L2TP over IPSEC..???

Status
Not open for further replies.

TheSponge

Technical User
Jul 2, 2003
442
GB
Users can no longer use VPN dial in to my server...

This is the error message:

A Certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted.

I have no idea what has happened here, everything was fine, I installed some updates...then it stopped working.

I would really appreciate some help here, I got to get this up and running ASAP..

many thanks guys..

A+,CCNA
 
CA? What's that? Do you mean Client Access? No, they haven't...

A+,CCNA
 
CA = Certificate Authority. L2TP/IPSec VPNs require a valid certificate from a trusted CA (the computer account). So... 2 things I would begin with: determine where your CA is located (this could be running on any domain controller in your network), and maybe pop up an mmc --> certificates --> (computer account) console and look for personal certs. Locate the one that may apply to your domain and check out the expiration date... (is it expired... this seems to be related to your error message)...
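
The check described in the reply above, as an added example that is not part of the original thread: it audits the Local Computer\Personal store for a certificate usable by L2TP/IPsec. It assumes a current Windows system with PowerShell 3 or later (not the Windows 2000 server in the thread); the function name `Test-MachineCertificate`, the 30-day warning window and the set of accepted EKUs are assumptions made for this example.

```powershell
# Added example: report why a machine certificate may be rejected for L2TP/IPsec.
# Assumed acceptable EKUs: Server Authentication, Client Authentication,
# IP security IKE intermediate.
$IkeEkus = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.8.2.2'

function Test-MachineCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 30   # assumed warning window
    )
    process {
        $now = Get-Date

        # Collect the EKU OIDs, if the certificate carries an EKU extension.
        $ekus = @(foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
            }
        })
        # No EKU extension means the certificate is valid for all purposes.
        $ekuOk = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $IkeEkus -contains $_ })

        # Build the chain in machine context; revocation is not checked (offline audit).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($Certificate)

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Issuer        = $Certificate.Issuer
            NotAfter      = $Certificate.NotAfter
            Expired       = $Certificate.NotAfter -lt $now
            NotYetValid   = $Certificate.NotBefore -gt $now
            ExpiresSoon   = $Certificate.NotAfter -lt $now.AddDays($WarnDays)
            HasPrivateKey = $Certificate.HasPrivateKey
            EkuOk         = $ekuOk
            ChainTrusted  = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

# An empty result means the machine has no computer certificate at all.
Get-ChildItem Cert:\LocalMachine\My | Test-MachineCertificate | Format-List
```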

 
OK, thanks, I'll check. If it has expired, what do I do if it has?

Cheers

A+,CCNA
 
Where's the best place to look? I have a WIN2K AD DC...that controls everything..

Thanks

A+,CCNA
 
depending where the CA is, you can refresh the root certificate for the CA and then clients will attempt to get a new one (else you can "request" a cert from the client)... if expired certs are your issue, then this approach may resolve it...
 
from the w2k DC, administrative tools ---> look for certificate services (?). if cert services is installed, the management console should be too.
 
I have just looked and CA isn't even installed on the server?
It never has been, I did buy some CALs a while ago,

1 user can access the server, no problems...it's 2 others that get this error message. Could this be a client thing?

they are accessing outside of our LAN...

A+,CCNA
 
if the cert is expired, then...

the name of the snap-in is Certificate Authority. load this and expand the CA. There should be a CA listed that is for your environment. right-click --> all tasks --> renew cert.
 
No, there isn't CA installed on the server? Never has been. So it couldn't have expired?

What will renewing do? I can type mmc in the run box, but all that comes up is a console root box? with nothing else there..

You'll have to excuse me as I have just inherited this network...

I really appreciate your assistance...

A+,CCNA
 
if you have access to a client machine, pop open a mmc --> certificates --> choose computer account --> then expand personal certs... what do you see ???
 
I can't get to a client machine, as 1 is in Germany, the other in London!!

Nothing has changed on the client machine as I asked them...

I'm really puzzled...

A+,CCNA
 
road trip... :)~

yea, well can you "manage the pc" via the mmc... ?

mmc --> add --> certificates --> "computer account" --> now on the next step, choose "another computer" --> select the target computer from the browse list... now you will interrogate the remote machine certs...

scottie
 
Well, I thank you sir for your time,

I dug a little deeper, and there was an adapter that was controlling the VPN connections, a client machine somehow pinched the adapter's IP address, so it wasn't working.

I shut down all client machines and refreshed DHCP, lo and behold it worked!!!

I really do appreciate the time you took,

Thank you

A+,CCNA
 