Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please



Just so we know, what kind of authentication are your clients using?

Oliver

<nick.farrow@xxxxxx> wrote in message
news:1157034076.843604.289630@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have been at this for a few days now with not much progress.

The problem is that I have it configured to what I think is correct, but a
VPN client cannot connect and I can't find anything in the logs that
indicates a failure other than that an IKE negotiation failed. The client
gets a message that the machine certificate is not installed, but I
guess that's a cover for lots of things being wrong. I don't really know
whether it is IPsec, RRAS or domain settings that are wrong. I have a
simple set up: domain server connected to the inet over one LAN card,
and the client DHCP'd to another LAN card for the internal network. I
just want a simple L2TP VPN between the client and the server on the
internal network.

So the basic config is -

- RRAS set up for L2TP. It has KB914841 installed (this configures the
IPsec firewall).
- RRAS access policy set up for tunnel type = L2TP and NAS-Port-Type = VPN,
and granted.
- Active Directory Computers, Group Policy edit: autoenroll enabled
and certificate generated.
- All restarted.
- Server and client have a brief dialog over port 500 before the client
complains of no certificate.

There are some bits I'm not sure of:
1) ipsecmon shows there is no active policy. Do I need this? I have
tried adding one and making it active, but it asked me to select a
certificate to use, so it would not be using the autogenerated one?

2) I'm not sure what half the IPsec config should be, as revealed by
'netsh ipsec dynamic show'.

Can anyone give me some clear pointers and help? L2TP seems to be
configured differently between W2k and W2k3.

Thanks

nick
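An added set of checks for the two open questions in the post above (whether an IPsec policy is actually assigned, and whether a machine certificate is present in the computer store). This is not from either poster; it assumes it is run in an elevated cmd prompt on the W2k3 RRAS server, and the Oakley logging key is the standard Windows 2000/2003 IKE debug switch rather than anything from this thread.

```bat
@echo off
REM Added diagnostic checks for a W2k3 L2TP/IPsec RRAS server (not from the thread).

echo === 1. Which IPsec policies exist, and is one assigned? ===
REM "Assigned: Yes" must appear on exactly one policy; "no active policy" in ipsecmon
REM means the dynamic state below is empty and IKE has nothing to negotiate with.
netsh ipsec static show policy all

echo === 2. Live IPsec state (what the post calls the "dynamic" half) ===
REM Shows assigned policy, main-mode and quick-mode SAs, and IKE statistics.
netsh ipsec dynamic show all

echo === 3. Is there a machine certificate in the computer's Personal store? ===
REM The L2TP client error "machine certificate is not installed" refers to this
REM store on both ends. Look for a cert whose Issuer is your enterprise CA and
REM whose Enhanced Key Usage includes Client/Server Authentication or IP security.
certutil -store my

echo === 4. Is the IKE listener (UDP 500, plus 4500 for NAT-T) actually open? ===
netstat -an -p udp | findstr /C:":500 " /C:":4500 "

echo === 5. Optional: enable IKE (Oakley) logging, then restart IPSEC Services ===
REM Standard Windows 2000/2003 debug switch; writes %%SystemRoot%%\Debug\Oakley.log
REM with the reason for each failed main-mode negotiation. Disable again when done.
echo To enable: reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley /v EnableLogging /t REG_DWORD /d 1 /f
echo Then:      net stop PolicyAgent ^& net start PolicyAgent
```

Run the same certutil check on the client; both machines need a certificate that chains to a CA the other side trusts, otherwise IKE aborts after the first port 500 exchange, which matches the "brief dialog" described above.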





