client certificates and L2TP/VPN

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

After Nealls very useful info, I have now managed to get a VPN link to a friends PC running using PPTP so many thanks for that.

However I now want to use L2TP instead. I have set up my Windows Server 2003 DC as an Enterprise root CA, and configured VPN ports through RRAS. There are several ports for both PPTP and L2TP.

However when I set up a VPN connection on my friends PC, I keep getting a message about being unable to locate a valid certificate (Error 781 I think it is). Once a VPN connection is established using PPTP I can install a certificate on the client PC by going to http://servername/certsrv but still I get the error message. There seems to be a choice between user certificate or a client authentication certificate.

Any help would be greatly appreciated.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

why bother with certificates - it'll be a world of pain. Set ipsec up to use a shared secret.. i.e. type in the same ipsec password on each PC

plenty of info here... probably too much...

http://www.microsoft.com/windows2000/technologies/communications/vpn/default.mspx

and there's a worked example here that, while not 100% relevant may give some ideas..

http://www.cuhk.edu.hk/itsc/network/vpn/win2k_setting.html#createvpn

 

Makes sense. I'm really just trying to get to grips with certifcate config ready for my exam tomorrow. Sometimes it makes it clearer to do it rather than just read about it.

However, will follow the advice in the links you have listed and let you know how I get on. Many Thanx

 

Good luck in the exam Phil.

From Clyde's link I found this page...

http://www.microsoft.com/windows2000/techinfo/planning/incremental/vpndeploy.asp

On the right there is a Word document named vpndeploy.doc It has everything in there you want to know and then some. It is 79 pages though

From reading nearly the whole thing I came to the conclusion that Clyde is correct. Certificate based authentication with L2TP/IPSec is a can of worms.

The copy/paste below may be an issue?

• L2TP-based VPN clients or servers cannot be behind a NAT unless both support IPSec NAT Traversal (NAT-T). IPSec NAT-T is supported by Windows Server 2003, Microsoft L2TP/IPSec VPN Client, and for VPN clients with L2TP/IPSec NAT-T Update for Windows XP and Windows 2000. Windows 2000 Server does not support IPSec NAT-T.