IPsec using certificates (Win2k)

By fjaramillo
We are trying to connect from a Win2k Pro client at a remote site to our RRAS server using L2TP.
We currently connect using PPTP and everything works fine.
We are trying to connect "external" customers using L2TP with certificates. The remote clients are all Win2k (not members of our domain).
We have set up our RRAS server as a standalone Certificate Authority to issue certificates to these remote users. The remote users connect to our Certificate Authority and get the certificates issued (we are selecting IPSEC for usage).
But when we try to connect via L2TP from the client to the RRAS server we get the following error.

Error 792 The L2TP connection attempt failed because security
negotiation timed out.


Here are the parameters that I'm using to first request the
certificate:
Intended Purpose: IPSEC
CSP: Microsoft Base Crypto Provider 1.0
Key Usage: Signature
Key Size: 1024
Use Local Machine Store
Hash Algo: SHA-1
We have all the proper ports opened on the Cisco PIX.

Thanks
Nando

IPsec using certificates (Win2k)

by lenz.rudiger In reply to IPsec using certificates ...

The first question would be, since the error message indicates that IPSec is not working properly:

Is IPSec enabled on the client machine?

Connections Properties -> TCP/IP -> properties -> advanced -> options

Is the root cert installed on the client machines?

Is EAP enabled?

Is the client machine enabled to check the server Cert?

There might be many other questions to be answered before dragging down that problem, but it's a start.

IPsec using certificates (Win2k)

by fjaramillo In reply to IPsec using certificates ...

Thanks for the response.
This is my first experience with IPSec, I need to ask some stupid questions.

I have removed the certificate from the client and obtained a new certificate from the server. I also went through the http://servername/certsrv and requested for the CA to be installed on the client.

Do I need to enable IPSec on the network card, or just on the dial-up IPSec session?

Here's my current configuration. On the NIC I have IPSec NOT checked. On the VPN dial session, under Security, I have:

Advanced Settings -> Require Data Encryption (disconnect if server declines)

Use EAP (checked)
Use Smartcard or Certificate (checked)
Properties of Smart Card or Certificate
"Use a certificate on this computer"
Validate Server Cert (checked)
Connect only if server name ends with (NOT Checked)
Trusted Certificate Authority (Our RRAS server OMNIRAS)
Use a different username (NOT Checked)

When I try to dial the VPN L2TP session I now get a different error:

Cannot load dialog
Error 798 A certificate could not be found that can be used with EAP.

Thanks for your patience!
Nando
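The replies above turn on a few properties of the client's certificate: whether it sits in the Local Machine store with its private key, what its intended purpose (EKU) is, and whether its issuer chains to a trusted root on the client. The script below, an added example rather than anything posted in the thread, inventories the machine store and reports exactly those properties. It assumes a current Windows PowerShell host (Win2k itself has no PowerShell, so run it from a modern client to see what the checks look like); the two EKU OIDs it tests for, Client Authentication and IP security IKE intermediate, are this example's assumptions about what an EAP-TLS/IPsec client certificate is expected to carry, not something the thread states.

```powershell
# Added example, not from the original thread.
# Lists every certificate in the Local Machine personal store and reports the
# properties that the thread's troubleshooting questions depend on.

# EKU OIDs this example checks for (assumption: typical requirements for an
# EAP-TLS / IPsec client certificate on Windows).
$ekuClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ekuIpsecIke   = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Test-VpnClientCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Pull the Enhanced Key Usage extension (OID 2.5.29.37), if present.
    $ekuOids = @()
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) {
        $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }

    # Build the chain against the machine's trusted roots. Revocation is
    # skipped here so the check works offline; verify CRL reachability separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Issuer          = $Cert.Issuer
        NotAfter        = $Cert.NotAfter
        HasPrivateKey   = $Cert.HasPrivateKey          # EAP cannot use a cert without its key
        ClientAuthEKU   = ($ekuOids -contains $ekuClientAuth)
        IpsecIkeEKU     = ($ekuOids -contains $ekuIpsecIke)
        ChainsToTrusted = $chainOk                     # false => root/intermediate not installed
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Report on the Local Machine personal store, which is where "Use a certificate
# on this computer" looks.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnClientCertificate -Cert $_ } |
    Format-List
```

A certificate that shows HasPrivateKey False, no ClientAuthEKU, or ChainsToTrusted False is a candidate explanation for error 798; fixing the enrollment (machine store, correct purpose) or installing the issuing CA's root certificate addresses each case respectively.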
