• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

VISTA L2TP/IPSEC DEPLOYMENT KIT? HELP!

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> VPN >> VISTA L2TP/IPSEC DEPLOYMENT KIT? HELP! Page: [1]
Login
Message << Older Topic   Newer Topic >>
VISTA L2TP/IPSEC DEPLOYMENT KIT? HELP! - 29.May2008 1:18:31 PM   
admet0s

 

Posts: 2
Joined: 29.May2008
Status: offline
Dear all,

I have spent two months trying to make Vista computers via L2TP/IPSEC VPNs with certificates.  So far unsuccessful and have not found any official documentation from Microsoft to set this up.  I wish Dr. ISA publish a section in the VPN deployment kit for Vista.  I used the deployment kit to setup XP computers successfully and the same method does not work for Vista.

Here I provide a description of the problem for your consideration:

Infrastructure description:

- Windows 2003 Server Standard Enterprise CA with updated certificate templates to support Vista/Longhorn clients web enrollment
- Certificate web enrollment works great with Vista after the template upgrade
- XP computers can connect fine to the VPN server (ISA SERVER 2006) using L2TP/IPSEC
- Tried to setup the Vista clients the same way as  set up XP since there is no official documentation (step-by-step procedure) from Microsoft about Vista IPSEC setup. This does not work since it seems to me that Vista needs two certificates, one for the machine store and the other for the user.
- Tried installing another IPSEC cert in the other store, note that however this is a different certificate, not the same. So this way I have certificate A for my user account cert store and certificate B for my machine cert store.  It does not work
Here is the error I get when connecting in the Vista computer:
Error 810: A network connection between your computer and the VPN server was started, but the VPN connection was not completed. This is typically caused by the use of an incorrect or expired certificate for authentication between the client and the server. Please contact your Administrator to ensure that the certificate being used for authentication is valid.
Here is the most significant error message in the security log of the Vista computer:

Log Name: Security
Source: Microsoft-Windows-Security-
AuditingDate: 4/21/2008 10:30:12 PM
Event ID: 4652
Task Category: IPsec Main Mode
Level: Information
Keywords: Audit Failure
User: N/A
Computer: COMP12
Description:An IPsec Main Mode negotiation failed.
Local Endpoint: Principal Name: - Network Address: Keying Module Port: 4500
Local Certificate: SHA Thumbprint: - Issuing CA: - Root CA: -
Remote Endpoint: Principal Name: - Network Address: Keying Module Port: 4500
Remote Certificate: SHA thumbprint: - Issuing CA: - Root CA: -Additional Information: Keying Module Name: IKE Authentication Method: Certificate Role: Initiator Impersonation State: Not enabled Main Mode Filter ID: 67637
Failure Information: Failure Point: Local computer
Failure Reason: IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.
State: Sent second (KE) payload
Initiator Cookie: 536c74513a285fb0
Responder Cookie: c5247acd2e889518

Here I am assuming that the certificate setup in the Vista client is the same as in XP.  This might be the cause of the problem since I donít know if there is a different procedure for Vista.

Any help will be greatly appreciated!!!!

THANKS!

_____________________________

RA
Post #: 1
RE: VISTA L2TP/IPSEC DEPLOYMENT KIT? HELP! - 30.May2008 11:11:59 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Raul,
The IKE authentication requires one certificate: "machine" certificate. The certificate used for IKE authentication must be stored within the computer store.
You need a user certificate only if you want EAP-TLS for user authentication, the strongest user authentication method (using smartcards). You can actually store the user certificate within the user store if you want to use EAP-TLS and you do not have smartcards.
I've never used the updated web enrollment to support Vista, so I can't help you with it.
I see you are using an Enteprise CA.
If your Vista machines are domain members, use the mmc on them and request a computer certificate for them (the CA certificate was automativally installed on them). Most of my Vista machines are domain members.
If not, my method was to use an XP machine and request an admin certificate using the web enrollment, mark the private key as exportable. Then export the certificate with the private key, delete it from the XP machine, and import it on the Vista machine in the computer store. Now you also need to import the CA certificate into the trusted root CAs store within the *computer store* too.
What's different with Windows Vista, is the fact that you can have a strong IKE authentication, see (if you want to use this, you need to configure your Vista VPN clients to connect by FQDN and not by IP, and the FQDN to match the name from SAN field or the CN):
http://support.microsoft.com/kb/926182
Regards!

(in reply to admet0s)
Post #: 2
RE: VISTA L2TP/IPSEC DEPLOYMENT KIT? HELP! - 30.May2008 11:48:45 AM   
admet0s

 

Posts: 2
Joined: 29.May2008
Status: offline
Hello Justmee and thanks for your reply.

