[Openswan Users] X.509 key usage
Jacco de Leeuw
jacco2 at dds.nl
Mon Jul 19 20:14:27 CEST 2004
Andreas Steffen wrote:
> What if *swan is the client and Windows the L2TP server?
No problem. *swan is much more flexible (thanks to your efforts)
so unlike the Windows client you can configure any authentication
policy you want.
> Am I right in the assumption that the client EKU is used in the
> user certificates only but not in IPsec machine certificates?
No, at least not according to Microsoft:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp
"When an L2TP/IPSec VPN connection is attempted between VPN client and
server, computer authentication fails if the VPN client certificate (from
a smart card or the certificate store on the local computer) is not
configured with the Client Authentication purpose in EKU extensions,
and the VPN server certificate is not configured with the Server
Authentication purpose in EKU extensions".
They also include the following table (excerpt):

Object membership    Certificate server template   Cert purposes
-----------------------------------------------------------------
VPN or IAS server    Computer                      Server Authentication
Windows XP client    Computer                      Client Authentication
User, domain user    User                          Client Authentication
If I remember correctly, if a client connects with a certificate containing
a Server Auth EKU, it will report:
"Error 789: The L2TP connection attempt failed because the security layer
encountered a processing error during initial negotiations with the remote
computer."
This only seems to be an issue for L2TP/IPsec connections created with the
VPN Wizard. I don't think it matters for Marcus Mueller's IPSEC.EXE tool.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
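The EKU rule quoted above (client certificate must carry Client Authentication, server certificate must carry Server Authentication) is easy to check before a certificate is deployed, which avoids the opaque "Error 789" at connection time. The following is an added example, not code from the post or from Openswan: a stdlib-only Python DER walker that locates the extKeyUsage extension (OID 2.5.29.37) in a certificate's Extensions sequence and compares the listed purposes with the role the certificate will play. The encoder is there only to construct sample extension blocks inline; the names `check_ipsec_role`, `build_extensions` and friends are mine. Treating an absent EKU extension as a failure follows the Microsoft text literally (the certificate is "not configured with" the required purpose) and is an assumption about Windows behaviour, not something the post states.

```python
"""Check whether an X.509 Extensions block carries the EKU Windows L2TP/IPsec expects.

Constructed example (not from the mailing-list post). Only the Extensions
SEQUENCE is parsed; a full certificate would be walked the same way.
"""

OID_EXT_KEY_USAGE = "2.5.29.37"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

# Role -> EKU purpose required, per the Microsoft table quoted in the post.
REQUIRED_EKU = {"client": OID_CLIENT_AUTH, "server": OID_SERVER_AUTH}


def der_length(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)   # continuation bit on all but the last
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:
                arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def build_eku_extension(purpose_oids):
    """Extension { extnID 2.5.29.37, extnValue OCTET STRING { SEQUENCE OF OID } }."""
    seq = der_tlv(0x30, b"".join(encode_oid(o) for o in purpose_oids))
    return der_tlv(0x30, encode_oid(OID_EXT_KEY_USAGE) + der_tlv(0x04, seq))


# Constructed unrelated extension (basicConstraints with an empty SEQUENCE), used
# to show that the walker skips extensions it is not looking for.
BASIC_CONSTRAINTS_EXT = der_tlv(0x30, encode_oid(OID_BASIC_CONSTRAINTS) + der_tlv(0x04, der_tlv(0x30, b"")))


def build_extensions(extension_ders):
    """Wrap individual Extension encodings in the outer Extensions SEQUENCE."""
    return der_tlv(0x30, b"".join(extension_ders))


def parse_extensions(extensions_der):
    """Return {extnID: (critical, extnValue content)} for every extension present."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                      # optional BOOLEAN critical, DEFAULT FALSE
            critical = val != b"\x00"
            t, val, p = read_tlv(ext, p)
        result[decode_oid(oid_body)] = (critical, val)
    return result


def extended_key_usages(extensions_der):
    """List the EKU purpose OIDs, or None when no extKeyUsage extension exists."""
    exts = parse_extensions(extensions_der)
    if OID_EXT_KEY_USAGE not in exts:
        return None
    _, value = exts[OID_EXT_KEY_USAGE]
    _, seq_body, _ = read_tlv(value, 0)
    purposes, pos = [], 0
    while pos < len(seq_body):
        _, oid_body, pos = read_tlv(seq_body, pos)
        purposes.append(decode_oid(oid_body))
    return purposes


def check_ipsec_role(extensions_der, role):
    """(ok, reason): does the EKU fit the 'client' or 'server' role the cert will play?"""
    required = REQUIRED_EKU[role]
    purposes = extended_key_usages(extensions_der)
    if purposes is None:
        return False, "no extKeyUsage extension present (assumed to fail, see lead-in)"
    if required in purposes:
        return True, "ok"
    return False, "EKU %s lacks %s required for role %s" % (purposes, required, role)


if __name__ == "__main__":
    # The misconfiguration described in the post: a client cert carrying only serverAuth.
    wrong_client = build_extensions([BASIC_CONSTRAINTS_EXT, build_eku_extension([OID_SERVER_AUTH])])
    print(check_ipsec_role(wrong_client, "client"))
    good_client = build_extensions([build_eku_extension([OID_CLIENT_AUTH])])
    print(check_ipsec_role(good_client, "client"))
```

Running the block prints the failure reason for the serverAuth-only client certificate and "ok" for the clientAuth one. With the `cryptography` package available, the same policy check can be applied to real certificates by feeding the `ExtendedKeyUsage` extension's OIDs into `REQUIRED_EKU`; the hand-rolled DER code above only exists so the example runs without third-party dependencies.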