Channel: Network Infrastructure Servers forum

L2TP VPN connection in windows 2012 R2


I'm trying to configure an L2TP VPN connection in my test lab environment, but I'm not able to. I was able to configure PPTP and SSTP.

Here is the config:

RRAS SERVER: gate.mydomain.local

-NIC 1

 IP 192.168.0.3/255.255.255.0

-NIC 2

 IP 192.168.1.1/255.255.255.0

Domain controller: dc.mydomain.local IP 192.168.1.2/255.255.255.0

Client IP 192.168.0.10

Client hosts file pointing vpn.mydomain.com to 192.168.0.3

---------------------------------------------------------------------------

RRAS config

General tab: set as NAT+VPN

security: EAP, MS-CHAP-v2, IKEv2. NPS is installed, so the other settings are not here

IPv4: DHCP

--------------------

NPS config:

first tab: Allow access

second tab:

tunnel type: L2TP

NAS port: virtual or wireless

EAP allowed:

"Microsoft Smartcard or..."

"Microsoft PEAP..." both options (smart card and password)

third tab:

Auth methods:

Microsoft smart card (set with certificate for vpn.mydomain.com)

Microsoft PEAP:

smart card or other certificate (set with vpn.mydomain.com)

password (EAP-MS-CHAP-V2)

fourth tab:

radius standard:

PPP framed

network protection: allow full access

encryption: 128 bit

IP settings: DHCP

-------

server: firewall

opened ports:

UDP 500

UDP 4500

UDP 1701

protocol: 50 allowed

----------------------------------------------

Certificates:

server has 3 certificates in personal/computer folder:

-gate.mydomain.local

client auth, server auth standard AD certificate

-sstp-mydomain.com

server auth certificate used for sstp connections

-vpn.mydomain.com

server auth, smart card access, IKE IP security mediator; issued to deal with L2TP and IKE VPN

Client has standard AD certificate for client auth and server auth

------------------------------------------------------------------------------------

Client config:

Address: vpn.mydomain.com

Kind: L2TP or IKEv2

security settings: I tried all possible configurations

check server certificate disabled

-----------------------------------------------------------------------------------

result: it does not work.

If I set L2TP, I keep getting error 789 on the client, and on the server in the Event Viewer I can see one error ID 4652 followed by many errors 4653:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4652</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12547</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-03T16:48:22.613422500Z" />
    <EventRecordID>40569519</EventRecordID>
    <Correlation />
    <Execution ProcessID="616" ThreadID="4984" />
    <Channel>Security</Channel>
    <Computer>GATE.mydomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="LocalMMPrincipalName">-</Data>
    <Data Name="LocalMMCertHash">-</Data>
    <Data Name="LocalMMIssuingCA">-</Data>
    <Data Name="LocalMMRootCA">-</Data>
    <Data Name="RemoteMMPrincipalName">client.mydomain.local</Data>
    <Data Name="RemoteMMCertHash">f801bac7f68a62bb95b96d84b2373d586eda8a72</Data>
    <Data Name="RemoteMMIssuingCA">mydoamin-DC-CA</Data>
    <Data Name="RemoteMMRootCA">DC=local, DC=mydomain, CN=mydomain-DC-CA</Data>
    <Data Name="LocalAddress">192.168.0.3</Data>
    <Data Name="LocalKeyModPort">500</Data>
    <Data Name="RemoteAddress">192.168.0.10</Data>
    <Data Name="RemoteKeyModPort">500</Data>
    <Data Name="KeyModName">%%8222</Data>
    <Data Name="FailurePoint">%%8199</Data>
    <Data Name="FailureReason">IKE: impossibile trovare un certificato di computer valido. Contattare l'amministratore della rete addetto alla sicurezza per l'installazione di un certificato valido nel corretto Archivio certificati.</Data>
    <Data Name="MMAuthMethod">%%8227</Data>
    <Data Name="State">%%8203</Data>
    <Data Name="Role">%%8206</Data>
    <Data Name="MMImpersonationState">%%8217</Data>
    <Data Name="MMFilterID">128310</Data>
    <Data Name="InitiatorCookie">d093a0cb7ec6075f</Data>
    <Data Name="ResponderCookie">0b3a28cabe0780c2</Data>
  </EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4653</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12547</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-03T16:48:23.610141000Z" />
    <EventRecordID>40569536</EventRecordID>
    <Correlation />
    <Execution ProcessID="616" ThreadID="4984" />
    <Channel>Security</Channel>
    <Computer>GATE.mydomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="LocalMMPrincipalName">-</Data>
    <Data Name="RemoteMMPrincipalName">-</Data>
    <Data Name="LocalAddress">192.168.0.3</Data>
    <Data Name="LocalKeyModPort">500</Data>
    <Data Name="RemoteAddress">192.168.0.10</Data>
    <Data Name="RemoteKeyModPort">500</Data>
    <Data Name="KeyModName">%%8222</Data>
    <Data Name="FailurePoint">%%8199</Data>
    <Data Name="FailureReason">Ricevuto cookie non valido.</Data>
    <Data Name="MMAuthMethod">%%8194</Data>
    <Data Name="State">%%8201</Data>
    <Data Name="Role">%%8206</Data>
    <Data Name="MMImpersonationState">%%8217</Data>
    <Data Name="MMFilterID">0</Data>
    <Data Name="InitiatorCookie">d093a0cb7ec6075f</Data>
    <Data Name="ResponderCookie">0000000000000000</Data>
  </EventData>
</Event>

If I try IKEv2 instead, I get error 13806.
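The 4652 event quoted in the post is the useful clue: the remote peer presented a certificate (RemoteMMCertHash and RemoteMMRootCA are filled in, root CN=mydomain-DC-CA), while every LocalMM* field is "-" and the reason is that IKE found no valid computer certificate on the local side. The PowerShell below is an added diagnostic for exactly that situation; it is not code from the original post and not a Microsoft tool. It lists every certificate in the machine's Personal store with the properties that IKE certificate selection commonly depends on (usable private key, validity window, a chain that builds to a trusted root, the Server Authentication and IP security IKE intermediate EKUs, and whether the name the client dials is on the certificate), then flattens the most recent 4652/4653 events from the Security log so the local root and the peer's root can be compared side by side. Assumptions that are mine, not the post's: the function and parameter names, that it runs elevated on the RRAS server, that revocation checking is skipped because this is an offline lab, and that the dialed name defaults to vpn.mydomain.com from the post.

```powershell
<#
  Added diagnostic (not from the original post). Run elevated on the RRAS server.
  Parameter names, revocation policy and the default hostname are assumptions.
#>
param(
    [string]$ExpectedDnsName = 'vpn.mydomain.com',   # name the client dials (from the post)
    [int]$MaxEvents = 10                             # how many recent IKE failures to show
)

# EKU object identifiers relevant to IKE certificate selection on Windows.
$OidServerAuth      = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$OidIkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Test-IkeMachineCertificate {
    # Evaluate one LocalMachine\My certificate: private key, validity, chain,
    # the two EKUs above and whether the dialed name appears on the certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ekus = @()
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Build the chain without revocation checks (assumption: offline lab).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $root = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '-' }

    # DnsNameList is the certificate provider's view of the SAN DNS entries (and CN).
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $now = Get-Date

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        HasPrivateKey   = $Cert.HasPrivateKey
        TimeValid       = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ChainTrusted    = $chainOk
        RootCA          = $root
        ServerAuthEku   = ($ekus -contains $OidServerAuth)
        IkeIntermediate = ($ekus -contains $OidIkeIntermediate)
        NameMatches     = ($names -contains $ExpectedDnsName)
        DnsNames        = ($names -join ', ')
    }
}

function Get-IkeMainModeFailure {
    # Pull recent 4652/4653 audit events (the ones quoted in the post) and flatten
    # the EventData fields that identify the peer, its root CA and the failure reason.
    param([int]$Count = 10)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653 } `
                           -MaxEvents $Count -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            EventId        = $e.Id
            RemoteAddress  = $data['RemoteAddress']
            RemoteCertHash = $data['RemoteMMCertHash']
            RemoteRootCA   = $data['RemoteMMRootCA']
            LocalCertHash  = $data['LocalMMCertHash']
            FailureReason  = $data['FailureReason']
        }
    }
}

# Report: which machine certificates could satisfy IKE, then the recent failures.
Write-Host "== LocalMachine\My certificates evaluated for IKE (expecting $ExpectedDnsName) =="
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IkeMachineCertificate -Cert $_ } |
    Format-Table Subject, HasPrivateKey, TimeValid, ChainTrusted, ServerAuthEku, IkeIntermediate, NameMatches, RootCA -AutoSize

Write-Host "== Recent IKE main-mode failures (Security log 4652/4653) =="
Get-IkeMainModeFailure -Count $MaxEvents | Format-Table -AutoSize
```

Read the two tables together: a certificate that is going to be usable for L2TP/IPsec should show HasPrivateKey, TimeValid and ChainTrusted all True, and its RootCA should be the same issuer the client trusts (the RemoteRootCA column from the 4652 event shows which root the peer chained to). A row where the chain does not build, the private key is missing, or the root differs from the peer's is the first thing to fix before touching the NPS or RRAS policy again.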