In my case I am not trying to use the strong IKE authentication, just the regular IPSEC VPN with the machine certificate, since I did not know the difference between Vista and XP I thought I needed a user certificate.

I have tried this VPN with domain members and non domain members.  With non domain members I just download the CA cert and put it in the enterprise trust so the machine trust all certificates issued by my CA, that works fine just the way it works for Windows XP.

The big problem is with the IPSEC certificate.  I just discovered something that could be very relevant to the problem.  After I upgraded the web enrollment templates in my Windows 2003 CA to support Vista and Longhorn clients, there is something changed in the IPSEC template.   In the "Key Options" section, the checkbox "Store certificate in the local computer certificate store" is missing after the upgrade.  Note that this checkbox has to be marked when requesting the certificate in Windows XP according to the ISA VPN Deployment Kit (http://www.isaserver.org/img/upl/vpnkitbeta2/xpvpnclient.htm).

As you can see here, there is no way for me to make the template save my certificate in the machine store. The only thing that occurs to me is to try to force the template to install it in the machine store using the "Use specified key container name" option box.  However I do not know the correct syntax to specify the path to the machine store and I have not found any documentation from Microsoft to do this.

I think I did not make myself clear on the version of Windows Server I am using.  The CA is an Enterprise CA (meaning that it is not an stand alone CA), however, I am running this CA in Windows 2003 Server Standard Edition.  This version does not allow to modify the web enrollment templates.  If I was using Windows 2003 Server Enterprise or Datacenter I am allowed to duplicate the IPSEC template and then change the settings to allow private key export.  The default templates do not allow me to export the private keys so I can't use your solution involving XP computers to request the certificates and then export them to the Vista computer.

As you can see Microsoft does not seem to want people to use IPSEC VPNs with Vista, I have two other friends in other companies having the same problem and talking to Microsoft about it, no solution yet.

I keep working on this, thanks anyway for your help!

_____________________________

RA

(in reply to admet0s)
Post #: 3
RE: VISTA L2TP/IPSEC DEPLOYMENT KIT? HELP! - 26.Nov.2008 1:18:15 PM   
bank2640

 

Posts: 34
Joined: 20.Sep.2004
From: Pittsburgh
Status: offline
Hello admet0s.

I was wondering if you ever resolved this issue? I'm having the exact issue as you described with my Vista clients and if you did get this resolved, can you please share this information? If this wasn't resolved what did you do to provide VPN access to your users?

Thanks,
Mike

(in reply to admet0s)
Post #: 4
RE: VISTA L2TP/IPSEC DEPLOYMENT KIT? HELP! - 16.Jan.2009 9:44:13 AM   
davei0594

 

Posts: 21
Joined: 9.Feb.2008
Status: offline
I too have this problem and have, perhaps foolishly, started a new thread http://forums.isaserver.org/ISA%2c_Vista_and_OSX_L2TP%5cIPSec/m_2002079455/tm.htm.

Re: getting the IPSec certificate into the computer store, I requested it via the web-enrollment page from the ISA Server.  I tried two methods for getting it into the computer store, both appeared to work (but these methods may actually be the cause of my problem!):-

1.  Let IE install the cert into the user store.  Then create a new mmc snapin with both 'user' and 'computer' cert store snapins, and simply drag\drop the cert frm the user store into the computer store (under persoal\certs).

2.  Don't let IE install the cert, click the 'save the response' button, copy\paste the code into notepad and save, then open mmc computer cert store, right-click 'cetificates' and import the notepad file.

Then bounce the ISA server.

Both of these result in the certificate appearing in the computer store on ISA, and the properties of the cert all look good eg. private key exists, and the cert chains up to it's CA.  Under 'details', make a note of the thumbprint.

Attempt to connect and let it fail, then check the oakley.log file at c:\windows\debug.  Scroll down until you see the section where ISA starts to choose the right certificate, and you will see the thumprints for each certificate it is evaluating.  If the thumbprint for your IKE cet appears in the log then I have assumed that this means the cert is installed correctly in your computer store.

I personally am getting the error "AcquireContext Sig Key error: -2146893802" in my oakley.log when ISA assesses the IPSec certificate (yes, the one i manually dragged\dropped into the computer store).  So perhaps this isn't the best idea!

Any thoughts from anyone?

(in reply to bank2640)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> VPN >> VISTA L2TP/IPSEC DEPLOYMENT KIT? HELP! Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts