Question
Friday, April 1, 2011 2:05 PM
[quote]
For IKEv2 machine certificate authentication: Ensure the trusted root certificate store on the VPN Server contains **only** the trust root certificate that matches the trust chain with which the client will send the machine certificate. And you MUST delete all the other trust chains on the VPN Server – to avoid any malicious client machine having a certificate with one of those trust chains being able to successfully connect to this VPN server using IKEv2 machine certificate authentication.
[/quote]
Is this still true with a Windows 2008 R2 SP1 RRAS server?
If so, IKEv2 behaves quite differently from the IPsec AuthN in the L2TP/IPsec VPN solution, where the client must present a certificate from the same Root CA as the RRAS server.
Thanks,
Stefaan
All replies (5)
Tuesday, April 12, 2011 7:55 AM ✅Answered | 1 vote
Hi Tiger Li,
After some testing I can confirm that IKEv2 accepts any certificate presented by the client as long as the issuing CA is trusted by the RRAS server. That's definitely not the case with L2TP/IPsec (IKEv1). Here the client must present a certificate issued by the same CA as the one used by the RRAS itself.
Best Regards,
Stefaan
Monday, April 4, 2011 3:10 AM
Hi Stefaan,
Thanks for posting here.
> Is this still true with a Windows 2008 R2 SP1 RRAS server?
Based on my knowledge this mechanism has not been changed since service pack 1 was released.
Windows Server 2008 R2 Service Pack 1
http://technet.microsoft.com/en-us/library/ff817647(WS.10).aspx
For more information please refer to the links below:
Enhancements to VPN Reconnect in W7 RC
http://blogs.technet.com/b/rrasblog/archive/2009/05/11/enhancements-to-vpn-reconnect-in-w7-rc.aspx
About Remote Access with VPN Reconnect
http://technet.microsoft.com/en-us/library/dd637803(WS.10).aspx
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact [email protected]
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Wednesday, April 6, 2011 1:03 AM
Hi Stefaan,
Please feel free to let us know if the information was helpful to you.
Thanks,
Tiger Li
TechNet Subscriber Support in forum
Wednesday, April 6, 2011 11:39 AM
Hi Tiger Li,
How will I put it nicely...
If IKEv2 with machine certificate authentication doesn't behave like the IPsec AuthN part in the L2TP/IPsec VPN solution, then it is rather useless. Manually tuning the computer Root certificate store is a bad idea because it is, as far as I know, managed by Windows Update.
In the next weeks I will try to test this scenario.
Best Regards,
Stefaan
Monday, August 18, 2014 2:17 PM | 3 votes
From Windows 2012 onwards you can configure which CA to accept for the IKEv2 client certificates. This is done through PowerShell: Set-VpnAuthProtocol -RootCertificateNameToAccept.
Regards,
Stefaan
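As an added example (not code from the thread or from Microsoft), here is the Windows Server 2012+ pin Stefaan mentions, preceded by the root-store audit that the quoted advice implies. The root CA subject name is an assumption; replace it with the root of your own client-certificate PKI.

```powershell
# Added example: restrict IKEv2 machine-certificate authentication on an RRAS
# server (Windows Server 2012 or later) to one issuing root CA, then verify.
# Requires the RemoteAccess module (installed with the Remote Access role).
$rootSubject = 'CN=Contoso Root CA'   # assumption: your PKI's root CA subject

# Step 1: audit what the server currently trusts. Without a root pin, a client
# certificate chaining to ANY of these roots satisfies IKEv2 certificate auth.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Sort-Object NotAfter |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

# Step 2: select the single root that anchors the client machine certificates.
# Fail loudly if it is missing or if the subject is ambiguous (e.g. an old and
# a renewed root with the same name), rather than pinning the wrong object.
$root = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -eq $rootSubject })
if ($root.Count -ne 1) {
    throw "Expected exactly one root with subject '$rootSubject', found $($root.Count)"
}

# Step 3: pin IKEv2 to that root. -RootCertificateNameToAccept takes the
# X509Certificate2 object; client certificates whose chain does not end at
# this root are rejected even though other roots remain in the store.
Set-VpnAuthProtocol -RootCertificateNameToAccept $root[0] -PassThru

# Step 4: restart so the new setting is read (assumption: RRAS picks the
# authentication settings up at service start).
Restart-Service -Name RemoteAccess

# Step 5: confirm the pin is in place. The returned value is rendered as a
# string so the check works whether it comes back as a name or a certificate.
$cfg = Get-VpnAuthProtocol
if ("$($cfg.RootCertificateNameToAccept)" -notlike "*$rootSubject*") {
    throw "IKEv2 root pin not applied; current value: $($cfg.RootCertificateNameToAccept)"
}
```

Run this in an elevated PowerShell session on the RRAS server; the audit in step 1 is also the check a Windows Server 2008 R2 operator is left with, since that release has no root pin and the whole Root store is the effective trust list.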