L2TP with certificates auth.

Posted on 2009-02-12
Last Modified: 2013-12-05
This is my goal:
I want to set up an L2TP VPN between the office and a remote client.
Gear: Win2k3 Std server in the office, WinXP Pro remote client, Zywall5 in HQ, Active Directory installed, no pre-shared key but a certificate instead for authentication, and the remote client computer is not a member of the domain!
Finally, I want to manually create a certificate in the office, save it to a USB stick and send it to the client; a password when installing it on the remote computer would be OK but is not a must-have!

DNS, Act. Directory, RRAS, IIS and Enterprise root authority are installed and working!
How can I achieve my goal?

P.S. Can PPTP be disabled and only L2TP allowed when all is finished!?
Question by:bbmservis
    Author Comment

    Sorry for not responding for a long time, lots of work!
    OK, this is my progress:
    I only managed to get PPTP working! When trying to connect: 786 error: The L2TP connection attempt failed
    because there is no valid machine certificate on your computer!
    Steps I followed: in the browser navigated to http://server-ip/certsrv, admin credentials, Request a certificate,
    then Advanced certificate request, Create and submit a request to this CA -> Certificate Template: tried Administrator, User and Authenticated Session -> left everything default and only enabled "Store certificate in the local computer certificate store...". Installed certificate! Same error, 786.

    Expert Comment

    Which certificate template are you selecting?  Is it actually called IPSEC or IPSEC (Offline), or something else?  This is a special certificate type that needs to have the enhanced key usage "IP security IKE intermediate", which other cert types will not normally have.

    Author Comment

    These are the templates to choose from:
    Authenticated Session
    Basic EFS
    EFS Recovery Agent
    Subordinate Certification Authority
    Web Server

    I have tried Administrator, User and Authenticated Session!

    Accepted Solution

    Ok, you need to open up the Certification Authority MMC and select the Certificate Templates folder, right click - New - Template to issue - select either IPSec or IPSec (Offline), depending on what you feel meets your situation best.  Wait up to 15 minutes for it to replicate in AD, then try again using this template.

    If you don't like the default settings, open Certificate Templates MMC and duplicate the IPSec template and adjust as desired, just don't mess with the Extensions tab, then go through and issue that to the CA as described above.
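    The expert's two points above (the certificate must carry the "IP security IKE intermediate" enhanced key usage, and it must be a machine certificate in the local computer store) can be checked on the client before retrying the connection. The script below is an added example, not something posted in this thread; it assumes an elevated PowerShell session on the client (PowerShell 2.0-compatible syntax, since the client here is XP), that the CA's root certificate has already been imported into LocalMachine\Root, and that the EKU OID 1.3.6.1.5.5.8.2.2 is the one IKE looks for. Each certificate with a private key in LocalMachine\My is reported with whether it has that EKU, whether its chain builds to a trusted root, and whether it is still valid, so an error 786 can be traced to a missing EKU, a missing root, or an expired certificate rather than guessed at.

```powershell
# Added diagnostic for L2TP/IPsec error 786: is there a machine certificate IKE can use?
# Assumptions (not from the thread): run elevated on the client; the issuing CA's root
# certificate is already in Cert:\LocalMachine\Root.
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # "IP security IKE intermediate" EKU (assumed OID)

function Test-IkeMachineCertificate {
    # Only certificates with a private key in the *machine* store count; user-store
    # certificates (the "Administrator"/"User" templates enrolled as a user) are ignored by IKE.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

    $results = foreach ($cert in $candidates) {
        # Collect the OIDs listed in the Enhanced Key Usage extension, if any.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }
        # Follow the expert's criterion: the IKE intermediate EKU must be present.
        $hasIkeEku = $ekuOids -contains $IkeIntermediateOid

        # Build the chain to a trusted root; revocation is skipped so an offline CRL
        # does not mask the question being asked here (trust and EKU).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainBuilds = $chain.Build($cert)

        $notExpired = $cert.NotAfter -gt (Get-Date)

        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            HasIkeEku   = $hasIkeEku
            ChainBuilds = $chainBuilds
            Usable      = ($hasIkeEku -and $chainBuilds -and $notExpired)
        }
    }
    return $results
}

$report = Test-IkeMachineCertificate
$report | Format-Table Subject, HasIkeEku, ChainBuilds, NotAfter, Usable -AutoSize

if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning 'No usable IPsec machine certificate in LocalMachine\My; error 786 is expected.'
    Write-Warning 'Enrol with the IPSec or IPSec (Offline) template into the *computer* store and import the CA root.'
}
```

    If a certificate shows HasIkeEku as False, it was enrolled from a template without the IKE intermediate usage (exactly the Administrator/User/Authenticated Session case described earlier); if ChainBuilds is False, the CA's root certificate is missing from LocalMachine\Root on the non-domain client, which a domain-joined machine would normally receive automatically.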

    Author Comment

    Still the same msg: error 786!
    Why, under templates (Certification Authority MMC), do I see IPSEC but cannot choose it when requesting a certificate, and under advanced request I don't have the option "Submit a certificate request to this CA using a form"; instead I have this:
    Create and submit a request to this CA.
    Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
    Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.


    Expert Comment

    Try using IPSec (Offline) instead.  Also make sure you have at least Read and Enroll permissions on that template (Certificate Templates MMC) for the user account.

    Here is a general walkthrough of the process - hopefully something in here will stick out:
