Windows 7 L2TP/IPSec client won't connect if verifying server certificate
I have a Windows Server 2003 box accessible from the Internet, whose only task is to act as an L2TP/IPSec VPN server. I'm trying to connect to that from a Windows 7 client. The client won't connect if the "Verify the Name and Usage attributes of the server's certificate" checkbox is checked; otherwise it works just fine. It says "The L2TP connection attempt failed because the security layer could not authenticate the remote computer." The client's Application Log has an entry (Source: RasClient, Event ID: 20227) saying: "The user COMPANY\MyUser dialed a connection named Company VPN which has failed. The error code returned on failure is 835."

Certificates for both the client and the server are issued by the same standalone root CA, which is trusted by both computers. The client has an IPSec certificate for client.company.local (its FQDN), and the server has two certificates, one for vpn.company.local (its internal FQDN) and one for vpn.company.com (the hostname used by clients for connection). The CRL is published to a location where it is accessible by all computers (internally and from the Internet, too). The CDP is http://cert.company.com/Company%20Root%20CA.crl. It can be downloaded from both the client and the server -- I've double-checked it. The CRL is up to date and valid. I've already tried installing only one certificate on the server (first only the internal, then only the external), but no difference.

What am I missing here? How can I debug the L2TP/IPSec client? How can I find out why the client fails the Security Association?
February 17th, 2011 11:44am
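The "Verify the Name and Usage attributes" option makes the Windows VPN client check two things about the certificate the server presents during IKE: that the name the client dialed appears as the certificate's subject CN or as a DNS entry in its Subject Alternative Name, and that the certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1). A certificate issued from an "IPSec" template typically carries only the IP security IKE intermediate EKU (1.3.6.1.5.5.8.2.2), which satisfies IPsec but not that Usage check. The following PowerShell script is an added example written for this thread, not something the original poster or the responders supplied; it walks the server's local machine store and reports, per certificate with a private key, whether each of those two conditions holds. The default hostname (vpn.company.com) and store path are assumptions taken from the question and can be overridden as parameters.

```powershell
# Added example (not from the thread): reports whether each server certificate in
# the local machine store would pass the Windows VPN client's "Verify the Name and
# Usage attributes of the server's certificate" check. Run on the VPN server from
# an elevated PowerShell prompt. Default values below are assumptions for illustration.
param(
    [string]$DialedHost = 'vpn.company.com',       # name the clients dial (from the question)
    [string]$StorePath  = 'Cert:\LocalMachine\My'  # store RRAS selects the server certificate from
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required by the Usage check
$IkeIntermOid  = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate, what "IPSec" templates issue

function Test-VpnServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )

    # Names the certificate asserts: the subject CN plus every DNS entry of the SAN extension.
    $names = @()
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }

    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # On Windows, Format($false) renders the SAN as "DNS Name=a, DNS Name=b, ..."
        $names += @($sanExt.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }

    # EKU OIDs present; a certificate without an EKU extension is valid for any purpose.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # New-Object PSObject keeps this compatible with the PowerShell 2.0 that ships on Windows 7.
    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        Names         = ($names -join ', ')
        NameMatches   = [bool]($names | Where-Object { $_ -ieq $HostName })
        EKUs          = ($ekus -join ', ')
        HasServerAuth = ((-not $ekuExt) -or ($ekus -contains $ServerAuthOid))
        IkeOnly       = (($ekus -contains $IkeIntermOid) -and -not ($ekus -contains $ServerAuthOid))
    }
}

# Only certificates with a private key can be offered by the server during IKE.
Get-ChildItem $StorePath |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-VpnServerCertificate -Cert $_ -HostName $DialedHost } |
    Format-List Thumbprint, Names, NameMatches, EKUs, HasServerAuth, IkeOnly
```

Read the output against the two conditions: NameMatches must be True for the certificate the server actually uses, and HasServerAuth must be True. A certificate showing IkeOnly = True was cut from an IPsec-style template and will be rejected once the client enforces the Usage attribute; reissuing it from a template that includes Server Authentication (keeping the IKE intermediate EKU as well) addresses that class of failure without touching the CRL, which the question already shows to be reachable.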

Hi MartonSz,

Thanks for posting in Microsoft TechNet forums. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support.

Best Regards,
Miya Yao
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 17th, 2011 11:45pm

MartonSz,

On the RAS server run the following command and look for the issuing CA cert:

certutil -enterprise NTAuth > NTAuthCA.txt

Also running the IPsec diagnostic tool on the client while reproducing the issue will give you some good information. If you need assistance analyzing the wfpdiag log then you will need to open a case with Microsoft Support. Please visit the below link to see the various paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

Regards,
Clark Satter
Microsoft Online Community Support

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 6th, 2011 9:58am
