Hi

Here is my scenario. I have two sites that are connected through an ISDN
line, but I don't want to use that line anymore; instead I will use a
site-to-site VPN connection.

My main site is using a Windows 2000 server with ISA 2000; this computer is
a member of my domain. IP address 10.10.x.x/16. On this site I have a
stand-alone certificate server on Windows 2003. This server is not a Domain
Controller.

The remote site is using a Windows 2003 server with ISA Server 2004; it is
also a member of my domain. IP address 10.30.x.x/16.

On both ISA servers I have made the necessary configuration to make a PPTP
connection, and with this type of connection I am able to make the connection
between both sites.

My problem is when I'm trying to use an L2TP/IPsec connection. On the ISA
2004, I changed the protocol type of the remote site to L2TP. On the ISA
Server 2000, packet filters for this type of traffic are there, and I changed
the type of protocol the network interface is using to the L2TP VPN type.

My concerns are about the certificates part. On the ISA 2000, I used the
Certificates MMC to request and install a computer certificate with success.


On the ISA Server 2004, I tried the same thing but I receive this error: "The
certificate request was submitted to a CA that is not started or you don't have
permissions to request certificates from available CAs." I restarted the
Routing and Remote Access and IPSec Policy services on both computers
without success. So on this server I used a web request
(http://10.10.0.x/certsrv) to request an Administrator template certificate.

When I try to connect I receive this error on both ISA servers:
Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20111
Date: 12/23/2005
Time: 8:53:50 AM
User: N/A
Computer: MASTER3
Description:
A Demand Dial connection to the remote interface IsaMoncton on port VPN2-0
was successfully initiated but failed to complete successfully because of the
following error: The L2TP connection attempt failed because security policy
for the connection was not found.
Data:
0000: 17 03 00 00 ....

I have read many articles, and some articles tell me that I need a computer
certificate, some others an IPsec template, others a Router (offline)
template... So my first idea was to use a computer type certificate, but I
cannot use the MMC Certificates snap-in on the ISA 2004 to request one, and
the computer template is not available for installation when I'm using
the web.

I can't figure out where my errors are, and all my reading hasn't helped me;
it mixed me up instead.

Thanks

Re: L2TP/IPsec sites-to-sites vpn by S

S
Sat Dec 24 21:52:10 CST 2005

Either use offline enrollment or connect temporarily (e.g. create a network
connection object on the remote server to connect it to the corporate
network as a stand-alone computer, using PPTP and password authentication)
and enroll online.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"totomaster" <totomaster@news.postalias> wrote in message
news:DEA575EB-CBCC-4F51-83B6-1EB257385F8D@microsoft.com...
> Hi
>
> Here is my scenario. I have two sites that are connected through an ISDN
> line, but I don't want to use that line anymore; instead I will use a
> site-to-site VPN connection.
>
> My main site is using a Windows 2000 server with ISA 2000; this computer
> is a member of my domain. IP address 10.10.x.x/16. On this site I have a
> stand-alone certificate server on Windows 2003. This server is not a Domain
> Controller.
>
> The remote site is using a Windows 2003 server with ISA Server 2004; it is
> also a member of my domain. IP address 10.30.x.x/16.
>
> On both ISA servers I have made the necessary configuration to make a PPTP
> connection, and with this type of connection I am able to make the
> connection between both sites.
>
> My problem is when I'm trying to use an L2TP/IPsec connection. On the ISA
> 2004, I changed the protocol type of the remote site to L2TP. On the ISA
> Server 2000, packet filters for this type of traffic are there, and I
> changed the type of protocol the network interface is using to the L2TP
> VPN type.
>
> My concerns are about the certificates part. On the ISA 2000, I used the
> Certificates MMC to request and install a computer certificate with
> success.
>
>
> On the ISA Server 2004, I tried the same thing but I receive this error:
> "The certificate request was submitted to a CA that is not started or you
> don't have permissions to request certificates from available CAs." I
> restarted the Routing and Remote Access and IPSec Policy services on both
> computers without success. So on this server I used a web request
> (http://10.10.0.x/certsrv) to request an Administrator template
> certificate.
>
> When I try to connect I receive this error on both ISA servers:
> Event Type: Error
> Event Source: RemoteAccess
> Event Category: None
> Event ID: 20111
> Date: 12/23/2005
> Time: 8:53:50 AM
> User: N/A
> Computer: MASTER3
> Description:
> A Demand Dial connection to the remote interface IsaMoncton on port VPN2-0
> was successfully initiated but failed to complete successfully because of
> the
> following error: The L2TP connection attempt failed because security
> policy
> for the connection was not found.
> Data:
> 0000: 17 03 00 00 ....
>
> I have read many articles, and some articles tell me that I need a computer
> certificate, some others an IPsec template, others a Router (offline)
> template... So my first idea was to use a computer type certificate, but
> I cannot use the MMC Certificates snap-in on the ISA 2004 to request one
> and the computer template is not available for installation when I'm
> using the web.
>
> I can't figure out where my errors are, and all my reading hasn't helped
> me; it mixed me up instead.
>
> Thanks
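The reply's first option, offline enrollment, worked through as an added example; this is not code from the thread, and the CA name, host names and paths in it are assumptions. It builds a machine certificate request with certreq on the ISA 2004 box (which cannot reach the CA), submits the request file to the stand-alone CA from a machine that can, and installs the issued certificate back on the ISA box. It also addresses why the web-enrolled Administrator template certificate did not help: that template issues a user certificate, while L2TP/IPsec authenticates IKE with a computer certificate held in the Local Machine personal store and chained to a root both sides trust. Error 791 in the logged event ("security policy for the connection was not found") is raised when RRAS cannot build its automatic L2TP IPsec policy, and a missing or unusable machine certificate is one common reason.

```batch
@echo off
setlocal
rem Added example, not code from the thread. Offline (file-based) enrollment of
rem a machine certificate for L2TP/IPsec, issued by a stand-alone CA.
rem CA name, host names and paths below are assumptions.

set "CACONFIG=ca.example.local\Example Stand-alone CA"
set "WORK=C:\ipsec-enroll"
if not exist "%WORK%" mkdir "%WORK%"

if /i "%~1"=="new"    goto new
if /i "%~1"=="submit" goto submit
if /i "%~1"=="accept" goto accept
echo usage: %~nx0 new ^| submit ^| accept
goto :eof

:new
rem Phase 1: run on the ISA 2004 server; no link to the CA is needed.
rem MachineKeySet=TRUE puts the key pair in the computer's store, the only
rem store L2TP/IPsec consults. KeySpec=1 (AT_KEYEXCHANGE) is required for IKE.
rem EKUs: IP security IKE intermediate (1.3.6.1.5.5.8.2.2) and
rem Client Authentication (1.3.6.1.5.5.7.3.2).
(
  echo [Version]
  echo Signature="$Windows NT$"
  echo.
  echo [NewRequest]
  echo Subject = "CN=isa-remote.example.local"
  echo KeyLength = 2048
  echo KeySpec = 1
  echo KeyUsage = 0xA0
  echo Exportable = FALSE
  echo MachineKeySet = TRUE
  echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  echo ProviderType = 12
  echo RequestType = PKCS10
  echo.
  echo [EnhancedKeyUsageExtension]
  echo OID = 1.3.6.1.5.5.8.2.2
  echo OID = 1.3.6.1.5.5.7.3.2
) > "%WORK%\ipsec.inf"
certreq -new "%WORK%\ipsec.inf" "%WORK%\ipsec.req"
echo Copy %WORK%\ipsec.req to a machine that can reach the CA and run: %~nx0 submit
goto :eof

:submit
rem Phase 2: run where the CA is reachable (e.g. on the CA itself).
rem A stand-alone CA holds new requests as Pending; a CA administrator issues
rem the request with certutil -resubmit, then it is retrieved by RequestId.
certreq -submit -config "%CACONFIG%" "%WORK%\ipsec.req" "%WORK%\ipsec.cer"
rem If certreq reports the request as pending, note the RequestId it printed
rem and run as a CA administrator:
rem   certutil -config "%CACONFIG%" -resubmit <RequestId>
rem   certreq -retrieve -config "%CACONFIG%" <RequestId> "%WORK%\ipsec.cer"
rem Export the CA's own certificate so the ISA box can trust the chain.
certutil -config "%CACONFIG%" -ca.cert "%WORK%\ca-root.cer"
goto :eof

:accept
rem Phase 3: back on the ISA 2004 server. Both ends must trust the issuing CA.
certutil -addstore Root "%WORK%\ca-root.cer"
certreq -accept "%WORK%\ipsec.cer"
rem Checks: the machine store lists the certificate together with a key
rem container (private key present), and the chain verifies to the root.
certutil -store My
certutil -verify "%WORK%\ipsec.cer"
goto :eof
```

Run it as `ipsec-enroll.cmd new` on the ISA 2004 server, carry `ipsec.req` to the CA and run `ipsec-enroll.cmd submit` there, then bring `ipsec.cer` and `ca-root.cer` back and run `ipsec-enroll.cmd accept`. Restart Routing and Remote Access afterwards so it rebuilds its L2TP IPsec policy, and make sure the ISA 2000 side also has the same CA certificate in its Trusted Root Certification Authorities store alongside the computer certificate it already enrolled.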