WinXP l2TP/IPSec VPN Client issues
WinXP l2TP/IPSec VPN Client issues - 11.Oct.2002 9:19:00 AM
whisperedlies (Posts: 189, Joined: 7.Jun.2002, From: Ohio)
It's been a long day and I'm losing it, so maybe I'm just doing something stupid.
But I have ISA set up as a VPN server, I have a standalone root CA for issuing certs to clients, and I have my Windows 2000 VPN clients using L2TP/IPSec. On my Windows 2000 clients, L2TP/IPSec is working just fine. The PCs are not members of the domain, but instead requested a client certificate from the CA. I've added my CA as a trusted root CA. Everything there is working just great.
However, when I go to use L2TP/IPSec on my Windows XP Pro box, I go to my cert server, request, issue, and install my cert as I have been for the Win2K boxes, and then create a new VPN connection to my VPN server. When I use L2TP it says it can't find a valid machine cert. If I use PPTP, it works fine.
Am I just overlooking something simple?
Mike
RE: WinXP l2TP/IPSec VPN Client issues - 11.Oct.2002 3:46:00 PM
whisperedlies (Posts: 189, Joined: 7.Jun.2002, From: Ohio)
Egh... I dunno why this isn't working.
Ok, here's the details (as much as I can recall): I have a separate server on our network that is working as a standalone root CA; there are no intermediaries. The VPN server receives a server and client certificate from this CA, and the Windows 2000 client receives a client certificate from this CA also.
IPSec SAs are established before PPP authentication by checking certificates. The server has to trust the client's root and intermediary CAs, and the client needs to trust the server's root and intermediary CAs; once this is true, SAs are established, PPP is authenticated, and voila, we have our L2TP/IPSec VPN connection (correct me if I have the authentication process wrong). Since there are no intermediary CAs, and the root CA is the same issuer of the server's and the client's certificate, then we should be golden. On the Windows 2000 machines, the L2TP/IPSec connections work perfectly.
I do the same process on a Windows XP Pro box, and it doesn't work; it says that there are no matching certificates. I've verified that the CA path is installed and checks out OK on the XP client. I've also verified that the client certificate is installed and checks out OK.
The one thing I realized was the XP box is behind NAT, and I thought, well, L2TP/IPSec doesn't work behind NAT. Then I remembered that the VPN client included in 2000 and XP (and that can be downloaded for 98, ME and NT) both support NAT traversal, so that shouldn't be the problem.
So what am I missing? I just can't put my finger on it.
Mike
RE: WinXP l2TP/IPSec VPN Client issues - 11.Oct.2002 10:37:00 PM
mbundy (Posts: 20, Joined: 6.Sep.2002)
This actually raises a point I've never totally understood... I know that XP (and updated) VPN clients support NAT-T, but W2K Server does not (supposedly it will be in the .NET edition), so does L2TP break if either end doesn't support NAT-T and NAT was involved somewhere in the connection, or is NAT-T only an issue to be dealt with at each end?
-- MB.
RE: WinXP l2TP/IPSec VPN Client issues - 11.Oct.2002 10:54:00 PM
whisperedlies (Posts: 189, Joined: 7.Jun.2002, From: Ohio)
I believe that issue only regards the NAT service the Windows 2000 server provides, that the server's NAT service cannot do NAT-T, but I BELIEVE (not sure) that if the NAT client supports NAT-T, then you should be OK.
But the ISA's endpoint in a VPN connection is through a routable IP, so NAT is not performed on that end. I just have to make sure that my client can NAT-T or that the NAT service my client is behind supports traversal.
But anywho... I did notice that for some reason, when I downloaded the CA path on my client, it put it in the wrong folder (Intermediate CA). I moved it, and now I just get a different error, no longer saying that there is no valid certificate, but instead it's saying the authentication failed.
I'll try moving my XP client outside the NAT tonight and see if that fixes anything, but... I dunno. Bleh.
Mike
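The misfiled CA certificate in the post above is exactly the kind of thing a store audit catches before you start chasing NAT-T. The following PowerShell script is an added example, not code from the thread or from ISA Server, and assumes a modern Windows client where the certificate stores are exposed through the Cert: drive (the store layout is the same one the XP certificate snap-in shows).

```powershell
# Added example: audit the local machine certificate stores for the L2TP/IPSec
# machine-certificate symptoms from the thread (misfiled root CA, no usable
# machine cert). Run in an elevated PowerShell on the VPN client.
function Test-L2tpMachineCert {
    $findings = @()

    # A self-signed CA certificate in the Intermediate store is the misfiled-root
    # symptom from the post: it belongs in LocalMachine\Root.
    foreach ($ca in Get-ChildItem Cert:\LocalMachine\CA) {
        if ($ca.Subject -eq $ca.Issuer) {
            $findings += "MISFILED: self-signed CA cert in LocalMachine\CA, move to LocalMachine\Root: $($ca.Subject)"
        }
    }

    # IKE validates the machine certificate against the machine stores, so a root
    # imported only into the current user's store does not help the VPN client.
    $trustedRoots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }

    # Candidate machine certificates: LocalMachine\My with a private key.
    $machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
    if (-not $machineCerts) {
        $findings += "NONE: no certificate with a private key in LocalMachine\My"
    }

    foreach ($cert in $machineCerts) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation so an unreachable CRL does not mask a chain-building problem.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootTrusted = $trustedRoots -contains $top.Thumbprint
        if ($built -and $rootTrusted) {
            $findings += "OK: $($cert.Subject) chains to trusted root $($top.Subject)"
        } else {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $findings += "FAIL: $($cert.Subject) chain status [$status]; top of chain '$($top.Subject)' in LocalMachine\Root: $rootTrusted"
        }
    }
    return $findings
}

Test-L2tpMachineCert
```

A MISFILED line plus a FAIL line with a PartialChain or UntrustedRoot status is the situation the post describes; moving the CA certificate into the Root store and re-running should turn the FAIL into OK.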
RE: WinXP l2TP/IPSec VPN Client issues - 12.Oct.2002 7:04:00 PM
whisperedlies (Posts: 189, Joined: 7.Jun.2002, From: Ohio)
Hi Stefaan,
So even if my client's L2TP/IPSec transport supports NAT-T, the gateway I'm connecting to also needs to support it?
I suppose that would make sense. That's very disappointing, however.
At home, I'm working on replacing my NAT box with an ISA server, running on .NET 2003. .NET 2003 supposedly will do NAT-T. But I will still be presented with the same problems, as the end node is still a server that doesn't support NAT-T; am I correct in this assumption?
I would love to go to a smartcard-type solution, but remote access isn't a primary feature for our network, so, at least at this juncture, getting finances for it would be pretty hard, especially because at this point only 2 people would be using it.
I'm thinking the best route to go is just to create a gateway-to-gateway VPN.
Thanks a lot for all the info, Stefaan!
Mike
RE: WinXP l2TP/IPSec VPN Client issues - 18.Oct.2002 10:31:00 PM
Guest
FINALLY! Someone having the same problem I have had! A couple of months ago I was experimenting with setting up an IPSec VPN to an ISA server. But since I had long switched to XP on my notebook, and I experienced the exact same problem as you describe, Mike, I had abandoned it all and switched to PPTP for the 2 persons who required remote VPN access. Since I was *new* at certificates, IPSec and L2TP, this was quite a confusing time, especially because there are not very many diagnostics available when an IPSec connection fails... BTW: in my setup, I was not connecting over NAT... The idea about fragmentation is perhaps worth researching. I'm going to set up the home lab again and read those links from Stefaan.
Anyway, I had found out something that you might find useful: I had discovered that MS puts a .NET CA online for testing purposes (http://sectestca1.rte.microsoft.com). When I used certificates for the ISA server and for the client from this CA, it worked! I had heard from someone else that Win2K boxes connect just fine in this scenario, so I concluded that in order to use IPSec between an XP box and ISA, you need a .NET CA server, which was only in beta at that time (and in RC1 now), so my attempt to create an IPSec VPN ended there.
Bart (also from Belgium; bart.ramharter@advalvas.be)
RE: WinXP l2TP/IPSec VPN Client issues - 19.Oct.2002 6:13:00 PM
tshinder (Posts: 47669, Joined: 10.Jan.2001, From: Texas)
Hey guys,
I use a WinXP notebook to connect to our office whenever we leave town. I use L2TP/IPSec and our own enterprise root certificate server. It all works fine. I DO NOT use the Windows 2003 certificate server, so I'm not sure what the problem is that you're having.
HTH, Tom