Solved

windws 2008 vpn IKE v2

Posted on 2010-11-15
15
2,699 Views
Last Modified: 2013-12-05
Hi Guys,
I am tryng to setup microsoft server 2008 as an Active Directory, DC, DNS server and VPN access.
I have followed the steps posted on microsoft's web site called lab test.
http://technet.microsoft.com/en-us/library/dd637783(WS.10).aspx
The setup is as follow.
-Server 2008 ent.
-Active Directory, DC, DNS and RAS are running on the same machine.
-Internet is one static IP using a netgear router to share the connection with the other computers on the network.

I have suceccfully genereated an VPN reconnect certificate and installed it both on the server and the client machine.
when I try to connect to the server I get error code 13801 and in the server log it shows the following error.

CoId={E344AD01-6C14-7402-DA7F-87D332300063}: The following error occurred in the Point to Point Protocol module on port: VPN1-125, UserName: <Unauthenticated User>. Negotiation timed out.

Any ideas what the problem could be form ?
0
Comment
Question by:janod
15 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 34147575
Error 13801 occurs on the client when:

    * The certificate is expired.

    * The trusted root for the certificate is not present on the client.

    * The subject name of the certificate does not match the remote computer.

    * The certificate does not have the required Enhanced Key Usage (EKU) values assigned.


http://technet.microsoft.com/en-us/library/dd941612%28WS.10%29.aspx
0
 
LVL 28

Expert Comment

by:asavener
ID: 34147582
If the remote clients are not members of the domain, then they will not have the trusted root for the RRAS server.
0
 

Author Comment

by:janod
ID: 34149858
Wizard,
Thanks for the reply. I know what the error is. I dont know hot to resolve it.
to give you a better picture my server has the following Ip address.
Public Nic 192.168.1.240 Private Nic 192.168.1.241. my public Domain name is xwz.net. if I have a feeling the problem is in the certificate name I have tried xwz.net and during the connection In windows 7 i use xyz for the domain and still the same error.
Am I even in the right page ?
0
 
LVL 28

Expert Comment

by:asavener
ID: 34150055
Can you describe the steps you went through to install the certificate on the client?  Did you install the certification authority for the remote access server as a trusted root?

Can you get the VPN to work with pre-shared keys?  (Two reasons for asking:  1) to make sure the client can connect successfully, and 2) to be able to install the the certification authority certificate if necessary)
0
 

Author Comment

by:janod
ID: 34150250
i used Microsoft Lab test documment step by step. Once again thanks for your help.
Here are the steps:

Create and install the Server Authentication certificate
The Server Authentication certificate is used by CLIENT1 to authenticate VPN1. The certificate must have the “Server Authentication” and “IP security IKE intermediate” extended key usage (EKU) options applied.
 To create a certificate template with the required EKUs
1.      On VPN1, click Start, click Administrative Tools, and then click Certification Authority.
2.      In the navigation tree, expand contoso-VPN1-CA.
3.      Right-click Certificate Templates, and then click Manage. The Certificate Templates Console appears.
4.      Right-click the IPsec template in the list, and then click Duplicate Template.
5.      In the Duplicate Template dialog box, select Windows Server 2003 Enterprise, and then click OK.
6.      On the General tab, change the Template display name to VPN Reconnect.
7.      Check the Validity period. The default is 2 years. You can adjust this per your organization’s requirements.
8.      On the Request Handling tab, select Allow private key to be exported.
9.      On the Subject Name tab, select Supply in the request. If a warning message appears, click OK.
10.      On the Extensions tab, select Application Policies, and then click Edit.
11.      The IP security IKE intermediate policy is already present. Keep it. If there are any others, select them and click Remove.
12.      Click Add, select Server Authentication, and then click OK.
13.      Click OK to return to the Extensions tab.
14.      Select Key Usage, and then click Edit.
15.      In the Signature section, ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.
16.      Click OK to save your completed template.
17.      Close the Certificate Templates Console window.
The certificate template has been created. It must be issued before it can be used to request a certificate.

