Re: VPN, IPsec, and certificates question
From: Chuck (no.one_at_no.where)
Date: 10/06/04
- Next message: jerrycons: "Re: Please help - IIS App won't write to event log on Windows 2003"
- Previous message: Roger Abell: "Re: Serious EFS Issue"
- In reply to: Steven L Umbach: "Re: VPN, IPsec, and certificates question"
- Next in thread: Steven L Umbach: "Re: VPN, IPsec, and certificates question"
- Reply: Steven L Umbach: "Re: VPN, IPsec, and certificates question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 6 Oct 2004 09:15:17 -0400
You're probably right about the computer name 'cause I can't get it to work.
I keep getting this error when copying the certificates from one client to
another: "Error 789: The L2TP connection attempt failed because the security
layer encountered a processing error...".
The reason I asked the question in the first place is that during testing,
I'm sure I had successfully connected from the second client with copied
certificates. Perhaps there were some leftover certificates from a prior
configuration. In any case, I can no longer get it to work without having
each client make their own certificate request.
Thanks
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:e9s9KuwqEHA.1152@TK2MSFTNGP11.phx.gbl...
> I believe that the computer certificate needs to match the computer name in
> order for it to work. Though I don't endorse using the same computer
> certificate on all computers you would have to test it out to see if it
> works. You can use Web Enrollment to allow users not on the lan to request
> machine certificates for ipsec offline template to use for l2tp. If you are
> using W2K or W2003 Enterprise as a Certificate Authority you can request the
> certificates on the lan to distribute to remote users though I would not
> want to do it for more than a few dozen computers as it is a bit time
> consuming. -- Steve
>
>
> "Chuck" <no.address@no.where> wrote in message
> news:%23mSHjatqEHA.1952@TK2MSFTNGP12.phx.gbl...
> > Thanks for the information. And yes, I am using VPN with L2TP so I am
> > talking about computer certificate on the client. I wanted to know if
> > there was a problem with using the same computer certificate on all the
> > clients.
> >
> >
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:Od%23tlZoqEHA.3520@TK2MSFTNGP11.phx.gbl...
> >> Ideally you would not want to have your VPN server also be your CA. A VPN
> >> server has a higher risk for compromise than other computers in that it
> >> accepts traffic from the internet. If it is compromised then your whole
> >> PKI is compromised and would require you to create a new CA, remove old
> >> CA certificates from trusted stores, and issue new certificates. That
> >> would be a huge problem in most larger networks. However it is understood
> >> a lot of smaller networks exist with smaller budgets and less demanding
> >> needs and are willing to take that chance. If you do what you propose
> >> make sure a firewall protects the server and it is hardened by
> >> eliminating unneeded services, uses complex passwords for administrator
> >> accounts, has virus protection, is current with critical updates, etc.
> >>
> >> Ideally you would want to use a separate certificate for each user so
> >> that you can track what users are logging on via VPN. Keep in mind that
> >> with user certificates if an unauthorized user accesses the computer
> >> they will be able to access the VPN with that certificate. It is not hard
> >> to use a program to reset the built in administrator account on a W2K
> >> computer if the person has physical access to the computer and can boot
> >> from a floppy or cdrom. You could enable strong private key protection on
> >> the certificate's private key that would prompt a user for a password to
> >> access the private key when it is accessed. --- Steve
> >>
> >> I am not sure what your reference to ipsec in your posting is for. Ipsec
> >> in a VPN connection would mean that l2tp is going to be used. Keep in
> >> mind that l2tp requires "computer" certificates for the VPN server and
> >> all client VPN computers. L2tp enhances VPN security quite a bit over
> >> l2tp by requiring computer authentication first in addition to user
> >> authentication. l2tp will not work over a NAT connection to a W2K VPN
> >> server. --- Steve
> >>
> >>
> >> "Chuck" <no.address@no.where> wrote in message
> >> news:OHjN6BhqEHA.896@TK2MSFTNGP12.phx.gbl...
> >>> Hi,
> >>>
> >>> 1. Are there any security concerns with having a stand-alone certificate
> >>> server and a VPN server on the same box?
> >>> 2. Is there any problem with using the same certificate for all my VPN
> >>> clients? I realise that I would not be able to revoke the certificate
> >>> without affecting all the users but instead of revoking the
> >>> certificate, I would of course disable their account so that they
> >>> cannot authenticate in the first place. Any problems with this
> >>> scenario?
> >>>
> >>> Thanks
> >>>
> >>
> >>
> >
> >
>
>
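A client-side check for the situation this thread describes (a computer certificate copied between clients, then L2TP failing with error 789): list the certificates in the Local Computer store and flag any whose subject does not name this machine, that have no private key, whose EKU does not permit IPsec use, or whose chain does not validate. This is an added example, not code from the thread; it assumes the CA issued the subject as the short computer name or its DNS FQDN, and the EKU OID list is the standard set, not something specific to this poster's CA.

```powershell
# Added example (not from the thread): audit the Local Computer certificate store
# for the kind of mismatches that make an L2TP/IPsec client fail with "Error 789"
# after a computer certificate has been copied from another client.
$ekuServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ekuClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ekuIpsecIke   = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
$usableEku     = @($ekuServerAuth, $ekuClientAuth, $ekuIpsecIke)

# Assumption: the CA issued the subject as either the short name or the DNS FQDN.
$computerName = $env:COMPUTERNAME
$fqdn = [System.Net.Dns]::GetHostEntry($computerName).HostName

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $issues = @()

    # 1. Subject must name this machine, not the client the cert was copied from.
    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    if (@($computerName, $fqdn) -notcontains $cn) {
        $issues += "subject CN '$cn' is not this computer"
    }

    # 2. Exporting only the public half (.cer) leaves no private key to authenticate with.
    if (-not $cert.HasPrivateKey) { $issues += 'no private key' }

    # 3. If an EKU extension is present it must allow an IPsec/L2TP use.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($oids | Where-Object { $usableEku -contains $_ })) {
            $issues += "EKU [$($oids -join ', ')] not usable for IPsec"
        }
    }

    # 4. Validity and chain: the issuing CA must be in the machine's trusted stores.
    if ($cert.NotAfter -lt (Get-Date)) { $issues += "expired $($cert.NotAfter.ToShortDateString())" }
    if (-not $cert.Verify()) { $issues += 'chain does not validate (CA not trusted or revoked)' }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Status     = if ($issues) { $issues -join '; ' } else { 'OK for L2TP' }
    }
}

$report | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the failing client; a certificate whose Status names the other client's CN is the copied one, and requesting a fresh machine certificate on that client (as the thread concludes) is the fix.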