How to create offline L2TP/IPSec Certificates

Author:

Jesper Hanno MVP

COMMUNITY SOLUTIONS CONTENT DISCLAIMER

MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.

SYMPTOMS

When clients that are not domain members want to establish a VPN connection to ISA Server 2004 using L2TP/IPSec, you need to request an IPSec certificate on behalf of the client. This article describes how to install and configure an enterprise certification authority (Certificate Services) and how to create a certificate request for computers that are not domain members. Please note that you need Microsoft Windows Server 2003 Enterprise Edition to create the L2TP/IPSec template.

CAUSE

You need to create a custom certificate template in order to issue certificates offline to a computer that is not a domain member.

RESOLUTION

In This Task
 
Summary
How to Install the Certificate Services
How to create a custom MMC
How to create a custom L2TP/IPSec (Offline request) template
How to issue a custom L2TP/IPSec (Offline request) template
How to request a L2TP/IPsec Certificate to ISA Server 2004
How to export a PFX certificate to ISA Server 2004
How to import the certificates to ISA Server 2004
How to request a L2TP/IPSec Certificate to the Offline Client
How to export a PFX certificate to the Offline Client
How to import the certificates to the Offline Client
Additional Information
 
 
Summary
 
When clients that are not domain members want to establish a VPN connection to ISA Server 2004 using L2TP/IPSec, you need to request an IPSec certificate on behalf of the client. This article describes how to install and configure an enterprise certification authority (Certificate Services) and how to create a certificate request for computers that are not domain members. Please note that you need Microsoft Windows Server 2003 Enterprise Edition to create the L2TP/IPSec template.
 
 
 
How to Install the Certificate Services
 
The first step is to install the Certificate Services and Internet Information Services (IIS).
 
On the Server you wish to install Certificate Services and Internet Information Services
Click Start, click Control Panel, click Add/Remove Programs, click Add/Remove Windows Components
Select Application Server, click Details
Select Internet Information Services (IIS), click Details
Scroll down and put a check mark in World Wide Web Service, click Ok
Put a check mark in Certificate Services, click Yes to the warning about machine name
Click Next
On the CA Type page, leave the default settings (Enterprise root CA), click Next
On the CA Identifying Information page, give the root CA a name such as Company Name Enterprise Root CA; you might also change the Validity period to 10 or 20 years. Click Next
On the Certificate Database Settings page, click Next
Click Yes to the warning that Active Server Pages (ASPs) must be enabled in Internet Information Services (IIS)
On the Completing the Windows Components Wizard page, click Finish
 
 
How to create a custom MMC
 
In order to manage the certificate templates and export certificates you need to create a custom Microsoft Management Console (MMC).
 
On the Certificate Server
Click Start, click Run, type MMC, and then press Enter
Click File, and then click Add/Remove Snap in
Click Add, and then select Certificates from the list and click Add, select Computer account, click Next, select Local computer, click Finish
Select Certificate Templates from the list and click Add
Select Certification Authority from the list and click Add, select Local computer
Click Close, click Ok
 
 
How to create a custom L2TP/IPSec (Offline request) template
 
On the Certificate Server
Click Certificate Templates
Right click on IPSec (Offline request), select Duplicate Template
On the General page, type L2TP/IPSec (Offline request) in the Template display name field
You might change the Validity period
Select Request Handling page, set a checkmark in Allow private key to be exported
Click CSPs…, and select Requests can use any CSP available on the subject’s computer, click Ok
Click Ok
 
How to issue the custom L2TP/IPSec (Offline request) template
 
On the Certificate Server 
Expand Certification Authority (Local)
Expand <Enterprise Root CA Name>
Right click Certificate Templates, select New, click Certificate Template to Issue
On the Enable Certificate Templates page select L2TP/IPSec (Offline request) on the list and click Ok
 
 
How to request a L2TP/IPsec Certificate to ISA Server 2004
 
On the Certificate Server
Open Internet Explorer and browse to
Select Request a certificate
Select Advanced certificate request
Select Create and submit a request to this CA
In the Certificate Template, select L2TP/IPSec (Offline request)
In the Identifying Information For Offline Template, type the Fully Qualified Domain Name (FQDN) for the ISA Server 2004 in the Name field e.g. ISASrv.Domain.Local
Put a checkmark in Store certificate in the local computer certificate store
Click Submit
Click Yes to the Potential Scripting Violation box
Click Install this certificate
Click Yes to the Potential Scripting Violation box
 
 
 
How to export a PFX certificate to ISA Server 2004
 
 
On the Certificate Server
In the Custom Microsoft Management Console, expand Certificates (Local Computer)
Expand Personal
Expand Certificates
Right click on the certificate you just created, select All Tasks, select Export
On the Welcome to the Certificate Export Wizard page, click Next
On the Export Private Key page, select Yes, export the private key, click Next
On the Export file format page, leave the default and click Next
On the Password page, type a Password for the certificate, click Next
On the File to Export page, type a name for the certificate e.g. c:\L2TP Certificate for ISASRV.Domain.Local, click Next
On the Completing the Certificate Export Wizard page, click Finish
Click Ok
 
 
 
How to import the certificates to ISA Server 2004
 
First you need to import the certificate for the ISA Server 2004, and then import the Root Certificate for the new Enterprise Certificate Services.
 
To import the ISA Server 2004 certificate
 
Copy the c:\<name of the certificate server>_<name of the enterprise root CA>.crt from the Certificate Server to the ISA Server 2004 computer
Copy the c:\L2TP Certificate for ISASRV.Domain.Local.pfx from the Certificate Server to the ISA Server 2004 computer
On the ISA Server 2004
Create a custom MMC for the Certificates
Click Start, click Run, type MMC, and then press Enter
Click File, and then click Add/Remove Snap in
Click Add, and then select Certificates from the list and click Add, select Computer account, click Next, select Local computer, click Finish
Click Close, click Ok
Expand Certificates
Right click Personal, select All Tasks, select Import
On the Welcome to the Certificate Import Wizard page, click Next
On the File to Import page, type c:\L2TP Certificate for ISASRV.Domain.Local.pfx, click Next
On the Password page, type the Password for the certificate, click Next
On the Certificate Store page, select Place all certificates in the following store, and select Personal, click Next
On the Completing the Certificate Import Wizard page, click Finish
Click Ok
 
 
To import the Root Certificate
 
In the Custom Management Console on the ISA Server 2004
Expand Trusted Root Certification Authorities
Right click Certificates, select All Tasks, select Import
On the Welcome to the Certificate Import Wizard page, click Next
On the File to Import page, type c:\<name of the certificate server>_<name of the enterprise root CA>.crt, click Next
On the Certificate Store page, select Place all certificates in the following store, and select Trusted Root Certification Authorities, click Next
On the Completing the Certificate Import Wizard page, click Finish
Click Ok
 
Restart the ISA Server 2004 computer so that the IPSec policies take effect. After the restart, check for event IDs 4294 and 4295 in the System event log.
 
 
 
How to request a L2TP/IPSec Certificate to the Offline Client
 
 
On the Certificate Server
Open Internet Explorer and browse to
Select Request a certificate
Select Advanced certificate request
Select Create and submit a request to this CA
In the Certificate Template, select L2TP/IPSec (Offline request)
In the Identifying Information For Offline Template, type the Fully Qualified Domain Name (FQDN) for the non domain member computer in the Name field e.g. Remote.Client.Local
Put a checkmark in Store certificate in the local computer certificate store
Click Submit
Click Yes to the Potential Scripting Violation box
Click Install this certificate
Click Yes to the Potential Scripting Violation box
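The web-enrollment steps in the two request sections above (one for the ISA Server 2004, one for the offline client) can also be performed from the command line with certreq.exe and certutil.exe, which ship with Windows. The following PowerShell function is an added example and is not part of the original article. The CA configuration string, the scratch directory and above all the template name are assumptions: certreq needs the template's Name field (the console generates it when you duplicate a template), not the display name L2TP/IPSec (Offline request), so read it from the template's properties before use.

```powershell
# Added example, not from the original article: command-line equivalent of the
# web-enrollment request for the L2TP/IPSec (Offline request) template.
# ASSUMED values: $CAConfig, $TemplateName (template Name, not display name), $WorkDir.
function New-L2tpIpsecCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $SubjectFqdn,   # e.g. ISASrv.Domain.Local or Remote.Client.Local
        [Parameter(Mandatory = $true)] [string] $CAConfig,      # "<CA server FQDN>\<CA name>", see: certutil -dump
        [string] $TemplateName = 'L2TPIPSecOfflinerequest',      # ASSUMED; read it from the template's Properties, General tab
        [string] $WorkDir = 'C:\CertRequests'                    # ASSUMED scratch directory
    )

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $base = Join-Path $WorkDir $SubjectFqdn
    $inf = "$base.inf"; $req = "$base.req"; $cer = "$base.cer"

    # Check that the CA publishes the template before generating a key pair;
    # this is what 'Certificate Template to Issue' in the console achieves.
    $published = certutil -config $CAConfig -CATemplates 2>&1 | Out-String
    if ($published -notmatch [regex]::Escape($TemplateName)) {
        throw "Template '$TemplateName' is not issued by $CAConfig"
    }

    # Request settings mirror the template choices made in the article:
    # machine key store (local computer certificate store), exportable private key,
    # subject = FQDN of the computer that will use the certificate.
    @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$SubjectFqdn"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path $inf -Encoding ASCII

    certreq -new $inf $req | Out-Null
    if (-not (Test-Path $req)) { throw "certreq -new failed, inspect $inf" }

    certreq -submit -config $CAConfig $req $cer | Out-Null
    if (-not (Test-Path $cer)) { throw "CA did not issue a certificate (request pending or denied)" }

    # -accept pairs the issued certificate with its private key in LocalMachine\My,
    # the store that 'Store certificate in the local computer certificate store' targets.
    certreq -accept $cer | Out-Null

    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectFqdn" -and $_.HasPrivateKey }
}

# Usage (placeholder values):
# New-L2tpIpsecCertificate -SubjectFqdn 'Remote.Client.Local' -CAConfig 'CertSrv.Domain.Local\Company Name Enterprise Root CA'
```

Run it on the Certificate Server, as the web-enrollment steps do, so the private key is generated in that computer's machine store and can be exported with the certificate in the next section. The function returns the installed certificate object, which lets you confirm HasPrivateKey before exporting.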
 
How to export a PFX certificate to the Offline Client
 
On the Certificate Server
In the Custom Microsoft Management Console, expand Certificates (Local Computer)
Expand Personal
Expand Certificates
Right click on the certificate for the non domain computer, select All Tasks, select Export
On the Welcome to the Certificate Export Wizard page, click Next
On the Export Private Key page, select Yes, export the private key, click Next
On the Export file format page, leave the default and click Next
On the Password page, type a Password for the certificate, click Next
On the File to Export page, type a name for the certificate e.g. c:\L2TP Certificate for Remote.Client.Local, click Next
On the Completing the Certificate Export Wizard page, click Finish
Click Ok
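Both export sections above (for the ISA Server 2004 certificate and for the offline client certificate) can be scripted with certutil.exe on the Certificate Server. The following PowerShell function is an added example, not part of the original article; the output paths are placeholders, and the function additionally writes the CA certificate that the import sections expect to be copied to the target computer.

```powershell
# Added example, not from the original article. Exports the certificate and private key
# as a password-protected PFX, plus the CA certificate, using certutil.exe on the
# Certificate Server. $PfxPath and $RootCertPath are ASSUMED output locations.
function Export-L2tpPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $SubjectFqdn,   # e.g. Remote.Client.Local
        [Parameter(Mandatory = $true)] [string] $PfxPath,       # e.g. 'C:\L2TP Certificate for Remote.Client.Local.pfx'
        [Parameter(Mandatory = $true)] [string] $RootCertPath,  # where to write the CA certificate, e.g. 'C:\EnterpriseRootCA.crt'
        [Parameter(Mandatory = $true)] [string] $Password       # protects the private key inside the PFX
    )

    # Pick the newest certificate for this subject that still has its private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$SubjectFqdn in LocalMachine\My" }

    # certutil identifies the certificate by serial number. The export only succeeds
    # because the template set 'Allow private key to be exported'.
    certutil -p $Password -exportPFX My $cert.SerialNumber $PfxPath | Out-Null
    if (-not (Test-Path $PfxPath)) { throw "PFX export failed for serial $($cert.SerialNumber)" }

    # The target computer must trust the issuer, so also write out the CA certificate;
    # -ca.cert returns the local CA's own certificate when run on the Certificate Server.
    certutil -ca.cert $RootCertPath | Out-Null
    if (-not (Test-Path $RootCertPath)) { throw "Could not export the CA certificate" }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Serial     = $cert.SerialNumber
        Thumbprint = $cert.Thumbprint
        Pfx        = $PfxPath
        RootCert   = $RootCertPath
    }
}

# Usage (placeholder values):
# Export-L2tpPfx -SubjectFqdn 'Remote.Client.Local' -PfxPath 'C:\L2TP Certificate for Remote.Client.Local.pfx' `
#                -RootCertPath 'C:\EnterpriseRootCA.crt' -Password 'choose-a-strong-password'
```

The PFX holds the client's private key, so copy it to the target over a protected channel and remove the copy from the Certificate Server once the import has succeeded. The password is passed on the command line and therefore appears in the process list; enter it interactively rather than storing it in a script.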
 
 
 
How to import the certificates to the Offline Client
 
First you need to import the certificate for the Remote.Client.Local computer, and then import the Root Certificate for the new Enterprise Certificate Services.
 
To import the Remote.Client.Local certificate
 
Copy the c:\<name of the certificate server>_<name of the enterprise root CA>.crt from the Certificate Server to the non domain member computer
Copy the c:\L2TP Certificate for Remote.Client.Local.pfx from the Certificate Server to the non domain member computer
On the non domain member computer
Create a custom MMC for the Certificates
Click Start, click Run, type MMC, and then press Enter
Click File, and then click Add/Remove Snap in
Click Add, and then select Certificates from the list and click Add, select Computer account, click Next, select Local computer, click Finish
Click Close, click Ok
Expand Certificates
Right click Personal, select All Tasks, select Import
On the Welcome to the Certificate Import Wizard page, click Next
On the File to Import page, type c:\L2TP Certificate for Remote.Client.Local.pfx, click Next
On the Password page, type the Password for the certificate, click Next
On the Certificate Store page, select Place all certificates in the following store, and select Personal, click Next
On the Completing the Certificate Import Wizard page, click Finish
Click Ok
 
 
To import the Root Certificate
 
In the Custom Management Console on the non domain member computer
Expand Trusted Root Certification Authorities
Right click Certificates, select All Tasks, select Import
On the Welcome to the Certificate Import Wizard page, click Next
On the File to Import page, type c:\<name of the certificate server>_<name of the enterprise root CA>.crt, click Next
On the Certificate Store page, select Place all certificates in the following store, and select Trusted Root Certification Authorities, click Next
On the Completing the Certificate Import Wizard page, click Finish
Click Ok
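The import steps for the ISA Server 2004 and for the offline client are the same, and so is the check a practitioner wants afterwards: that the certificate landed in the machine Personal store with its private key, that it carries the IPSec EKU, that it chains to the root just placed in Trusted Root Certification Authorities, and that the IPSec policy events mentioned above appear after the restart. The following PowerShell is an added example, not part of the original article; the file paths and FQDN are placeholders, and the EKU check relies on the IPSec (Offline request) template the custom template was duplicated from, whose application policy is IP security IKE intermediate (OID 1.3.6.1.5.5.8.2.2).

```powershell
# Added example, not from the original article. Imports the PFX and the CA certificate
# on the target computer (ISA Server 2004 or the non domain member) with certutil.exe,
# then verifies what the MMC steps above should have achieved. Paths and FQDN are placeholders.
function Import-L2tpCertificates {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,      # e.g. 'C:\L2TP Certificate for Remote.Client.Local.pfx'
        [Parameter(Mandatory = $true)] [string] $RootCertPath, # the CA certificate copied from the Certificate Server
        [Parameter(Mandatory = $true)] [string] $Password
    )
    # -importPFX targets the machine Personal store (Computer account / Local computer in the MMC).
    certutil -p $Password -importPFX $PfxPath | Out-Null
    # The issuer goes into the machine's Trusted Root Certification Authorities store.
    certutil -addstore Root $RootCertPath | Out-Null
}

function Test-L2tpCertificate {
    param([Parameter(Mandatory = $true)] [string] $SubjectFqdn)

    # EKU of the IPSec (Offline request) template: IP security IKE intermediate.
    $ikeIntermediateOid = '1.3.6.1.5.5.8.2.2'

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectFqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "CN=$SubjectFqdn not found in LocalMachine\My" }

    # Extract the Enhanced Key Usage OIDs (extension 2.5.29.37).
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # Build the chain against the machine stores. Revocation is skipped here because
    # the purpose of this check is trust in the imported root, not CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    $rootPresent = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $cert.Issuer })

    # IPSec policy events the article says to look for after the restart.
    $ipsecEvents = @(Get-EventLog -LogName System -Newest 500 |
        Where-Object { @(4294, 4295) -contains $_.EventID })

    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        HasPrivateKey    = $cert.HasPrivateKey
        IkeIntermediate  = ($ekus -contains $ikeIntermediateOid)
        NotAfter         = $cert.NotAfter
        ChainBuilds      = $chainOk
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        RootInTrustStore = $rootPresent
        IpsecEventCount  = $ipsecEvents.Count
    }
}

# Usage (placeholder values):
# Import-L2tpCertificates -PfxPath 'C:\L2TP Certificate for Remote.Client.Local.pfx' `
#                         -RootCertPath 'C:\EnterpriseRootCA.crt' -Password 'the-export-password'
# Test-L2tpCertificate -SubjectFqdn 'Remote.Client.Local'
```

A healthy result shows HasPrivateKey, IkeIntermediate, ChainBuilds and RootInTrustStore all True with an empty ChainStatus. HasPrivateKey False means the PFX was imported without its key (wrong file or a certificate-only export); ChainBuilds False with RootInTrustStore False means the CA certificate ended up in the wrong store, typically the user's rather than the computer's. Run the event check only after the restart the article calls for.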

MORE INFORMATION

After this step-by-step guide is completed, you can create a new connection from a remote non domain member to the ISA Server 2004. Remember to configure ISA Server 2004 to accept inbound VPN connections and to create a Firewall rule that allows traffic from the VPN Clients network to the Internal network. On the client side, remember to set the VPN type to L2TP IPSec VPN. To automate the client configuration, use the Connection Manager Administration Kit (CMAK).
Properties

Article ID: 555281 - Last Review: 14 Feb 2017 - Revision: 1

Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
