IPSEC Stopped Working - Network



Thread: IPSEC Stopped Working

  1. IPSEC Stopped Working

    I had IPSEC working between two machines, one outside our firewall and one
    inside our firewall. I was using certificates for authentication. The
    machine outside the firewall is running IIS 6 in IIS 5 mode and it has a
    separate certificate for server authentication. The machine inside the
    firewall also has a non-IPSEC certificate for identification purposes (it is
    necessary for the software that we are running). The two non-IPSEC
    certificates expired (the IPSEC certificates are fine) and were replaced.
    Now IPSEC has quit working. The error that I am seeing is:
    IKE failed to find valid machine certificate

    Any thoughts on how to resolve this?

    TIA.

  2. Re: IPSEC Stopped Working

    Likely re-hashing some old data but just in case.....

    IPsec provides the ability to authenticate computers during IKE using
    certificates. All certificate validation is performed by the Cryptographic
    API (CAPI). IKE simply serves to negotiate which certificates to use and
    provides security for the exchange of the certificate credentials. The IPsec
    policy specifies which root certificate authority (CA) to use, not which
    specific certificate to use. Both sides must have a common root CA in their
    IPSec policy configuration.

    Here are the requirements for the certificate to be used for IPsec:

    • Certificate stored in computer account (machine store)
    • Certificate contains an RSA public key that has a corresponding private
    key that can be used for RSA signatures.
    • Used within certificate validity period
    • The root certificate authority is trusted
    • A valid certificate authority chain can be constructed by the CAPI module

    So at the end of the day, IPsec does not require the machine certificate to
    be an IPsec type of certificate (based on OID/EKU), because existing
    certificate authorities may not issue these types of certificates.

    Question:
    If you open the Certificates MMC snap-in and target the local machine, in
    the Personal store, does each machine have a valid machine/workstation
    authentication certificate that meets the above requirements?

    Jason







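    The check Jason asks for, as an added example that is not part of the
    original thread: a PowerShell script that walks the local machine's
    Personal store and tests each certificate against the requirements he
    lists (machine store, RSA key with a loadable private key, inside its
    validity period, chain builds to a trusted root) and against the root CA
    the IPsec policy names. $PolicyRootThumbprint is a placeholder assumption;
    take the real thumbprint from your policy's authentication method or from
    the root CA certificate. It assumes an elevated Windows PowerShell 5.x
    (or newer) session, which is needed for the private-key probe and for
    reading the machine store.

```powershell
# Added example, not part of the thread. Lists every certificate in the
# local machine's Personal store and checks it against the IPsec/IKE
# certificate requirements described above. Run elevated on each peer.

# ASSUMPTION: thumbprint of the root CA named in the IPsec policy's
# authentication method. Placeholder value; replace with the real one.
$PolicyRootThumbprint = '0000000000000000000000000000000000000000'

$now    = Get-Date
$rsaOid = '1.2.840.113549.1.1.1'   # szOID_RSA_RSA: RSA public key algorithm

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {

    # Requirement: RSA public key with a private key CAPI can actually load.
    # HasPrivateKey only says a key is associated; try to open it to be sure.
    $isRsa = $cert.PublicKey.Oid.Value -eq $rsaOid
    $privateKeyUsable = $false
    if ($cert.HasPrivateKey -and $isRsa) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $privateKeyUsable = ($null -ne $rsa)
        } catch { $privateKeyUsable = $false }
    }

    # Requirement: used within the validity period.
    $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    # Requirement: a chain to a trusted root can be built. Revocation is set
    # to NoCheck so an unreachable CRL does not mask the chain result; use
    # 'Online' instead to mirror a strict CRL check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($cert)
    $rootThumbprint = $null
    if ($chain.ChainElements.Count -gt 0) {
        # The last element of a built chain is the (self-signed) root.
        $rootThumbprint = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }
    $chain.Reset()

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        # EKU is informational only: IPsec does not require an IPsec EKU.
        EKU            = (($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join '; ')
        RsaPrivateKey  = $privateKeyUsable
        InValidity     = $inValidity
        ChainBuilds    = $chainBuilds
        RootThumbprint = $rootThumbprint
        # All requirements met AND chains to the root the policy names:
        # a certificate IKE can select.
        IkeEligible    = $privateKeyUsable -and $inValidity -and $chainBuilds -and ($rootThumbprint -eq $PolicyRootThumbprint)
    }
}

$report | Sort-Object IkeEligible, NotAfter -Descending | Format-Table -AutoSize

if (-not ($report | Where-Object IkeEligible)) {
    Write-Warning 'No certificate in Cert:\LocalMachine\My meets every requirement for the policy root CA; this is the condition behind "IKE failed to find valid machine certificate".'
}
```

    Read the table on both peers. A certificate that has expired but still
    chains to the policy root shows InValidity = False and drops out of
    IkeEligible. If more than one row is eligible, IKE can select any of
    them, because, as Jason says, the policy names a root CA rather than a
    specific certificate; a certificate issued for some other purpose by the
    same CA is just as eligible as the one intended for IPsec, so check what
    each eligible row is actually for before assuming the "right" one is in
    use.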
  3. Re: IPSEC Stopped Working

    Yes, they meet them. The weird thing is that one set of certificates expired
    and it seems that they were the ones being used by IPSEC instead of the ones
    that were made explicitly for usage by IPSEC. I have it working using
    preshared keys. I have redone the certificates that expired but I have not
    tried to use them as the IPSEC certificates. I guess I will try that.
    Thanks for your help.


