[Openswan Users] X.509 key usage

Jacco de Leeuw jacco2 at dds.nl
Mon Jul 19 20:14:27 CEST 2004


Andreas Steffen wrote:

> What if *swan is the client and Windows the L2TP server?

No problem. *swan is much more flexible (thanks to your efforts)
so unlike the Windows client you can configure any authentication
policy you want.

> Am I right in the assumption that the client EKU is used in the
> user certificates only but not in IPsec machine certificates?

No, at least not according to Microsoft:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp

   "When an L2TP/IPSec VPN connection is attempted between VPN client and
   server, computer authentication fails if the VPN client certificate (from
   a smart card or the certificate store on the local computer) is not
   configured with the Client Authentication purpose in EKU extensions,
   and the VPN server certificate is not configured with the Server
   Authentication purpose in EKU extensions".

They also include the following table (excerpt):

   Object membership    Certificate server template    Cert purposes
   -----------------------------------------------------------------
   VPN or IAS server    Computer               Server Authentication
   Windows XP client    Computer               Client Authentication
   User, domain user    User                   Client Authentication

If I remember correctly, if a client connects with a certificate containing
a Server Auth EKU, it will report:

   "Error 789: The L2TP connection attempt failed because the security layer
    encountered a processing error during initial negotiations with the remote
    computer."

This only seems to be an issue for L2TP/IPsec connections created with the
VPN Wizard. I don't think it matters for Marcus Mueller's IPSEC.EXE tool.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
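The following is an added example, not part of Jacco's post or of the *swan project: a POSIX shell script that uses OpenSSL to mint two self-signed test certificates differing only in their extendedKeyUsage (Client Authentication vs. Server Authentication, the two purposes from the Microsoft table quoted above), prints the EKU that OpenSSL decodes from each, and then asks `openssl verify -purpose sslclient` / `-purpose sslserver` which role each certificate is acceptable for. The `-purpose` check is OpenSSL's own EKU/keyUsage rule and stands in for the check the Windows VPN Wizard performs; it is not Windows code. The subject names, the keyUsage bits and `basicConstraints = CA:FALSE` in the config are assumptions chosen to make the test certificates look like ordinary end-entity certificates.

```shell
#!/bin/sh
# Added example (not from the original post or from *swan): mint two test
# certificates that differ only in EKU and see which VPN role OpenSSL
# accepts each one for. Requires the openssl command-line tool.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf with one extension profile per role. The EKU values
# follow the Microsoft table (Client / Server Authentication); keyUsage and
# CA:FALSE are our assumptions for an ordinary end-entity certificate.
cat > "$WORK/eku.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = eku-test
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2
extendedKeyUsage = clientAuth
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1
extendedKeyUsage = serverAuth
EOF

# mint_cert SECTION NAME: self-signed RSA cert using extension profile SECTION,
# written to $WORK/NAME.pem (key in $WORK/NAME.key). Names are assumptions.
mint_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/eku.cnf" -extensions "$1" -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# eku_of CERT: print the EKU purpose name(s) OpenSSL decodes from CERT,
# e.g. "TLS Web Client Authentication".
eku_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# has_purpose CERT PURPOSE: exit 0 if OpenSSL accepts CERT for PURPOSE
# (sslclient or sslserver). A cert whose EKU lacks the matching purpose
# fails with "unsupported certificate purpose", which is the OpenSSL
# analogue of the Windows "Error 789" described in the post.
has_purpose() {
    openssl verify -purpose "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

mint_cert v3_client vpnclient
mint_cert v3_server vpnserver

for c in vpnclient vpnserver; do
    printf '%s: EKU="%s"' "$c" "$(eku_of "$WORK/$c.pem")"
    for p in sslclient sslserver; do
        if has_purpose "$WORK/$c.pem" "$p"; then
            printf ' %s=ok' "$p"
        else
            printf ' %s=REJECT' "$p"
        fi
    done
    echo
done
```

Run against a real certificate, `eku_of` and `has_purpose` tell you before you touch the Windows side whether a Computer-template certificate carries the purpose the VPN Wizard expects for that end of the tunnel: the client certificate must pass `sslclient`, the server certificate `sslserver`, and a certificate with only the other EKU is rejected.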
