RRAS IKEv2 VPN CRL Checking

    Question

  • Hi All, 

    I've installed a RRAS (Win2016) as an IKEv2 VPN server. The VPN authentication is configured to use a machine certificate on the clients. The clients (Windows 10) receive a computer certificate from an internal CA. So far everything is working as expected. Clients are connecting without any problems. To tighten the security I want to revoke certificates when necessary. When I revoke a certificate of a client and publish the CRL, clients are still able to connect. I double checked the CRL and confirmed the revoked certificate is on the list.

    I already tried this setting: Netsh ipsec dynamic set config property=strongcrlcheck value=2

    Any tips?

     

    Monday, February 26, 2018 1:23 PM

All replies

  • I also have this issue. Did you manage to find an answer?
    Friday, May 11, 2018 10:28 AM
  • Hi,

    Thanks for your question.

    Please try the following steps to see if it could be of help.

    1 Please check if this certificate was deleted from the personal certificates store of the PC. Type the command certmgr in the Run dialog.

    2 Check the local CRL cache if it exists, and delete the cache via the command below.

    certutil -urlcache crl delete

    You could check its cache with the following thread:

    http://www.b-blog.info/en/viewing-and-deleting-the-ocsp-and-crl-cache-on-windows.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    3 You can use a network monitor tool to capture the trace for the VPN connection authentication, to see if there is a newly re-generated cert being exchanged and authenticated.

    4 If the client has a newly re-generated cert, we'll next check if user certificate auto-enrollment is configured for domain clients in the domain group policy. If auto-enrollment is configured, it will re-generate certificates for rightful domain users.

    You may refer to the following article to check GPO settings.

    https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

    Hope this helps. If you have any questions and concerns, please feel free to let me know.

    Have a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 14, 2018 9:05 AM
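    As an added example (not part of the thread), the following PowerShell script puts steps 1 and 2 of the reply into a repeatable check: it locates the client's machine certificate, downloads the CRL from the certificate's own HTTP CRL Distribution Point, reports whether that certificate's serial number is actually listed, and then flushes the local CRL cache so a stale copy cannot mask the revocation. It assumes the certificate is in Cert:\LocalMachine\My, that the CDP is an HTTP URL, and that the operator supplies the thumbprint; the cache flush uses the certutil -urlcache command from the reply plus certutil -setreg chain\ChainCacheResyncFiletime @now.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the VPN client
# (or on the RRAS server with the client's certificate exported to the machine store).
param(
    [Parameter(Mandatory)] [string]$Thumbprint   # placeholder: the revoked client cert's thumbprint
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

# Step 1 from the reply, done programmatically: the cert is still present, so show what we are testing.
Write-Host "Subject : $($cert.Subject)"
Write-Host "Serial  : $($cert.SerialNumber)"

# Pull the HTTP CRL Distribution Point URLs out of the certificate (OID 2.5.29.31).
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw 'Certificate carries no CRL Distribution Point extension; CRL checking cannot work for it.' }
$cdpUrls = [regex]::Matches($cdpExt.Format($true), 'URL=(http[^\s]+)') | ForEach-Object { $_.Groups[1].Value }
if (-not $cdpUrls) { throw 'No HTTP CDP found; only LDAP or no URLs are present.' }

# certutil prints serial numbers as hex without spaces; compare case-insensitively.
$serial = $cert.SerialNumber.ToLower()

foreach ($url in $cdpUrls) {
    $crlFile = Join-Path $env:TEMP 'cdp-check.crl'
    Invoke-WebRequest -Uri $url -OutFile $crlFile -UseBasicParsing
    $dump = certutil -dump $crlFile | Out-String

    # Validity window tells you whether the CA has actually republished since the revocation.
    ($dump -split "`n") | Where-Object { $_ -match 'ThisUpdate|NextUpdate' } |
        ForEach-Object { Write-Host ("  " + $_.Trim()) }

    if ($dump.ToLower() -match "serial number:\s*$serial") {
        Write-Host "REVOKED : serial $serial is listed in $url" -ForegroundColor Yellow
    } else {
        Write-Host "NOT LISTED: serial $serial is absent from $url (republish the CRL?)" -ForegroundColor Red
    }
}

# Step 2 from the reply: discard cached CRLs so the next IKEv2 handshake fetches a fresh one,
# and reset the chain cache so cached chain results are rebuilt.
certutil -urlcache crl delete | Out-Null
certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null
Write-Host 'Local CRL and chain caches cleared; reconnect the VPN and re-test.'
```

If the serial is listed in the freshly downloaded CRL yet the client still connects after the cache is cleared, the problem is on the RRAS side of the IKEv2 negotiation rather than CRL publication, which is what the network trace in step 3 is meant to confirm.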
  • Hi,

    How are things going on? Was your issue resolved?

    If you would like further assistance, please feel free to let us know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 15, 2018 3:08 PM