Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please
- From: nick.farrow@xxxxxx
- Date: 1 Sep 2006 01:48:11 -0700
Hi Oliver,
Not fusssy!
I have had some success, if I used a preshared key, the tunnel comes
up.
So as far as I can see, all I really needed to do was to set the IPSec
policy to use this. However the bit that is not working is the
certificate. Setting the ipsec policy to use a certificate and then
copying and installing the certificate on the client, it still fails
(no certificate installed).
I dont understand why this fails, and how the domain group
autoenrollment interacts/overides the assigned/or not assigned ipssec
policy.
At least least I have something working, so it proves the firewall
rules and ras etc.
Any ideas on the certificate bit ?
Thanks
nick
Oliver O'Boyle wrote:
Just so we know, what kind of authentication are your clients using?
Oliver
<nick.farrow@xxxxxx> wrote in message
news:1157034076.843604.289630@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have been at this for few days now with not much progress.
The problem is that I have it configured to what I think correct, but a
vpn client cannot connect and I cant find anything in the logs that
indicate a failure other than that a ike negotiation failed. The client
get a message that the machine certificate is not installed, but I
guess thats a cover for lots of things being wrong. I dont really know
whether is ipsec, RRas or domain settings that are wrong. I have a
simple set up, domain server connected to the inet over one lan card,
and the client dhcp'd to another lan card foe the internal network. I
jst want a simple l2tp vpn between the client and the server on the
internal network.
So the basic config is -
- RRAS set up for l2tp. It has KB914841 installed (this configures the
ipsec firewall).
- RRAS access policy set up for tunnel type=l2tp and NasportType = vpn,
and granted
- Active directory Computers, Group Policy edit - Autoenroll enabled
and certificate generated
- All restarted.
- Server and client have a brief dialog over port 500 before the client
complains of no certificate
There are some bits I'm not sure of
1) ipsecmon shows there is no active policy - do I need this ? I have
tried adding one and making it active, but it asked my to select a
certificate to use - so it would not be using the autogenerated one ?
2) I'm not sure of what half the ipsec config should be, as revealed by
'netsh ipsec dynamic show'
Can anyone give me some clear pointers and help, l2tp seems to be
configured differently between w2k and w2k3
Thanks
nick
.
- Follow-Ups:
- Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please
- From: Oliver O'Boyle
- Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please
- References:
- Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please
- From: Oliver O'Boyle
- Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please
- Prev by Date: Re: Help !!!!!!! DHCP IP not enough - Urgent Urgent
- Next by Date: DHCP Superscope
- Previous by thread: Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please
- Next by thread: Re: Any VPN Guru ? W2k3 L2TP VPN - not much hair left, suggestions please
- Index(es):
Relevant Pages
|
