Paul Weterings
I'm assuming you are testing on a LAN without any firewalls in between?

Does the EKU extension (Enhanced Key Usage) on the client contain the 'Client Authentication' purpose or the IPsec purpose? On the VPN server, does the EKU extension contain the Server & Client Authentication purposes?

p.s. PPTP isn't that bad you know... It's not -insecure-, just less secure than L2TP, and a lot easier to implement.

Regards,
Paul Weterings

dpetrek wrote:
> So we have a Windows 2000 RRAS VPN server which has been serving us with PPTP VPN service for a long time now. We decided to upgrade security and implement L2TP. So I installed a standalone CA and installed the CA root cert on both the RRAS server and a test client. I can see the cert in "Trusted Root Certification Authorities" on both the RRAS server and the client. Also I issued computer certs to the RRAS server (purpose: Server Authentication) and the client (purpose: Client Authentication). That should finish the story with certs. However, when I try to establish a VPN connection from the client I get:
>
> Error 786: The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication.
>
> Also I have the following in the Security log:
>
> ---
> IKE security association negotiation failed.
> Mode:
>   Key Exchange Mode (Main Mode)
>
> Filter:
>   Source IP Address 192.168.0.33
>   Source IP Address Mask 255.255.255.255
>   Destination IP Address 192.168.0.15
>   Destination IP Address Mask 255.255.255.255
>   Protocol 0
>   Source Port 0
>   Destination Port 0
>   IKE Local Addr 192.168.0.33
>   IKE Peer Addr 192.168.0.15
>   IKE Source Port 500
>   IKE Destination Port 500
>   Peer Private Addr
>
> Peer Identity:
>   Certificate based Identity.
>   Peer Subject
>   Peer SHA Thumbprint 0000000000000000000000000000000000000000
>   Peer Issuing Certificate Authority
>   Root Certificate Authority
>   My Subject CN=HP-SERVER test cert
>   My SHA Thumbprint 0fd6eb25c8ba67e79b97457014a4b8803b05eb3c
>   Peer IP Address: 192.168.0.15
>
> Failure Point:
>   Me
>
> Failure Reason:
>   IKE failed to find valid machine certificate
>
> Extra Status:
>   Processed second (KE) payload
>   Initiator. Delta Time 0
>   0x80092004 0x100
> ---
>
> Please advise, what have I done wrong?
Bill Grant
I certainly agree with your PS. I would never recommend changing to L2TP unless there was an established certificate service (and somebody who understood it). Ditto for SSTP in Server 2008.

"Paul Weterings" wrote:
> I'm assuming you are testing on a LAN without any firewalls in between?
> [...]
dpetrek
Yes Paul, I am testing on a LAN, without firewalls, just to make an initial successful connection.
EKU on client contains: Client Authentication (1.3.6.1.5.5.7.3.2)
EKU on server contains: Server Authentication (1.3.6.1.5.5.7.3.1)

I know that PPTP is not that "bad"; actually it depends on the length of the password how secure it actually is. However, in my opinion my users should have the alternative to use L2TP if they want to.

On Mar 22, 11:44 pm, Paul Weterings wrote:
> I'm assuming you are testing on a LAN without any firewalls in between?
> [...]
Paul Weterings
Looks like you are doing the right things; maybe the next test would be to run with IKE auditing switched on.

HKLM\system\currentcontrolset\control\lsa\audit = 1
HKLM\system\currentcontrolset\services\ipsec\enablediagnostics = 7
(restart system)

Since you're not even getting to Quick mode, it's IKE that is most likely misconfigured. Are you 100% sure authentication, encryption and key exchange are the same for both systems?

This may sound silly, but of course you also need to be 100% sure the packets get to where they need to go. You might want to consider running Network Monitor or Wireshark to capture IPsec packets; even though you won't see the content, at least this proves their arrival (if the auditing didn't already).

Regards,
Paul Weterings

dpetrek wrote:
> Yes Paul, I am testing on LAN, without firewalls, just to make initial successful connection.
> [...]
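The registry keys above are the Windows 2000 way to get IKE detail. The following is an added example, not code from the thread, that does the same job on Windows Vista / Server 2008 and later, where the IPsec audit subcategories write Main Mode and Quick Mode failures to the Security log as events 4653 and 4654. The function names are mine; the field labels picked out of the event text ("Failure Point", "Failure Reason") are the ones those events carry, and the parser keeps everything else so you can inspect the rest. Run it in an elevated session.

```powershell
# Added example (not from the thread): switch on IPsec/IKE auditing and pull
# Main Mode (4653) / Quick Mode (4654) negotiation failures from the Security log.

function Enable-IpsecAudit {
    # auditpol subcategory names as shipped by Windows (Logon/Logoff category).
    foreach ($sub in 'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}

function ConvertFrom-IpsecEventMessage {
    # The event text is "Label:<tabs>value" lines grouped under headings; turn
    # every labelled line into a hashtable entry so callers can pick fields.
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+?):\s*(\S.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    $fields
}

function Get-IkeFailure {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 50
    )
    $filter = @{ LogName = 'Security'; Id = 4653, 4654; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-IpsecEventMessage $_.Message
            $mode = 'Quick Mode'
            if ($_.Id -eq 4653) { $mode = 'Main Mode' }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Mode          = $mode
                FailurePoint  = $f['Failure Point']
                FailureReason = $f['Failure Reason']
                Fields        = $f        # full label/value set for anything else you need
            }
        }
}

Enable-IpsecAudit
# A failure that never reaches Quick Mode shows up only as 4653, which is the
# modern equivalent of the "Main Mode ... IKE failed to find valid machine
# certificate" entry quoted at the top of the thread.
Get-IkeFailure | Format-Table Time, Mode, FailurePoint, FailureReason -AutoSize -Wrap
```

Paul's second point, that the packets must actually arrive, is not something the event log proves on its own: a 4653 on the initiator with no matching entry on the responder is the signature of a filter or routing problem rather than an IKE one.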
dpetrek
Paul, the issue with certificates has been resolved: there were 2 identical root certs from my CA in Trusted Roots. Once I deleted one of them, it started working.

However, I have new issues :)

The VPN connection is successfully established on the local LAN; however, it does not work properly from a client on the Internet. Currently, we have some inbound filters configured on the WAN interface of the RRAS server. RRAS is directly connected to the Internet, no NATs involved there. The client IS behind NAT.
If I disable the inbound filters and let all traffic IN on RRAS, the client connects successfully. Of course I don't want to leave the filters like that; the only traffic I want to let in on my RRAS is VPN traffic.
So I fired up Ethereal and established the connection successfully. This is what I found out from the sniffed bytes, the traffic that has to be let in for the L2TP connection to work:

UDP 500 - for IKE
UDP 4500 - for IPsec UDP encapsulation
and *whole* UDP traffic (don't understand the purpose of this traffic)

So my client connects successfully ONLY if I let all UDP traffic in. This is not an option at all. Could you explain what could be happening, what could be the reason for this?

On Mar 23, 4:25 pm, Paul Weterings wrote:
> Looks like you are doing the right things, maybe the next test would be to run with IKE auditing switched on.
> [...]
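The certificate side of the thread is now closed, so here is the check that covers both Paul's EKU question and the duplicate root dpetrek found. It is an added example, not code from the thread. One detail from the original log helps frame it: the "Extra Status" value 0x80092004 is CRYPT_E_NOT_FOUND, which is IKE reporting that it found nothing usable in the machine's personal store. A machine certificate is usable for IKE when it has a private key, chains to a root the machine trusts, is within its validity period, and either has no EKU extension (valid for every purpose) or carries one of the three EKUs listed below. The function names and the "copies of one root subject" heuristic are mine; the OIDs are the standard ones.

```powershell
# Added example (not from the thread): report which LocalMachine\My certificates
# IKE could use, and flag duplicate root certificates in LocalMachine\Root.

$IkeEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Get-IkeMachineCertReport {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        # No EKU extension at all means "any purpose", which IKE accepts.
        $ekuOk = (-not $ekuExt) -or [bool]($oids | Where-Object { $IkeEku.ContainsKey($_) })
        $ekuText = '(none: all purposes)'
        if ($ekuExt) {
            $ekuText = ($oids | ForEach-Object { if ($IkeEku[$_]) { $IkeEku[$_] } else { $_ } }) -join ', '
        }

        # Build the chain against the machine's own root store, the way IKE does.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a lab CA rarely publishes a reachable CRL
        $chainOk = $chain.Build($cert)
        $root = ''
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            EKU           = $ekuText
            EkuUsable     = [bool]$ekuOk
            ChainValid    = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Root          = $root
            UsableForIke  = [bool]($ekuOk -and $chainOk -and $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
}

function Find-DuplicateRoot {
    # A store cannot hold two entries with the same thumbprint, so "two identical
    # root certs" in practice means two roots with the same subject and different
    # keys (a CA reinstalled or re-issued). Group by subject to surface them.
    Get-ChildItem Cert:\LocalMachine\Root |
        Group-Object Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Subject     = $_.Name
                Copies      = $_.Count
                Thumbprints = ($_.Group | ForEach-Object { $_.Thumbprint }) -join ', '
            }
        }
}

Get-IkeMachineCertReport | Format-List
Find-DuplicateRoot | Format-Table -AutoSize
```

If every row shows UsableForIke = False, the ChainStatus column says why (UntrustedRoot, NotTimeValid, and so on); the error 786 dialog never does. Note that the check looks only at the LocalMachine stores: a root imported into the user's Trusted Root store is invisible to the IKE service.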
Paul Weterings
Do you have Kerberos (port 88 on UDP & TCP) open?

Regards,
Paul Weterings

dpetrek wrote:
> Paul, the issue with certificates has been resolved, there were 2 identical root certs from my CA in Trusted roots.
> [...]
dpetrek
I did not try opening that port: the client connecting is not a part of the domain. Ethereal shows no traffic on ports 88 UDP/TCP when the connection is successful.

On Mar 23, 9:21 pm, Paul Weterings wrote:
> Do you have Kerberos (port 88 on UDP & TCP) open?
> [...]
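The thread stops without resolving the filter question, so here is the inbound allow-list an L2TP/IPsec server needs, as an added example that is not from the thread. It is written for the Windows Firewall cmdlets (Windows 8 / Server 2012 and later) rather than the Windows 2000 RRAS filter UI the posts are about, and the function names are mine. The port the capture did not make obvious is UDP 1701, the L2TP tunnel itself: on the wire it travels inside ESP (protocol 50, or UDP 4500 once NAT traversal is negotiated, as it is for dpetrek's NATed client), but a host filter that runs after IPsec has removed the ESP header sees the inner UDP 1701 datagram and drops it unless it is listed. That is my reading of why nothing less than "all UDP" worked; the thread does not say so. Run elevated.

```powershell
# Added example (not from the thread): the narrow inbound set for L2TP/IPsec,
# plus a check that reports what is missing and flags an "any UDP" allow rule.

$L2tpIpsecInbound = @(
    @{ Name = 'L2TP/IPsec: IKE';   Protocol = 'UDP'; LocalPort = '500'  }   # IKE Main/Quick Mode
    @{ Name = 'L2TP/IPsec: NAT-T'; Protocol = 'UDP'; LocalPort = '4500' }   # IKE + ESP in UDP when a NAT is detected
    @{ Name = 'L2TP/IPsec: L2TP';  Protocol = 'UDP'; LocalPort = '1701' }   # the tunnel, seen after ESP is stripped
    @{ Name = 'L2TP/IPsec: ESP';   Protocol = '50';  LocalPort = $null  }   # raw ESP from clients not behind NAT
)

function New-L2tpIpsecInboundRule {
    foreach ($r in $L2tpIpsecInbound) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        $p = @{ DisplayName = $r.Name; Direction = 'Inbound'; Action = 'Allow'; Protocol = $r.Protocol }
        if ($r.LocalPort) { $p.LocalPort = $r.LocalPort }
        New-NetFirewallRule @p | Out-Null
    }
}

function Test-L2tpIpsecInbound {
    # Compare the required set against every enabled inbound allow rule.
    $filters = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
               Get-NetFirewallPortFilter
    foreach ($r in $L2tpIpsecInbound) {
        $match = $filters | Where-Object {
            $_.Protocol -eq $r.Protocol -and
            (-not $r.LocalPort -or $_.LocalPort -eq 'Any' -or $_.LocalPort -contains $r.LocalPort)
        }
        [pscustomobject]@{
            Requirement = $r.Name
            Protocol    = $r.Protocol
            Port        = $r.LocalPort
            Allowed     = [bool]$match
        }
    }
    # The weak setting the thread ended up with: UDP with no port restriction.
    $broad = $filters | Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -eq 'Any' }
    foreach ($b in $broad) {
        [pscustomobject]@{
            Requirement = 'OVER-BROAD: UDP to any local port is allowed'
            Protocol    = 'UDP'
            Port        = 'Any'
            Allowed     = $true
        }
    }
}

New-L2tpIpsecInboundRule
Test-L2tpIpsecInbound | Format-Table -AutoSize
```

Kerberos (port 88) does not belong in this set for a non-domain client: the IPsec peers authenticate each other with the machine certificates, and the PPP user authentication that follows runs inside the tunnel, which is consistent with the empty port 88 capture dpetrek reported.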