Making L2TP work

From: Michael Purcell (
Date: 04/30/03

Date: Wed, 30 Apr 2003 09:39:24 -0700

I am going to explain this in full. My ultimate goal is
to establish an L2TP/IPSec connection to my ISA server.

My setup includes, an Enterprise Root CA server and a
Stand-Alone Subordinate server. My VPN server is an ISA
server acting as a firewall/VPN server. I installed a
machine certificate in to the ISA/VPN server's local
computer store from the Stand-alone Subordinate CA. When
a client requests a certificate from the Stand-alone
Subordinate, they choose an advanced certificate with
there domain username as the name of the certificate and
the intented purpose being client authentication, the CSP
is Microsoft RSA Schannel Crypotographic Provider. I used
this CSP because that is what I am using for the ISA/VPN
server according to Microsoft Article 326474. I also have
to install the client certificate in the local computer
store and in the current user store for the VPN client to
use the certificate. When I attempt to connect to the
ISA/VPN server it says verify username and password, and
then says Error 0x80090325: The certificate chain was
issued by an untrusted authority. On the client the
Standalone Subordinate is list in the Intermediate
Certification Authorities store and the Enterprise Root
CA is listed in the Trusted Root Certification
Authorities store, and the same listings are on the
ISA/VPN server. When you look at the client and ISA/VPN
server's certificate they both chain back to the root
just fine. Now I did finally make an L2TP/IPSec
connection to the ISA/VPN server when I installed a
certificate on the client from the Enterprise Root CA, I
was able to do this because I am testing this VPN
connection internally to the ISA server internal
interface, before trying it externally. The difference
between the certificate form the Root CA and the
Subordinate CA was that the Root CA's certificate had the
name "" on it and the intended
purposes of the certificate were for, client
authentication, encrypting file system (which is not a
choice from the Subordinate CA) and Secure Email. But I
obviously want external clients to use the Standalone
Subordinate to get the certificate to use for the VPN
client. Does anyone know what I am doing wrong? or does
anyone have a suggestions they can through out?

Thanks in advance.