PLEASE HELP ! L2TP & Certificates

Jimbob

I apologize if this isn't the exact area to be asking this, but OK,
here's my current configuration. I
currently have a 2003 domain with a 2003 Enterprise RAS server with PPTP
VPN working fine in my corporate network. My boss wants to upgrade to
L2TP security with certificates. Now please bear with me as I am new to
certificates. He wants to physically hand out the certificates via
email or floppy disc, NOT use auto enrollment. As far as VPN users,
some computers are part of the domain and most are not. Now I set up an
enterprise CA on the VPN server. I installed (or at least I think I
did) the certificates on the client. If I open the
mmc > Certificates (Local), the certificate shows up in Personal and also
in Trusted Root CA. My problem is this: #1, I'm not sure what EXACTLY
they mean by machine certificate. I set up the IPsec (offline) template and
used that. Is that correct for this situation? Am I missing something?
As of right now, my status is when I go to connect, it tells me error
786, can't find valid machine cert. I would greatly appreciate it if
anyone has ANY input or direction. Thank you in advance.
 
Puja Pandey[MSFT]

Hi,

To set up an L2TP certs connection, please check the following things.
1. You must have valid certificates on client and server.
2. Valid certificate means - The certificate must be obtained from the same
CA for both client and server. The certificates must not be expired. Root
cert must be present in the "Trusted Root Certification Authorities" node.
3. Open the certificate and check the details. Expiry date must be valid,
Certification path will show you the root cert and that root cert must be
present under "Trusted Root Certification Authorities". Check the intended
purpose of the certificate.
4. Machine certificates are located in the mmc in the Local Computer certificate
store. L2TP requires machine level certs.
5. Auto enroll would be a good option to try to generate certificates but
you can also export the certificates and then import them on the desired
machine.
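
The checks in the list above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell is available on the machine being checked and uses only the built-in Cert: drive and the .NET X509Chain class; the HasPrivateKey field is an extra one not mentioned in the posts.

```powershell
# Added example (not from the thread): read-only audit of the Local Computer
# "Personal" store against the checklist above. Run from an elevated prompt.

function Test-MachineCertificate {
    param($Cert)

    $now = Get-Date

    # Build the chain in machine context so it is evaluated against the
    # Local Computer stores rather than the current user's.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Assumption: the CRL may be unreachable from a remote client, so skip revocation.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    # The last chain element is the root shown under "Certification path".
    $last = $chain.ChainElements.Count - 1
    $root = if ($last -ge 0) { $chain.ChainElements[$last].Certificate }
    $rootTrusted = [bool]($root -and (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"))

    # "Intended purposes" are the Enhanced Key Usage OIDs; listed, not judged.
    $ekus = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { '{0} ({1})' -f $_.FriendlyName, $_.Value }

    New-Object PSObject -Property @{
        Subject          = $Cert.Subject
        Issuer           = $Cert.Issuer          # compare between client and server
        NotAfter         = $Cert.NotAfter
        WithinValidity   = ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter)
        ChainBuilds      = $chainOk
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        RootSubject      = if ($root) { $root.Subject }
        RootInLocalStore = $rootTrusted
        IntendedPurposes = $ekus -join '; '
        HasPrivateKey    = $Cert.HasPrivateKey   # extra field, not from the thread
    } | Select-Object Subject, Issuer, NotAfter, WithinValidity, ChainBuilds,
                      ChainStatus, RootSubject, RootInLocalStore,
                      IntendedPurposes, HasPrivateKey
}

# Local Computer > Personal is where machine certificates live.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineCertificate $_ } |
    Format-List
```

Run it on both the client and the VPN server and compare the Issuer and RootSubject values between the two outputs.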
 
Jimbob

OK,
1. I'm pretty sure the certificates are installed on the client and
server. I open up mmc > (Local) Personal and see the certs there. Also,
I see them in the Trusted Root CA folder.
2. Here is where I get a bit lost: when you have to install on the
server, do I have to install a certificate on the VPN server for EVERY
client? Or is it just 1 certificate to match all my clients?
3. Expiration date is valid. (2 years)
4. I am running Enterprise edition so I have installed IPSec (V2)
certificate templates.
5. I know auto enroll would probably be easier but unfortunately my
boss is demanding that we export them out through email/CD and then
have them import them.
My other question that confuses me is "which type (extension) is it
that I have to import/export?" I see like 4 different kinds. I see .cer,
.p7b, .pfx... I'm not sure what they all mean, which ones I really
need and their purpose... maybe this is where I'm screwing it up. Thanks
again for your response.
 
Puja Pandey[MSFT]

You need only one certificate on the server if all the certs on clients and
server are issued from the same CA. You can use either a .pfx file or a .p7b file
for export/import.

I am just guessing, but does the root cert get installed on your client when
you import the certs? What is the intended purpose of the certs on client and
server?
 
