Microsoft ISA L2TP IPSec with certs

haktan

Hi,

We have quite big troubles with getting Mac clients (Leopard) to connect to a Microsoft ISA Server for VPN. It seems that Leopard/OS X supports L2TP with certificates, but we have not been able to import certificates to the Mac and make them show up in the machine certificates.

Has anyone succeeded in using L2TP/IPsec with Microsoft ISA as the server and Leopard/Mac as the client? If yes, please tell how in detail, especially how to generate/import/export certificates in the respective systems.

Thanks in advance & Best regards

Haktan
 
Hi Haktan,

I'm having similar problems. My first effort to request a certificate for IPSEC (Offline Use) seemed to generate a certificate that imported into the System keychain without drama, but when I try to use it as a machine certificate, OS X complains that there is no valid certificate available. It can be selected for user authentication, rather than machine authentication, but then, when I try to connect, the L2TP client complains that the IPSEC certificate could not be found???

Have you had any luck getting this to work yet?

Thanks
 
Make sure you both are using the same NTP (time) server as the VPN server you are trying to connect to; this is important! Plus, is this VPN in the same subnet (do Windows machines reside in the same subnet and can they successfully connect), or are you trying the VPN through a firewall?

Lastly, do the "certs" show up in /Applications/Utilities/Keychain Access?

One More Thing: Maybe you could use the free IPSecuritas to see if it helps.
 
Hi Satcomer,

The Mac client and VPN server are both using NTP (albeit different servers), so the time stamp is the same give or take a couple of seconds.

We already have a number of XP and Vista clients using L2TP with certificates both internally and externally without any problem.

We use MS Certificate Server 2003 to create IPSEC Offline machine certificates for these clients, which I think is the crux of the problem here.

The certificate I generated using the Keychain utility's cert request wizard installed fine. The Root CA certs for the MS Certificate Server along with the generated IPsec certificate are all installed in the System keychain as directed and appear to be fine, but the L2TP client is looking for a machine certificate, not a user certificate, for authentication.

How can I generate a request for a machine certificate in OS X 10.5?

Thanks for your help.
 
Well, open /Applications/Utilities/Keychain Access, select "Certificates" in the left-hand column, and in the right-hand column find the certificate that work gave you for the VPN. Highlight that cert, right-click on it and select "Get Info". In the pop-up window, look through it.

Plus read this OSXHints entry to see if it helps you (be sure to read the comments in Article).
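The thread's crux is the difference between a user certificate and a machine certificate, and the advice to inspect the cert in Keychain Access. The script below is an added example, not from the thread and not Apple's or Microsoft's tooling: it mints a throwaway self-signed CA standing in for the MS Certificate Server, issues a machine certificate whose identity is the host and whose extended key usage carries the "IP security IKE intermediate" OID (1.3.6.1.5.5.8.2.2) that the Windows Server 2003 IPSEC (Offline request) template issues, packs key + cert + CA into a PKCS#12 file (the form Keychain Access imports as a certificate with a matching private key), and checks from the command line what you would otherwise read out of "Get Info": chain, validity and EKU. It also issues a plain user certificate to show what the check reports for one. Whether the Leopard client insists on that EKU is not established by the thread, so treat the check as what to look at, not a guaranteed fix. The host name, CA name, passphrase and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA, L2TP/IPsec machine cert,
# PKCS#12 bundle for the System keychain, and a command-line check of the
# properties the L2TP client and the ISA side care about. All names are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
MACHINE_FQDN="macbook01.example.local"   # assumed machine name: CN and SAN of the cert
IKE_INT_OID="1.3.6.1.5.5.8.2.2"          # EKU "IP security IKE intermediate"
P12_PASS="changeit"                      # assumed export passphrase

# Throwaway self-signed CA standing in for the MS Certificate Server.
make_ca() {
  cat > "$WORK/ca.ext" <<EOF
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Enterprise CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_cert NAME SUBJECT EXTFILE: new key + CSR, signed by the CA -> NAME.key / NAME.pem
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# Machine certificate: the identity is the host, and the EKU includes the IKE OID.
make_machine_cert() {
  cat > "$WORK/machine.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,$IKE_INT_OID
subjectAltName = DNS:$MACHINE_FQDN
EOF
  issue_cert machine "/CN=$MACHINE_FQDN" "$WORK/machine.ext"
  # Private key, cert and issuing CA in one .p12, so cert and key import together.
  openssl pkcs12 -export -inkey "$WORK/machine.key" -in "$WORK/machine.pem" \
    -certfile "$WORK/ca.pem" -name "$MACHINE_FQDN" -passout "pass:$P12_PASS" \
    -out "$WORK/machine.p12"
}

# A user certificate like the one the thread describes: chains fine, valid, no IKE EKU.
make_user_cert() {
  cat > "$WORK/user.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
EOF
  issue_cert user "/CN=Test User" "$WORK/user.ext"
}

# check_machine_cert CERT CA: prints "ok" or a space-separated list of problems.
check_machine_cert() {
  problems=""
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || problems="${problems:+$problems }untrusted-chain"
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 \
    || problems="${problems:+$problems }expired"
  # openssl prints the EKU either as the raw OID or, if it knows it, by name.
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' | grep -Eiq "$IKE_INT_OID|IKE.?Intermediate" \
    || problems="${problems:+$problems }no-ike-eku"
  printf '%s\n' "${problems:-ok}"
}

make_ca
make_machine_cert
make_user_cert
echo "machine cert: $(check_machine_cert "$WORK/machine.pem" "$WORK/ca.pem")"
echo "user cert:    $(check_machine_cert "$WORK/user.pem" "$WORK/ca.pem")"
echo "import $WORK/machine.p12 into the System keychain (passphrase: $P12_PASS)"
```

Against a real MS CA you would keep only the CSR step (submit the .csr to the CA with the IPSEC offline template, get the .pem back) and the PKCS#12 step; the check function works unchanged on a certificate exported from Keychain Access. One caveat for old importers: OpenSSL 3 writes PKCS#12 with AES and PBKDF2 by default, which older software may refuse; `openssl pkcs12 -export -legacy` produces the older RC2/3DES encoding.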
 