IPSec Server-to-Server with Certificates doesn't work, SOS!
Dear all,

I have Server A (Win2k8 Std as stand-alone srv, at a data center in place A, directly facing the Internet) --- | Corp firewall --- Server B (Win2k8 Std as stand-alone srv, at my workplace).

I have tried IPSec with a pre-shared key, and it works. Now I would like to try out certificates as the authentication method. And I did the following:

1. Used a server C (Win2k8 Std stand-alone srv) and installed AD Certificate Services.
2. At A and B, ran MMC with the Certificates snap-in, chose the local machine, then "Create Custom Request", and used this request to get certificates issued from C.
3. On A and B, still using MMC, installed the new cert in LocalMachine\Personal, and also installed C's root cert in Trusted Root.
4. On A and B, re-configured the Connection Security Rules to use the cert from C.

Then I started testing, and it seems it doesn't work. So I had a look at the Event log - Security. This is the info:

Event ID: 4653, Audit Failure, Task Category: IPsec Main Mode
An IPsec Main Mode negotiation failed.

Local Endpoint:
  Local Principal Name: -
  Network Address:
  Keying Module Port: 500
Remote Endpoint:
  Principal Name: -
  Network Address:
  Keying Module Port: 500
Additional Information:
  Keying Module Name: AuthIP
  Authentication Method: Unknown authentication
  Role: Responder
  Impersonation State: Not enabled
  Main Mode Filter ID: 74280
Failure Information:
  Failure Point: Remote computer
  Failure Reason: IKE authentication credentials are unacceptable
  State: Sent second (KE) payload
  Initiator Cookie: 3d322bfd61c0c156
  Responder Cookie: 38643844c8b50deb

Then I fired up Microsoft Network Monitor 3.3; one of the records says:

AuthIP: version 1.0, Notify, Initiator, 0x000035E9 - ERROR_IPSEC_IKE_AUTH_FAIL - IKE authentication credentials are unacceptable, Payloads = HDR, CRYPTO, N, Flags = ..., Length = 52

So my questions here:
1. Please, someone from within MSFT or outside, confirm that IPSec Server-to-Server with Certificates does work, not in theory, but that you actually did it yourself.
2. Then point out to me where I went wrong.

Waiting... Waiting... Please... Thanks! :)
Dong
March 24th, 2010 10:07pm

Certificates for IPSec must have the "IPSec intermediate" and/or "Client authentication" purpose. Certificates based on the IPSec or IPSec (Offline request) templates will do.
April 30th, 2010 12:50pm
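The answer above names the two extended key usages (EKUs) an IPsec computer certificate needs. The script below is an added example, not code from the thread or from Microsoft, for checking exactly that on each endpoint before touching the Connection Security Rules: it walks the LocalMachine\My store, reports whether each certificate has a private key, carries the "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2) or "Client Authentication" (OID 1.3.6.1.5.5.7.3.2) EKU, and whether it chains to a root that the machine actually trusts. The store names and OIDs are the standard Windows/X.509 ones; the function name `Test-IPsecCert` is my own. Run it in an elevated PowerShell on both A and B, since each side validates the other's certificate.

```powershell
# Added example (not from the original thread): report which LocalMachine\My
# certificates are usable for IPsec computer-certificate authentication.
#   - private key present
#   - EKU contains "IP security IKE intermediate" and/or "Client Authentication"
#     (under X.509 rules a certificate with NO EKU extension is valid for any purpose)
#   - chain builds to a root in LocalMachine\Root, i.e. C's root cert is really trusted
# Store names and OIDs are standard; the function name is an assumption of this example.

$ekuIkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
$ekuClientAuth      = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Test-IPsecCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Pull the EKU extension (if any) and extract its OID values
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    if ($ekuExt -eq $null) {
        $ekuOk   = $true                      # no EKU extension: any purpose allowed
        $ekuList = '(none: all purposes)'
    } else {
        $oids    = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $ekuOk   = ($oids -contains $ekuIkeIntermediate) -or ($oids -contains $ekuClientAuth)
        $ekuList = $oids -join ','
    }

    # Build the chain with online revocation checking. If the CRL distribution point
    # is unreachable from the DMZ host, Build() fails with RevocationStatusUnknown/
    # OfflineRevocation; rerun with RevocationMode = NoCheck to separate a CRL
    # reachability problem from a genuine trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)

    if ($chainOk) {
        $chainStatus = 'OK'
    } else {
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    # Last element of the built chain is the (possibly untrusted) root
    $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject

    New-Object PSObject -Property @{
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        PrivateKey  = $Cert.HasPrivateKey
        EKU         = $ekuList
        EKUOk       = $ekuOk
        ChainOk     = $chainOk
        ChainStatus = $chainStatus
        Root        = $rootSubject
        IPsecReady  = ($Cert.HasPrivateKey -and $ekuOk -and $chainOk)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IPsecCert $_ } |
    Format-List Subject, Thumbprint, PrivateKey, EKU, EKUOk, ChainOk, ChainStatus, Root, IPsecReady
```

A certificate only counts as ready when all three checks pass on the machine that presents it. The event in the question says "Failure Point: Remote computer", so the interesting output is on the peer: the responder rejects the initiator's certificate if the chain does not build there, which is why C's root must be in Trusted Root on both servers, and why the Connection Security Rule on each side has to name the same CA.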

I have these. It's not working. I've raised this issue to MS support.
May 2nd, 2010 12:51am

Did MS provide you with a solution to this? Would you mind posting? Thanks!
May 13th, 2010 9:25pm

Are you experiencing the same problem? MS is still working on this; I haven't got anything meaningful to share yet. I feel more and more that this is a bug inside either the AuthIP or the IPSEC code. A second thought is this: for a simple setup, a PreSharedKey may work as well as certs. The security level is the same no matter which. Documents I read mention that a PreSharedKey is not secure because it is stored in plain text. That is true, but it takes someone with admin rights to find out this key (I reckon, either by MMC or by NETSH ADV CONSEC in cmd); if Joe could do that, this machine is hacked. But Joe can't harm the other server even if he knows the key now, because he has no access to it to set up a Connection Security Rule to take advantage of it (e.g. having an IPSEC link and then starting to bomb SMB or SQL). If using certs, Joe could find out which CA root was used; he may or may not be able to create a cert for himself, but again he is stopped because he has no access to the other server. I feel the true good of using certs is at the management level, not at the security level. Best, dong
May 14th, 2010 3:54pm

