Re: ipsec with certificate authentication issue



Look in the security log of each computer to see if there is any information
about IKE failure that may help determine what is going on. Windows 2000 has
much less logging than Windows 2003. You also want to make sure you have
auditing of logon events enabled in the Local Security Policy of each
computer. My guess is there may be a problem with the administrator
certificates and I would try to use a computer or offline ipsec certificate
[which always worked for me] instead and remove the administrator
certificate from the computer store. In Windows 2000 Enterprise CA you need
to enable the offline ipsec template on the CA before it will show up as an
option via Web Enrollment as an advanced request and then you want to
specify the computer name and be sure to select to store in computer
store. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;257225 --- Windows
2000 ipsec troubleshooting.



"djc" <dcopenhaver@xxxxxxxxxxxxxxx> wrote in message
news:OZ1ZUDZ$FHA.216@xxxxxxxxxxxxxxxxxxxxxxx
>I have ipsec setup for telnet (transport). I'll leave out all the filter
>details as I don't think they are pertinent to the problem. It works fine
>with preshared key but I cannot get it to work with certificate
>authentication. Client machine is connected to the lan via pptp vpn and
>telnet server resides on the remote lan. This works fine with preshared
>key. Both machines have my own MS cert server's certificate installed in
>their local machine store's trusted root certification authorities folder
>and both machines have their own certificate issued from this CA installed
>in their own local machine store. The cert was obtained via ms cert
>services web interface using the 'administrator' template. But if I
>understand correctly the type of cert on each machine does not really
>matter as long as they are both from the same trused root CA, which they
>are.
>
> I'm really not sure where to go from here. I know the issue must be
> certificate auth related since it works just fine with preshared key.
>
> any help would be greatly appreciated.
>


.