Problem with certificates/L2TP VPN




So we have a Windows 2000 RRAS VPN server which has been serving us
with PPTP VPN service for a long time now. We decided to upgrade
security and implement L2TP. So I installed a standalone CA and
installed the CA ROOT cert on both the RRAS server and the test client. I can see
the cert in "Trusted Root Certification Authorities" on both the RRAS
server and the client. Also, I issued computer certs to the RRAS server
(purpose: Server Authentication) and the client (purpose: Client
Authentication). That should finish the story with certs. However, when
I try to establish a VPN connection from the client I get:

Error 786: The L2TP connection attempt failed because there is no
valid machine certificate on your computer for security
authentication.

Also, I have the following in the Security log:

---
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 192.168.0.33
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.0.15
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.0.33
IKE Peer Addr 192.168.0.15
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject CN=HP-SERVER test cert
My SHA Thumbprint 0fd6eb25c8ba67e79b97457014a4b8803b05eb3c
Peer IP Address: 192.168.0.15

Failure Point:
Me

Failure Reason:
IKE failed to find valid machine certificate

Extra Status:
Processed second (KE) payload
Initiator. Delta Time 0
0x80092004 0x100
---

Please advise, what have I done wrong?
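
The following is an added example, not part of the original post: a short Python script that pulls the triage-relevant fields out of the IKE audit event quoted above and names the first status code. The function names `parse_event` and `triage` are hypothetical, and the embedded event text is abridged from the post.

```python
import re

# Abridged from the Security log entry quoted in the post above.
EVENT = """\
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
My Subject CN=HP-SERVER test cert
My SHA Thumbprint 0fd6eb25c8ba67e79b97457014a4b8803b05eb3c
Failure Point:
Me
Failure Reason:
IKE failed to find valid machine certificate
Extra Status:
Processed second (KE) payload
Initiator. Delta Time 0
0x80092004 0x100
"""

SECTIONS = ("Failure Point", "Failure Reason")    # value is on the next line
INLINE = ("Peer Subject", "Peer SHA Thumbprint", "My Subject", "My SHA Thumbprint")
KNOWN_STATUS = {0x80092004: "CRYPT_E_NOT_FOUND"}  # name from winerror.h

def parse_event(text):
    """Turn the free-text audit event into a dict of the fields used for triage."""
    lines = [ln.strip() for ln in text.splitlines()]
    ev = {}
    for i, line in enumerate(lines):
        if line.endswith(":") and line[:-1] in SECTIONS and i + 1 < len(lines):
            ev[line[:-1]] = lines[i + 1]
        for label in INLINE:
            if line.startswith(label):
                ev[label] = line[len(label):].strip()
        m = re.fullmatch(r"(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)", line)
        if m:  # trailing pair of hex codes under Extra Status; the first is kept
            ev["Status"] = int(m.group(1), 16)
    return ev

def triage(ev):
    """Return short notes on which side failed and what the event records."""
    notes = []
    if ev.get("Failure Point") == "Me":
        notes.append("failure raised by the local IKE side, not the peer")
    thumb = ev.get("Peer SHA Thumbprint", "")
    if thumb and set(thumb) == {"0"}:
        notes.append("peer thumbprint is all zeros: no peer certificate recorded")
    status = ev.get("Status")
    if status in KNOWN_STATUS:
        notes.append(f"status 0x{status:08x} is {KNOWN_STATUS[status]}")
    return notes

if __name__ == "__main__":
    for note in triage(parse_event(EVENT)):
        print("-", note)
```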