2003 VPN / IPSec

[RKB]

After much headache and way too many whitepapers, and it
not working the way the white papers say it should, here
is my situation.

Scenario
- 2003 VPN server for remote, (Non-Domain systems)
- L2TP / IPSec connections
- Stand Alone Root CA for certificates needed for L2TP
How can this be done?

I have tried the straight forward approach of installing
the required systems, setting up web based enrollment,
issuing IPSec certificates and setting up both XP and 2k
clients. They never connect. Usually timing out on
security negotiations. I have changed all the settings to
the point of complete frustration.

Any help would be GREATLY appreciated.

-Richard

 

[Boyd Benson [MSFT]]

Hi Richard,

#1
During your test, I would attempt the connection with PPTP to verify that
the RRAS server is accepting connections. If this does not work, then we
need to troubleshoot the configuration of RRAS. If this does work, then we
move to troubleshooting IPsec.

#2
If PPTP does work, then the next step is to do a web based request for
Computer/Machine certificate in the Local Machine Store. This must be done
from the clients and the server (Even if Certificate Services is installed
on the RRAS server itself - There is a certificate already in the correct
store that lists "Intended Purposes", and this equals "All". This
certificate does not work for IPsec.)

Please follow this KB to install the certificate on the client and RRAS
server:
253498 HOW TO: Install a Certificate for Use with IP Security
http://support.microsoft.com/?id=253498

#3
Does this L2TP/IPsec connection traverse a NAT device?
If they do, then you'll need to make sure that the NAT-T update to W2k and
XP is installed:
818043 L2TP/IPSec NAT-T Update for Windows XP and Windows 2000
http://support.microsoft.com/?id=818043

#4
Also, when you mention "(Non-Domain systems)" do you mean the clients are
not in a domain?
Is the server in a domain?

Thanks,
Boyd Benson
Microsoft Technical Support
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

 

[Dreez]

Most AWESOME step-by-step on:
http://www.tacteam.net/isaserverorg/vpnkitbeta2/rraspolicyeaptlsradius.htm

if you dig around there is an index of tons of great articles
but hard to find index