IPSec Server-to-Server with Certificates doesn't work, SOS!
Dear all,
I have
Server A (Win2k8 Std as stand-alone srv, at a Data center in place A, directly facing Internet) --- | Corp firewall ---
Server B (Win2k8 Std as stand-alone srv, at my workplace)
I have tried IPSec with a pre-shared key, and it works.
Now I would like to try out Certificates as the authentication method. And I did the following:
Used a server C (Win2k8 Std stand-alone srv), installed AD Certificate Service;
At A and B, running MMC with the Certificates snap-in, choosing local machine, then "create custom request", using this request to get certificates issued from C.
On A and B, still using MMC, install the new cert to Local Machine > Personal, also install C's root cert to Trusted Root.
On A and B, re-config the Connection Security Rules to use the cert from C.
-------------------------------------------------------------------------------
Then I started testing, and it seems it doesn't work. So I had a look at the Event log (Security). This is the info:
=============================================================
Event ID: 4653, Audit Failure, Task Category: IPsec Main Mode
An IPsec Main Mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address:
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address:
Keying Module Port: 500
Additional Information:
Keying Module Name: AuthIP
Authentication Method: Unknown authentication
Role: Responder
Impersonation State: Not enabled
Main Mode Filter ID: 74280
Failure Information:
Failure Point: Remote computer
Failure Reason: IKE authentication credentials are unacceptable
State: Sent second (KE) payload
Initiator Cookie: 3d322bfd61c0c156
Responder Cookie: 38643844c8b50deb
==============================================================
Then I fired up Microsoft Network Monitor 3.3, and one of the records says:
AuthIP: version 1.0, Notify, Initiator, 0x000035E9 - ERROR_IPSEC_IKE_AUTH_FAIL - IKE authentication credentials are unacceptable , Payloads = HDR, CRYPTO, N, Flags = ..., Length = 52
==============================================================
So my questions here:
1, Could someone from within MSFT or outside please confirm that IPSec Server-to-Server with Certificates does work, not in theory, but that you actually did it yourself.
2, Then point out to me where I went wrong.
Waiting... Waiting... Please...
Thanks! :)
Dong
March 24th, 2010 10:07pm
Certificates for IPSec must have the "IPSec intermediate" and/or "Client authentication" purpose. Certificates based on the IPSec or IPSec (Offline request) templates will do.
April 30th, 2010 12:50pm
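The certificate requirements in the reply above, together with the cert and root-install steps from the original post, can be checked on each server before touching the Connection Security Rule. The following PowerShell script is an added example, not code from this thread or from Microsoft; the two EKU OIDs are the standard ones for Client Authentication and IP security IKE intermediate, and the CA name in the trailing netsh comment is a placeholder.

```powershell
# Added example (not from the thread): audit the Local Machine / Personal store
# on server A or B for a certificate that IPsec certificate authentication can use.
$ekuIkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
$ekuClientAuth      = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return $oids
}

function Test-IPsecMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus  = Get-CertEkuOids $Cert
    $ekuOk = ($ekus -contains $ekuIkeIntermediate) -or ($ekus -contains $ekuClientAuth)
    # Verify() builds and validates the chain against this machine's Trusted Root
    # store, which is what the "install C root cert to Trusted Root" step must satisfy.
    $chainOk = $Cert.Verify()
    New-Object PSObject -Property @{
        Subject = $Cert.Subject
        Issuer  = $Cert.Issuer
        HasKey  = $Cert.HasPrivateKey      # true when the request was created on this machine
        ChainOk = $chainOk
        EkuOk   = $ekuOk
        Usable  = ($Cert.HasPrivateKey -and $chainOk -and $ekuOk)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IPsecMachineCert $_ } |
    Format-Table Subject, Issuer, HasKey, ChainOk, EkuOk, Usable -AutoSize

# Once both servers show Usable = True for a certificate issued by C, the rule on
# each side should name C's issuing CA (placeholder subject below):
#   netsh advfirewall consec add rule name="A-B IPsec" endpoint1=any endpoint2=any `
#       action=requireinrequireout auth1=computercert auth1ca="CN=<C issuing CA>"
```

Run it in an elevated PowerShell on each server; ChainOk = False points at the root-install step, EkuOk = False at the template used on C.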
I have these. It's not working. I've raised this issue to MS support.
May 2nd, 2010 12:51am
Did MS provide you with a solution to this? Would you mind posting? Thanks!
May 13th, 2010 9:25pm
Are you experiencing the same problem?
MS is still working on this; I haven't got anything meaningful to share yet.
I feel more and more this is a bug inside either AuthIP or IPSEC code.
A second thought is that:
For a simple setup, a PreSharedKey may work as well as Certs. The security level is the same no matter which. Documents I read mention that a PreSharedKey is not secure because it is stored in plain text. That is true, but it takes someone with Admin rights to find out this key (I reckon, either by mmc or by NETSH ADV CONSEC in cmd); if Joe could do that, this machine is hacked. But Joe can't harm the other server even if he knows the key now, because he has no access to it to set up a Connection Security Rule to take advantage of it (e.g. having an IPSEC link then starting to bomb SMB or SQL).
If using Certs, Joe could find out which CA root was used; he may or may not be able to create a Cert for himself, and again he is stopped because he has no access to the other server.
I feel the true benefit of using Certs is at the management level, not at the security level.
Best,
dong
May 14th, 2010 3:54pm