On 2021/01/16 13:35, Ian Timothy wrote:
> 
> 
> > On 14 Jan 2021, at 01:28, Stuart Henderson <s...@spacehopper.org> wrote:
> > 
> > On 2021-01-13, Ian Timothy <i...@thrivedata.it> wrote:
> >> Looking at some of the other information provided, I tried this along with 
> >> the registry edit below:
> >> 
> >> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -Force
> > 
> > "-AuthenticationMethod MachineCertificate" - I thought you were using
> > MSCHAP not machine certs?
> 
> I’m just trying anything and everything at this point. I’ll do whatever works.

I can't help with machine cert config, but the config I outlined works
well for mschapv2 for me; it needs the CA and server certificate on the
server, and just the CA cert installing on the client, no machine cert
on the client.

(There should be a way of getting machine cert to work, but I haven't
gone down that rabbit hole).

> $ ikectl show ca vpn certificates
> subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=VPN/emailAddress=t...@company.com
> SHA256 Fingerprint=83:BE:37:FD:A9:B1:53:11:F6:7D:90:25:20:42:21:46:13:52:E1:C3:14:9B:F9:E1:74:C8:89:6A:3E:55:0F:FC
> notBefore=Jan 16 19:51:53 2021 GMT
> notAfter=May 13 19:51:53 2033 GMT
> 
> subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=t...@company.com
> SHA256 Fingerprint=9F:93:75:73:6A:F2:BE:59:4A:14:BD:C6:F3:1C:C0:DC:20:26:0D:B7:AE:1C:07:BC:FE:6A:04:C2:20:07:BC:6D
> notBefore=Jan 16 19:52:15 2021 GMT
> notAfter=Jan 16 19:52:15 2022 GMT

Make a calendar note to generate a new server certificate.
The CA certificate will still be valid so you don't need to touch
clients for that change, just the new server cert.

> subject= /C=US/ST=State/L=City/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=t...@company.com
> SHA256 Fingerprint=BF:E5:C4:64:55:4D:4E:E7:BC:7F:D9:6E:90:C2:06:BD:66:9A:40:04:EB:C3:BE:A3:2A:DA:91:1A:E7:3D:42:A4
> notBefore=Jan 16 19:52:41 2021 GMT
> notAfter=Jan 16 19:52:41 2022 GMT

If you are using client machine certs (rather than mschapv2), you will
need to be prepared to get that cert updated on the clients (or use some
other CA tool that allows setting a longer time).

> # Install certificates on Windows
> #
> 
> 1. scp 10.0.2.100.zip from vpn.company.com to Windows client
> 2. Unzip
> 3. Double click ca.pfx
>       1. Select “Local Machine”
>       2. Select “Place certificates in following store”
>               1. Select “Trusted Root Certificate Authorities”

fwiw I normally put them in Enterprise under there so they don't get
mixed up with internet CAs, either should work though.

Be aware that after this change is made, someone with access to the key
for the CA certificate is able to use it to spoof/intercept https requests
to sites on the internet in a way that they will usually be accepted by
the client machines. This is what needs doing here, but do look after
the key carefully; it protects more than just vpn access.
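As an added example (my own script, not something from this thread or from iked), here is a small Python check that parses output in the shape of the `ikectl show ca vpn certificates` listing quoted above (a constructed copy with the fingerprints dropped and a placeholder e-mail address) and reports which certificates expire soon, separating the ones that only need a server-side reissue from the ones that also have to be pushed out to clients. The CN values and the 30-day threshold are assumptions.

```python
"""Expiry check for certs listed by `ikectl show ca <name> certificates`.
Thread rule: while the CA cert is valid, a new server cert touches only the
server; a CA or client machine cert must also be redeployed to clients."""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the quoted listing (fingerprints omitted, placeholder e-mail).
SAMPLE = """\
subject= /C=US/O=Company/OU=Information Systems/CN=VPN/emailAddress=admin@example.com
notBefore=Jan 16 19:51:53 2021 GMT
notAfter=May 13 19:51:53 2033 GMT

subject= /C=US/O=Company/OU=Information Systems/CN=vpn.company.com/emailAddress=admin@example.com
notBefore=Jan 16 19:52:15 2021 GMT
notAfter=Jan 16 19:52:15 2022 GMT

subject= /C=US/O=Company/OU=Information Systems/CN=10.0.2.100/emailAddress=admin@example.com
notBefore=Jan 16 19:52:41 2021 GMT
notAfter=Jan 16 19:52:41 2022 GMT
"""

def parse_date(s):
    # ikectl/openssl style timestamp, e.g. "Jan 16 19:52:15 2022 GMT", taken as UTC
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_certs(text):
    """Return (cn, not_after) pairs, one per blank-line-separated cert block."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        cn = re.search(r"/CN=([^/\n]+)", block)
        not_after = re.search(r"^notAfter=(.+)$", block, re.M)
        if cn and not_after:
            certs.append((cn.group(1), parse_date(not_after.group(1))))
    return certs

def expiry_report(text, server_cn, ca_cn, now, warn_days=30):
    """Map CN -> (days_left, action); action is 'ok' unless expiry is within warn_days."""
    report = {}
    for cn, not_after in parse_certs(text):
        days = (not_after - now).days
        if cn == ca_cn:
            action = "CA cert: reissue and redeploy to every client"
        elif cn == server_cn:
            action = "server cert: reissue on the VPN server only"
        else:
            action = "client machine cert: reissue and reinstall on that client"
        report[cn] = (days, action if days <= warn_days else "ok")
    return report

if __name__ == "__main__":
    print(expiry_report(SAMPLE, "vpn.company.com", "VPN", datetime.now(timezone.utc)))
```

Feed it the real listing (`ikectl show ca vpn certificates | python3 check.py` after swapping SAMPLE for stdin) from a cron job and the "make a calendar note" step above turns into an automatic reminder.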
