Build from this Active Directory
In Subject name format, select a value other than None.

2. The computer certificate on the server chains to a trusted root CA and
does not fail any of the checks that are performed by CryptoAPI and
specified in the remote access policy.

3. The IAS or VPN server computer certificate is configured with the Server
Authentication purpose in EKU extensions.


I have installed the Server Authentication certificate on the IAS server.
Under the remote access policies, I don't see it listed in the drop down
field to pick this particular cert for authentication. Other certs that are
installed on this box show up. How can I get this new cert to be listed?
Does something have to be restarted?


I found out that for the CSP I need to have the Microsoft RSA type chosen to
make the cert show up in the drop down on the IAS server. Does this mean I
have to change my client & server certs to match this?

Also, I NEVER read this anywhere. Is there something I am missing?

I know there isn't a firewall blocking me because using an XP client with
Shared Secrets works just fine.

Janani V[MSFT]

I went through the whole list of conversations again. I'm confused about
one thing. If you want to establish a L2TP/IPSEC connection then why do you
want to select EAP in the authentication methods. You can first try it using
Also, for L2TP/IPSEC it is enough if you have certificate with IPSEC
purpose, but having an additional purpose of 'Client authentication' will
not do any harm.

The following snip from MSDN may help you:

You need a computer certificate with a private key, which can be found in
the Local Computer Personal Certificate store.

For additional information about installing a certificate, click the article
number below to view the article in the Microsoft Knowledge Base:
253498 How to Install a Certificate for Use with IP Security
If a computer certificate is not found, L2TP issues a warning that you do
not have a certificate, but it does not know whether the certificate has a
properly installed and associated private key for the existing certificate.
Internet Key Exchange (IKE) determines this during negotiation. Start the
Local Computer Certificates snap-in, double-click Certificate, and verify
that General indicates "You have a private key that corresponds with this
certificate." Also verify that the certificate path is complete, and that
the certificate is valid.

The client must have a machine certificate whose root certificate authority
is the same as the certificate on the gateway certificate. The reason for
the certificate failure is noted by IKE in the security log event entry. For
additional information, click the article number below to view the article
in the Microsoft Knowledge Base:
257225 Basic IPSec Troubleshooting in Windows 2000
For additional information about what kind of machine certificate works
properly, click the article number below to view the article in the
Microsoft Knowledge Base:
249125 Using Certificates for Windows 2000 and Cisco IOS Interoperation
Both sides must be able to process the certificate validation successfully.
If certificate authentication is successful, an entry in the security log
notes the successful event of an IPSec main mode SA establish




I was under the assumption that I had to have a Client Authentication cert
on the client, a Server Authentication cert on the RRAS server and a cert on
the IAS server. I guess the cert on the IAS server isn't necessary.

Do you think that this could have something to do with my RRAS server being
Windows 2003? I previously had Certificate Services installed on it, but it
has since been removed. Both the client and the RRAS server seem to have the
correct setup (certs in the right places & both have a cert from the CA).
The really odd thing is I can get it to work using shared secrets just fine.
PPTP works great as well.

Wonder if I should place a call to MS about this?




Ok, I have SUCCESS!

This, however, is what I had to do to make it work.

I am using the Certificate Services webpage for my users to sign up and
download their certs (we aren't running AD). The Client Authentication cert
gets installed in the Local Computer store right where it is supposed to be.
When they download the CA certification path it is installed ONLY in the
Current User store. This is the case whether they click the "Install this CA
certification path" link or if they click the "Download CA certification
path" and import with the wizard. If they have the Wizard automatically
decide to put the cert where it is supposed to go it always installs it in
the Current User store. When I try to authenticate with the Client
Authentication cert in the local store and the CA in the Current User I get
an error 786. I export the CA from the Current User store and import it into
the Local Computer into Trusted CA and everything works fine.

My question is: is there any way to have the Trusted CA go into the Local
Computer store? Is this configurable on the CA server somewhere?

With the CMAK - is it possible to build a config that includes the certs and
will put them into the Local Computer store?

Thanks for the help!
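The fix in the last post (the root CA landing in Current User instead of Local Computer, giving error 786) and the MSDN server-certificate requirements quoted earlier (private key present, chain to a trusted root, correct EKU) can be checked in one pass. The following script is an added diagnostic example, not code from the thread or from Microsoft; it assumes PowerShell 3 or later with the `Cert:` provider, and the EKU OIDs it looks for are the standard Client Authentication, Server Authentication and IP security IKE intermediate values.

```powershell
# Added example: report whether each machine certificate is usable for
# L2TP/IPsec certificate authentication, and flag the exact failure the
# thread hit: the issuing root present only in CurrentUser\Root.
$ipsecOid  = '1.3.6.1.5.5.8.2.2'    # IP security IKE intermediate (assumed for the "IPSEC" template)
$clientOid = '1.3.6.1.5.5.7.3.2'    # Client Authentication
$serverOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

function Test-L2tpMachineCert {
    param([string[]]$RequiredEku = @($ipsecOid, $clientOid, $serverOid))
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus  = @(Get-EkuOids $cert)
        # A certificate with no EKU extension is valid for all purposes.
        $ekuOk = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $RequiredEku -contains $_ }).Count -gt 0)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # placement check only; IKE does its own revocation handling
        $chainOk = $chain.Build($cert)

        # Chain building in a user process also consults CurrentUser\Root, so a
        # successful Build() does NOT prove the root is where the IPsec service
        # (running as a machine account) will find it. Check the stores explicitly.
        $rootInMachine = $false; $rootInUser = $false
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $rootInMachine = Test-Path ("Cert:\LocalMachine\Root\" + $root.Thumbprint)
            $rootInUser    = Test-Path ("Cert:\CurrentUser\Root\"  + $root.Thumbprint)
        }

        [pscustomobject]@{
            Subject        = $cert.Subject                 # must not be blank (MSDN requirement 1)
            HasPrivateKey  = $cert.HasPrivateKey           # "You have a private key that corresponds..."
            EkuOk          = $ekuOk                        # IPsec / Client Auth / Server Auth purpose
            ChainBuilds    = $chainOk
            RootInMachine  = $rootInMachine
            RootOnlyInUser = (-not $rootInMachine) -and $rootInUser   # the error 786 case from the thread
            Usable         = ($cert.Subject -ne '') -and $cert.HasPrivateKey -and $ekuOk -and $chainOk -and $rootInMachine
        }
    }
}

Test-L2tpMachineCert | Format-Table -AutoSize
```

Run it on both the client and the RRAS server; any row with `RootOnlyInUser` true is the condition the last post fixed by exporting the CA certificate and importing it into Local Computer\Trusted Root Certification Authorities.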
