Re: L2TP/IPSEC Connection problem to Windows 2000 Server

From: Marco Formato (marco.formato_at_formathomes.com.au)
Date: 11/19/04


Date: Fri, 19 Nov 2004 11:58:00 +1030

Forgot to add - the following was logged in the WinXP Event List
Security Section:

IKE security association negotiation failed.
 Mode:
Key Exchange Mode (Main Mode)

 Filter:
Source IP Address 192.168.0.9
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.0.1
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.0.9
IKE Peer Addr 192.168.0.1

 Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject E=marco.formato@formathomes.com.au, C=AU, S=SA, L=Adelaide,
O=Format Homes, OU=Administration, CN=Marco Formato
My SHA Thumbprint 3097b80df5819d37fed9e4c3131b22069b141fb2
Peer IP Address: 192.168.0.1

  Failure Point:
Me

 Failure Reason:
No private key associated with machine certificate

 Extra Status:
0x80092004 0x0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

On Fri, 19 Nov 2004 11:11:57 +1030, Marco Formato
<firstname.lastname[AT]formathomes.com.au> wrote:

>I am currently running the following setup as a test-bed:
>
>Windows 2000 Server SP4 with RRAS and a Stand-alone CA
>Windows XP Professional SP2
>
>Both machines are currently on the same LAN (subnet etc.) and I'm trying
>to get a L2TP VPN connection working from the XP Professional machine
>to the Server. PPTP already works fine in this setup.
>
>My problem appears to be Certificates. I am requesting a 'Client
>authentication' Certificate from the CA using the Web Server option
>(running on Port 81 as SUS is running on Port 80) I'm filling in the
>personal details, using a 1024 bit key and selecting 'Use Local
>Machine Store'. All other options are left at default.
>
>First problem is that when I go to Install the Certificate on the
>WinXP machine I get an 'Unable to Install Certificate. Please ensure
>your CSP supports any settings you have made and that your input is
>valid. Error 0x80090016'. At this point however the certificate is
>available in the Local Machine Personal Certificate Store (checked
>with certmgr.msc). Also, certmgr.msc reports that it has a private key.
>
>I have also downloaded and installed the CA Certificate, and when
>checking the 'Client Authentication' Certificate there is no warning
>about a non-trusted root CA.
>
>I've also installed both a 'Client Authentication' and a 'Server
>Authentication' certificate on the RRAS Server (which is also the Root
>CA) and ensured the CA is listed in the Local Machine Trusted Root
>Certification Store. And certmgr.msc also reports that it has a
>private key.
>
>Upon initiating an L2TP connection I currently get an Error 786. The
>oakley log has the following listed (subset of the log file):
>
>11-19: 11:05:17:253:10c Receive: (get) SA = 0x00148b70 from
>192.168.0.1.500
>11-19: 11:05:17:253:10c ISAKMP Header: (V1.0), len = 342
>11-19: 11:05:17:253:10c I-COOKIE f529a37cd4885a0d
>11-19: 11:05:17:253:10c R-COOKIE 939bbe9064bddbc2
>11-19: 11:05:17:253:10c exchange: Oakley Main Mode
>11-19: 11:05:17:253:10c flags: 0
>11-19: 11:05:17:253:10c next payload: KE
>11-19: 11:05:17:253:10c message ID: 00000000
>11-19: 11:05:17:253:10c processing payload KE
>11-19: 11:05:17:269:10c processing payload NONCE
>11-19: 11:05:17:269:10c processing payload CRP
>11-19: 11:05:17:269:10c E=marco.formato@formathomes.com.au, C=AU,
>S=SA, L=Adelaide, O=Format Homes, OU=IT, CN=Server 01
>11-19: 11:05:17:269:10c ClearFragList
>11-19: 11:05:17:269:10c constructing ISAKMP Header
>11-19: 11:05:17:269:10c constructing ID
>11-19: 11:05:17:269:10c Looking for IPSec only cert
>11-19: 11:05:17:269:10c Cert Trustes. 0 100
>11-19: 11:05:17:269:10c Cert SHA Thumbprint
>6c5ad2e103b79c31d01cb11d1797ae8c
>11-19: 11:05:17:269:10c 650c5513
>11-19: 11:05:23:909:10c AcquireContext Sig Key error: -2146893802
>11-19: 11:05:23:909:10c Failed to get key for cert
>11-19: 11:05:23:909:10c Looking for IPSec only cert
>11-19: 11:05:23:909:10c failed to get chain 80092004
>11-19: 11:05:23:909:10c Looking for any cert
>11-19: 11:05:23:909:10c Cert Trustes. 0 100
>11-19: 11:05:23:909:10c Cert SHA Thumbprint
>6c5ad2e103b79c31d01cb11d1797ae8c
>11-19: 11:05:23:909:10c 650c5513