 To issue the certificate template
1.      In the Certification Authority console window, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
2.      In the Enable Certificate Templates dialog box, select VPN Reconnect, and then click OK.
The template is now ready to be used for certificate requests. Before you can request one, you must configure Internet Explorer security settings to work with the certificate publishing web page.
 To configure Internet Explorer to allow certificate publishing
1.      On VPN1, click Start, right-click Internet Explorer, and then click Run as administrator.
2.      Click Tools, and then click Internet Options.
3.      On the Security tab, under Select a zone to view or change security settings, click Local intranet.
4.      Change the security level for Local intranet from Medium-low to Low, and then click OK.
 Note
In a real-world scenario, you should configure individual ActiveX® control settings using Custom level rather than lowering the overall security level.
Internet Explorer is now ready to be used to request and install certificates on the local computer.

 To request a Server Authentication certificate using Internet Explorer
1.      On VPN1, in the Internet Explorer address bar, type http://localhost/certsrv, and then press ENTER.
2.      Under Select a Task, click Request a Certificate.
3.      Under Request a Certificate, click Advanced Certificate Request.
4.      Under Advanced Certificate Request, click Create and submit a request to this CA.
5.      On the first confirmation dialog box, click Yes to allow the ActiveX control.
6.      On the second confirmation dialog box, click Yes to allow the certificate operation.
7.      In the Certificate Template list, select VPN Reconnect.
8.      Under Identifying Information, in the Name field, type vpn1.contoso.com.
 Note
The name is the certificate subject name and must be the same as the Internet address used in the IKEv2 connection settings configured later in this document.
9.      Under Key Options, select Mark keys as exportable, and then click Submit.
10.      Click Yes in each of the confirmation dialog boxes.
The server authentication certificate is created in the user personal store. It must be moved to the machine store to be used.
 To move the certificate to the machine store
1.      On VPN1, click Start, type MMC, and then press ENTER.
2.      In Console1, click File, and then click Add/Remove Snap-in.
3.      Under Available snap-ins, click Certificates, and then click Add.
4.      Click Finish to accept the default setting of My user account.
5.      Click Add a second time, click Computer account, and then click Next.
6.      In the Select Computer dialog box, click Finish to accept the default setting of Local computer.
7.      Click OK to close the Add or Remove Snap-ins dialog box.
8.      In the navigation tree, expand Certificates - Current User, expand Personal, and then click Certificates.
9.      In the details pane, right-click the vpn1.contoso.com certificate, click All Tasks, and then click Export.
10.      On the Welcome page, click Next.
11.      On the Export Private Key page, click Yes, export the private key, and then click Next.
12.      On the Export File Format page, click Next to accept the default file format.
13.      On the Password page, type Pass@word1 in both text boxes, and then click Next.
14.      On the File to Export page, click Browse.
15.      Under Favorites, click Desktop
16.      In the File name text box, type vpn1cert, and then click Save to save the certificate to the desktop.
17.      Back on the File to Export page, click Next.
18.      On the Completing the Certificate Export Wizard page, click Finish to close the wizard, and then click OK in the confirmation dialog box.
19.      In the console tree pane, expand Certificates (Local Computer), and then expand Personal.
20.      Right-click Certificates, point to All Tasks, and then click Import.
21.      On the Welcome page, click Next.
22.      On the File to Import page, click Browse.
23.      Under Favorites, click Desktop.
24.      In the file type drop-down list, select Personal Information Exchange (*.pfx, *.p12).
25.      In the list of files, double-click vpn1cert.
26.      Back on the File to Import page, click Next.
27.      On the Password page, type Pass@word1, and then click Next.
28.      On the Certificate Store page, click Next to accept the Personal store location.
29.      Click Finish to close the Import Export Wizard, and then click OK in the confirmation dialog box.

