I have spent two months trying to make Vista computers connect via L2TP/IPSEC VPNs with certificates. So far I have been unsuccessful and have not found any official documentation from Microsoft on how to set this up. I wish Dr. ISA would publish a section in the VPN deployment kit for Vista. I used the deployment kit to set up XP computers successfully, and the same method does not work for Vista.
Here I provide a description of the problem for your consideration:
- Windows 2003 Server Standard Enterprise CA with updated certificate templates to support Vista/Longhorn clients web enrollment
- Certificate web enrollment works great with Vista after the template upgrade
- XP computers can connect fine to the VPN server (ISA SERVER 2006) using L2TP/IPSEC
- Tried to set up the Vista clients the same way as XP, since there is no official documentation (step-by-step procedure) from Microsoft about Vista IPSEC setup. This does not work, since it seems to me that Vista needs two certificates, one for the machine store and the other for the user.
- Tried installing another IPSEC cert in the other store; note, however, that this is a different certificate, not the same. So this way I have certificate A for my user account cert store and certificate B for my machine cert store. It does not work.

Here is the error I get when connecting in the Vista computer:

Error 810: A network connection between your computer and the VPN server was started, but the VPN connection was not completed. This is typically caused by the use of an incorrect or expired certificate for authentication between the client and the server. Please contact your Administrator to ensure that the certificate being used for authentication is valid.

Here is the most significant error message in the security log of the Vista computer:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/21/2008 10:30:12 PM
Event ID: 4652
Task Category: IPsec Main Mode
Level: Information
Keywords: Audit Failure
User: N/A
Computer: COMP12
Description: An IPsec Main Mode negotiation failed.
Local Endpoint:
  Principal Name: -
  Network Address:
  Keying Module Port: 4500
Local Certificate:
  SHA Thumbprint: -
  Issuing CA: -
  Root CA: -
Remote Endpoint:
  Principal Name: -
  Network Address:
  Keying Module Port: 4500
Remote Certificate:
  SHA thumbprint: -
  Issuing CA: -
  Root CA: -
Additional Information:
  Keying Module Name: IKE
  Authentication Method: Certificate
  Role: Initiator
  Impersonation State: Not enabled
  Main Mode Filter ID: 67637
Failure Information:
  Failure Point: Local computer
  Failure Reason: IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.
  State: Sent second (KE) payload
  Initiator Cookie: 536c74513a285fb0
  Responder Cookie: c5247acd2e889518
Here I am assuming that the certificate setup in the Vista client is the same as in XP. This might be the cause of the problem, since I don't know if there is a different procedure for Vista.
Hi Raul,

The IKE authentication requires one certificate: a "machine" certificate. The certificate used for IKE authentication must be stored within the computer store. You need a user certificate only if you want EAP-TLS for user authentication, the strongest user authentication method (using smartcards). You can actually store the user certificate within the user store if you want to use EAP-TLS and you do not have smartcards.

I've never used the updated web enrollment to support Vista, so I can't help you with it. I see you are using an Enterprise CA. If your Vista machines are domain members, use the mmc on them and request a computer certificate for them (the CA certificate was automatically installed on them). Most of my Vista machines are domain members. If not, my method was to use an XP machine and request an admin certificate using the web enrollment, marking the private key as exportable. Then export the certificate with the private key, delete it from the XP machine, and import it on the Vista machine in the computer store. Now you also need to import the CA certificate into the trusted root CAs store within the *computer store* too.

What's different with Windows Vista is the fact that you can have a strong IKE authentication; see (if you want to use this, you need to configure your Vista VPN clients to connect by FQDN and not by IP, and the FQDN must match the name from the SAN field or the CN): http://support.microsoft.com/kb/926182

Regards!
In my case I am not trying to use the strong IKE authentication, just the regular IPSEC VPN with the machine certificate; since I did not know the difference between Vista and XP, I thought I needed a user certificate.
I have tried this VPN with domain members and non-domain members. With non-domain members I just download the CA cert and put it in the enterprise trust so the machine trusts all certificates issued by my CA; that works fine, just the way it does for Windows XP.
The big problem is with the IPSEC certificate. I just discovered something that could be very relevant to the problem. After I upgraded the web enrollment templates in my Windows 2003 CA to support Vista and Longhorn clients, something changed in the IPSEC template. In the "Key Options" section, the checkbox "Store certificate in the local computer certificate store" is missing after the upgrade. Note that this checkbox has to be marked when requesting the certificate in Windows XP according to the ISA VPN Deployment Kit (http://www.isaserver.org/img/upl/vpnkitbeta2/xpvpnclient.htm).
As you can see here, there is no way for me to make the template save my certificate in the machine store. The only thing that occurs to me is to try to force the template to install it in the machine store using the "Use specified key container name" option box. However I do not know the correct syntax to specify the path to the machine store and I have not found any documentation from Microsoft to do this.
I think I did not make myself clear on the version of Windows Server I am using. The CA is an Enterprise CA (meaning that it is not a stand-alone CA); however, I am running this CA on Windows 2003 Server Standard Edition. This version does not allow modifying the web enrollment templates. If I were using Windows 2003 Server Enterprise or Datacenter I would be allowed to duplicate the IPSEC template and then change the settings to allow private key export. The default templates do not allow me to export the private keys, so I can't use your solution involving XP computers to request the certificates and then export them to the Vista computer.
As you can see, Microsoft does not seem to want people to use IPSEC VPNs with Vista. I have two other friends in other companies having the same problem and talking to Microsoft about it; no solution yet.
I keep working on this, thanks anyway for your help!
I was wondering if you ever resolved this issue? I'm having the exact issue as you described with my Vista clients and if you did get this resolved, can you please share this information? If this wasn't resolved what did you do to provide VPN access to your users?
Re: getting the IPSec certificate into the computer store, I requested it via the web-enrollment page from the ISA Server. I tried two methods for getting it into the computer store, both of which appeared to work (but these methods may actually be the cause of my problem!):
1. Let IE install the cert into the user store. Then create a new mmc snap-in with both 'user' and 'computer' cert store snap-ins, and simply drag\drop the cert from the user store into the computer store (under personal\certs).
2. Don't let IE install the cert; click the 'save the response' button, copy\paste the code into notepad and save, then open the mmc computer cert store, right-click 'certificates' and import the notepad file.
Then bounce the ISA server.
Both of these result in the certificate appearing in the computer store on ISA, and the properties of the cert all look good, e.g. the private key exists, and the cert chains up to its CA. Under 'details', make a note of the thumbprint.
Attempt to connect and let it fail, then check the oakley.log file at c:\windows\debug. Scroll down until you see the section where ISA starts to choose the right certificate, and you will see the thumbprints for each certificate it is evaluating. If the thumbprint for your IKE cert appears in the log then I have assumed that this means the cert is installed correctly in your computer store.
I personally am getting the error "AcquireContext Sig Key error: -2146893802" in my oakley.log when ISA assesses the IPSec certificate (yes, the one I manually dragged\dropped into the computer store). So perhaps this isn't the best idea!
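The checks the replies above rely on (the cert must sit in the computer store, carry its private key, be within its validity period, and chain to the CA in the computer's trusted roots) can be done in one pass instead of clicking through the mmc and comparing thumbprints against oakley.log by hand. The script below is an added diagnostic written for this thread, not something from the posters, ISA Server or Microsoft; it assumes PowerShell 3.0 or later, an elevated prompt, and that the client is the machine it runs on. The function name Test-IkeMachineCert is my own.

```powershell
# Reports, for every certificate in the local computer's Personal store, whether it has
# the properties IKE needs for L2TP/IPsec machine authentication. The Thumbprint column
# is what to look for in c:\windows\debug\oakley.log on a failed connection attempt.
$ikeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # id-kp-ipsecIKEIntermediate EKU

function Test-IkeMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now = Get-Date
    $problems = @()

    # A cert dragged or imported without its key shows up in the store but is useless to IKE.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the computer store' }
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }

    # If an EKU extension is present it must list the IKE intermediate OID; a certificate
    # with no EKU extension at all is also accepted by IKE.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ikeIntermediateOid })) {
        $problems += 'EKU present but lacks IP security IKE intermediate'
    }

    # Chain building uses the computer's trusted root store, so this fails when the CA
    # certificate was imported into the user's store instead of the computer's.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build: $status"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-IkeMachineCert -Cert $_ } | Format-List
```

A certificate reported as Usable whose thumbprint never appears in oakley.log points at IKE configuration rather than the certificate itself; one with 'no private key' is exactly the case the drag-and-drop method in the post above can produce.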