Re: IPSec and CA's

From: Troy Bruder (troy.bruder_at_aptconsulting.com)
Date: 06/05/03


Date: Thu, 5 Jun 2003 15:31:37 -0400


Thanks Steve..

We got it working with Preshared keys... But now we're moving to test with
Certificates from an internal standalone CA. We have the certificate
installed on the client, and configured the internal CA within the "Client"
IPSec policy, but when trying to make a connection to the server we log an
event ID 547 and end up making an unsecured connection.

The 547 event states that: "IKE failed to find valid machine certificate".

Any idea what we're missing and how possibly to resolve? We generated the
certificate using the CA's Website (http://internal_server\certsrv).

Thanks,
Troy

"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:fILDa.80905$M01.44611@sccrnsc02...
> Ipsec would use mutual machine authentication to set up a security
> association and use ESP/AH or both to authenticate and/or encrypt all
> traffic before the user would even be prompted to enter user name/password.
> Only W2K/XP PRO boxes would be able to use ipsec to communicate with that
> server - downlevel clients do not support ipsec, but still could communicate
> as long as you did not configure a "require" ipsec policy. I would suggest
> setting up with preshared key for ipsec authentication to test everything
> out. --- Steve
>
> "Troy Bruder" <troy.bruder@aptconsulting.com> wrote in message
> news:Opuoef3KDHA.2188@TK2MSFTNGP09.phx.gbl...
> > Hello,
> >
> > I have a Win2k member server which does not participate in our NT 4.0
> > domain. Users have separate accounts on this box for making file share
> > connections and also to authenticate to websites it runs.
> >
> > We need to add some security to this configuration. I was thinking of
> > installing a standalone CA to manually configure certificates for client
> > authentication, then configuring the box for IPSec connections only. Can
> > someone tell me exactly how things work for say drive share mapping and
> > website browsing??
> >
> > For example, when a user makes a connection, they'll enter a user ID and
> > PW... Will the box validate that information, then check the
> > certificate??
> >
> > Any other suggestions/recommendations would be greatly appreciated!
> >
> > Thanks,
> > Troy
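A diagnostic added here for the condition event 547 reports (it is not part of the thread and not Microsoft's tooling): it lists the Local Computer personal store and flags which certificates carry a private key, are unexpired and chain to a trusted root, which is what IKE needs for machine authentication. It assumes a current Windows host with PowerShell and .NET; the Windows 2000 box in the thread predates PowerShell.

```powershell
# Added example, not from the thread. IKE machine authentication looks only in
# the Local Computer personal store, so a certificate enrolled into the user's
# store never satisfies it; this script shows what is actually in that store.
$store = 'Cert:\LocalMachine\My'
$certs = Get-ChildItem -Path $store
if (-not $certs) {
    Write-Warning "No certificates in $store; IKE does not search the user store."
    return
}

foreach ($cert in $certs) {
    # Build the chain the same way the OS would, minus revocation (offline check).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # Last element of a built chain is the root the OS trusts (or the last cert it found).
    $root = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '<none>' }
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        ChainBuilds   = $chainOk
        ChainRoot     = $root
        ChainStatus   = if ($status) { $status } else { 'OK' }
        # A certificate IKE can use: private key present, valid now, chain to a trusted root.
        UsableForIKE  = ($cert.HasPrivateKey -and $chainOk -and $cert.NotAfter -gt (Get-Date))
    }
}
```

If every row shows UsableForIKE as False, compare the ChainRoot column with the CA selected in the IPSec policy's authentication method; the two must name the same root.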


