Deploying IPsec

Another one from the MS Press book. The exercise has you configuring Certificate Services for IPsec authentication: opening the Certificates snap-in for the computer account on the local computer, expanding Certificates, right-clicking Personal and choosing Request New Certificate. In the Certificate Request Wizard, on the Certificate Types page, you are supposed to select IPSec, but it isn't listed; the only options are Directory Email Replication, Domain Controller, and Domain Controller Authentication.
Why doesn't IPsec show up in the list?

Comments

  • Psoasman (Senior Member, Posts: 2,687)
    I believe you need to add the template. You would right-click the Certificate Templates folder, then choose the new template to issue, then select IPSec. This should add the IPSec template to your list of available templates to choose from.
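The same step from the command line, as an added example (not from the thread or the MS Press exercise): publish the built-in IPSec template on the enterprise CA and confirm the CA now offers it. It assumes you run it on the CA itself with CA-administrator rights, that PowerShell is installed (it was a separate download for Windows Server 2003), and that the template's common name is IPSECIntermediateOnline, which is what the "IPSec" display name maps to on a default installation.

```powershell
# Added example, not from the original post. Assumptions: run on the CA as a
# CA administrator; enterprise (AD-integrated) CA; template common name below.
$TemplateName = 'IPSECIntermediateOnline'   # display name "IPSec"

function Get-IssuedTemplates {
    # certutil -CATemplates prints one line per template the CA will issue,
    # e.g. "IPSECIntermediateOnline: IPSec -- Auto-Enroll: Access is denied."
    certutil -CATemplates
}

function Test-TemplateIssued([string]$Name) {
    $lines = Get-IssuedTemplates
    # -Quiet returns $true on a hit and nothing otherwise; coerce to a bool.
    [bool]($lines | Select-String -SimpleMatch -Quiet -Pattern "$($Name):")
}

if (Test-TemplateIssued $TemplateName) {
    Write-Host "$TemplateName is already published on this CA."
} else {
    # Same action as right-click Certificate Templates -> New -> Certificate Template to Issue.
    certutil -SetCATemplates "+$TemplateName"
    if (Test-TemplateIssued $TemplateName) {
        Write-Host "$TemplateName published; re-open the Certificate Request Wizard to see it."
    } else {
        Write-Warning "CA still does not list $TemplateName. Check that the template exists in AD (certutil -Template $TemplateName) and that this is an enterprise CA, not a stand-alone one."
    }
}
```

Publishing the template only makes the CA willing to issue it; the computer account doing the request still needs Enroll permission on the template's Security tab, or the wizard will not offer it either.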
  • Mikdilly (Member, Posts: 309)
    Psoasman wrote:
        I believe you need to add the template. You would right-click the Certificate Templates folder, then choose the new template to issue, then select IPSec. This should add the IPSec template to your list of available templates to choose from.

    Thanks, will try this.
  • Mikdilly (Member, Posts: 309)
    Mikdilly wrote:
        Thanks, will try this.

    Sorry, my fault, I missed a section of the exercise that covered exactly what you described in your post. Now, further on in the exercise, when you are configuring the IPsec policy in the GPO, on the 'Default response rule authentication method' page you are to click 'Use a certificate from this CA'. Click Browse; after clicking Browse I get:

    Active Directory does not contain a shared certificate store...

    Do you want to select a CA from the certificate store on the local computer?

    If I select Yes and finish the rest of the steps, I can't establish a connection between the 2 computers; negotiation failures in IPsec Monitor increase, and Event Viewer shows an event ID 547 with failure reason:
    IKE failed to find valid machine certificate

    Is this caused by not having a shared certificate store in AD?
  • Psoasman (Senior Member, Posts: 2,687)
    Uncheck 'Use the default response rule'; this will force the computer to negotiate IPSec before any connections can be made.
  • Mikdilly (Member, Posts: 309)
    Psoasman wrote:
        Uncheck 'Use the default response rule'; this will force the computer to negotiate IPSec before any connections can be made.

    I'd like to leave the options the same as they specify in the exercise, which is to leave it selected.

    Further on in the exercise I get an error when enrolling the client by using the Certificates snap-in:

    The wizard cannot be started because of one or more of the following conditions:
    - There are no trusted certification authorities (CAs) available.
    - You do not have the permissions to request certificates from the available CAs.
    - The available CAs issue certificates for which you do not have permissions.

    The error comes up after clicking finish on the steps below.

    1. Open a blank Microsoft Management Console (MMC) console, and then add the Certificates snap-in. When prompted to select the account, select Computer Account, and then select Local Computer.
    2. Expand Certificates. Right-click Personal, click All Tasks, and then click Request New Certificate. The Certificate Request Wizard appears.
    3. Click Next. On the Certificate Types page, click IPSec.
    4. Click Next twice, and then click Finish.

    I searched the error and came to

    Error message when a client computer requests a certificate from a computer that is running Windows Server 2003 with Service Pack 1: "The wizard cannot be started because of one or more of the following conditions"

    but it describes this error happening on 2003 SP1; I have SP2 on both the CA server and the client. Could this error still occur with SP2?
  • Mikdilly (Member, Posts: 309)
    Mikdilly wrote:
        I'd like to leave the options the same as they specify in the exercise, which is to leave it selected.

        Further on in the exercise I get an error when enrolling the client by using the Certificates snap-in:

        The wizard cannot be started because of one or more of the following conditions:
        - There are no trusted certification authorities (CAs) available.
        - You do not have the permissions to request certificates from the available CAs.
        - The available CAs issue certificates for which you do not have permissions.

        The error comes up after clicking Finish on the steps below.

        1. Open a blank Microsoft Management Console (MMC) console, and then add the Certificates snap-in. When prompted to select the account, select Computer Account, and then select Local Computer.
        2. Expand Certificates. Right-click Personal, click All Tasks, and then click Request New Certificate. The Certificate Request Wizard appears.
        3. Click Next. On the Certificate Types page, click IPSec.
        4. Click Next twice, and then click Finish.

        I searched the error and came to

        Error message when a client computer requests a certificate from a computer that is running Windows Server 2003 with Service Pack 1: "The wizard cannot be started because of one or more of the following conditions"

        but it describes this error happening on 2003 SP1; I have SP2 on both the CA server and the client. Could this error still occur with SP2?

    Both the CA and the client are domain controllers. I got rid of the error by adding the Domain Controllers group to CERTSVC_DCOM_ACCESS; it might have saved a headache or two had the book mentioned this.
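The fix from the last post, scripted, followed by the check that matters for the earlier event 547 ("IKE failed to find valid machine certificate"): whether the machine now holds a certificate that chains to a trusted CA. This is an added example, not code from the thread or the book. It assumes the CA runs on a domain controller (so CERTSVC_DCOM_ACCESS is a domain local group that net localgroup can manage from the DC), that PowerShell is installed, that you are a Domain Admin, and that CONTOSO is a placeholder NetBIOS domain name. The certutil -setreg step comes from the KB article the poster cites; treat it as an assumption if your build differs.

```powershell
# Added example, not from the original post. Assumptions: CA on a domain
# controller; run as Domain Admin; CONTOSO is a placeholder domain name.
$Domain = 'CONTOSO'

function Test-DcomAccessMember([string]$Member) {
    # On a DC, CERTSVC_DCOM_ACCESS is a domain local group, so this reads it
    # from Active Directory rather than from a local SAM.
    $out = net localgroup CERTSVC_DCOM_ACCESS
    [bool]($out | Select-String -SimpleMatch -Quiet -Pattern $Member)
}

if (Test-DcomAccessMember 'Domain Controllers') {
    Write-Host 'Domain Controllers is already in CERTSVC_DCOM_ACCESS.'
} else {
    # Equivalent to adding the group in Active Directory Users and Computers.
    net localgroup CERTSVC_DCOM_ACCESS "$Domain\Domain Controllers" /add
    # Clear the setup flag so the CA recomputes its DCOM security on restart
    # (step taken from the KB article cited above; assumption for SP2).
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc
}

function Get-MachineCertIssuers {
    # Issuer lines for every certificate in the computer's Personal store.
    # IKE certificate authentication needs at least one of these to chain to
    # a root CA that the peer also trusts; an empty result explains event 547.
    certutil -store MY | Select-String -SimpleMatch -Pattern 'Issuer:'
}

function Test-MachineCertChains {
    # Builds and validates the chain for each certificate in the store;
    # a non-zero exit code means at least one certificate does not verify.
    certutil -verifystore MY | Out-Null
    $LASTEXITCODE -eq 0
}

Get-MachineCertIssuers
if (-not (Test-MachineCertChains)) {
    Write-Warning 'At least one machine certificate fails chain validation; re-enroll after the CA restart, then re-check IPsec Monitor.'
}
```

If the requesting machines are member servers rather than domain controllers, the group whose members fail with the same wizard error is the one that has to be added to CERTSVC_DCOM_ACCESS; the error text lists the possible causes, and a DCOM access denial shows up as the second one.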