Server 2012 NPS Server not authenticating IKEv2 requests


  • Server 2012 NPS Server not authenticating IKEv2 requests

    Hello Experts,
    I am having a weird problem with the NPS server since I upgraded my VPN servers from Server 2008 R2 to Server 2012 R2. In my infrastructure I have a Windows 2008 R2 based AD, and in its domain I have an NPS server joined as a member server. This NPS server is based on Server 2012 R2. When I upgraded my VPN servers from Server 2008 R2 to Server 2012 R2, IKEv2 stopped working; every other protocol works. On Windows 7, when I try to connect using IKEv2 it hangs at verifying username and password, and when I tested IKEv2 on Win 8 it says IKE authentication credentials are unacceptable, in spite of my server certificate being valid and EKU compatible. When I connect with IKEv2 via my other server, which is a Server 2008 R2 based VPN server, IKEv2 works like a charm without any issues, authenticating successfully. The problem seems to be with the Server 2012 R2 based RRAS VPN server. On both my Server 2012 VPN and Server 2008 R2 VPN servers the NPS server is added in the RADIUS authentication, with the options MS-CHAPv2 and EAP selected in the authentication options.
    When I try to connect to the VPN server from Windows 8 I get "13801: IKE authentication credentials are unacceptable." When I try to connect via a Win 7 client the session hangs at verifying username and password. In the event logs I see this error... after this error the session just hangs at verifying username and password.....

    Any Ideas...????
    When I run the Best Practice Analyzer for Routing and Remote Access Services (RRAS) on the server I receive two highlighted warnings regarding server certificates. Any clues what the problem with IKEv2 is....

    Please help me in this regard....this problem is driving me nuts...!!!
    Thanks



  • #2
    Looks pretty self explanatory to me.

    Check the certificate you are using for your IKEv2 communications.



    • #3
      Hello

      I have checked the certificate; it is valid. If the certificate were not valid then SSTP shouldn't work either.... PPTP, L2TP and SSTP are working fine; the only problem is with IKEv2.

      Can anybody help me in understanding the two warnings? I am using a public IP address on the RRAS external interface; what is the logic of resolving the IP on the external interface of the RRAS into a name mentioned in the certificate? The same certificate works fine on the Win 2008 R2 based RRAS VPN server; why is it giving a warning in the Best Practice Analyzer on Win 2012 R2?

      Thanks



      • #4
        If you are using the same certificate on both servers that will be your issue.

        You will probably need to import the private key on the new Server 2012 R2 system.



        • #5
          Can you tell me the procedure to import the private key...



          • #6
            OK, I have exported and imported the private key with the certificate but the issue still remains.

            Any ideas what the possible problem could be....



            • #7
              So you've followed all the directions here?

              https://technet.microsoft.com/en-us/...(v=ws.10).aspx



              • #8
                Yes,
                In the Microsoft guide they are using their own CA for the certificate. Instead of that I used one from Comodo and put it in the Personal store, while there are two other certificates which I put in the Intermediate Root authority. But I don't know where the problem is; all the protocols are working fine except IKEv2...... The certificates work perfectly on the Server 2008 R2 based VPN server: whenever I connect from a Win 7 IKEv2 client to the Win 2008 R2 based VPN server no error comes up, but whenever I try connecting to my Server 2012 R2 VPN server from Win 7 the connection hangs at verifying username and password and gets stuck there; I have to reboot the client machine. And from a Win 8 client it gives me the error IKE authentication credentials are unacceptable....

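The certificate points raised in posts #1 to #8 (private key present, EKU, name in the certificate, intermediates in place) can be checked in one pass on the RRAS server. This is an added example, not code from any poster in the thread; `$VpnName` and its default value are assumed placeholders for the host name clients connect to.

```powershell
# Added example, not from the thread. $VpnName is an assumed placeholder for
# the host name that clients enter in the VPN connection.
param([string]$VpnName = 'vpn.example.test')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect the EKU OIDs carried by the certificate, if any.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # DNS names from the SAN/subject (DnsNameList needs PowerShell 3.0+).
    # -like lets a wildcard name such as *.example.test match; note that "*"
    # here also matches across dots, which is looser than certificate matching rules.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatches = [bool]($names | Where-Object { $_ -and ($VpnName -like $_) })

    # Build the chain in the machine context, as a service would see it.
    # Revocation is skipped so the check runs without network access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainBuilds = $chain.Build($cert)

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        HasPrivateKey    = $cert.HasPrivateKey
        InValidityPeriod = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        HasServerAuthEku = $ekuOids -contains $serverAuthOid
        NameMatches      = $nameMatches
        ChainBuilds      = $chainBuilds
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

Run it in an elevated session on each VPN server and compare the rows: a certificate that shows the same values on both machines is unlikely to be what differs between them.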


                • #9
                  Hello,


                  I have traced the IKE errors using netsh wfp capture start

                  <errorFrequencyTable numItems="97">
                  <item>
                  <error>ERROR_IPSEC_IKE_NEG_STATUS_BEGIN</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_AUTH_FAIL</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_ATTRIB_FAIL</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_NEGOTIATION_PENDING</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_TIMED_OUT</error>
                  <frequency>5</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_NO_CERT</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_SA_DELETED</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_SA_REAPED</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_MM_ACQUIRE_DROP</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_QM_ACQUIRE_DROP</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_QUEUE_DROP_MM</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_QUEUE_DROP_NO_MM</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_DROP_NO_RESPONSE</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_MM_DELAY_DROP</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_QM_DELAY_DROP</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_ERROR</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_CRL_FAILED</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_INVALID_KEY_USAGE</error>
                  <frequency>0</frequency>
                  </item>
                  <item>
                  <error>ERROR_IPSEC_IKE_INVALID_CERT_TYPE</error>
                  <frequency>0</frequency>
                  </item>
                  <item>



                  But I am unable to find the solution to the above errors; Google also doesn't have many articles on it.

                  Please help







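The error table pasted in post #9 is mostly zero counters, so it helps to reduce it to the entries that actually fired. This is an added example, not code from the thread: `Get-IkeErrorCount` is a hypothetical helper name, the `<wfpdiag>` wrapper element is an assumption, and `$sample` is constructed from three names and counts shown in the post.

```powershell
# Added example. $sample is constructed: three <item> entries using names and
# counts that appear in post #9, wrapped in an assumed root element.
$sample = @'
<wfpdiag>
  <errorFrequencyTable numItems="3">
    <item><error>ERROR_IPSEC_IKE_AUTH_FAIL</error><frequency>0</frequency></item>
    <item><error>ERROR_IPSEC_IKE_TIMED_OUT</error><frequency>5</frequency></item>
    <item><error>ERROR_IPSEC_IKE_NO_CERT</error><frequency>0</frequency></item>
  </errorFrequencyTable>
</wfpdiag>
'@

function Get-IkeErrorCount {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($Xml) }
    catch { throw "Not well-formed XML (a truncated paste fails here): $($_.Exception.Message)" }

    # local-name() keeps the queries working whether or not the file
    # declares a default XML namespace.
    foreach ($table in $doc.SelectNodes("//*[local-name()='errorFrequencyTable']")) {
        $items = $table.SelectNodes("*[local-name()='item']")

        # numItems states how many entries the table should hold; a mismatch
        # means part of the table is missing from the input.
        $declared = $table.GetAttribute('numItems')
        if ($declared -and ([int]$declared -ne $items.Count)) {
            Write-Warning "Table declares $declared items but contains $($items.Count)."
        }

        foreach ($item in $items) {
            $name = $item.SelectSingleNode("*[local-name()='error']").InnerText
            $freq = [int]$item.SelectSingleNode("*[local-name()='frequency']").InnerText
            if ($freq -gt 0) { [pscustomobject]@{ Error = $name; Count = $freq } }
        }
    }
}

# Only counters above zero are returned, highest first.
Get-IkeErrorCount -Xml $sample | Sort-Object Count -Descending | Format-Table -AutoSize

# For a real capture, pass the extracted file instead of $sample:
#   Get-IkeErrorCount -Xml (Get-Content .\wfpdiag.xml -Raw)
```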