Hi everyone,
I am trying to configure L2TP IPsec with certificates for my road warriors via group policy and I’m going around in circles trying to figure it out. The part I am stuck with is generating certificates and deploying them correctly to users via GPO.
To sum it up:
- Problem: when I try to connect the client via the L2TP VPN profile, Windows complains that there is no certificate and that a machine/computer certificate must be installed. From what I understand, these certificates need to be installed in the “Personal” certificate store on the client computer, which means I need to use a CA server and auto-enrollment to do it automatically.
- rOS v6.39.2 has been running as a PPTP and L2TP/IPsec PSK endpoint successfully for some time.
- User accounting is done via RADIUS and Windows NPS for AD auth.
- PPTP VPN profiles are already deployed via group policy and working.
- Windows CA and auto-enrollment enabled for domain users.
As I have L2TP/IPsec with PSK working, what I feel like I need is a quick walk-through on the steps to create the certificates in rOS for use with IPsec and then implement those certificates in group policy or with the auto-enrollment process.
I have been following several guides to generate certificates using either the GUI or the terminal in rOS, self-sign the certificates, export them, and import them directly on the Windows client or on the Windows CA server. I don’t understand whether I am generating the certificates correctly (is the key usage correct?) or how to properly import them into the Personal cert store, if that’s even the correct place to put them. I also don’t understand how the L2TP VPN profile selects the certificate once it’s in the store: does it do it automatically, or do you need to specify it somewhere?
Thanks for any help you can provide.
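As an added illustration (not part of the original post and not a verified answer to it), the following RouterOS CLI fragment shows the shape of the certificate side of the setup the poster describes: a local CA with signing usages, a server certificate whose name matches what the client dials, export of the CA public certificate for distribution to clients, and an IPsec peer switched from PSK to certificate authentication. The names `vpn-ca`, `vpn-server`, the hostname `vpn.example.com`, and the choice of key-usage values are assumptions chosen for the example; the `tls-server` usage follows the MikroTik road-warrior examples rather than anything stated on this page.

```routeros
# Added example, not from the original post. Names, hostname and key-usage
# values are assumptions; check them against your own CA policy.

# 1. A CA on the router. Only needed if the server certificate is not
#    issued by the Windows CA. A CA needs key-cert-sign and crl-sign.
/certificate add name=vpn-ca common-name=vpn-ca key-size=2048 \
    days-valid=3650 key-usage=key-cert-sign,crl-sign
/certificate sign vpn-ca ca-crl-host=vpn.example.com

# 2. The IPsec responder certificate. The CN / SAN must match the name the
#    Windows client connects to; tls-server is the usage the MikroTik
#    road-warrior examples use for the responder (assumption here).
/certificate add name=vpn-server common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com key-size=2048 days-valid=730 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign vpn-server ca=vpn-ca

# 3. Export the CA certificate (public part only, no passphrase) so it can
#    be distributed to clients as a trusted root; the private key stays on
#    the router.
/certificate export-certificate vpn-ca

# 4. Replace PSK authentication on the road-warrior peer with the
#    certificate. The L2TP server's built-in use-ipsec/ipsec-secret
#    settings are assumed to be disabled so this peer handles phase 1.
/ip ipsec peer add address=0.0.0.0/0 passive=yes exchange-mode=main \
    auth-method=rsa-signature certificate=vpn-server \
    generate-policy=port-override
```

The client machine still needs its own certificate from a CA the router trusts (the Windows CA in the poster's setup, whose root would in turn be imported with `/certificate import`), and the exported `vpn-ca` certificate must reach the client's trusted root store; the fragment above only covers the router side.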