client certificates and L2TP/VPN

Discussion in 'Networks' started by philbenson, Nov 30, 2005.

  1. philbenson

    philbenson Byte Poster

    After Neall's very useful info, I have now managed to get a VPN link to a friend's PC running using PPTP, so many thanks for that.

    However I now want to use L2TP instead. I have set up my Windows Server 2003 DC as an Enterprise root CA, and configured VPN ports through RRAS. There are several ports for both PPTP and L2TP.

    However, when I set up a VPN connection on my friend's PC, I keep getting a message about being unable to locate a valid certificate (Error 781 I think it is). Once a VPN connection is established using PPTP I can install a certificate on the client PC by going to http://servername/certsrv, but still I get the error message. There seems to be a choice between a user certificate or a client authentication certificate.

    Any help would be greatly appreciated.
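    A client-side check for the situation described above, added here as an example and not taken from the thread: L2TP/IPsec authenticates with a computer certificate that must live in the Local Computer Personal store (`Cert:\LocalMachine\My`), so a certificate enrolled through certsrv into the user's own store is never seen by the IPsec service, and error 781 persists. The script lists every machine certificate and flags the reasons it would be rejected (no private key, expired, wrong EKU, chain not trusted). It assumes PowerShell 3 or later on the client, i.e. a newer Windows than the 2005-era machines in the thread; the two OIDs are the standard Client Authentication and IP security IKE intermediate EKUs.

```powershell
# Added example, not part of the original thread. Assumes a PowerShell 3+ client.
# Lists the certificates in the Local Computer Personal store and reports whether
# each one is usable for L2TP/IPsec certificate authentication.

$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate EKU

function Test-L2tpMachineCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $now      = Get-Date
    $problems = @()

    # IPsec needs to sign with the private key; a public-key-only import is useless.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # Validity window
    if ($Cert.NotAfter  -lt $now) { $problems += 'expired' }
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }

    # Enhanced Key Usage: if the extension is present it must allow client auth
    # or IKE intermediate; a certificate with no EKU extension is unrestricted.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($oids -contains $ClientAuthOid -or $oids -contains $IkeIntermediateOid)) {
            $problems += 'EKU allows neither Client Authentication nor IKE intermediate'
        }
    }

    # The chain must build to a root the machine trusts (Trusted Root CAs store).
    if (-not $Cert.Verify()) { $problems += 'chain does not validate to a trusted root' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Only the machine store counts for L2TP/IPsec; Cert:\CurrentUser\My is ignored by it.
$machineCerts = @(Get-ChildItem Cert:\LocalMachine\My)
if ($machineCerts.Count -eq 0) {
    Write-Warning 'No certificates in Cert:\LocalMachine\My; error 781 is expected until a computer certificate is enrolled here.'
}
$machineCerts | ForEach-Object { Test-L2tpMachineCert -Cert $_ } | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the VPN client; the same check applies on the RRAS server, where the certificate additionally needs to be issued to the server's own name. If every row shows `Usable = False`, the `Problems` column says which of the four conditions failed, which is far quicker than reading the generic 781 dialog.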
  2. Clyde

    Clyde Megabyte Poster

    why bother with certificates - it'll be a world of pain. Set ipsec up to use a shared secret.. i.e. type in the same ipsec password on each PC

    plenty of info here... probably too much...


    and there's a worked example here that, while not 100% relevant may give some ideas..

  3. philbenson

    philbenson Byte Poster

    Makes sense. I'm really just trying to get to grips with certificate config ready for my exam tomorrow. Sometimes it makes it clearer to do it rather than just read about it.

    However, will follow the advice in the links you have listed and let you know how I get on. Many Thanx
  4. Bluerinse

    Bluerinse Exabyte Poster

    Good luck in the exam Phil.

    From Clyde's link I found this page...


    On the right there is a Word document named vpndeploy.doc. It has everything in there you want to know and then some. It is 79 pages though :eek:

    From reading nearly the whole thing :rolleyes: I came to the conclusion that Clyde is correct. Certificate based authentication with L2TP/IPSec is a can of worms.

    The copy/paste below may be an issue?

    • L2TP-based VPN clients or servers cannot be behind a NAT unless both support IPSec NAT Traversal (NAT-T). IPSec NAT-T is supported by Windows Server 2003, Microsoft L2TP/IPSec VPN Client, and for VPN clients with L2TP/IPSec NAT-T Update for Windows XP and Windows 2000. Windows 2000 Server does not support IPSec NAT-T.
