
I've got an RRAS VPN setup using IKEv2 and certs issued by the domain's CA. It has a cert for the public domain and I know this is getting presented to the client.

However, it seems that either the server is sending the wrong cert, or is sending all its server authentication certs, which includes one issued by MS-Organization-P2P-Access [2022]. This of course isn't trusted by the clients, who then kick it back.

Looking at Get-VpnAuthProtocol I can see that it's told to use the domain's CA.

Not sure how I tell RRAS to use the right cert.

Tom Newton
Arcath

1 Answer


It'd be really helpful to know what your RRAS config actually is, what OS, anything.

Anyway, if Get-VpnAuthProtocol shows TunnelAuthProtocolsAdvertised = "Certificate", then you can use Set-VpnAuthProtocol -CertificateAdvertised to set the correct cert.

Or do Set-VpnS2SInterface -MachineCertificate <X509Certificate>. Your cert subject name or SAN must match the external interface name.

I can't imagine why RRAS would present the junky Azure P2P access one - it's a client cert, not a server cert. Maybe try the best-practice analyzer and see if it flags anything useful: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn535711(v=ws.11)

LeeM
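The Set-VpnAuthProtocol route from the answer above, written out as an added example (this is not LeeM's or the asker's code, and the hostname vpn.example.com is a placeholder for the real public DNS name). It selects the one Server Authentication cert in the machine store whose SAN carries the public name, skipping anything like the MS-Organization-P2P-Access client cert, pins RRAS to it, and then verifies the thumbprint after the service restart:

```powershell
# Added example, not from the original thread. Run elevated on the RRAS server.
# 'vpn.example.com' is an assumed placeholder: use the public name clients connect to.
$PublicName = 'vpn.example.com'

# Pick a Server Authentication cert (EKU 1.3.6.1.5.5.7.3.1) with a private key whose
# DNS SANs include the public name. The P2P-Access cert is client auth only, so it is
# filtered out here; newest expiry wins if several match.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.DnsNameList.Unicode -contains $PublicName
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No server-authentication cert with SAN '$PublicName' in Cert:\LocalMachine\My"
}

# Show what RRAS advertises today before touching it.
$before = Get-VpnAuthProtocol
$before | Format-List TunnelAuthProtocolsAdvertised, RootCertificateNameToAccept, CertificateAdvertised

if ($before.TunnelAuthProtocolsAdvertised -notcontains 'Certificate') {
    Write-Warning 'IKEv2 machine-certificate auth is not advertised; the cert setting will not apply.'
}

# Pin exactly this certificate for IKEv2; RRAS reads the setting on service restart.
Set-VpnAuthProtocol -CertificateAdvertised $cert -PassThru
Restart-Service RemoteAccess

# Confirm the pinned thumbprint survived the restart.
$after = (Get-VpnAuthProtocol).CertificateAdvertised
if ($after.Thumbprint -eq $cert.Thumbprint) {
    "RRAS now advertises $($cert.Subject) ($($cert.Thumbprint)), issued by $($cert.Issuer)"
} else {
    throw "CertificateAdvertised is '$($after.Thumbprint)', expected '$($cert.Thumbprint)'"
}
```

The EKU filter matters more than the SAN match: a client-authentication-only cert such as the P2P-Access one will never satisfy an IKEv2 client's server check, so excluding it up front keeps the script from pinning the wrong leaf even if it happens to carry the hostname. After the restart, a test connection from a client should show the chain ending at the domain CA, not at MS-Organization-P2P-Access.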