Re: L2TP/IPSEC Connection problem to Windows 2000 Server
From: Jorge Coronel (jcoronel_at_online.microsoft.com)
Date: 11/20/04
- Next message: Terry: "Re: Can't get DNS working with RAS. Help!"
- Previous message: Bill Grant: "Re: Ports required for remote hosts wishing to establish PPTP VPN."
- In reply to: Marco Formato: "Re: L2TP/IPSEC Connection problem to Windows 2000 Server"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 19 Nov 2004 17:13:02 -0800
When you are using the certificate authentication method for L2TP
connections, the list of certification authorities (CAs) is not
configurable. Instead, each computer in the L2TP connection sends a list of
root CAs to its IPSec peer from which it accepts a certificate for
authentication. The root CAs in this list correspond to the root CAs that
issued computer certificates to the computer. For example, if Computer A was
issued computer certificates by root CAs CertAuth1 and CertAuth2, it
notifies its IPSec peer during main mode negotiation that it will accept
certificates for authentication from only CertAuth1 and CertAuth2. If the
IPSec peer, Computer B, does not have a valid computer certificate issued
from either CertAuth1 or CertAuth2, IPSec main mode negotiation fails.
Ensure one of the following before attempting an L2TP connection:
a. Both the VPN client and VPN server were issued computer certificates
from the same CA.
b. Both the VPN client and VPN server were issued computer certificates
from CAs that follow a certificate chain up to the same root CA.
In general, the VPN client must have a valid computer certificate installed
that was issued by a CA that follows a valid certificate chain from the
issuing CA up to a root CA that the VPN server trusts. Additionally, the VPN
server must have a valid computer certificate installed that was issued by a
CA that follows a valid certificate chain from the issuing CA up to a root
CA that the VPN client trusts.
You are having problems with the certificates because they cannot be
chained up to a root CA that both client and server trust.
Thanks
JC
"Marco Formato" <marco.formato@formathomes.com.au> wrote in message
news:10jqp0lj84o49g6d4qkelm9oi50jedp2qe@4ax.com...
> Forgot to add - the following was logged in the WinXP Event List
> Security Section:
>
> IKE security association negotiation failed.
> Mode:
> Key Exchange Mode (Main Mode)
>
> Filter:
> Source IP Address 192.168.0.9
> Source IP Address Mask 255.255.255.255
> Destination IP Address 192.168.0.1
> Destination IP Address Mask 255.255.255.255
> Protocol 0
> Source Port 0
> Destination Port 0
> IKE Local Addr 192.168.0.9
> IKE Peer Addr 192.168.0.1
>
> Peer Identity:
> Certificate based Identity.
> Peer Subject
> Peer SHA Thumbprint 0000000000000000000000000000000000000000
> Peer Issuing Certificate Authority
> Root Certificate Authority
> My Subject E=marco.formato@formathomes.com.au, C=AU, S=SA, L=Adelaide,
> O=Format Homes, OU=Administration, CN=Marco Formato
> My SHA Thumbprint 3097b80df5819d37fed9e4c3131b22069b141fb2
> Peer IP Address: 192.168.0.1
>
> Failure Point:
> Me
>
> Failure Reason:
> No private key associated with machine certificate
>
> Extra Status:
> 0x80092004 0x0
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
> On Fri, 19 Nov 2004 11:11:57 +1030, Marco Formato
> <firstname.lastname[AT]formathomes.com.au> wrote:
>
>>I am currently running the following setup as a test-bed:
>>
>>Windows 2000 Server SP4 with RRAS and a Stand-alone CA
>>Windows XP Professional SP2
>>
>>Both machines are currently on the same LAN (subnet etc) and I'm trying
>>to get an L2TP VPN connection working from the XP Professional machine
>>to the Server. PPTP already works fine in this setup.
>>
>>My problem appears to be Certificates. I am requesting a 'Client
>>authentication' Certificate from the CA using the Web Server option
>>(running on Port 81 as SUS is running on Port 80) I'm filling in the
>>personal details, using a 1024 bit key and selecting 'Use Local
>>Machine Store'. All other options are left at default.
>>
>>First problem is that when I go to Install the Certificate on the
>>WinXP machine I get an 'Unable to Install Certificate. Please ensure
>>your CSP supports any settings you have made and that your input is
>>valid. Error 0x80090016'. At this point however the certificate is
>>available in the Local Machine Personal Certificate Store. (checked
>>with certmgr.msc) Also certmgr.msc reports that it has a private key
>>
>>I have also downloaded and installed the CA Certificate, and when
>>checking the 'Client Authentication' Certificate there is no warning
>>about a non-trusted root CA.
>>
>>I've also installed both a 'Client Authentication' and a 'Server
>>Authentication' certificate on the RRAS Server (which is also the Root
>>CA) and ensured the CA is listed in the Local Machine Trusted Root
>>Certification Store. And certmgr.msc also reports that it has a
>>private key.
>>
>>Upon initiating an L2TP connection I currently get an Error 786. The
>>oakley log has the following listed (subset of the log file)
>>
>>11-19: 11:05:17:253:10c Receive: (get) SA = 0x00148b70 from
>>192.168.0.1.500
>>11-19: 11:05:17:253:10c ISAKMP Header: (V1.0), len = 342
>>11-19: 11:05:17:253:10c I-COOKIE f529a37cd4885a0d
>>11-19: 11:05:17:253:10c R-COOKIE 939bbe9064bddbc2
>>11-19: 11:05:17:253:10c exchange: Oakley Main Mode
>>11-19: 11:05:17:253:10c flags: 0
>>11-19: 11:05:17:253:10c next payload: KE
>>11-19: 11:05:17:253:10c message ID: 00000000
>>11-19: 11:05:17:253:10c processing payload KE
>>11-19: 11:05:17:269:10c processing payload NONCE
>>11-19: 11:05:17:269:10c processing payload CRP
>>11-19: 11:05:17:269:10c E=marco.formato@formathomes.com.au, C=AU,
>>S=SA, L=Adelaide, O=Format Homes, OU=IT, CN=Server 01
>>11-19: 11:05:17:269:10c ClearFragList
>>11-19: 11:05:17:269:10c constructing ISAKMP Header
>>11-19: 11:05:17:269:10c constructing ID
>>11-19: 11:05:17:269:10c Looking for IPSec only cert
>>11-19: 11:05:17:269:10c Cert Trustes. 0 100
>>11-19: 11:05:17:269:10c Cert SHA Thumbprint
>>6c5ad2e103b79c31d01cb11d1797ae8c
>>11-19: 11:05:17:269:10c 650c5513
>>11-19: 11:05:23:909:10c AcquireContext Sig Key error: -2146893802
>>11-19: 11:05:23:909:10c Failed to get key for cert
>>11-19: 11:05:23:909:10c Looking for IPSec only cert
>>11-19: 11:05:23:909:10c failed to get chain 80092004
>>11-19: 11:05:23:909:10c Looking for any cert
>>11-19: 11:05:23:909:10c Cert Trustes. 0 100
>>11-19: 11:05:23:909:10c Cert SHA Thumbprint
>>6c5ad2e103b79c31d01cb11d1797ae8c
>>11-19: 11:05:23:909:10c 650c5513
>>11-19: 11:05:30:550:10c AcquireContext Sig Key error: -2146893802
>>11-19: 11:05:30:550:10c Failed to get key for cert
>>11-19: 11:05:30:550:10c Looking for any cert
>>11-19: 11:05:30:550:10c Cert Trustes. 0 100
>>11-19: 11:05:30:550:10c Cert SHA Thumbprint
>>2c57bb9ffcbf507b5514ca03adb8b80d
>>11-19: 11:05:30:550:10c 4f85127d
>>11-19: 11:05:37:190:10c AcquireContext Sig Key error: -2146893802
>>11-19: 11:05:37:190:10c Failed to get key for cert
>>11-19: 11:05:37:190:10c Looking for any cert
>>11-19: 11:05:37:190:10c failed to get chain 80092004
>>11-19: 11:05:37:190:10c Received no valid CRPs. Using all configured
>>11-19: 11:05:37:190:10c Looking for IPSec only cert
>>11-19: 11:05:37:190:10c Cert Trustes. 0 100
>>11-19: 11:05:37:190:10c Cert SHA Thumbprint
>>6c5ad2e103b79c31d01cb11d1797ae8c
>>11-19: 11:05:37:190:10c 650c5513
>>11-19: 11:05:43:831:10c AcquireContext Sig Key error: -2146893802
>>11-19: 11:05:43:831:10c Failed to get key for cert
>>11-19: 11:05:43:831:10c Looking for IPSec only cert
>>11-19: 11:05:43:831:10c failed to get chain 80092004
>>11-19: 11:05:43:831:10c Looking for any cert
>>11-19: 11:05:43:831:10c Cert Trustes. 0 100
>>11-19: 11:05:43:831:10c Cert SHA Thumbprint
>>6c5ad2e103b79c31d01cb11d1797ae8c
>>11-19: 11:05:43:831:10c 650c5513
>>11-19: 11:05:50:472:10c AcquireContext Sig Key error: -2146893802
>>11-19: 11:05:50:472:10c Failed to get key for cert
>>11-19: 11:05:50:472:10c Looking for any cert
>>11-19: 11:05:50:472:10c Cert Trustes. 0 100
>>11-19: 11:05:50:472:10c Cert SHA Thumbprint
>>2c57bb9ffcbf507b5514ca03adb8b80d
>>11-19: 11:05:50:472:10c 4f85127d
>>11-19: 11:05:57:112:10c AcquireContext Sig Key error: -2146893802
>>11-19: 11:05:57:112:10c Failed to get key for cert
>>11-19: 11:05:57:112:10c Looking for any cert
>>11-19: 11:05:57:112:10c failed to get chain 80092004
>>11-19: 11:05:57:112:10c ProcessFailure: sa:00148B70 centry:00000000
>>status:35fc
>>11-19: 11:05:57:112:10c isadb_set_status sa:00148B70 centry:00000000
>>status 35fc
>>11-19: 11:05:57:112:10c Key Exchange Mode (Main Mode)
>>11-19: 11:05:57:112:10c Source IP Address 192.168.0.9 Source IP
>>Address Mask 255.255.255.255 Destination IP Address 192.168.0.1
>>Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0
>>Destination Port 0 IKE Local Addr 192.168.0.9 IKE Peer Addr
>>192.168.0.1
>>11-19: 11:05:57:112:10c Certificate based Identity. Peer Subject
>>Peer SHA Thumbprint 0000000000000000000000000000000000000000 Peer
>>Issuing Certificate Authority Root Certificate Authority My
>>Subject E=marco.formato@formathomes.com.au, C=AU, S=SA, L=Adelaide,
>>O=Format Homes, OU=IT, CN=Marco Formato My SHA Thumbprint
>>2c57bb9ffcbf507b5514ca03adb8b80d4f85127d Peer IP Address: 192.168.0.1
>>11-19: 11:05:57:112:10c Me
>>11-19: 11:05:57:112:10c No private key associated with machine
>>certificate
>>11-19: 11:05:57:112:10c 0x80092004 0x0
>>11-19: 11:05:57:112:10c isadb_set_status InitiateEvent 0000073C:
>>Setting Status 35fc
>>11-19: 11:05:57:112:10c Clearing sa 00148B70 InitiateEvent 0000073C
>>11-19: 11:05:57:112:10c ProcessFailure: sa:00148B70 centry:00000000
>>status:35fc
>>11-19: 11:05:57:112:10c Not creating notify.
>>11-19: 11:05:57:112:10c
>>11-19: 11:05:57:112:10c Receive: (get) SA = 0x00148b70 from
>>192.168.0.1.500
>>11-19: 11:05:57:112:10c ISAKMP Header: (V1.0), len = 342
>>11-19: 11:05:57:112:10c I-COOKIE f529a37cd4885a0d
>>11-19: 11:05:57:112:10c R-COOKIE 939bbe9064bddbc2
>>11-19: 11:05:57:112:10c exchange: Oakley Main Mode
>>11-19: 11:05:57:112:10c flags: 0
>>11-19: 11:05:57:112:10c next payload: KE
>>11-19: 11:05:57:112:10c message ID: 00000000
>>11-19: 11:05:57:112:10c received an unencrypted packet when crypto
>>active
>>11-19: 11:05:57:112:10c GetPacket failed 35ec:
>>
>>I've been trying for about a week to get this working, and receiving
>>789 and 792 errors as well, as well as having reinstalled the CA about
>>5 times (both Enterprise level and stand alone) I have also been
>>restarting the IPSEC Policy Agent Service and the RRAS Service
>>whenever issuing the Server new certificates. I've tried numerous
>>step-by-step postings on UseNet and also run through Microsoft
>>
>>Also the WinXP SP2 firewall is off and disabling Symantec Client
>>Security's Firewall that is on the XP machine makes no difference.
>>
>>Can anybody help?
>>
>>Thanks
>>Marco
>
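As an added illustration of the CA-list behaviour JC describes (constructed example code, not from this thread or from Windows), a small Python model of main mode certificate selection: each peer's certificate request carries the root CAs that issued its own machine certificates, the other side must pick a certificate that chains to one of those roots and for which a private key can be acquired, and the failure strings mirror the oakley log quoted above. The hresult helper also shows that the signed value -2146893802 in the log is the same 0x80090016 (NTE_BAD_KEYSET) reported when the certificate was installed. Peer and CA names are assumptions.

```python
from dataclasses import dataclass

# All certificates, CA names and peers below are constructed for illustration.

@dataclass
class Cert:
    subject: str
    root_ca: str                 # root CA at the top of this cert's chain
    has_private_key: bool = True # False models a cert whose key cannot be acquired

@dataclass
class Peer:
    name: str
    machine_certs: list
    trusted_roots: set

    def certificate_request(self):
        # The accepted-CA list is not configurable: it is the set of root CAs
        # that issued this peer's own machine certificates (sent in the CRP).
        return {c.root_ca for c in self.machine_certs}

    def select_auth_cert(self, requested_roots):
        # A usable cert must chain to a root the peer asked for and that we
        # trust, and we must be able to acquire its private key for signing.
        key_missing = False
        for cert in self.machine_certs:
            if cert.root_ca not in requested_roots or cert.root_ca not in self.trusted_roots:
                continue                 # "failed to get chain 80092004"
            if not cert.has_private_key:
                key_missing = True       # "AcquireContext Sig Key error"
                continue
            return cert, None
        if key_missing:
            return None, "No private key associated with machine certificate"
        return None, "failed to get chain 80092004"

def main_mode(initiator, responder):
    """Both sides must find a usable cert for the other's CRP or main mode fails."""
    for me, peer in ((initiator, responder), (responder, initiator)):
        cert, reason = me.select_auth_cert(peer.certificate_request())
        if cert is None:
            return False, f"{me.name}: {reason}"
    return True, "main mode authenticated"

def hresult(signed_code):
    """The oakley log prints CryptAcquireContext errors as signed decimals;
    reinterpret the value as the 32-bit HRESULT shown in Windows dialogs."""
    return signed_code & 0xFFFFFFFF
```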