L2TP/IPSec using OpenSSL generated machine certificate

charlesbedrosian

I am running a multihomed Windows2000 server as a VPN server. I can
get L2TP/IPSec connections working great, but only if the machine is
issued a certificate from our Windows2000-based certificate server
(called windowsCA). The VPN server has a machine certificate from
windowsCA. windowsCA however cannot give out a certificate to a machine
that is not part of the domain, and connected normally (not through
PPTP VPN). So, I implemented an openssl CA on Linux (called linuxCA).
linuxCA's root certificate was installed into the trusted authority
store and the VPN server was issued a machine certificate from linuxCA.

I understand that during the IPSec handshake, the two machines exchange
a list of CAs for which they have certificates. They pick one that is
common, authenticate and they move on.

I believe this is the problem. When setting up a RAS policy, you select
to allow EAP authentication in the associated profile. When doing this
you must specify which certificate to give to the accessing client.
Well, the problem is that only certificates issued by the windowsCA
show up. I have even limited the purpose of the linuxCA-issued
certificate to be 'server authentication' and 'client authentication'.


So, how can I get the certificates from the linuxCA to appear in that
list? I have restarted IPSec agent and also RAS after installing the
certificates (both root and machine).

Thanks,
Charles
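The following is an added example, not code from the original post: a small POSIX shell script that builds a private OpenSSL CA in the role of linuxCA, issues a machine certificate carrying exactly the two purposes the post describes (server authentication and client authentication), and then verifies the chain and both purposes locally with openssl. Running this kind of check before importing anything into the Windows machine store separates "the certificate itself is fine" from "the RAS/EAP profile does not list it". The names linuxCA and vpn.example.test are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build an OpenSSL CA
# ("linuxCA"), issue a machine certificate with the serverAuth and
# clientAuth purposes, and verify chain and purposes locally.
# linuxCA and vpn.example.test are assumed placeholder names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-contained configs so the result does not depend on the system
# openssl.cnf. The CA gets CA:TRUE and keyCertSign, which strict
# verifiers require on a root; the machine cert gets the two EKUs.
write_configs() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = linuxCA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/machine.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:vpn.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root certificate and key for linuxCA.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CSR for the VPN server, signed by linuxCA with the machine extensions.
issue_machine_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/ca.cnf" -subj "/CN=vpn.example.test" \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/vpn.csr" -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/machine.ext" -out "$WORK/vpn.crt" 2>/dev/null
}

# Succeeds only if vpn.crt chains to the linuxCA root.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/vpn.crt" >/dev/null 2>&1
}

# Purpose check: the same certificate must be acceptable both as a
# server (sslserver) and as a client (sslclient), i.e. both EKUs present.
purpose_ok() {
  openssl verify -purpose "$1" -CAfile "$WORK/ca.crt" "$WORK/vpn.crt" \
    >/dev/null 2>&1
}

# Human-readable Extended Key Usage line from the issued certificate.
eku_text() {
  openssl x509 -in "$WORK/vpn.crt" -noout -text \
    | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

write_configs
make_ca
issue_machine_cert
chain_ok && echo "chain to linuxCA: OK"
purpose_ok sslserver && echo "purpose sslserver: OK"
purpose_ok sslclient && echo "purpose sslclient: OK"
echo "EKU: $(eku_text)"
```

The script leaves ca.crt (to import as a trusted root) and vpn.key plus vpn.crt (the machine credential) in the working directory; `openssl verify -purpose` is the quickest way to confirm that the EKU restriction described in the post actually landed on the certificate that was issued.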
 