 To generate the trusted root certificate
1.      On VPN1, in the Internet Explorer address bar, type http://localhost/certsrv, and then press ENTER.
2.      Under Select a task, click Download a CA certificate, certificate chain, or CRL.
3.      Click Yes to allow the ActiveX control, and Yes to allow the certificate operation.
4.      Click Download CA certificate.
5.      Click Save, select Desktop, type the name RootCACert, click Save, and then click Close. Later, you will move this certificate to the Client1 computer.
 Important
The root certificate for the CA is already installed on VPN1, because the root certificate for a CA is installed when the computer is made a CA. If your CA is a separate computer from VPN1, then you must separately download and install the root CA certificate to VPN1.

--------------------------
as far as getting it working with pre-shared key i have not tried that. can you specify how to do it or if there is alink I care refer to.
Thanks
0
 

Author Comment

by:janod
ID: 34150762
oh forgot to mention that the local domain name for AD is rflaw.local.. if that makes a differance.
0
 
LVL 28

Expert Comment

by:bgoering
ID: 34152107
The certificate subject name must be the same as what would be returned from a nslookup of the public ip address of your netgear router.

You must also configure your netgear to forward the following ports and protocols to your vpn server.

IP Protocol ID 50:
For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
IP Protocol ID 51:
For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
UDP Port 500:
For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

Good Luck
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 28

Expert Comment

by:asavener
ID: 34152167
To generate the trusted root certificate
1.      On VPN1, in the Internet Explorer address bar, type http://localhost/certsrv, and then press ENTER.
2.      Under Select a task, click Download a CA certificate, certificate chain, or CRL.
3.      Click Yes to allow the ActiveX control, and Yes to allow the certificate operation.
4.      Click Download CA certificate.
5.      Click Save, select Desktop, type the name RootCACert, click Save, and then click Close. Later, you will move this certificate to the Client1 computer.

Did you perform the operation that I've bolded?
0
 
LVL 28

Expert Comment

by:asavener
ID: 34152180
@bgoering,

When setting up IPSec/L2TP VPN servers on Windows 2003, the public DNS did not matter; only the internal/Active Directory name mattered.

Is this something that has changed in Windows 2008?
0
 

Author Comment

by:janod
ID: 34152482
@asavener.
Yes i have already download the certificate and installed it on the client computer.
question.
the server name is server.rflaw.local in this case the certifcate titile is also server.rflaw.local. in the connection domain name is rflaw with our external domain name which is eg. zwx.net.

is all the above correct ?
0
 

Author Comment

by:janod
ID: 34152815
@bgoering
 When you say
IP Protocol ID 50: ESP
IP Protocol ID 51: AH0:
For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.
do you mean the pass through for IPSEC,  PPTP and L2TP? i have alread forwarded tcp/UDP ports 500, 4500 and 1732 to the VPN server.  Just dont know what you mean with IP protoco 50 and 51.

Thanks
0
 

Accepted Solution

by:
janod earned 0 total points
ID: 34153525
guys.
case closed
For IKEv2 machine certificate authentication: Ensure the trusted root certificate store on the VPN Server contains **only** the trust root certificate that matches the trust chain with which the client will send the machine certificate. And you MUST delete all the other trust chain on the VPN Server – to avoid any malicious client machine having a certificate with one of those trust chain to be able to successfully connect to this VPN server using IKEv2 machine certificate authentication. WARNING: If you have enabled IKEv2 machine certificate authentication scenario, you MUST NOT install any trusted root certificates from a public certificate authority (e.g. Verisign) on the VPN server machine. Otherwise, any malicious user  with a machine certificate from that particular public CA – can connect with your VPN server. You must only install the trusted root certificate of your own certificate authority.

There was a default certificate along with the new cerificate.
0
 
LVL 28

Expert Comment

by:asavener
ID: 34153871
FYI, you do not need to allow TCP 500, TCP 4500, UDP 1723 or TCP 1723 to the server.  These are not needed for IPSec connections.

TCP 1723 might actually cause problems, since that's the port used for setting up PPTP connections.

If there is any kind of network address translation between the server and client, then IP protocol 50 (ESP) is also not needed.  The connection will detect the address translation and switch over to NAT traversal (NAT-T) and use UDP 4500 for payload encapsulation instead of ESP.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34824867
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Know what services you can and cannot, should and should not combine on your server.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now