Welcome to ISAserver.org
L2TP VPN during forest migration. This is a tough one.

All Forums >> [ISA 2006 Firewall] >> VPN >> L2TP VPN during forest migration. This is a tough one. Page: [1]
L2TP VPN during forest migration. This is a tough one. - 19.Mar.2010 3:34:57 PM   
Ross G

Posts: 11
Joined: 5.Aug.2004
From: Michigan
Status: offline
We're presently in the middle of a migration to another forest, as a result of a merger. Here are the key facts:

* The source and destination forest both have their own root CA and issuing CA.
* Users in the source forest use an ISA 2006 server for L2TP VPN.
* Our desire is to continue to use that L2TP server throughout the migration.

Most other services work fine between forests. Currently we have a CTL and a 2-way forest trust in place and working, and we migrate accounts with SID history. A RADIUS proxy exists for cross-forest authentication of accounts that use our EAP/802.1x wireless.

The ISA L2TP VPN, though, is proving to be tough to get to work. The ChapV2 part works fine (for example, I can type in credentials of a destination forest user and that works fine due to trust), but once the computer is migrated, I get an IKE authentication failure. This surprised me because I have the CTL in place for the needed certificate purposes and the computer is a member of the group needed for VPN access. Then I read this and it has me troubled: http://www.dscoduc.com/2010/01/rras-and-certificate-troubles/

What that site says is that a MS L2TP VPN server will only ever accept a client certificate from the same certificate authority as the one which issued its certificate. Is this true? If this is true, is there some workaround? The problem is users aren't all migrating at once. If they were, I'd just move the server to the destination domain and get a cert there when they migrated.

Thanks in Advance,
Ross

< Message edited by Ross G -- 19.Mar.2010 3:44:07 PM >
Post #: 1
RE: L2TP VPN during forest migration. This is a tough ... - 7.Apr.2010 2:36:02 PM   
pwindell

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
My guess is that you will have to switch to a Pre-shared Key or switch to PPTP until the migration is complete.

_____________________________

Phillip Windell

(in reply to Ross G)
Post #: 2
