Re: Problem with certificates/L2TP VPN

I certainly agree with your PS. I would never recommend changing to L2TP unless there was an established certificate service (and somebody who uinderstood it). Ditto for SSTP in server 2008.

"Paul Weterings" <Paul-nospam-@syncpuls-dot-com> wrote in message news:47e58bc8$0$25712$e4fe514c@xxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm assuming you are testing on a LAN without any firewalls in between?

Does the EKU extension (Enhanced Key Usage) on the client contain the 'Client Authentication Purpose' or IPSec purpose? On the VPN server does the EKU extension contain the Server & Client Authentication purpose?

p.s. PPTP isn't that bad you know... It's not -insecure-, just less secure than LT2P, and a lot easier to implement

/ ) Regards,
/ /_________
_|__|__) Paul Weterings
/ (O_)
__/ (O_)
____(O_)

dpetrek wrote:
So we have a Windows 2000 RRAS VPN server which has been serving us
with PPTP VPN service for a long time now. We decided to upgrade
security and implement L2TP. So I installed standalone CA and
installed CA ROOT ccert on both RRAS server and test client. I can see
the cert in "Trusted Root Certification Authorities" on both RRAS
server and client. Also I issued computer certs to RRAS server
(purpose: Server Authentication) and client (purpose: Client
Authentication). That should finish the story with certs. However when
I try to establish VPN connection from client I get:

Error 786: The L2TP connection attempt failed because there is no
valid machine certificate on your computer for security
authentication.

Also I have following in Security log:

---
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 192.168.0.33
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.0.15
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 192.168.0.33
IKE Peer Addr 192.168.0.15
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject CN=HP-SERVER test cert
My SHA Thumbprint 0fd6eb25c8ba67e79b97457014a4b8803b05eb3c
Peer IP Address: 192.168.0.15

Failure Point:
Me

Failure Reason:
IKE failed to find valid machine certificate

Extra Status:
Processed second (KE) payload
Initiator. Delta Time 0
0x80092004 0x100
---

Please advise, what have I done wrong?

.

Relevant Pages

  • Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
    ... SSL only validates you are talking to a SSL certified server; ... They can simply edit the URL the client program ... can be done by using a X.509 certificate on both ends, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: LDP client authentication fails
    ... I got the LDP working with LDAP server under server client authentication ... I did not installed the certificate in pfx format .. ... Client cert auth won't work without that. ...
    (microsoft.public.windows.server.active_directory)
  • Re: SSL & Man In the Middle Attack
    ... >> it possible for the middle man to intercept all messages from server to me ... > server sends client a signed message along with a digital certificate. ... > client generates a random secret key, ...
    (comp.security.misc)
  • Re: activesync issue
    ... On the SBS 2003 Server open the Server Management console. ... On the "Web Server Certificate" page, choose to create a new Web server ... Install the new certificate which created in above step on mobile device: ... Access to browse the Exchange Server 2003 client after you install ...
    (microsoft.public.windows.server.sbs)
  • Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
    ... order to detect we are connected to the wrong server (even though its SSL ... certificate is OK and valid by Verisign); we would need a client certificate. ... this can be detected by SSL/HTTPS client in ...
    (microsoft.public.dotnet.framework.aspnet.security)