>11-19: 11:05:30:550:10c AcquireContext Sig Key error: -2146893802
>11-19: 11:05:30:550:10c Failed to get key for cert
>11-19: 11:05:30:550:10c Looking for any cert
>11-19: 11:05:30:550:10c Cert Trustes. 0 100
>11-19: 11:05:30:550:10c Cert SHA Thumbprint
>2c57bb9ffcbf507b5514ca03adb8b80d
>11-19: 11:05:30:550:10c 4f85127d
>11-19: 11:05:37:190:10c AcquireContext Sig Key error: -2146893802
>11-19: 11:05:37:190:10c Failed to get key for cert
>11-19: 11:05:37:190:10c Looking for any cert
>11-19: 11:05:37:190:10c failed to get chain 80092004
>11-19: 11:05:37:190:10c Received no valid CRPs. Using all configured
>11-19: 11:05:37:190:10c Looking for IPSec only cert
>11-19: 11:05:37:190:10c Cert Trustes. 0 100
>11-19: 11:05:37:190:10c Cert SHA Thumbprint
>6c5ad2e103b79c31d01cb11d1797ae8c
>11-19: 11:05:37:190:10c 650c5513
>11-19: 11:05:43:831:10c AcquireContext Sig Key error: -2146893802
>11-19: 11:05:43:831:10c Failed to get key for cert
>11-19: 11:05:43:831:10c Looking for IPSec only cert
>11-19: 11:05:43:831:10c failed to get chain 80092004
>11-19: 11:05:43:831:10c Looking for any cert
>11-19: 11:05:43:831:10c Cert Trustes. 0 100
>11-19: 11:05:43:831:10c Cert SHA Thumbprint
>6c5ad2e103b79c31d01cb11d1797ae8c
>11-19: 11:05:43:831:10c 650c5513
>11-19: 11:05:50:472:10c AcquireContext Sig Key error: -2146893802
>11-19: 11:05:50:472:10c Failed to get key for cert
>11-19: 11:05:50:472:10c Looking for any cert
>11-19: 11:05:50:472:10c Cert Trustes. 0 100
>11-19: 11:05:50:472:10c Cert SHA Thumbprint
>2c57bb9ffcbf507b5514ca03adb8b80d
>11-19: 11:05:50:472:10c 4f85127d
>11-19: 11:05:57:112:10c AcquireContext Sig Key error: -2146893802
>11-19: 11:05:57:112:10c Failed to get key for cert
>11-19: 11:05:57:112:10c Looking for any cert
>11-19: 11:05:57:112:10c failed to get chain 80092004
>11-19: 11:05:57:112:10c ProcessFailure: sa:00148B70 centry:00000000
>status:35fc
>11-19: 11:05:57:112:10c isadb_set_status sa:00148B70 centry:00000000
>status 35fc
>11-19: 11:05:57:112:10c Key Exchange Mode (Main Mode)
>11-19: 11:05:57:112:10c Source IP Address 192.168.0.9 Source IP
>Address Mask 255.255.255.255 Destination IP Address 192.168.0.1
>Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0
>Destination Port 0 IKE Local Addr 192.168.0.9 IKE Peer Addr
>192.168.0.1
>11-19: 11:05:57:112:10c Certificate based Identity. Peer Subject
>Peer SHA Thumbprint 0000000000000000000000000000000000000000 Peer
>Issuing Certificate Authority Root Certificate Authority My
>Subject E=marco.formato@formathomes.com.au, C=AU, S=SA, L=Adelaide,
>O=Format Homes, OU=IT, CN=Marco Formato My SHA Thumbprint
>2c57bb9ffcbf507b5514ca03adb8b80d4f85127d Peer IP Address: 192.168.0.1
>11-19: 11:05:57:112:10c Me
>11-19: 11:05:57:112:10c No private key associated with machine
>certificate
>11-19: 11:05:57:112:10c 0x80092004 0x0
>11-19: 11:05:57:112:10c isadb_set_status InitiateEvent 0000073C:
>Setting Status 35fc
>11-19: 11:05:57:112:10c Clearing sa 00148B70 InitiateEvent 0000073C
>11-19: 11:05:57:112:10c ProcessFailure: sa:00148B70 centry:00000000
>status:35fc
>11-19: 11:05:57:112:10c Not creating notify.
>11-19: 11:05:57:112:10c
>11-19: 11:05:57:112:10c Receive: (get) SA = 0x00148b70 from
>192.168.0.1.500
>11-19: 11:05:57:112:10c ISAKMP Header: (V1.0), len = 342
>11-19: 11:05:57:112:10c I-COOKIE f529a37cd4885a0d
>11-19: 11:05:57:112:10c R-COOKIE 939bbe9064bddbc2
>11-19: 11:05:57:112:10c exchange: Oakley Main Mode
>11-19: 11:05:57:112:10c flags: 0
>11-19: 11:05:57:112:10c next payload: KE
>11-19: 11:05:57:112:10c message ID: 00000000
>11-19: 11:05:57:112:10c received an unencrypted packet when crypto
>active
>11-19: 11:05:57:112:10c GetPacket failed 35ec:
>
>I've been trying for about a week to get this working, and have been
>receiving 789 and 792 errors as well. I have also reinstalled the CA about
>5 times (both Enterprise level and stand-alone), and have been
>restarting the IPSEC Policy Agent Service and the RRAS Service
>whenever issuing the Server new certificates. I've tried numerous
>step-by-step postings on UseNet and also run through Microsoft
>
>Also the WinXP SP2 firewall is off and disabling Symantec Client
>Security's Firewall that is on the XP machine makes no difference.
>
>Can anybody help?
>
>Thanks
>Marco
