Re: revoking ipsec certificate doesn't work

From: Franz Schenk (franz.schenkNOSPAM_at_fititNO-_SPAM.ch)
Date: 09/23/05

    Date: Fri, 23 Sep 2005 16:06:03 +0200

    Thank you for your information.

    It's possible to manually publish the updated delta and full CRL using the CA
    MMC snap-in on the server. I have also verified that this CRL is published in
    AD and in a file.
    Despite that, my test VPN client (or the VPN server) never checks whether the
    certificate used for the L2TP/IPSec connection is revoked or not. The Win
    XP SP2 client can establish the L2TP/IPSec VPN connection to the Windows
    Server 2003 SP1 without any problem, although the certificate was revoked
    nearly a week ago.

    Is there any documentation from MS on how the process of verifying the validity
    of the certificate when establishing a VPN connection should work? Is this MS
    security?

    Thanks to all in advance for any help
    Franz

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:efycLlguFHA.3864@TK2MSFTNGP12.phx.gbl...
    > Certificate revocation is not immediate on client computers. There are two
    > types of CRL for Windows computers - the regular and delta. The regular
    > was what was used until Windows 2003/XP and by default has a weekly
    > publish schedule. The delta CRL by default is published daily. Until your
    > VPN server refreshes its CRL cache with the delta CRL that contains the
    > revoked certificate it will not know that the certificate is revoked. I
    > don't know of a way to "flush the cache" to speed this up.
    >
    > While revoking the certificate was a good thing to do I would not rely on
    > that alone to prevent access. I don't know how securely your PKI is
    > managed but there may be the possibility that they have other
    > certificates. You really need to prevent the user accounts that they can
    > use from logging on via VPN, in the dial-up properties of those accounts,
    > or maybe consider shutting down the VPN until you can decide on the best
    > way to proceed, whether it be changing the account passwords, etc. If you
    > have a specific Remote Access Policy that allows that company access, you
    > may also be able to modify that policy to prevent access. --- Steve
    >
    > "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
    > news:uFEkz2fuFHA.1572@TK2MSFTNGP10.phx.gbl...
    >> Imagine the following scenario:
    >>
    >> - We have a Windows 2003 SP1 VPN server with a standalone or enterprise
    >> certification authority, allowing only L2TP/IPSec connections with
    >> certificate-based authentication.
    >> - We have an external company that has a computer with an installed
    >> computer IPSec certificate from our CA for VPN access.
    >> - The external company has knowledge of several user accounts/passwords
    >> that have VPN dial-in permissions to our VPN server.
    >>
    >> - We need to disable VPN access for this external company as fast as
    >> possible, but it's not possible to change all these user
    >> accounts/passwords.
    >>
    >> I thought this one would be easy: go to the certification authority, revoke
    >> the certificate that was issued to the computer of the external company,
    >> then manually publish the CRL and delta CRL.
    >>
    >> I have tested this scenario; it doesn't work at all. The computer from the
    >> external company still has the IPSec certificate after several hours and
    >> several reboots, and is able to connect to the VPN server.
    >>
    >> Any advice, solutions, suggestions?
    >> Thank you all in advance for your help!
    >> Franz
    >>
    >
    >
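The thread stops at "the server has not refreshed its CRL cache". The checks below are an added example, not from any poster: they force fresh CRLs on the CA, then make the VPN server drop its cached CRLs and evaluate revocation during IKE, and finally verify the revoked certificate offline. The certutil options, the reg.exe syntax, the PolicyAgent service and the Oakley StrongCrlCheck value are Windows Server 2003/XP features I know to exist; the certificate file path is a placeholder, and the value chosen for StrongCrlCheck is an assumption to adapt to your fail-open/fail-closed policy.

```batch
@echo off
rem Added example (not from the thread). Part 1 runs on the CA, parts 2 and 3
rem on the RRAS/VPN server, from an elevated command prompt.

rem ---- Part 1 (CA): publish a fresh base CRL and delta CRL right now ----
rem After revoking the certificate in the CA MMC, do not wait for the
rem scheduled publication (weekly base, daily delta by default).
certutil -crl
rem certutil -crl delta      -> publishes only a new delta CRL
rem certutil -crl republish  -> re-pushes the latest CRLs to the CDP locations

rem ---- Part 2 (VPN server): enforce CRL checking inside IKE ----
rem IKE (the Oakley component of the IPsec Policy Agent) reads this value:
rem   0 = never check CRLs during IKE negotiation
rem   1 = reject the peer only if its certificate is listed as revoked
rem   2 = reject the peer if the CRL cannot be fetched or validated at all
rem Setting it explicitly avoids depending on the build's default. 1 keeps
rem VPN users working when the CDP is unreachable; 2 is fail-closed.
reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley ^
    /v StrongCrlCheck /t REG_DWORD /d 1 /f

rem Drop the CryptoAPI CRL cache so the next validation downloads the CRLs
rem that were just published instead of reusing the week-old copy.
certutil -urlcache crl delete

rem Restart the IPsec service so IKE re-reads the registry and its own cache.
rem Note: existing IPsec SAs, and therefore current L2TP sessions, are torn
rem down by this restart.
net stop PolicyAgent
net start PolicyAgent

rem ---- Part 3 (VPN server): prove the revoked certificate is rejected ----
rem Export the external computer's certificate (public part only) to a .cer
rem file (placeholder path) and build its chain with online CRL retrieval;
rem the revocation status lines in the output must now show it as revoked.
certutil -verify -urlfetch C:\temp\external-company.cer
```

If certutil still reports the certificate as good, the VPN server is resolving a CDP (AD or file path) that does not yet carry the new base or delta CRL, which is the place to look before changing anything on the clients.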

