RE: L2TP Tunnels with Certificates

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Sep 2003 14:37:36 -0500

Hi Glenn,
 
I have to say that none of this makes much sense to me, as I've never
had to do any secedit stuff. Also, I've never put a certificate server
in my DMZ, which is even stranger!
 
I've never had to restart the policy agent either to get L2TP/IPSec
working. It's all left field sort of stuff going on here!
 
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 

        -----Original Message-----
        From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
        Sent: Thursday, September 18, 2003 2:10 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: L2TP Tunnels with Certificates
        
        
        http://www.ISAserver.org
        
        
        Tom,
            I am equally puzzled, but I can tell you this is the
case, at least with my setup. Here it is: I have 2 ISA servers with
the Internet between them. I have built the ISA servers as Stand Alone
servers, and built a Windows 2003 server with IIS and Certificate Services
that resides on my DMZ; this is the Cert server that all my ISA servers
get the Cert from. After all is configured I then need to run the
secedit utility before the L2TP Tunnel will connect. Even after I bounce
the IPSEC Policy Agent and RRAS Services I need to re-run the secedit
utility again so the Tunnels can connect??? This comes from Microsoft.
I need to read more about secedit, but I am stumped as to why I need to
run this every time the IPSEC Policy Agent and RRAS Services are bounced; I
would think running this once would be enough?

                -----Original Message-----
                From: Thomas W Shinder
[mailto:tshinder@xxxxxxxxxxxxxxxxxx]
                Sent: Thursday, September 18, 2003 3:01 PM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: L2TP Tunnels with Certificates
                
                
                Hi Glenn,
                 
                I'm curious why you would need to run secedit for
L2TP/IPSec gateway to gateway links. Once the certificates are
installed, that's it. I can see it if you want to force machines to get
a certificate immediately if you have configured AD for autoenrollment
for machine certificates, but that only needs to be done once.
                 
                The demand dial interface on the calling router should
just fire up as soon as someone triggers it.
                 
                Thanks!
                Tom

                Thomas W Shinder 
                www.isaserver.org/shinder 
                ISA Server and Beyond: http://tinyurl.com/1jq1 
                Configuring ISA Server: http://tinyurl.com/1llp 

                        -----Original Message-----
                        From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
                        Sent: Thursday, September 18, 2003 1:55 PM
                        To: [ISAserver.org Discussion List]
                        Subject: [isalist] RE: L2TP Tunnels with
Certificates
                        
                        
                        Hi Tom,
                            Thank you for responding. Yes, you are correct
on the calling and Persistent part, but what I am trying to figure out
is why I have to run the secedit command each and every time the RRAS
and IPSEC Policy Agent services are bounced. I have to run this command
"secedit refreshpolicy machine_policy /enforce" on the downstream ISA
server. I discovered this secedit utility dealing with Microsoft support
when I first started to dabble in L2TP Tunnels with Certificates. You
can set everything right when building the L2TP Tunnels complete with
Certificates, but it will not connect unless you run the above secedit
command I provided in this email ... any clues?
                         
                         Thank you Tom
                            G.

                                 

                ------------------------------------------------------
                List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
                ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
                ------------------------------------------------------
                Other Internet Software Marketing Sites:
                Leading Network Software Directory:
http://www.serverfiles.com
                No.1 Exchange Server Resource Site:
http://www.msexchange.org
                Windows Security Resource Site:
http://www.windowsecurity.com/
                Network Security Library: http://www.secinf.net/
                Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
                ------------------------------------------------------
                You are currently subscribed to this ISAserver.org
Discussion List as: gmaks@xxxxxxxxx
                To unsubscribe send a blank email to
$subst('Email.Unsub') 
