
VPN and Certificate Help

Status
Not open for further replies.

asylumgal

MIS
Dec 29, 2004
8
US
I've set up VPN on a Windows 2000 server; when I go to connect in via the client, I get an error 781. It seems as though a certificate is needed on the server, but which one, and how do I do it?
 
Are you connecting with L2TP / IPSec? If so, you will need to establish a CA in your network, and each machine attempting to connect via VPN will need to have a cert from this CA. You can connect with PPTP without a cert.

scottie
 
I am using L2TP / IPSec. How would I set up the certificate, and which one would I use?
 
The router is a Linksys router; in the UDP settings I added the 2 required ports for VPN, TCP 47 and TCP 1403.

Note: when I did do PPTP I got a different error, I think it was 631, server is not picking up request. Hope this helps.
 
You can install the Certificate Services CA on one of your DCs. It has been several years since I did it. You begin from Add/Remove Windows Components and choose Enterprise root CA (if using AD). Anyway, then you fill in all the info and I believe that is it.

From a client machine, run the MMC, add Certificates, then expand Personal. If the machine did not get one automatically, right-click and choose to request a cert.
Choose the "Computer" cert. If the CA is working correctly, then you will see the cert.

Choose the CA wisely. I believe it is impossible to move the root CA once it is established; at least that is what I am up against this coming year.

Best of luck

scottie
 
L2TP requires port 1701, protocol 49 / 50 (GRE?) and UDP 500.

Port 1723 for PPTP.

scottie
 
scottie,

We had to reset the Linksys router; would this affect the CA on the 2000 server? Also, on the client PC, running 2000, where would I check to see if the CA is being accepted from the server? Also on the 2000 server?
 
Well, if the CA is running, it is running. If the router is rebooting, then no traffic will get through until it is back up. For the cert, well, you gotta get that from the CA. I think (and I am just thinking here...) that if you can tunnel in via PPTP, you should be able to request a computer certificate over the VPN. First off, the computer must have an account in AD. Are your VPN clients in AD? Do the user accounts you are using for the VPN have the "dial-in" "Remote Access Permissions" set to Allow? (It is Deny by default, unless upgraded from NT 4.0.) And "no callback" for the callback.

Are you connecting to RRAS?

scottie
 
There is also a Certificate Server snap-in in the Administrative Tools on the server that the CA is installed on. This will show you issued certs and other info.

 
The router is up before I try to connect. When I try to connect using dial-up properties I get the error 781, looking for a CA, which leads me to believe that the server does not have a CA on it. BUT, before the hard reset of the router, VPN did work correctly. Any ideas?
 
When I switch it to PPTP I get a different error, that the server is not picking up. Are these two issues correlated?
 
So does the client machine have a certificate from a trusted CA on your LAN?

And you say that an L2TP / IPSec tunnel was possible before the router was reset?

If this is true, I would focus on the router and its interfaces and any ACLs that may not have been written to memory prior to the hard reboot...

Just guessing, 'cause I am here and you are there :)...

Good luck

scottie
 
Before the router was reset, the client and server communicated fine through VPN. I think this may be an issue with the router; any possible ideas as to what I should look for in the router?
 