VPN Certificate


Peter Kaufman

Hi,

W2K SP4 server, XP SP1 client.

I am having a problem with an L2TP/IPSec VPN certificate.

I've requested and installed an administrator certificate. I see the
same certificate on both the server and client in Console
Root\Certificates\Local Computer\Personal\Certificates

Certificate details:
Ensures software came from software publisher
Protects software from alteration after publication
Allows you to digitally sign a certificate trust list
Allows data on disk to be encrypted
Protects e-mail messages
Proves your identity to a remote computer

The certificate says OK

I am not sure of the significance of the Connect to these Servers on
the Client VPN connection properties, but have tried both unchecked
and the name of the CA.

- There is nothing in the security event log of either computer.
- I've followed the instructions in KB 259880 - Configuring a VPN to
Use Extensible Authentication Protocol (EAP) and assume there is
nothing substantially different for XP.
- I _can_ connect using PPTP

When I try to connect I get an error: "798 - A certificate could not
be found that could be used with this EAP."

Thanks,

Peter
 

Brian Komar

> followed the instructions in KB 259880 - Configuring a VPN to
> Use Extensible Authentication Protocol (EAP) and assume there is
> nothing substantially different for XP.
> - I _can_ connect using PPTP
>
> When I try to connect I get an error: "798 - A certificate could not
> be found that could be used with this EAP."

Hi Peter,

For L2TP/IPSec, both the client computer and the VPN server must have an
IPSec certificate. It is the computers that require the certificates,
not the user for the IPSec authentication.

Brian
 

Peter Kaufman

Yes, I know that, but KB article 253498 "HOW TO: Install a Certificate
for Use with IP Security" states to request an administrator
certificate from an Enterprise CA. There is no such choice as "IPSec
certificate".

Peter
 

Joe Wu [MSFT]

Hello Peter,

Thanks for your post and for Brian's input.

The certificates for L2TP/IPSEC and EAP are different. The first one is
used for IPSEC connection encryption, and the second one is used for user
Authentication.

EAP can be used on both L2TP and PPTP. In this case, you need to request a
certificate for EAP use, which needs to be in the current user store.
Therefore, when applying for a certificate, please do NOT choose the machine
store to generate the certificate.

Please try it and let us know if it works.

Thank you for using our news groups!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

(Quoted: Peter Kaufman, Re: VPN Certificate, microsoft.public.win2000.security, Fri, 02 Jan 2004 12:14:37 +0700, including Brian Komar's reply of Thu, 1 Jan 2004 21:32:19 -0600; text as above.)
 

Peter Kaufman

Joe,

Thank you for your response.

The choices of certificate I am presented with when choosing to submit
a request are:
USER
Basic EFS
Administrator
EFS Recovery Agent
Web Server
Subordinate Certificate Authority

Which, if any, should I choose, or should I not be using the form
application at all?

Thanks again,

Peter
 

Brian Komar

> The choices of certificate I am presented with when choosing to submit
> a request are:
> USER
> Basic EFS
> Administrator
> EFS Recovery Agent
> Web Server
> Subordinate Certificate Authority
>
> Which, if any, should I choose, or should I not be using the form
> application at all?

Peter,

A few things for you to check...

What certificates do you need to do L2TP/IPSec with EAP/TLS auth?

a. IPSec certificates at the two IPSec endpoints (client computer and
VPN server)
b. Server certificate (any certificate with the Server Authentication
EKU or Application Policy OID) at the computer where Remote Access
Policy is read and applied. This could be the VPN server if using
Windows authentication or an IAS server if using RADIUS auth.
c. Client certificate for the user making the request. The Administrator
works for this, but so does a User or User Signature Only, as long as
the user certificate has the Client Authentication EKU or Application
Policy OID.

Where do the certificates go (which store)?

The IPSec certs and the Server certs go in the Computer store. They can
be requested from the Certificates MMC console focused on the local
computer, or can be deployed by using Group Policy and ACRS.

The user certificate must be loaded in the User certificate store. You
can use the Web or Certificates console focused on the current user.

What certificates are published at the Enterprise CA?

You have to include the IPSec certificate template. Use the
Certification Authority console (certsrv.msc).


HTH,
Brian
 

Peter Kaufman

Hi Brian,

Do you know of a KB (or other) article showing a step-by-step
procedure on this? None of the articles I've found say anything about
a separate IPSec certificate.

Following your hint on adding a new template I found in the policy
settings in certsrv.msc, NEW - >Certificate to Issue. Is that what you
were referring to?

I have added the IPSec one. However, when I go to request a
certificate, it does not show up in the combo box of certificate
templates. Where am I going wrong?

Thanks,

Peter
 

Peter Kaufman

Joe and Brian,

OK - it's working but I'm not exactly sure how and why :-(
So if either of you know a good reference on configuring up the CA,
requesting certificates, setting the connection properties - the
whole ball of wax, I'd sure appreciate it.

Thanks,

Peter
 

Steven L Umbach

You need to add the IPSec offline template for it to be available for Web Enrollment
and then it will be available in the choices. You also need to be logged onto the
computer requesting the certificate as a local administrator and be sure to save it
to the machine store. For an Enterprise CA in an AD domain, you can configure auto
enrollment of machine certificates. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
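The checks implied by Brian's breakdown above (three certificate roles, two stores) and by Steve's note about the machine store, as an added example that is not from the thread or from Microsoft: a PowerShell audit of the Computer and Current User personal stores for a valid, trusted machine certificate for the IPSec endpoint, a Server Authentication certificate for the EAP-TLS server side, and a Client Authentication certificate for the EAP-TLS user. It assumes a Windows host with Windows PowerShell's Cert: drive, which the W2K/XP machines in the thread did not have; there, "certutil -store My" and "certutil -user -store My" list the same two stores. The EKU OIDs and the X509Chain and X509EnhancedKeyUsageExtension .NET types are standard; the function names and the role table are mine. Because KB 253498, cited above, has the plain Administrator certificate (which carries no IKE EKU) serving the IPSec role, the audit does not require the "IP security IKE intermediate" EKU for that role; it only reports whether it is present.

```powershell
# Added example (not from the thread). Audits the certificate stores for the
# three roles needed by L2TP/IPSec with EAP-TLS and reports what is missing.
# Assumes the Cert: drive (Windows PowerShell); function names are hypothetical.

$EkuServerAuth      = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$EkuClientAuth      = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$EkuIkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate (on the IPSec templates)

function Get-CertEkuOids {
    # Returns the EKU OID strings of a certificate (empty array if it has no EKU extension).
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return $oids
}

function Test-ChainBuilds {
    # Offline chain build: confirms the issuing CA is trusted on this machine.
    # Revocation checking is skipped so the audit runs without CRL access.
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    return $chain.Build($Cert)
}

function Find-RoleCerts {
    # Valid-now certificates in the store that have a private key, chain to a
    # trusted CA, and (if $RequiredEku is non-empty) carry that EKU.
    param(
        [Parameter(Mandatory=$true)][string]$StorePath,
        [string]$RequiredEku = ''
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-ChainBuilds $_) -and
        ([string]::IsNullOrEmpty($RequiredEku) -or ((Get-CertEkuOids $_) -contains $RequiredEku))
    }
}

# Role table from Brian's post: IPSec and server certs in the Computer store,
# the EAP user cert in the Current User store. The IPSec role accepts any
# trusted machine cert (KB 253498 uses the Administrator template for it).
$roles = @(
    @{ Name = 'IPSec endpoint (machine)'; Store = 'Cert:\LocalMachine\My'; Eku = '' }
    @{ Name = 'EAP-TLS server';           Store = 'Cert:\LocalMachine\My'; Eku = $EkuServerAuth }
    @{ Name = 'EAP-TLS user';             Store = 'Cert:\CurrentUser\My';  Eku = $EkuClientAuth }
)

function Invoke-VpnCertAudit {
    foreach ($role in $roles) {
        $found = @(Find-RoleCerts -StorePath $role.Store -RequiredEku $role.Eku)
        if ($found.Count -eq 0) {
            $ekuText = if ($role.Eku) { " and EKU $($role.Eku)" } else { '' }
            Write-Warning "MISSING $($role.Name): no valid, trusted cert with private key$ekuText in $($role.Store)"
            continue
        }
        foreach ($cert in $found) {
            # Report (but do not require) the IKE intermediate EKU the IPSec templates add.
            $ike = if ((Get-CertEkuOids $cert) -contains $EkuIkeIntermediate) { 'IKE-EKU' } else { 'no-IKE-EKU' }
            '{0,-26} {1} {2,-10} {3}' -f $role.Name, $cert.Thumbprint, $ike, $cert.Subject
        }
    }
}

Invoke-VpnCertAudit
```

Run it on the client logged on as the VPN user (it should find the machine cert and the user cert) and on the VPN server, or on the IAS server if RADIUS is in use, where the server role is needed. On the CA, `certutil -CATemplates` lists the published templates and `certutil -SetCATemplates +IPSECIntermediateOffline` publishes the "IPSec (Offline request)" template Steve mentions (the online "IPSec" template is IPSECIntermediateOnline; these are the templates' internal names, and -SetCATemplates is the Server 2003 and later certutil option, which is why certsrv.msc is the route on W2K). One requirement the script does not check: Windows EAP-TLS maps the user certificate to the domain account through a user principal name in its Subject Alternative Name, so a user certificate that passes the EKU test can still fail if it lacks that UPN.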
 

Joe Wu [MSFT]

Hello Peter,

Thank you for your updates and I am glad to hear that the problem has been
resolved. Regarding the reference you requested, I hope the following helps:

Windows 2000 Certificate Services
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/2000cert.asp

259880 Configuring a VPN to Use Extensible Authentication Protocol (EAP)
http://support.microsoft.com/?id=259880

326474 HOW TO: Troubleshoot VPN with Extensible Authentication Protocol
(EAP)
http://support.microsoft.com/?id=326474

325034 How to Troubleshoot a Microsoft L2TP/IPSec Virtual Private Network
http://support.microsoft.com/?id=325034

314831 Basic L2TP/IPSec Troubleshooting in Windows XP
http://support.microsoft.com/?id=314831

259335 Basic L2TP/IPSec Troubleshooting in Windows
http://support.microsoft.com/?id=259335

Virtual Private Networking with Windows Server 2003: Overview
http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnover.mspx

Again, thank you for using our news group, and have a great day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation


(Quoted: Peter Kaufman, Re: VPN Certificate, microsoft.public.win2000.security, Sat, 03 Jan 2004 15:17:26 +0700; text as above.)
 
