Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please

Hi Oliver,

Not fusssy!

I have had some success, if I used a preshared key, the tunnel comes
up.

So as far as I can see, all I really needed to do was to set the IPSec
policy to use this. However the bit that is not working is the
certificate. Setting the ipsec policy to use a certificate and then
copying and installing the certificate on the client, it still fails
(no certificate installed).

I dont understand why this fails, and how the domain group
autoenrollment interacts/overides the assigned/or not assigned ipssec
policy.

At least least I have something working, so it proves the firewall
rules and ras etc.

Any ideas on the certificate bit ?

Thanks

nick

Oliver O'Boyle wrote:
Just so we know, what kind of authentication are your clients using?

Oliver

<nick.farrow@xxxxxx> wrote in message
news:1157034076.843604.289630@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have been at this for few days now with not much progress.

The problem is that I have it configured to what I think correct, but a
vpn client cannot connect and I cant find anything in the logs that
indicate a failure other than that a ike negotiation failed. The client
get a message that the machine certificate is not installed, but I
guess thats a cover for lots of things being wrong. I dont really know
whether is ipsec, RRas or domain settings that are wrong. I have a
simple set up, domain server connected to the inet over one lan card,
and the client dhcp'd to another lan card foe the internal network. I
jst want a simple l2tp vpn between the client and the server on the
internal network.

So the basic config is -

- RRAS set up for l2tp. It has KB914841 installed (this configures the
ipsec firewall).
- RRAS access policy set up for tunnel type=l2tp and NasportType = vpn,
and granted
- Active directory Computers, Group Policy edit - Autoenroll enabled
and certificate generated
- All restarted.
- Server and client have a brief dialog over port 500 before the client
complains of no certificate

There are some bits I'm not sure of
1) ipsecmon shows there is no active policy - do I need this ? I have
tried adding one and making it active, but it asked my to select a
certificate to use - so it would not be using the autogenerated one ?

2) I'm not sure of what half the ipsec config should be, as revealed by
'netsh ipsec dynamic show'

Can anyone give me some clear pointers and help, l2tp seems to be
configured differently between w2k and w2k3

Thanks

nick


.

Relevant Pages

  • Re: The message must contain a wsa:To header
    ... My client app is not generating a trace file. ... the client is not applying the WSE policy at all because of an ... at ApplicationMessagingWS.Dispatch(String messageType, String ... look for a certificate with this subject name in the certificate store ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: security header is not present in the incoming message
    ... Similar problem appears when I run my client directly under IIS instead of under ASP.NET Development Server. ... There are no certificates in the certificate store that match the find value of 'CN=WSE2QuickStartServer'. ... 'Hello World with certificate policy. ...
    (microsoft.public.dotnet.security)
  • re: Microsoft IPSec
    ... My original intention for enabling IPsec was the prevent users from ... Microsoft IPSec via group policy ... Requiring ipsec between a client and a DC via GPO is problematic. ...
    (Security-Basics)
  • RE: Microsoft IPSec via group policy
    ... IPsec could accomplish this. ... Microsoft IPSec via group policy ... Requiring ipsec between a client and a DC via GPO is problematic. ...
    (Security-Basics)
  • RE: Microsoft IPSec via group policy
    ... IPsec could accomplish this. ... Microsoft IPSec via group policy ... Requiring ipsec between a client and a DC via GPO is problematic. ...
    (Security-Basics)