I have 2 Windows 2003 boxes: one in the internal domain and the other in our DMZ. They're separated by a Firewall. The server in the DMZ is NOT part of our internal domain.
Right now, The firewall is configured to allow ALL traffic between these 2 boxes , so the firewall is not the problem
What we want to do is:
Enable IPSEC between these 2 boxes using certificates...
I configured IPSEC without problem using pre-shared key just for test. It worked like a charm.
I changed the authentication method from Pre-Shared Key to "Certificates". It requested the trusted-root CA certificate, I gave it to them.
IMPORTANT NOTE: There is NOT on-line CA in this environment. We imported into these boxes a Certificate from a off-line CA. Also, we tested selecting any CA listed in the Trusted-Root CA list.
The result is: I cannot ping the DMZ server from the internal and the same in the other way.... they shows "NEGOTIATING IP SECURITY" but never establish a connection...
What I'm missing here? how can I make it work using Certificates instead of Pre-Shared Key????
NOTE: The problem is not How to configure an IPSec policy or filter... we know how to do it.. The problem is using Certificates as authentication method... how to use it???
Our community of experts have been thoroughly vetted for their expertise and industry experience.