L2TP/IPSEC - Please help - I'm losing it!!


From: CG (cg_at_cg.com)
Date: 10/31/04


Date: Sun, 31 Oct 2004 09:33:22 -0500

I am running the following:
Windows 2000 IAS server for Radius authentication.

Windows 2003 RRAS with PPTP and L2TP enabled. PPTP and L2TP with shared
secrets work fine. However, I cannot get certificates working.

My CA is on another Windows 2000 box. I have set up my client to have a
client authentication certificate stored in the local store. I have verified
that it is there. The Trusted Root CA is in the current user location within
the MMC Certificates snap-in. This is where it automatically installed
the Trusted Root CA on the RRAS and Client when I installed it from the
http://myca/certsrv "Install this CA Certification path".

The error I am receiving is: Error 678: There was no answer. I have also
received the error "Timed Out" when I was using the Client Cert (on the
client) and the Server Authentication Cert (on the RRAS server). I have now
installed the IPSEC cert on each machine (RRAS and client) and receive
the Error 678.

The firewall is enabled in the RRAS server. There is no firewall between the
client and the Internet. I assume that the connection for L2TP/IPSEC with
shared secrets uses the same ports as the L2TP/IPSEC with Certificates
because the shared secrets connection works.

I can't figure out what I am missing.

Should the server have the Server Authentication cert only as well as the CA
certification path? Or should it have the IPSEC cert with the CA
certification path? Also, should the Trusted Root CA show up in the Local
Computer store? If so, why doesn't this happen automatically (I know it's
not a rights issue because I am admin on everything).

Which cert should the client have? IPSEC or Client Authentication?

When I install the cert on the server I always restart the ipsec policyagent
then RRAS. Does anything on the client need to be restarted?

Does a Cert have to reside on the IAS server?

Many thanks for your help... I'm almost out of ideas!
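Added check, not part of the original post and not Microsoft's code. Windows negotiates IKE for L2TP/IPsec in the machine context, so the certificate it presents and the root that issued it are looked up in the Local Computer stores; a root that exists only under Current User (where the certsrv "Install this CA Certification path" link puts it) is not consulted. The script below, which assumes Windows PowerShell with the Cert: drive and uses the standard Windows store names and EKU OIDs, lists every certificate with a private key in the Local Computer and Current User personal stores, shows which of the three EKUs in the post each one carries (Server Authentication, Client Authentication, IP security IKE intermediate), builds the chain offline, and reports whether the chain's root is trusted in the Local Computer Trusted Root store, the Current User one, or neither. Run it on the RRAS server and on the client and compare the two listings.

```powershell
# Added example (not from the original post). Inventory certificates an L2TP/IPsec
# endpoint could present and check where their issuing root is trusted.
# Assumes Windows PowerShell with the Cert: provider.

$EkuNames = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Get-IkeCandidateCertificate {
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$Location
    )

    Get-ChildItem -Path "Cert:\$Location\My" | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # Enhanced Key Usage: the purposes the CA stamped on this certificate.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object {
                    if ($EkuNames.ContainsKey($_.Value)) { $EkuNames[$_.Value] } else { $_.Value }
                })
            }
        }

        # Build the chain without CRL fetching so an unreachable CA does not mask a
        # store problem, then take the last element as the root the chain ends in.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        } else {
            $root = $cert
        }
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $statusText) { $statusText = 'OK' }

        [pscustomobject]@{
            Store              = "$Location\My"
            Subject            = $cert.Subject
            NotAfter           = $cert.NotAfter
            EKU                = ($ekus -join '; ')
            ChainBuilt         = $built
            ChainStatus        = $statusText
            RootSubject        = $root.Subject
            # A root trusted only for the current user is invisible to the IKE service.
            RootInMachineStore = (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")
            RootInUserStore    = (Test-Path "Cert:\CurrentUser\Root\$($root.Thumbprint)")
        }
    }
}

$columns = 'Store', 'Subject', 'NotAfter', 'EKU', 'ChainBuilt', 'ChainStatus',
           'RootSubject', 'RootInMachineStore', 'RootInUserStore'
Get-IkeCandidateCertificate -Location LocalMachine | Format-List $columns
Get-IkeCandidateCertificate -Location CurrentUser  | Format-List $columns
```

On the firewall question in the post: the pre-shared-key and certificate variants of L2TP/IPsec do use the same ports and protocols (IKE on UDP 500, UDP 4500 when NAT-T is in play, ESP as IP protocol 50, and L2TP on UDP 1701 inside the ESP tunnel). One difference worth checking is that certificate payloads make the IKE messages considerably larger than a PSK exchange, so a device on the path that drops fragmented UDP 500 traffic can time out certificate mode while PSK mode keeps working.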


