IPSec VPN problems


billybob

I set up both a CA server and VPN server on a Win2k Server
that used to be a member of a domain. I unjoined the
domain and now it is a member of workgroup WORKGROUP. But
the problem is that my server certificate (.crt file)
created in c:/winnt/system32/certsrv/CertEnroll and in
c:/certconfig has the FQDN of the Active Directory that
it used to be a member of, which I think is causing error
786 when the VPN client tries to connect when set to use
L2TP/IPSec instead of PPTP/MPPE.
I have tried deleting both of these .crt files and then
reinstalling the CA server, but it keeps using the FQDN for
the .crt files.
How do I stop this without having to reinstall the OS
from scratch?
Are there entries in the registry I have to manually
delete??


Thanks in advance to the guru that figures this out for
me!
 
I have never done what you did, but many times the problem with certificate
authentication is that the computer does not trust the certificate. Error 786 means
there is no valid certificate. I would first check that the CA certificate for your
CA is in the trusted CA store for both the CA computer [your vpn server] and on the
vpn client. You can use the mmc certificate snap-in for computers to view certificates
in the Trusted Root folder where you can import a certificate .cer file if need be. I
would also view the computer certificates in the personal certificates folder to make
sure there is one that can be used for the vpn server and that it shows that the
matching private key is available and no problems are shown on any of the property
pages, particularly on the certification path page. It may also be a good idea to
issue another computer certificate for the vpn server. --- Steve
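
The checks described in the reply above, scripted as an added example that is not part of the original thread. It assumes a Windows system that has PowerShell (the Windows 2000 server in the thread predates it, so there the MMC snap-in is the tool), and `CN=Example-CA` is a placeholder for your own CA's subject name.

```powershell
# Added example: run on both the VPN server and the VPN client.
# $CaSubject is a placeholder; replace it with your CA's subject name.
param([string]$CaSubject = 'CN=Example-CA')

# 1. The CA certificate must be in the Local Computer Trusted Root store.
#    L2TP/IPSec uses computer certificates, so a CA certificate that is
#    only in the Current User store does not help.
$machineRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaSubject*" }
$userRoot = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$CaSubject*" }

if ($machineRoot) {
    Write-Output "OK: CA certificate found in Local Computer Trusted Root."
} elseif ($userRoot) {
    Write-Output "PROBLEM: CA certificate is only in Current User Trusted Root."
} else {
    Write-Output "PROBLEM: CA certificate not found in any Trusted Root store."
}

# 2. Review every computer certificate in Local Computer\Personal:
#    subject and issuer names (a stale domain FQDN shows up here),
#    private key availability, expiry, and the certification path.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # $true = build the chain in the machine context, not the user context
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $pathOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        Expires       = $cert.NotAfter
        PathValid     = $pathOk
        PathProblems  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```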
 
I noticed that the CA cert was only in Current User
(Trusted Root Cert Authorities) and not in Local Computer
on the VPN client, so I exported and imported it in there.
Now when I try to connect to VPN server using L2TP/IPSec
I get the 792 error (More Info - the remote server may be
offline, the server you are reaching does not have the
correct credentials, your connection is not configured
with the correct credentials, your connection is
configured to use a different security method than the
remote computer).
I also requested and installed a server cert on the
CA/VPN server.

- any more ideas??

Thanks in advance.



 
Can't think of much more as I have never removed a CA from a domain to experience
what happens. The KB link below may be worth a look as it refers to the 792
error. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;247231
