
L2TP VPN - error 810 with non-domain clients

RRAS, VPN, TS/RDP, Routing and remote Access.

L2TP VPN - error 810 with non-domain clients

Postby guest » Sun Aug 26, 2012 12:16 am

I have successfully set up an L2TP VPN server with MS TMG 2010. The clients that are part of the domain can successfully establish the connection.

I have my own CA that I use to generate the certificates.

When I generate the exact same certificate with the same CA for a client that is not part of any domain then I get the 810 error.

Specifically, the client I am testing is on Windows 7. It belongs to a WORKGROUP (Windows default) and it is freshly installed with nothing else on it. It is called "burgvpc-PC".
I have tested with another non-domain client - same problem.

I made sure that the CA certificate is in the client's stores (in Trusted Root and Intermediate Certification Authorities - for both user and computer stores).

I also have the client certificate in the computer store.

In the VPN trace logs on the client, the only relevant information I get is "RASDiag: Mapping to new errorcode: 810 (ERROR_VPN_BAD_CERT) instead of 786 (ERROR_OKLEY_NO_CERT)"
There is no information about why Windows considers it a bad certificate.

I have also tried the subject name for the certificate to be both "burgvpc-PC" and "burgvpc-PC.WORKGROUP" - both give the same error.

Does anyone have any idea how the certificate should be different when the client is not part of the domain?
Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com

Troubleshooting Vista Wireless
http://chicagotech.net/
guest
 
Posts: 10191
Joined: Mon Nov 27, 2006 1:10 pm

Re: L2TP VPN - error 810 with non-domain clients

Postby guest » Sun Aug 26, 2012 12:16 am

I got it solved now, although I cannot say exactly what the issue was.

The link you posted did not really solve this issue, but I am sure it will help a whole lot of other people.

What I did was to remove all the CA certificates of my CA in all stores and also all the client computer certificates.

I then imported the client certificate again in the MMC console by right-clicking on the Personal Certificate store of the Computer store and telling it to store in that store where I had right-clicked.
The CA certificate I imported in the same way, but I chose the Trusted Root Certification Authority of the computer store.

This time it worked.

I don't know the exact problem, because previously I had the exact same certificates in the exact same places.
Although previously, when I imported certificates, I had imported the CA and client certificate into my User stores and then just copied/pasted them from there into the computer store - don't know if that caused an issue?
I did it this way because when you double-click a PFX file to import and you use the defaults then it imports the certificate to the User store and not the computer store.

So for the record, the details on my client cert:

Subject Common Name: burgvpc-PC
Public Key: RSA 2048 Bits
Signature Algorithm: sha1RSA
Signature hash algorithm: sha1
Enhanced Key Usage (EKU): Server Authentication, Client Authentication
Key Usage: Digital Signature, Key Encipherment
Thumbprint algorithm: sha1

Note that I did not need to add WORKGROUP or anything like that to the subject - just the computer name was fine.
Also, my CA's CRL URL is not accessible from the client, and for L2TP it does not need to be - only for SSTP it does.

So it seems to have been an issue with the CA certificate imports.
guest
 
Posts: 10191
Joined: Mon Nov 27, 2006 1:10 pm
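To check a Windows client against the conditions the reply above ended up with (client certificate with a private key in the computer's Personal store rather than the user store, Client Authentication EKU, and the issuing CA's root in the computer's Trusted Root store), here is an added PowerShell audit script; it is not from the thread. The CA subject match string is a placeholder you replace with part of your own CA's subject, and revocation checking is skipped because the post notes the CRL is unreachable for L2TP.

```powershell
# Added example (not from the thread): audit local certificate stores for an L2TP client.
# $CaSubjectMatch is a placeholder; set it to a substring of your CA certificate's Subject.
function Test-L2tpClientCert {
    param([string]$CaSubjectMatch = "MyCA")   # placeholder CA name, adjust to your CA
    $findings = @()
    $clientAuthOid = "1.3.6.1.5.5.7.3.2"      # Client Authentication EKU
    # 1. The client certificate must live in the *computer* Personal store, with its private key.
    $machineCerts = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Issuer -match $CaSubjectMatch }
    if (-not $machineCerts) {
        $findings += "No certificate issued by '$CaSubjectMatch' with a private key in Cert:\LocalMachine\My."
    }
    # 2. A copy sitting only in the user's store is the situation the post describes as not working.
    $userCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -match $CaSubjectMatch }
    if ($userCerts -and -not $machineCerts) {
        $findings += "CA-issued certificate found only in Cert:\CurrentUser\My; L2TP machine authentication uses the computer store."
    }
    foreach ($cert in $machineCerts) {
        # 3. EKU must include Client Authentication (an empty EKU list means 'any purpose').
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($ekus.Count -gt 0 -and $ekus -notcontains $clientAuthOid) {
            $findings += "$($cert.Subject): EKU lacks Client Authentication ($clientAuthOid)."
        }
        # 4. Key Usage should allow Digital Signature, as in the working certificate from the post.
        $kuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        if ($kuExt -and -not ($kuExt.KeyUsages -band
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
            $findings += "$($cert.Subject): Key Usage does not include Digital Signature."
        }
        # 5. The chain must build, and its root must be present in the *computer* Trusted Root store.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL unreachable from the client, per the post
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
            $findings += "$($cert.Subject): chain does not build: $status"
        }
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root |
                Where-Object { $_.Thumbprint -eq $root.Thumbprint }
            if (-not $inMachineRoot) {
                $findings += "Root '$($root.Subject)' is not in Cert:\LocalMachine\Root (only user store?)."
            }
        }
    }
    if ($findings.Count -eq 0) { return @("OK: client certificate and CA root are in the computer stores.") }
    return $findings
}

Test-L2tpClientCert -CaSubjectMatch "MyCA"   # replace "MyCA" with your CA's subject name
```

Run it in an elevated PowerShell on the client; each line of output names one condition from the thread that is not met.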

