PLEASE HELP ! L2TP & Certificates
Jimbob 09-15-2006, 08:23 PM
I apologize if this isn't the exact area to be asking this, but OK, here's my current configuration. I currently have a 2003 domain with a 2003 Enterprise RAS server, with PPTP VPN working fine in my corporate network. My boss wants to upgrade to L2TP security with certificates. Now please bear with me, as I am new to certificates. He wants to physically hand out the certificates via email or floppy disc, NOT use auto-enrollment. As far as VPN users go, some computers are part of the domain and most are not. Now, I set up an enterprise CA on the VPN server. I installed (or at least I think I did) the certificates on the client. If I open mmc > Certificates (Local Computer), the certificate shows up in Personal and also in Trusted Root CA. My problem is this: #1, I'm not sure what EXACTLY they mean by "machine certificate". I set up the IPsec (Offline) template and used that; is that correct for this situation? Am I missing something? As of right now, my status is that when I go to connect, it tells me error 786, can't find valid machine cert. I would greatly appreciate it if anyone has ANY input or direction. Thank you in advance.
Puja Pandey[MSFT] 09-18-2006, 06:01 AM
Hi,
To set up an L2TP certificate connection, please check the following things.
1. You must have valid certificates on the client and the server.
2. "Valid certificate" means: the certificate must be obtained from the same CA for both client and server. The certificates must not be expired. The root cert must be present in the "Trusted Root Certification Authorities" node.
3. Open the certificate and check the details. The expiry date must be valid; the certification path will show you the root cert, and that root cert must be present under "Trusted Root Certification Authorities". Check the intended purpose of the certificate.
4. Machine certificates are located in the MMC in the Local Computer certificate store. L2TP requires machine-level certs.
5. Auto-enroll would be a good option to try to generate certificates, but you can also export the certificates and then import them on the desired machine.
--
Thanks,
Puja
---------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
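The checklist above can be run mechanically. The script below is an added example, not code from the thread or from Microsoft: it walks Local Computer\Personal on the client (run it on the RRAS server too) and reports, per certificate, every reason IKE would refuse it as the L2TP machine certificate: validity period, missing private key, intended purpose, and whether the certification path ends in a root that sits in the *machine* Trusted Root store rather than only the current user's. It assumes the standard `Cert:` drive store names, and that Windows IKE accepts a machine certificate with no EKU or with an EKU containing IP security IKE intermediate, Server Authentication or Client Authentication. Two practitioner checks it encodes that the thread does not spell out: a certificate whose Subject equals its Issuer is the CA's own certificate, and if the same thumbprint shows up in both Personal and Trusted Root, what was installed is the CA cert, not a machine cert; and a certificate without a private key in the store means a .cer/.p7b (public parts only) was imported where a .pfx was needed.

```powershell
# Added example (not from the thread): report why each cert in Local Computer\Personal
# would or would not be accepted as the L2TP/IPsec machine certificate.
# Run in an elevated PowerShell on the client, then again on the RRAS server.
# Assumption: IKE accepts a cert with no EKU, or an EKU containing one of these OIDs.
$acceptedEku = @(
    '1.3.6.1.5.5.8.2.2',   # IP security IKE intermediate
    '1.3.6.1.5.5.7.3.1',   # Server Authentication
    '1.3.6.1.5.5.7.3.2'    # Client Authentication
)

function Test-L2tpMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    $now = Get-Date

    # 1. Validity period.
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }

    # 2. A machine certificate is useless without its private key. Missing key means a
    #    .cer or .p7b (public parts only) was imported where a .pfx was needed.
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key in this store (imported a .cer/.p7b instead of a .pfx?)'
    }

    # 3. A self-signed cert in Personal is the CA's own certificate, not a machine cert.
    if ($Cert.Subject -eq $Cert.Issuer) {
        $problems += 'self-signed: this is a CA certificate; it belongs in Trusted Root, not Personal'
    }

    # 4. Intended purpose (Enhanced Key Usage, OID 2.5.29.37). No EKU at all is acceptable.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) {
        $usages = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Oid.Value })
        $match = $usages | Where-Object { $acceptedEku -contains $_ }
        if (-not $match) {
            $problems += "EKU present but none of IKE intermediate/Server Auth/Client Auth: $($usages -join ', ')"
        }
    }

    # 5. Certification path must end in a root that is in Local Computer\Trusted Root.
    #    X509Chain also consults the current user's root store, so the machine store is
    #    checked explicitly: IKE runs as the machine and never sees CurrentUser\Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "certification path does not build: $status"
    } else {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
        if (-not $inMachineRoot) {
            $problems += "root '$($root.Subject)' is not in Cert:\LocalMachine\Root"
        }
    }
    return ,$problems
}

$usable = 0
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = Test-L2tpMachineCert $cert
    if ($problems.Count -eq 0) {
        $usable++
        Write-Output "USABLE   $($cert.Thumbprint)  $($cert.Subject)  (issuer: $($cert.Issuer))"
    } else {
        Write-Output "REJECTED $($cert.Thumbprint)  $($cert.Subject)"
        $problems | ForEach-Object { Write-Output "           - $_" }
    }
}
if ($usable -eq 0) {
    Write-Output 'No usable machine certificate in Local Computer\Personal: that is what error 786 reports.'
}
```

Revocation checking is switched off because the point here is to see the store contents offline; IKE performs its own revocation handling. If the script reports a usable certificate on both ends but the connection still fails with 786, compare the issuer on the two ends: Puja's item 2 requires the same CA on client and server.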
Jimbob 09-18-2006, 01:43 PM
OK,
1. I'm pretty sure the certificates are installed on the client and server. I open up mmc > (Local) Personal and see the certs there. Also, I see them in the Trusted Root CA folder.
2. Here is where I get a bit lost: when you have to install on the server, do I have to install a certificate on the VPN server for EVERY client? Or is it just 1 certificate to match all my clients?
3. Expiration date is valid (2 years).
4. I am running Enterprise Edition, so I have installed the IPSec (V2) certificate templates.
5. I know auto-enroll would probably be easier, but unfortunately my boss is demanding that we export them out through email/CD and then have them import them.
My other question that confuses me is which type (extension) it is that I have to import/export. I see like 4 different kinds: .cer, .p7b, .pfx... I'm not sure what they all mean, which ones I really need and their purpose... maybe this is where I'm screwing it up. Thanks again for your response.
Puja Pandey[MSFT] 09-21-2006, 03:32 PM
You need only one certificate on the server if all the certs on the clients and the server are issued from the same CA. You can use either a .pfx file or a .p7b file for export/import.
I am just guessing, but does the root cert get installed on your client when you import the certs? What is the intended purpose of the certs on the client and the server?
--
Thanks,
Puja
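On the file-type question in the thread: a .cer holds one certificate, public part only; a .p7b is a PKCS#7 bundle of one or more certificates (handy for shipping a CA chain) and also carries no private key; a .pfx is PKCS#12 and is the only one of the three that carries the private key. So the client's own machine certificate has to travel as a .pfx, and the root can travel as a .cer or .p7b. The script below is an added example, not code from the thread or from Microsoft, showing the manual hand-out Puja describes with the PKI module cmdlets (Windows 8 / Server 2012 and later; on the 2003-era systems in the thread the same steps are the Certificates MMC Export/Import wizards). It assumes the client certificate was enrolled, with an exportable private key, on an admin workstation under the hypothetical subject `CN=laptop01.corp.example`, and that the CA's root certificate has the hypothetical subject `CN=Corp-CA`.

```powershell
# Added example (not from the thread): export a client's machine certificate and the CA root
# on an admin workstation, then import both into the right Local Computer stores on the client.
# Hypothetical names: CN=laptop01.corp.example (client), CN=Corp-CA (root CA).

## --- on the admin workstation: two files per client ---

# The client's own certificate WITH its private key: PKCS#12 (.pfx). The password must not
# travel in the same email or on the same disc as the file.
$pfxPassword = Read-Host -AsSecureString 'PFX password (deliver it by a separate channel)'
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=laptop01.corp.example' -and $_.HasPrivateKey }
Export-PfxCertificate -Cert $clientCert -FilePath .\laptop01.pfx -Password $pfxPassword

# The CA's root certificate, public part only (.cer): nothing secret in it, no password needed.
$rootCert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq 'CN=Corp-CA' }
Export-Certificate -Cert $rootCert -FilePath .\corp-ca-root.cer -Type CERT

## --- on the client, in an elevated PowerShell ---

# Root goes to Local Computer\Trusted Root Certification Authorities.
Import-Certificate -FilePath .\corp-ca-root.cer -CertStoreLocation Cert:\LocalMachine\Root

# Machine cert + key goes to Local Computer\Personal, NOT Cert:\CurrentUser\My: IKE runs as
# the machine and only looks in the machine store. -Exportable is deliberately not given,
# so the private key cannot be pulled back out of the client afterwards.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Import-PfxCertificate -FilePath .\laptop01.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# The .pfx on disk is a second copy of the private key; remove it once it is in the store.
Remove-Item .\laptop01.pfx

# Confirm what landed where. HasPrivateKey must be True for the machine cert.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=laptop01.corp.example' } |
    Select-Object Subject, Issuer, NotAfter, HasPrivateKey
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq 'CN=Corp-CA' } |
    Select-Object Subject, Thumbprint
```

The server side is the same import, done once: one machine certificate issued by the same CA in the RRAS server's Local Computer\Personal store, plus the root in its Trusted Root store. Emailing a .pfx is a private-key transfer; if the boss insists on email, the file should be encrypted in transit and the password must go by a different channel, and each client should get its own certificate so that one leaked .pfx can be revoked without touching the others.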