Making L2TP work

From: Michael Purcell (mike_at_cmatech.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 09:39:24 -0700


I am going to explain this in full. My ultimate goal is
to establish an L2TP/IPSec connection to my ISA server.

My setup includes an Enterprise Root CA server and a Stand-Alone Subordinate server. My VPN server is an ISA server acting as a firewall/VPN server. I installed a machine certificate into the ISA/VPN server's local computer store from the Stand-alone Subordinate CA. When a client requests a certificate from the Stand-alone Subordinate, they choose an advanced certificate with their domain username as the name of the certificate and the intended purpose being client authentication; the CSP is Microsoft RSA SChannel Cryptographic Provider. I used this CSP because that is what I am using for the ISA/VPN server according to Microsoft Article 326474. I also have to install the client certificate in the local computer store and in the current user store for the VPN client to use the certificate.

When I attempt to connect to the ISA/VPN server it says verify username and password, and then says Error 0x80090325: The certificate chain was issued by an untrusted authority. On the client the Standalone Subordinate is listed in the Intermediate Certification Authorities store and the Enterprise Root CA is listed in the Trusted Root Certification Authorities store, and the same listings are on the ISA/VPN server. When you look at the client and ISA/VPN server's certificates they both chain back to the root just fine.

Now I did finally make an L2TP/IPSec connection to the ISA/VPN server when I installed a certificate on the client from the Enterprise Root CA; I was able to do this because I am testing this VPN connection internally, to the ISA server's internal interface, before trying it externally. The difference between the certificate from the Root CA and the one from the Subordinate CA was that the Root CA's certificate had the name "username@domain.com" on it and the intended purposes of the certificate were client authentication, encrypting file system (which is not a choice from the Subordinate CA) and Secure Email. But I obviously want external clients to use the Standalone Subordinate to get the certificate to use for the VPN client. Does anyone know what I am doing wrong, or does anyone have suggestions they can throw out?

Thanks in advance.

Mike
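The check a practitioner would run on each end before trying the tunnel again, added here as an example and not part of the original message: it enumerates the computer's personal store (the store the L2TP/IPsec client and the ISA/VPN server both read), keeps only certificates carrying the Client Authentication EKU, and builds each chain with the same Windows chain engine that produces 0x80090325, so the specific CAPI status behind "untrusted authority" is printed instead of a generic failure. The store path and OIDs are standard Windows values; the function name is this example's own.

```powershell
# Added example, not from the original post: report why a VPN machine
# certificate's chain is or is not trusted on this computer.
# Store path, EKU OID and status flag names are standard Windows values;
# the function name is this example's own.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-VpnClientCertChain {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # computer store, as IKE uses
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Keep only certificates the VPN client can select on (Client Authentication EKU).
        if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })) { continue }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Require every certificate in the chain to permit client authentication.
        $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
        # Isolate the trust question first; revocation can be re-enabled afterwards.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

        $trusted = $chain.Build($cert)

        "{0}  (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint
        "  has private key : {0}" -f $cert.HasPrivateKey
        "  chain built from this computer's stores:"
        foreach ($element in $chain.ChainElements) {
            "    {0}" -f $element.Certificate.Subject
        }
        if ($trusted) {
            "  result: chain is trusted for client authentication"
        } else {
            # One line per CAPI status flag, e.g. PartialChain, UntrustedRoot, NotValidForUsage.
            foreach ($status in $chain.ChainStatus) {
                "  result: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim()
            }
        }
    }
}

Test-VpnClientCertChain
```

Read the status line rather than the Subject list: PartialChain means the subordinate CA certificate could not be found in this computer's Intermediate store, UntrustedRoot means the chain reached a root that is not in this computer's Trusted Root store, and NotValidForUsage means a certificate in the chain does not permit client authentication. Run it on the ISA/VPN server as well as on the client, because during IKE each side validates the peer's certificate against its own stores, so the issuers of the client's certificate must be trusted on the server and vice versa, and a chain that looks fine in the client's own certificate viewer says nothing about what the server can build.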
