L2TP with certificates auth.

bbmservis asked (Medium Priority, 553 Views, Last Modified: 2013-12-05)
Hi,
this is my goal:
I want to set up an L2TP VPN between the office and a remote client.
Gear: Win2k3 Std server in the office, WinXP Pro remote client, ZyWALL 5 in HQ, Active Directory installed, no pre-shared key but a certificate instead for authentication, and the remote client computer is not a member of the domain!
Finally, I want to manually create the certificate in the office, save it to a USB stick and send it to the client; a password when installing it on the remote computer would be OK but is not a must-have!

DNS, Active Directory, RRAS, IIS and an Enterprise root authority are installed and working!
How can I achieve my goal?
THX

p.s. Can PPTP be disabled and only L2TP allowed when this is all finished?

Paranormastic, Cryptographic Engineer
CERTIFIED EXPERT

Commented:

Author

Commented:
Sorry for not responding for a long time, lots of work!
OK, this is my progress:
I only managed to get PPTP working! When trying to connect: error 786: The L2TP connection attempt failed
because there is no valid machine certificate on your computer!
Steps I followed: in the browser navigated to http://server-ip/certsrv, admin credentials, Request a certificate,
then Advanced certificate request, Create and submit a request to this CA -> Certificate Template: tried Administrator, User and Authenticated Session -> left everything default and only enabled "Store certificate in the local computer certificate store...". Installed the certificate! Same error, 786.
Paranormastic, Cryptographic Engineer
CERTIFIED EXPERT

Commented:
Which certificate template are you selecting?  Is it actually called IPSEC or IPSEC (Offline), or something else?  This is a special certificate type that needs to have the enhanced key usage "IP security IKE intermediate", which other cert types will not normally have.

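The check behind the advice above, as an added example that is not part of the thread: run it on the client that reports error 786. It walks the machine store (Cert:\LocalMachine\My) and reports, for each certificate, the three things an L2TP/IPsec machine certificate needs according to this answer: a private key, the "IP security IKE intermediate" enhanced key usage (OID 1.3.6.1.5.5.8.2.2), and a chain that builds to a root the machine trusts. It assumes PowerShell 2.0 on the client (installable on XP SP3 and Server 2003 SP2); the function names are mine.

```powershell
# Added example, not from the original post. Diagnoses error 786 ("no valid
# machine certificate") by inspecting every certificate in the machine store.
# Assumes PowerShell 2.0 on the XP/2003 client.

$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # "IP security IKE intermediate"
$EkuExtensionOid    = '2.5.29.37'           # id-ce-extKeyUsage

# Returns 'present', 'missing', or 'no EKU extension' for the IKE intermediate EKU.
function Get-IkeEkuStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    if (-not $ext) { return 'no EKU extension' }

    $ekuExt = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
    foreach ($oid in $ekuExt.EnhancedKeyUsages) {
        if ($oid.Value -eq $IkeIntermediateOid) { return 'present' }
    }
    return 'missing'
}

# One row per certificate: does it satisfy the requirements named in the answer?
function Test-L2tpMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ikeEku  = Get-IkeEkuStatus $Cert
    # Verify() builds the chain against the machine's trusted roots and checks
    # validity dates and revocation, which is what IKE does before it will use the cert.
    $chainOk = $Cert.Verify()

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        IkeEku        = $ikeEku
        ChainOk       = $chainOk
        UsableForL2tp = ($Cert.HasPrivateKey -and ($ikeEku -eq 'present') -and $chainOk)
    }
}

# The User, Administrator and Authenticated Session templates the poster tried
# issue certificates whose EKU list does not include 1.3.6.1.5.5.8.2.2, so they
# show IkeEku = missing here even though "store in the local computer store" was ticked.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-L2tpMachineCert $_ } |
    Format-Table Subject, HasPrivateKey, IkeEku, ChainOk, UsableForL2tp -AutoSize
```

If no row shows UsableForL2tp = True the 786 error is expected; if a row shows the EKU present but ChainOk = False, the missing piece is the enterprise root certificate in the client's LocalMachine\Root store rather than the template.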
Author

Commented:
These are the templates to choose from:
Administrator
Authenticated Session
Basic EFS
EFS Recovery Agent
User
Subordinate Certification Authority
Web Server

I have tried Administrator, User and Authenticated Session!
Paranormastic, Cryptographic Engineer
CERTIFIED EXPERT
Commented:
Ok, you need to open up the Certification Authority MMC and select the Certificate Templates folder, right click - New - Template to issue - select either IPSec or IPSec (Offline), depending on what you feel meets your situation best.  Wait up to 15 minutes for it to replicate in AD, then try again using this template.

If you don't like the default settings, open Certificate Templates MMC and duplicate the IPSec template and adjust as desired, just don't mess with the Extensions tab, then go through and issue that to the CA as described above.


Author

Commented:
Still the same message: error 786!
Why, under Templates (Certification Authority MMC), do I see IPSEC but cannot choose it when requesting a certificate? And under Advanced request I don't have the option "Submit a certificate request to this CA using a form"; instead I have these:

Create and submit a request to this CA.

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
 

Paranormastic, Cryptographic Engineer
CERTIFIED EXPERT

Commented:
Try using IPSec (Offline) instead.  Also make sure you have at least Read and Enroll permissions on that template (Certificate Templates MMC) for the user account.

Here is a general walkthrough of the process - hopefully something in here will stick out:
http://support.microsoft.com/kb/555281
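The offline enrollment this answer points at, worked end to end as an added example (it is not code from the thread or from the KB article). It replaces the certsrv web pages with certreq/certutil, which matches the poster's plan of carrying files on a USB stick, but keeps the private key on the client: only the PKCS #10 request travels to the office and only the issued certificate (plus the root CA certificate) travels back, so no password-protected PFX is needed. It covers the CA-side step of issuing the template (the MMC "Certificate Template to Issue" action above) and the permissions caveat from this answer. Assumptions, all mine: the CA is addressed as CAHOST\CANAME (placeholders), the template's internal name is IPSECIntermediateOffline (the display name is "IPSec (Offline)"; `certutil -CATemplates` shows what your CA actually lists), the account running the office-side steps has Read and Enroll on that template, PowerShell 2.0 is available on both machines, and certreq.exe/certutil.exe exist on the XP client, which requires the Windows Server 2003 Administration Tools Pack (adminpak.msi). Function names and file paths are illustrative.

```powershell
# Added example, not from the thread. Manual ("offline") enrollment of an L2TP/IPsec
# machine certificate for a client that is not a domain member.
# Assumptions: CAHOST\CANAME is a placeholder for "CA host\CA common name";
# IPSECIntermediateOffline is the internal name of the "IPSec (Offline)" template;
# certreq.exe and certutil.exe are present on the XP client (adminpak.msi);
# PowerShell 2.0 on both sides; all steps run from an elevated/administrator session.

$CAConfig     = 'CAHOST\CANAME'             # placeholder
$TemplateName = 'IPSECIntermediateOffline'   # "IPSec (Offline)"

# --- Office side, once: make the template issuable by the CA. Equivalent to
#     Certificate Templates -> New -> Certificate Template to Issue in the CA MMC.
function Enable-IpsecOfflineTemplate {
    & certutil.exe -SetCATemplates "+$TemplateName" | Out-Null
    # Confirm it now appears in the CA's issuable list.
    & certutil.exe -CATemplates | Select-String $TemplateName
}

# --- Client side, step 1: generate the key pair in the machine key store and write
#     a PKCS #10 request. Exportable=FALSE keeps the private key on this computer;
#     only the .req file goes on the USB stick.
function New-L2tpMachineRequest {
    param([string]$Subject, [string]$RequestPath)

    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.8.2.2

[RequestAttributes]
CertificateTemplate = $TemplateName
"@
    $infPath = [System.IO.Path]::ChangeExtension($RequestPath, '.inf')
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    & certreq.exe -new $infPath $RequestPath
}

# --- Office side, step 2: submit the carried-over request to the enterprise CA.
#     Run as an account that has Read and Enroll on the template, otherwise the CA
#     denies the request. Also export the enterprise root so the client can trust the chain.
function Submit-L2tpMachineRequest {
    param([string]$RequestPath, [string]$CertPath, [string]$RootCertPath)
    & certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$TemplateName" $RequestPath $CertPath
    & certutil.exe -config $CAConfig -ca.cert $RootCertPath
}

# --- Client side, step 3: trust the root, then bind the issued certificate to the
#     private key from step 1. The result lands in Cert:\LocalMachine\My, which is
#     where the L2TP client (and IKE) looks for a machine certificate.
function Install-L2tpMachineCert {
    param([string]$CertPath, [string]$RootCertPath)
    & certutil.exe -addstore -f Root $RootCertPath
    & certreq.exe -accept $CertPath
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
}

# Usage (E:\ stands for the USB stick; run each line on the side noted):
# Enable-IpsecOfflineTemplate                                                           # office, once
# New-L2tpMachineRequest -Subject 'CN=remote-xp' -RequestPath 'E:\remote-xp.req'         # client
# Submit-L2tpMachineRequest -RequestPath 'E:\remote-xp.req' -CertPath 'E:\remote-xp.cer' -RootCertPath 'E:\rootca.cer'  # office
# Install-L2tpMachineCert -CertPath 'E:\remote-xp.cer' -RootCertPath 'E:\rootca.cer'      # client
```

The RRAS server needs its own IPsec machine certificate from the same CA (request it there with the same template; as a domain member it can use the CA MMC or certsrv directly), because IKE authenticates both ends. The `[EnhancedKeyUsageExtension]` section in the INF is belt and braces: an enterprise CA stamps the template's EKU on the issued certificate regardless, so if `certutil -dump` of the result lacks 1.3.6.1.5.5.8.2.2, the wrong template was applied at submission, not in the request.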