In Windows Vista, IKE-layer authentication for L2TP/IPSec tunnel connections that use machine certificates has been strengthened. Apart from validating that the certificate presented by the peer during the IKE negotiation chains to the root certificate specified in the IPSec policy, the client now verifies additional fields in that certificate. These additional checks are:

1. Verification that the subject-alternative-name or the subject-name field of the certificate corresponds to the name (or IP address) of the peer with which the client machine seeks to communicate.
2. Verification of the EKU field to ensure that the certificate presented by the peer was issued for authentication purposes.
These additional checks are enabled by default on Windows Vista clients.
The checks can, however, cause IKE negotiation to fail even when a Vista client is connecting to an authentic down-level RRAS server, if the machine certificate deployed on that server does not have one or more of the verified fields set correctly. When IKE negotiation fails, L2TP tunnel connection setup fails with it. Replacing the machine certificate on a working deployment is often not a viable way to resolve the problem, so in such a situation an administrator might want to disable these additional checks altogether. The following are the different ways to disable the checks.
Method 1: Through the rasapi32 RASENTRY structure
A new flag named RASEO2_DisableIKENameEkuCheck has been added for the dwfOptions2 member of the RASENTRY structure. If this flag is set, the additional checks during IKE validation are not performed. An application developer can create a VPN dialer with the additional checks disabled by setting this flag.
Method 2: Through CMAK
The additional checks during IKE validation can be disabled for a CM VPN dialer when the profile is created through the CMAK wizard. A new key called DisableIKENameEkuCheck is added explicitly while creating the profile through CMAK's Advanced Customization. The key is added to the .cms file under the [Networking&TunnelDUN] section. If the value of the key is set to 1, the additional checks are disabled for that profile.
Method 3: Through the Network Connections window
For VPN dialers created through the Network Connections wizard on Windows Vista, the additional checks during IKE validation can be disabled in the dialer's Properties window by clearing the "Verify name and usage attributes of the server's certificate" check box. The check box is found under Properties -> Networking -> IPSec Settings, beneath the "Use certificate for authentication" radio button. Changing this setting changes the DisableIKENameEkuCheck key for that entry in the rasphone.pbk file: the key is set to 1 when the additional checks are disabled and to 0 when they are enabled.
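Methods 2 and 3 both come down to one INI-style key inside one section of a RAS text file, so a single script serves both. The following is an added example, not code from the original article: it sets DisableIKENameEkuCheck in a named section of a rasphone.pbk (section = connection name, which is an assumption of this example) or of a CM profile's .cms file (section Networking&TunnelDUN, as the article states). The sample phonebook content and the file names are constructed for the demonstration.

```powershell
# Added example (not from the original article). Writes DisableIKENameEkuCheck=<0|1>
# into one [Section] of an INI-style RAS file: rasphone.pbk for a Network Connections
# dialer (section name = connection name, assumed here) or a CM profile's .cms file
# (section Networking&TunnelDUN). Written for PowerShell 2.0+ so it runs on Vista.
function Set-IkeNameEkuCheck {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)] [string] $Path,     # rasphone.pbk or profile .cms
        [Parameter(Mandatory=$true)] [string] $Section,  # e.g. 'CorpVPN' or 'Networking&TunnelDUN'
        [switch] $Disable                                # present: write 1 (skip checks); absent: write 0 (enforce)
    )
    $value = if ($Disable) { '1' } else { '0' }
    $lines = New-Object System.Collections.Generic.List[string]
    $lines.AddRange([string[]]@(Get-Content -LiteralPath $Path))

    # Locate the [Section] header and the start of the next section (or end of file).
    $start = -1; $end = $lines.Count
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*\[(.+)\]\s*$') {
            if ($start -ge 0) { $end = $i; break }
            if ($Matches[1] -eq $Section) { $start = $i }
        }
    }
    if ($start -lt 0) { throw "Section [$Section] not found in $Path" }

    # Replace an existing key in place; otherwise insert it right after the header.
    $replaced = $false
    for ($i = $start + 1; $i -lt $end; $i++) {
        if ($lines[$i] -match '^\s*DisableIKENameEkuCheck\s*=') {
            $lines[$i] = "DisableIKENameEkuCheck=$value"
            $replaced = $true
        }
    }
    if (-not $replaced) { $lines.Insert($start + 1, "DisableIKENameEkuCheck=$value") }

    # Honour -WhatIf / -Confirm before touching the file.
    if ($PSCmdlet.ShouldProcess($Path, "set DisableIKENameEkuCheck=$value in [$Section]")) {
        Set-Content -LiteralPath $Path -Value $lines
    }
}

# Constructed sample phonebook with two entries (only the keys relevant here);
# the checks are disabled for CorpVPN alone, LabVPN keeps the Vista default of 0.
$pbk = Join-Path $env:TEMP 'rasphone-sample.pbk'
@'
[CorpVPN]
Type=2
DisableIKENameEkuCheck=0

[LabVPN]
Type=2
DisableIKENameEkuCheck=0
'@ | Set-Content -LiteralPath $pbk

Set-IkeNameEkuCheck -Path $pbk -Section 'CorpVPN' -Disable
Get-Content -LiteralPath $pbk

# Method 2, same call against a CM profile's .cms file (hypothetical path):
# Set-IkeNameEkuCheck -Path '.\CorpVPN.cms' -Section 'Networking&TunnelDUN' -Disable
```

Run the function with -WhatIf first against the real rasphone.pbk, which lives in the user's or the all-users Pbk folder, and keep the change scoped to the one connection whose server certificate is at fault rather than every entry in the file.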
Method 4: Through the registry
A registry value named DisableIKENameEkuCheck can be created to control the additional checks during IKE validation for all VPN dialers on the machine. It is created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters. When this value is set to 1, the additional checks are disabled globally for every VPN dialer on the machine, regardless of the per-dialer settings. Because the setting is machine-wide, modifying or creating this registry value is not the recommended procedure; prefer one of the per-dialer methods above.
The additional checks during IKE validation are disabled if any one of the methods described in this article has been used to disable them. Keep in mind what is given up: with the checks off, the client only verifies that the peer's certificate chains to the configured root, so any certificate issued under that root, not only the intended server's, is accepted at the IKE layer. Disable the checks only for the specific connections that need it, and re-enable them once the server's machine certificate has been corrected.
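Because any one of the four switches is enough to turn the checks off, an administrator auditing a machine has to look in more than one place. The following is an added example, not code from the original article: it reads the machine-wide registry value and walks each phonebook entry, reporting per connection whether the check is still enforced. It assumes the registry setting is a DWORD value named DisableIKENameEkuCheck under RasMan\Parameters and that the phonebooks are the standard per-user and all-users rasphone.pbk files; a custom dialer that sets RASEO2_DisableIKENameEkuCheck (Method 1) and CM .cms profiles are only covered if you pass their files explicitly.

```powershell
# Added example (not from the original article). Reports, per dialer, whether the
# IKE name/EKU check is still enforced: the machine-wide registry value and the
# entry's own phonebook key are both consulted, and a 1 in either disables it.
# Assumptions: DWORD value DisableIKENameEkuCheck under RasMan\Parameters, and the
# standard per-user / all-users rasphone.pbk locations. PowerShell 2.0+ syntax.
function Get-IkeNameEkuCheckStatus {
    param(
        [string[]] $Phonebook = @(
            (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
            (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
        )
    )
    # Method 4: global switch in the registry (value absent means checks enforced).
    $regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
    $regItem    = Get-ItemProperty -Path $regPath -Name DisableIKENameEkuCheck -ErrorAction SilentlyContinue
    $machineOff = ($regItem -ne $null -and $regItem.DisableIKENameEkuCheck -eq 1)

    # Method 3 (and any file you pass in): per-entry key inside each [Connection] section.
    foreach ($pbk in ($Phonebook | Where-Object { Test-Path -LiteralPath $_ })) {
        $section = $null
        foreach ($line in Get-Content -LiteralPath $pbk) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -and $line -match '^\s*DisableIKENameEkuCheck\s*=\s*(\d+)') {
                $entryOff = ($Matches[1] -eq '1')
                New-Object PSObject -Property @{
                    Connection      = $section
                    Phonebook       = $pbk
                    EntryDisabled   = $entryOff
                    MachineDisabled = $machineOff
                    CheckEnforced   = -not ($entryOff -or $machineOff)
                }
            }
        }
    }
}

Get-IkeNameEkuCheckStatus |
    Format-Table Connection, Phonebook, EntryDisabled, MachineDisabled, CheckEnforced -AutoSize
```

Entries that carry no DisableIKENameEkuCheck key at all are not listed; on Vista they get the default, which is checks enforced. To include a CM profile, pass its .cms file via -Phonebook, in which case the reported "Connection" is the Networking&TunnelDUN section name rather than a dialer name.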