Is the computer certificate in the Personal store of the local computer? Is
it configured with:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
When not using a pre-shared key, were you trying with MS-CHAPv2 or EAP?
Oliver
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi Oliver,
>
> Not fussy!
>
> I have had some success, if I used a preshared key, the tunnel comes
> up.
>
> So as far as I can see, all I really needed to do was to set the IPSec
> policy to use this. However the bit that is not working is the
> certificate. Setting the ipsec policy to use a certificate and then
> copying and installing the certificate on the client, it still fails
> (no certificate installed).
>
> I don't understand why this fails, and how the domain group
> autoenrollment interacts with/overrides the assigned (or not assigned) ipsec
> policy.
>
> At least I have something working, so it proves the firewall
> rules and ras etc.
>
> Any ideas on the certificate bit?
>
> Thanks
>
> nick
>
> Oliver O'Boyle wrote:
>> Just so we know, what kind of authentication are your clients using?
>>
>> Oliver
>>
>> <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) oups.com...
>> > Hi,
>> >
>> > I have been at this for a few days now with not much progress.
>> >
>> > The problem is that I have it configured to what I think is correct, but a
>> > vpn client cannot connect and I can't find anything in the logs that
>> > indicates a failure other than that an ike negotiation failed. The client
>> > gets a message that the machine certificate is not installed, but I
>> > guess that's a cover for lots of things being wrong. I don't really know
>> > whether it's ipsec, RRAS or domain settings that are wrong. I have a
>> > simple set up: domain server connected to the inet over one lan card,
>> > and the client dhcp'd to another lan card for the internal network. I
>> > just want a simple l2tp vpn between the client and the server on the
>> > internal network.
>> >
>> > So the basic config is -
>> >
>> > - RRAS set up for l2tp. It has KB914841 installed (this configures the
>> > ipsec firewall).
>> > - RRAS access policy set up for tunnel type=l2tp and NasportType = vpn,
>> > and granted
>> > - Active directory Computers, Group Policy edit - Autoenroll enabled
>> > and certificate generated
>> > - All restarted.
>> > - Server and client have a brief dialog over port 500 before the client
>> > complains of no certificate
>> >
>> > There are some bits I'm not sure of:
>> > 1) ipsecmon shows there is no active policy - do I need this? I have
>> > tried adding one and making it active, but it asked me to select a
>> > certificate to use - so it would not be using the autogenerated one?
>> >
>> > 2) I'm not sure of what half the ipsec config should be, as revealed by
>> > 'netsh ipsec dynamic show'
>> >
>> > Can anyone give me some clear pointers and help; l2tp seems to be
>> > configured differently between w2k and w2k3.
>> >
>> > Thanks
>> >
>> > nick
>> >
>
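A way to answer the certificate question Oliver raises, as an added example that is not part of this thread: it walks the Local Computer Personal store and reports, per certificate, whether it has a private key, carries the Server Authentication and Client Authentication EKUs named above, is within its validity period and chains to a trusted root. It assumes a current Windows host with PowerShell; the function name is my own.

```powershell
# Added example (not from the thread): audit Cert:\LocalMachine\My for a
# machine certificate usable by an L2TP/IPsec peer.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ekuExtensionOid = '2.5.29.37'          # id-ce-extKeyUsage

function Test-IpsecMachineCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $ekuOids = @()
    $rawExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtensionOid }
    if ($rawExt) {
        # Re-parse the raw extension so EnhancedKeyUsages is always populated.
        $ekuExt = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension `
            -ArgumentList $rawExt, $rawExt.Critical
        $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        # Windows treats a certificate with no EKU extension as valid for all purposes.
        EkuAbsent     = (-not $rawExt)
        ServerAuth    = ($ekuOids -contains $serverAuthOid)
        ClientAuth    = ($ekuOids -contains $clientAuthOid)
        TimeValid     = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ChainTrusted  = $Cert.Verify()   # builds the chain against the machine's trusted roots
    }
}

# Usable candidates: private key present, time-valid, trusted chain, and either
# no EKU restriction or both EKUs present.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-IpsecMachineCert -Cert $_ } |
    Select-Object *, @{ n = 'Usable'; e = {
        $_.HasPrivateKey -and $_.TimeValid -and $_.ChainTrusted -and
        ($_.EkuAbsent -or ($_.ServerAuth -and $_.ClientAuth)) } } |
    Format-Table -AutoSize
```

Run it in an elevated session on the RRAS server and on a client; a store that lists no row with Usable set to True explains the "no certificate installed" message without any IKE tracing.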