Re: revoking ipsec certificate doesn't work
From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 09/24/05
- Previous message: TimeTraveller: "Spontaneous permission changes-How?Why?"
- In reply to: Franz Schenk: "Re: revoking ipsec certificate doesn't work"
- Next in thread: Franz Schenk: "Re: revoking ipsec certificate doesn't work"
- Reply: Franz Schenk: "Re: revoking ipsec certificate doesn't work"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 Sep 2005 22:18:58 -0500
In article <OC33ceEwFHA.3864@TK2MSFTNGP12.phx.gbl>,
franz.schenkNOSPAM@fititNO-_SPAM.ch says...
> Thank you for your information.
>
> It's possible to publish manually the update delta and full CRL using the CA
> MMC SnapIn on the Server. I also have verified that this CRL is published in
> AD and in a file.
> Despite of that, my test VPN client (or the VPN server) never checks if the
> certificate using for the L2TP/IPSec connection is revoked or not. The Win
> XP SP2 client can establish the L2TP/IPSec VPN connection to the Windows
> Server 2003 SP1 without any problem after the certificate is revoked nearly
> a week ago.
>
<snip>
There are a couple of possibilities here:
1) Did you enable CRL checking for IPSec? In my whitepaper on
Certificate Status and Revocation, I include a section discussing CRL
checking for IPSec connections. Ensure that you have enabled the
following registry setting at both the client and the server (more so the
server in your case):
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\StrongCrlCheck
This Reg_DWORD data type can be assigned values from 0-2, with the
following meanings:
- 0 - Disables CRL checking for certificate-based IPSec authentication
- 1 - Enables CRL checking and fails the validation process only if the
CRL explicitly indicates that the certificate is revoked. All other
failures, including when the CDP URL is unavailable, will be ignored.
- 2 - Enables CRL checking and fails certificate validation on any CRL
check errors.
For maximum validation, set a value of 2, although a value of 1 would
work in your case.
2) The second issue may be that you have not modified the default CRL
publication interval. The default value is to publish the base CRL every
7 days. If you look at the troubleshooting whitepaper, you will see that
a client will not download an updated CRL if a time valid CRL exists in
the client's cache. The client will only download an updated CRL when
the previous CRL expires from the cache (as per RFC 3280). For the
details, see the whitepaper at
http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx
Brian
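As an added illustration (not code from Brian's post or whitepaper), the following PowerShell audits and sets the StrongCrlCheck value described above and reads a base CRL's NextUpdate so you can see how long a cached CRL stays in use. It assumes an elevated PowerShell session on Windows with certutil.exe on the path, and that certutil's dump output contains a "NextUpdate:" line.

```powershell
# Added example, not from the thread: audit/set the StrongCrlCheck value Brian
# describes and read a base CRL's NextUpdate to see how long a cached copy lives.
# Assumed: elevated PowerShell on Windows; certutil.exe available on the path.

$OakleyKey = 'HKLM:\System\CurrentControlSet\Services\PolicyAgent\Oakley'

function Get-StrongCrlCheck {
    # Returns the current value (or $null when not set) with its meaning.
    $item  = Get-ItemProperty -Path $OakleyKey -Name StrongCrlCheck -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.StrongCrlCheck } else { $null }
    $meaning = if ($null -eq $value) { 'value not present' } else {
        switch ($value) {
            0 { 'CRL checking disabled for certificate-based IPsec authentication' }
            1 { 'CRL checked; fails only when the CRL explicitly lists the cert as revoked' }
            2 { 'CRL checked; any CRL check error (e.g. CDP unreachable) fails validation' }
            default { "unexpected value $value (valid range is 0-2)" }
        }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; StrongCrlCheck = $value; Meaning = $meaning }
}

function Set-StrongCrlCheck {
    # Apply on both the VPN client and the VPN server; 2 gives maximum validation.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 2)][int]$Level = 2)
    if (-not (Test-Path $OakleyKey)) { New-Item -Path $OakleyKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($OakleyKey, "Set StrongCrlCheck = $Level")) {
        New-ItemProperty -Path $OakleyKey -Name StrongCrlCheck -PropertyType DWord -Value $Level -Force | Out-Null
    }
}

function Get-CrlNextUpdate {
    # Parses NextUpdate from 'certutil -dump <crl>' (assumed output format). Until
    # this time passes, a client keeps using its cached CRL and will not see a
    # revocation published later, even after a manual CRL publish.
    param([Parameter(Mandatory)][string]$CrlPath)
    $hit = certutil -dump $CrlPath | Select-String -Pattern '^\s*NextUpdate:\s*(.+?)\s*$'
    if (-not $hit) { throw "NextUpdate not found in certutil output for $CrlPath" }
    $next = [datetime]::Parse($hit[0].Matches[0].Groups[1].Value)
    [pscustomobject]@{
        Crl               = $CrlPath
        NextUpdate        = $next
        HoursUntilRefresh = [math]::Round(($next - (Get-Date)).TotalHours, 1)
    }
}

Get-StrongCrlCheck
# Set-StrongCrlCheck -Level 2 -WhatIf
# Get-CrlNextUpdate -CrlPath '<path to the published base CRL>.crl'
```

Run Get-StrongCrlCheck on both ends of the L2TP/IPSec tunnel; a missing value or 0 explains why a revoked certificate still authenticates, and a large HoursUntilRefresh explains why a freshly published CRL is not yet consulted.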