Re: Problem with certificates/L2TP VPN

Looks like you are doing the right things, maybe the next test would be to run with IKE auditing switched on.

HKLM\system\currentcontrolset\control\lsa\audit = 1
HKLM\system\currentcontrolset\services\ipsec\enablediagnostics = 7
(restart system)

Since you're not even getting to Quick mode, it's IKE that is most likely misconfigured. Are you 100% sure authentication, encryption and key change are the same for both systems?

This may sound silly, but of course you also need to be 100% sure the packets get to where they need to go. You might want to consider running Network Monitor or Wireshark to capture IPSec packets, even though you won't see the content, at least this proves their arrival (if the auditing didn't already).

/ ) Regards,
/ /_________
_|__|__) Paul Weterings
/ (O_)
__/ (O_)

dpetrek wrote:
Yes Paul, I am testing on LAN, without firewalls, just to make initial
successful connection.
EKU on client contains: Client Authentication (
EKU on server contains: Server Authentication(

I know that PPTP is not that "bad", actually it depends on the length of
the password how secure it
actually is. However, in my opinion my users should have the
alternative to use L2TP if they
want to.

On Mar 22, 11:44 pm, Paul Weterings <Paul-nospam-@syncpuls-dot-com>
I'm assuming you are testing on a LAN without any firewalls in between?

Does the EKU extension (Enhanced Key Usage) on the client contain the
'Client Authentication Purpose' or IPSec purpose? On the VPN server does
the EKU extension contain the Server & Client Authentication purpose?

p.s. PPTP isn't that bad you know... It's not -insecure-, just less
secure than L2TP, and a lot easier to implement

/ ) Regards,
/ /_________
_|__|__) Paul Weterings
/ (O_)
__/ (O_)

dpetrek wrote:
So we have a Windows 2000 RRAS VPN server which has been serving us
with PPTP VPN service for a long time now. We decided to upgrade
security and implement L2TP. So I installed standalone CA and
installed CA root cert on both RRAS server and test client. I can see
the cert in "Trusted Root Certification Authorities" on both RRAS
server and client. Also I issued computer certs to RRAS server
(purpose: Server Authentication) and client (purpose: Client
Authentication). That should finish the story with certs. However when
I try to establish VPN connection from client I get:
Error 786: The L2TP connection attempt failed because there is no
valid machine certificate on your computer for security
Also I have following in Security log:
IKE security association negotiation failed.
Key Exchange Mode (Main Mode)
Source IP Address
Source IP Address Mask
Destination IP Address
Destination IP Address Mask
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject CN=HP-SERVER test cert
My SHA Thumbprint 0fd6eb25c8ba67e79b97457014a4b8803b05eb3c
Peer IP Address:
Failure Point:
Failure Reason:
IKE failed to find valid machine certificate
Extra Status:
Processed second (KE) payload
Initiator. Delta Time 0
0x80092004 0x100
Please advise, what have I done wrong?
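The Security log entry quoted above is the kind of event Paul's IKE auditing registry keys produce, and it carries more than the headline "IKE failed to find valid machine certificate". The following is an added example, not code from either poster: a small Python parser that turns the event text into fields and lists what a defender can read off it (which side failed, whether a peer certificate was ever validated, how far Main Mode got, and what the status code means). The sample event is taken verbatim from the post; the only external fact the code relies on is that HRESULT 0x80092004 is CRYPT_E_NOT_FOUND.

```python
"""Parse a Windows IKE audit event from the Security log and summarise
where Main Mode failed.  Added example; the event text below is the one
quoted in the thread."""
import re

# Constructed sample: the failure event quoted in dpetrek's post.
SAMPLE_EVENT = """IKE security association negotiation failed.
Key Exchange Mode (Main Mode)
Source IP Address
Source IP Address Mask
Destination IP Address
Destination IP Address Mask
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr
IKE Peer Addr
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject CN=HP-SERVER test cert
My SHA Thumbprint 0fd6eb25c8ba67e79b97457014a4b8803b05eb3c
Peer IP Address:
Failure Point:
Failure Reason:
IKE failed to find valid machine certificate
Extra Status:
Processed second (KE) payload
Initiator. Delta Time 0
0x80092004 0x100
"""

# Field labels as they appear in the event; longest first so that
# "Source IP Address Mask" is matched before "Source IP Address".
FIELDS = sorted([
    "Key Exchange Mode", "Source IP Address Mask", "Source IP Address",
    "Destination IP Address Mask", "Destination IP Address", "Protocol",
    "Source Port", "Destination Port", "IKE Local Addr", "IKE Peer Addr",
    "IKE Source Port", "IKE Destination Port", "Peer Private Addr",
    "Peer Identity", "Peer Subject", "Peer SHA Thumbprint",
    "Peer Issuing Certificate Authority", "Root Certificate Authority",
    "My Subject", "My SHA Thumbprint", "Peer IP Address", "Failure Point",
    "Failure Reason", "Extra Status",
], key=len, reverse=True)

# HRESULT values the summary knows how to name.
STATUS_NAMES = {0x80092004: "CRYPT_E_NOT_FOUND (no matching certificate in the store)"}


def parse_ike_event(text):
    """Return a dict of field -> value.  A label with nothing after it takes
    the following unlabelled lines as its value (e.g. Failure Reason)."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name in FIELDS:
            if line.startswith(name):
                rest = line[len(name):].strip().lstrip(":").strip().strip("()")
                fields[name] = rest
                current = name
                break
        else:  # continuation line belonging to the last label seen
            if current is not None:
                fields[current] = (fields[current] + " " + line).strip()
    m = re.search(r"\b(0x[0-9A-Fa-f]{8})\b", fields.get("Extra Status", ""))
    fields["status_code"] = int(m.group(1), 16) if m else None
    return fields


def diagnose(fields):
    """List observations derived only from the parsed fields."""
    extra = fields.get("Extra Status", "")
    notes = ["%s failed with this machine as %s" % (
        fields.get("Key Exchange Mode", "?"),
        "initiator" if "Initiator" in extra else "responder")]
    peer_tp = fields.get("Peer SHA Thumbprint", "")
    if peer_tp and set(peer_tp) == {"0"}:
        notes.append("peer thumbprint is all zeros: no peer certificate was "
                     "validated before the failure")
    if "(KE)" in extra:
        notes.append("KE payload was processed, so proposal matching and the "
                     "key exchange succeeded; the failure is at certificate "
                     "selection for the ID/signature messages")
    if "machine certificate" in fields.get("Failure Reason", "").lower():
        notes.append("local machine store yielded no usable certificate: check "
                     "it is in the computer (not user) store, has its private "
                     "key, and chains to a root the peer also trusts")
    code = fields.get("status_code")
    if code is not None:
        notes.append("status 0x%08x: %s" % (code, STATUS_NAMES.get(code, "unknown HRESULT")))
    return notes


if __name__ == "__main__":
    for note in diagnose(parse_ike_event(SAMPLE_EVENT)):
        print("-", note)
```

Run it against any IKE audit event pasted into SAMPLE_EVENT; for the one in this thread it reports that the local side (the initiator) got through the KE exchange and then could not select a machine certificate, with CRYPT_E_NOT_FOUND as the status, which matches the Error 786 the client shows.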

