How to configure verification of additional fields in peer certificates during IKE negotiation for L2TP/IPsec tunnel connections in Windows Vista

This article discusses how to disable verification of additional fields in peer certificates during Internet Key Exchange (IKE) negotiation for Layer 2 Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) tunnel connections in Windows Vista.

Windows Vista strengthens IKE Layer authentication for L2TP/IPsec tunnel connections by verifying the following:

• That the name or the IP address of the peer with which the computer seeks to communicate corresponds to one of the following fields on the certificate that is presented during the IKE negotiation:
  • The subject-alternative-name field
  • The subject-name field
• That other certificate fields on the certificate that is presented by the peer were assigned for authentication purposes. These other certificate fields include the extended key usage (EKU) field.
• That the certificate that is presented by the peer chains to the correct root certificate. The correct root certificate is specified in the IPsec policy.

However, these additional checks may cause IKE negotiation to fail. For example, IKE negotiation may fail when a Windows Vista client is trying to connect to an authentic Routing and Remote Access server. In this scenario, if the computer certificate that is deployed on the Routing and Remote Access server does not have one or more of the verified fields set correctly, IKE negotiation fails. Therefore, L2TP tunnel connection setup also fails. We do not recommend that an administrator change the computer certificate on a working deployment to resolve this problem. In this scenario, the administrator may want to disable these additional checks.

Methods to disable additional checks that occur during IKE validation

Method 1: Use the rasapi32 RASENTRY structure

A new flag that is named RASEO2_DisableIKENameEkuCheck has been added to the dwfOptions2 member of the RASENTRY structure. If this flag is set to 1, additional checks that occur during IKE validation are not performed. A software developer can create a virtual private network (VPN) dialer that uses this flag to disable additional checks.

Method 2: Use the Connection Manager Administration Kit

When you use the Connection Manager Administration Kit (CMAK) Wizard to create a Connection Manager VPN dialer profile, additional checks that occur during IKE validation can be disabled. A new key that is named DisableIKENameEkuCheck is added when you use the CMAK Wizard's Advance Customization option to create a profile. This key is added in the "[Networking&TunnelDUN]" section of the .cms file. If the value of the key is set to 1, additional checks for the profile are disabled.

Method 3: Use the Network Connections window

When you use the Set Up A Connection Or Network Wizard in Windows Vista to create a VPN dialer, you can use the Properties dialog box for the dialer to disable additional checks. To do this, use the Verify name and usage attributes of the server’s certificate check box. To locate this check box, follow these steps:

1. Click Start
   Collapse this imageExpand this image

   
   , and then click Connect to.
2. Right-click the VPN connection, and then click Properties.
3. Click the Networking tab, and then click IPsec Settings.
4. Click User certificate for authentication. The Verify name and usage attributes of the server’s certificate check box is now available.

When you change this setting, the DisableIKENameEKUCheck key in the Rasphone.pbk file is changed. When you disable additional checks, the value of the key is set to 1. When you enable additional checks, the value of the key is set to 0.

Method 4: Use the registry

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Add a DWORD value that is named DisableIKENameEkuCheck to the following registry subkey: You can set this registry key to 1 to globally disable additional checks that occur during IKE validation for all VPN dialers on the computer. To do this, follow these steps:

1. Click Start
   Collapse this imageExpand this image

   
   , type regedit in the Start Search box, and then click Regedit in the Programs list.
   
   
   Collapse this imageExpand this image

   
   If you are prompted for an administrator password or for confirmation, type your password, or click Continue.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DisableIKENameEkuCheck for the name of the DWORD, and then press ENTER.
5. Right-click DisableIKENameEkuCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor, and then restart the computer.

Note If you use more than one of the methods in this section to disable additional checks, additional checks are disabled if any one of the settings is disabled.