IKEv2 Machine Certificate Authentication

    Question

  • In http://blogs.technet.com/b/rrasblog/archive/2009/06/10/what-type-of-certificate-to-install-on-the-vpn-server.aspx I read:

    [quote]

    For IKEv2 machine certificate authentication: Ensure the trusted root certificate store on the VPN Server contains **only** the trusted root certificate that matches the trust chain with which the client will send the machine certificate. And you MUST delete all the other trust chains on the VPN Server – to avoid any malicious client machine having a certificate with one of those trust chains being able to successfully connect to this VPN server using IKEv2 machine certificate authentication.

    [/quote]

    Is this still true with a Windows 2008 R2 SP1 RRAS server?

    If so, IKEv2 behaves quite differently than the IPsec AuthN in the L2TP/IPsec VPN solution where the client must present a certificate from the same Root CA as the RRAS server.

    Thanks,
    Stefaan

    Friday, April 1, 2011 2:05 PM

Answers

  • Hi Tiger Li,

    after some testing I can confirm that IKEv2 accepts any certificate presented by the client as long as the issuing CA is trusted by the RRAS server. That's definitely not the case with L2TP/IPsec (IKEv1). Here the client must present a certificate issued by the same CA as the one used by the RRAS itself.

    Best Regards,
    Stefaan

    • Marked as answer by spouseele Tuesday, April 12, 2011 7:55 AM
    Tuesday, April 12, 2011 7:55 AM

All replies

  • Hi Stefaan,

    Thanks for posting here.

    > Is this still true with a Windows 2008 R2 SP1 RRAS server?

    Based on my knowledge this mechanism has not been changed since service pack 1 was released.

    Windows Server 2008 R2 Service Pack 1

    http://technet.microsoft.com/en-us/library/ff817647(WS.10).aspx

    For more information please refer to the links below:

    Enhancements to VPN Reconnect in W7 RC

    http://blogs.technet.com/b/rrasblog/archive/2009/05/11/enhancements-to-vpn-reconnect-in-w7-rc.aspx

    About Remote Access with VPN Reconnect

    http://technet.microsoft.com/en-us/library/dd637803(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, April 4, 2011 3:10 AM
  • Hi Stefaan,

    Please feel free to let us know if the information was helpful to you.

    Thanks,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    Wednesday, April 6, 2011 1:03 AM
  • Hi Tiger Li,

    how will I put it nicely...

    If IKEv2 with machine certificate authentication doesn't behave like the IPsec AuthN part in the L2TP/IPsec VPN solution, then it is rather useless. Manually tuning the computer Root certificate store is a bad idea because it is, as far as I know, managed by Windows Update.

    In the next weeks I will try to test this scenario.

    Best Regards,
    Stefaan

    • Marked as answer by spouseele Tuesday, April 12, 2011 7:47 AM
    • Unmarked as answer by spouseele Tuesday, April 12, 2011 7:48 AM
    Wednesday, April 6, 2011 11:39 AM
  • From Windows 2012 onwards you can configure which CA to accept for the IKEv2 client certificates. This is done through PowerShell: Set-VpnAuthProtocol -RootCertificateNameToAccept.

    Regards,
    Stefaan

    • Proposed as answer by WageN Wednesday, November 15, 2017 9:56 AM
    Monday, August 18, 2014 2:17 PM
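  • The pinning step from the last reply, worked through as an added example (not code from the thread or from Microsoft): it lists every root the RRAS server currently trusts, which is the set of CAs whose client certificates IKEv2 accepts when nothing is pinned, then restricts acceptance to one root with Set-VpnAuthProtocol and verifies the result with Get-VpnAuthProtocol. It assumes Windows Server 2012 or later with the RemoteAccess module, and the root CA subject "CN=Contoso Root CA" is a constructed placeholder.

    ```powershell
    # Added example (not from the thread). Pins the single root CA that IKEv2
    # machine-certificate clients must chain to, on Windows Server 2012+ RRAS.
    # Assumptions: RemoteAccess module present; the enterprise root's subject
    # contains the placeholder "CN=Contoso Root CA" (constructed value).
    Import-Module RemoteAccess

    $pinnedSubject = 'CN=Contoso Root CA'   # placeholder: replace with your root's CN

    # Defender's view of the pre-2012 behaviour described in the thread: with nothing
    # pinned, a client certificate chaining to ANY root in this store is accepted.
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root
    Write-Host ("{0} trusted roots present; without pinning, clients from any of them are accepted" -f $roots.Count)
    $roots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

    # Select exactly one root by subject; fail closed if the match is ambiguous or missing.
    $pinned = @($roots | Where-Object { $_.Subject -like "*$pinnedSubject*" })
    if ($pinned.Count -ne 1) {
        throw "Expected exactly one root matching '$pinnedSubject', found $($pinned.Count)"
    }

    # Restrict IKEv2 machine-certificate authentication to that root only.
    # -RootCertificateNameToAccept takes the X509Certificate2 object itself.
    Set-VpnAuthProtocol -RootCertificateNameToAccept $pinned[0] -PassThru

    # Verify: the configured root must be the one we selected. The property is
    # compared as text so the check works whether it is reported as a certificate
    # object or as a subject string.
    $current = Get-VpnAuthProtocol
    if ("$($current.RootCertificateNameToAccept)" -notlike "*$pinnedSubject*") {
        throw 'RootCertificateNameToAccept does not reflect the pinned root'
    }
    Write-Host "IKEv2 client certificates now restricted to root $($pinned[0].Thumbprint)"

    # The new setting is applied to IKEv2 negotiations after the service restarts:
    # Restart-Service RemoteAccess
    ```

    The root listing at the top is the audit a defender wants on a 2008 R2 server too, since there pinning is not available and every listed root is an accepted issuer.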