Re: L2TP/IPSEC - error 678

From: Herb Martin (news_at_LearnQuick.com)
Date: 01/03/05


Date: Mon, 3 Jan 2005 06:39:44 -0600

It is pretty hard to troubleshoot from here, but some questions
that might help you:

1) Do the clients actually have the CS trust certificate
for the issuing (to the RRAS server) server, and their
own CLIENT certificate (which is normally on the
Smartcard for EAP-TLS but could be in the client
store I suppose)?

2) Does the RRAS server have both its own server
certificate (good for IPSec) and its server trust cert
for the Certificate Server?

-- 
Herb Martin
"JJ" <iamjimjones@earthlink.net> wrote in message
news:3M4Cd.7670$JC2.3460@newsread2.news.atl.earthlink.net...
> I am in the middle of a win2003 RAS rollout...with an end goal of
> L2TP/IPSEC for both VPN and wireless connections (802.1x).  I've waded
> through the PKI setup...certs are issued to my IAS/RAS servers and my
> test client machine.
>
> Servers are all win2003...client is winXP (sp2).  RAS server has a
> public IP (firewalled) and a private IP (for corporate LAN)...
> authentication is via IAS installed on win2003 DC's...client is using
> standard dial-up (no NAT).
>
> I can establish a VPN connection through PPTP...with either CHAP or
> EAP-TLS...with no problems.
>
> When I attempt to connect via L2TP/IPSEC I consistently get 678 errors
> (server did not respond)...this is the case for both preshared key and
> certificate attempts.
>
> When I attempt the L2TP connection it behaves as if it were a firewall
> problem...client sends out an L2TP request on 1701...and then seemingly
> nothing happens...error 678 server did not respond.  However...I have
> tested with the client and RAS server on the same (public) subnet...as
> well as opening all traffic to/from the RAS server from another known
> public IP.  So I am fairly confident it is not a firewall issue.
>
> The fact that PPTP works with EAP-TLS would seem to imply that it is not
> a certificate related problem.  As would the fact that L2TP also fails
> with preshared key attempts.
>
> I've not been this stumped in quite some time...would appreciate advice
> on where to focus troubleshooting efforts.
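The two store checks the reply asks about (a machine certificate the IPsec side can actually use, and the issuing CA's root present in the trusted store) can be scripted rather than clicked through. This is an added example, not code from the thread; it assumes a modern PowerShell on the Windows RRAS server or client, run as administrator, and uses the standard Windows store paths and EKU OIDs named in the comments.

```powershell
# Added example (not from the thread): list machine certificates and report
# whether each is usable for IPsec IKE and chains to a trusted root.
# Assumes PowerShell 5+ on Windows, run elevated; OIDs are standard values.

$oidServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$oidClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$oidIkeInterm  = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }        # no EKU extension: valid for any purpose
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-IpsecMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = Get-EkuOids $Cert
    $purposeOk = ($ekus.Count -eq 0) -or ($ekus -contains $oidServerAuth) -or
                 ($ekus -contains $oidClientAuth) -or ($ekus -contains $oidIkeInterm)
    # Build the chain against the LocalMachine trust stores. A failure here is
    # the "CA trust certificate missing" case from the reply above.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate trust from CRL reachability
    $chainOk = $chain.Build($Cert)
    $state = if ($chainOk) { 'OK' } else {
        ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        HasKey     = $Cert.HasPrivateKey   # IKE needs the private key present
        NotAfter   = $Cert.NotAfter
        PurposeOk  = $purposeOk
        ChainOk    = $chainOk
        ChainState = $state
    }
}

# IKE uses computer certificates from LocalMachine\My, not the user's store
# (the EAP-TLS user certificate is a separate thing).
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-IpsecMachineCert $_ } |
    Format-Table -AutoSize

# The issuing CA's root must sit in LocalMachine\Root on both ends.
Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
```

Run it on the client as well as the RRAS server: a row with ChainOk false on either side points at the trust certificate, while HasKey false or PurposeOk false points at the machine certificate itself.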

