L2TP protocol computer certificate - what?

I am running Win XP PRO SP2 and in the event log I find a warning

I have no idea what this is but I need to be sure it is not someone trying to connect to my computer from outside. I think chances are this is benign but I want to be sure.

Could it be the router just trying to set up something? Could this be internal to my computer? What are the calls not being accepted?

Should I install a certificate? How would I do that? Why would I need it? For VPN?

I need to know more about this.

It sounds like you’ve configured your workstation to accept incoming connections. Assuming you’ve configured it correctly (and it sounds like you haven’t), it allows remote machines to initiate a direct connection to your machine. You can check for Incoming connections at Start → Settings → Network Connections. Unless you’ve intentionally configured your workstation to be a remote access server/endpoint, you should probably delete the connection(s) for security reasons.

Yes, I want to be able to connect remotely using the remote desktop and/or VPN. That is intended. But I do not understand the rest.

IPSec is a standard for the encryption of TCP packets. This relies on a Computer Certificate - a piece of data that contains a unique identifier for a computer, that is exchanged securely as part of the negotiation to set up L2TP VPNs (Layer 2 Tunnelling occurs at the Ethernet level - layer 2 of the OSI stack, as opposed to Point-to-Point Tunnelling, which is a higher level protocol).

Now, in a corporate environment you use a Public Key Infrastructure system to generate certificates - you install a certificate for the Certificate Authority (CA) and a computer certificate generated by that CA, and thus your computer will trust any certs generated by the CA, and your computer certificate will trust any certs from the CA.

For a couple of stand-alone machines, it seems to be a bit unclear. You may need to obtain a certificate for each machine from a Certificate Authority, then install both the CA certificate and the appropriate Computer certificate on each machine. CACert.org lets you sign up and generate Client certificates for free, and supply the appropriate Root CA certificate to import.

To be honest, for what you want to do, this seems like a real hassle. This is a case of the MS solution being geared to a corporate infrastructure, and being unnecessarily complex for a small system setup.

Si

Thanks for that info si_blakely.

I have looked into this a bit further. It seems the errors in the log appear every time I start the computer, so it seems it is not someone trying to break in but rather the computer trying to set up that service and then informing me that it failed and that the service will not work.

I am not sure exactly for what it is needed but I’d like to get it to work in case I find out I need it for VPN or something else.

I found Administrator's Guide to Microsoft L2TP/IPSec VPN Client | Microsoft Learn, which seems to deal with this quite in depth, which means I don’t understand most of it.

So my next step is going to be to try to set up L2TP/IPSec to work with shared key rather than with certificate. Any help is welcome because I am totally lost.

I am looking into Microsoft Support although it says it is for Win 2000.

I wonder if I may have to install this on my laptop. But I’ll cross that bridge later.

I think that this is the least complex approach, but the instructions are not very clear. However, I think this involves playing with Security Policies - I try to leave that to the AD gurus.

Win 2000 does not have the same set of Security Policies as XP/2003/Vista, thus the special procedure. You can set the connecting system easily enough (there is a pre-shared key checkbox), but the issue is the RRAS server. You should be able to set the configuration via the RRAS MMC snap-in, or maybe the SecPol MMC snap-in, but it does not seem to be obvious. Sorry that I can’t be more helpful, but this is not something I would normally attempt and I don’t have access to a system I can play with - I prefer using OpenVPN.

You only need that on systems that don’t have a built-in IPSec/L2TP client - XP machines should be fine (if not, apply at least SP2).

Si

I am looking into Microsoft Support although it says it is for Win 2000. I could not find specific for Win XP PRO SP2 which is what I have.

It gives the steps to follow in order to use pre-shared keys. Adding the value

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\ProhibitIpSec

to the registry has stopped the error from showing at startup (I think). From the name of the key, ProhibitIpSec, it sounds like it just disables IpSec, but the IpSec service is running OK.

The second part (How to create an IPSec policy for use with L2TP/IPSec Connections by using a preshared key) I do not understand, and it does not seem to match anything in my system. It may be because it is for domains and/or for Win 2000.

Any ideas?

OK. Launch the Local Security mmc snapin (Control Panel, Administrative Tools, Local Security). Select IP Security Policies on Local Computer, then double click Secure Server. You will see the rules. Select the Secure Server rule, and click the Edit… button. Click the Authentication Methods tab, and fill in the details for the Pre-shared key. I think that this will work, but YMMV. You may need to do the same for the Server rule as well, but try just the Secure Server rule first.

Good luck

Si

Thanks si_blakely, I would never have been able to find it if you hadn’t told me.

I have spent a couple of hours investigating and tinkering with all the security settings but I am still quite lost. And I can’t really test anything because I would need to have a second internet connection to see if I could connect to this computer from another computer. Still, just by looking around I am learning where some things are and what to look for.

I have set a shared key at
Control Panel - Administrative tools - Local Security Policy - IP Security Policies on Local Computer -
Secure server - Rules - Edit - Authentication Methods - Add - Use this preshared key
but, as I said, I cannot test it yet.

Still, if I remove the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\ProhibitIpSec
key I still get the error in the event log.

Whether there is a shared key or not makes no difference, only whether there is that key in the registry.

I am lost. I think the error message should say “Connections that use the L2TP protocol over IPSec require the installation of a machine certificate or a shared key”. It seems IpSec may only work with certificates and not with shared keys.

I have been reading a bit about Kerberos and I think I understand the need for certificates and an issuing authority like Verisign, in that the issuing authority is involved, not just in issuing the certificates, but in every communication.

Also a search gives me that ProhibitIpSec = 1 means L2TP works but without encryption (no IpSec) so that is not really the answer.

I wonder if it may be worth while looking for certificates.

Anyway, I continue to fumble around in the dark…

The issuing authority is not actually involved during the communication process. The CA issues an authorising certificate, installed into the Root Certificate store. By referring to this certificate, the authenticity of the client certificates can be verified. So there is no communication with the issuing authority during authentication, but the valid Root certificate is required.

As I say, I have never tried to use IPSec/L2TP on XP systems, so I probably will be not much further help.

Si
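The checks the thread keeps circling around (the ProhibitIpSec registry value from the earlier post, whether a machine certificate with a private key is in the computer's own store, and whether its issuer is in the local Root store so that the chain verifies offline, as described just above) can be run in one go. The script below is an added example, not code from any participant in this thread or from Microsoft. It assumes Windows PowerShell is installed (PowerShell 2.0 supports XP SP3; the XP SP2 box in the thread would need upgrading) and that it runs from an elevated prompt. Two things it checks that the thread does not spell out: the certificates listed under Internet Options belong to the current user's stores, whereas L2TP/IPsec negotiation looks in the computer's Personal store (Cert:\LocalMachine\My); and a self-signed certificate such as "issued to: sailor, issued by: sailor" only chains if that same certificate is also present in the computer's Trusted Root store.

```powershell
# Added diagnostic for the L2TP/IPsec discussion above; not part of the original thread.
# Run from an elevated Windows PowerShell prompt on the machine that accepts the VPN connections.

# Registry path quoted in the thread (converted to PowerShell provider syntax).
$rasmanKey = 'HKLM:\System\CurrentControlSet\Services\Rasman\Parameters'

function Get-ProhibitIpSecState {
    # ProhibitIpSec = 1 makes RAS build the L2TP tunnel without the automatic IPsec
    # policy: the startup warning disappears, but the tunnel carries no encryption.
    $props = Get-ItemProperty -Path $rasmanKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.ProhibitIpSec) {
        return 'absent (default: L2TP requires IPsec, so a machine certificate or a PSK policy is needed)'
    }
    if ($props.ProhibitIpSec -eq 1) {
        return 'set to 1 (L2TP without IPsec: no warning, but also no encryption)'
    }
    return "set to $($props.ProhibitIpSec)"
}

function Get-EkuNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Extended Key Usage from the certificate's own extension, e.g. Server Authentication / Client Authentication.
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($null -eq $ext) { return '(none: usable for any purpose)' }
    return ($ext.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
}

function Test-MachineCertForIpsec {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Chain building consults only the local Root/Intermediate stores: no contact with the
    # issuing CA is made, exactly as explained in the reply above, but the root must be present.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey          # required: the machine must be able to sign with it
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)
        EKU           = (Get-EkuNames -Cert $Cert)
        ChainTrusted  = $chainOk                     # $false usually means the issuing root is missing
        ChainStatus   = $(if ($status) { $status } else { 'OK' })
    }
}

Write-Host "ProhibitIpSec: $(Get-ProhibitIpSecState)"
Write-Host ''

$machineCerts = @(Get-ChildItem Cert:\LocalMachine\My)
if ($machineCerts.Count -eq 0) {
    Write-Host 'No certificates in the computer store (Cert:\LocalMachine\My).'
    Write-Host 'Certificates imported through Internet Options land in the current user store,'
    Write-Host 'which L2TP/IPsec does not consult. Import the machine certificate with its private key'
    Write-Host 'into the Local Computer Personal store (certmgr/MMC Certificates snap-in for Computer account).'
} else {
    foreach ($c in $machineCerts) { Test-MachineCertForIpsec -Cert $c | Format-List }
}

# Roots the machine will trust when building the chain above.
Write-Host 'Trusted roots in the computer store:'
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, NotAfter | Format-Table -AutoSize
```

Read the output bottom-up: if ChainTrusted is $false with a status such as UntrustedRoot, the issuer's root certificate (for example the CACert.org or Thawte root mentioned earlier) has not been imported into the computer's Trusted Root store; if HasPrivateKey is $false, the certificate was imported without its key and cannot be used to authenticate the machine; and if ProhibitIpSec reads "set to 1", the warning is merely suppressed rather than fixed.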

Thanks for your help.

I found in IE6 - Tools - Internet Options - Content - Certificates a certificate
issued to: sailor
issued by: sailor
I have no idea how this was created but it seems my own machine can create its own certificates and I can have it be a trusted issuer. The problem is that I still cannot see how I can get IpSec to see it and use it.

I will continue to waste time on this.

Well, I am still tinkering with this. I got a certificate from www.thawte.com but I cannot get it to work. Maybe it is that “Root certificate” missing or something. I don’t know.

The way I understand it now is that VPN can go over PPTP, which does not require certificates, or over L2TP/IPSec, which does require certificates and, for this reason, is more secure.

I guess for now I’m stuck with using VPN over PPTP until I can get L2TP/IPSec to work.

If anyone has any ideas I’d like to hear them.