STEP 6: Configure EDGE1 and 3-EDGE1 to use certificates for site-to-site authentication
Applies To: Windows Server 2012 R2, Windows Server 2012
In Routing and Remote Access, right-click EDGE1 (local), and then click Properties.
In the Security tab, click Authentication Methods. Check Allow machine certificate authentication for IKEv2.
Click OK twice.
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
# Select the Contoso root CA certificate from the local machine's Trusted Root store
$cert1 = ( Get-ChildItem -Path cert:LocalMachine\root | Where-Object -FilterScript { $_.Subject -Like "*CN=Contoso Root Certification Authority,*" } )
# Accept certificate authentication and trust only peer certificates that chain to that root
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate -RootCertificateNameToAccept $cert1 -PassThru
Note
This change applies to both L2TP and IKEv2 VPN connections, site-to-site and Remote Access alike. If you change the authentication method on the server from certificates to pre-shared key, VPN client connections are affected as well: if the server is configured to advertise only pre-shared key, VPN clients that validate the server using certificates will fail to authenticate it.
In the Start screen, type notepad, right-click Notepad and then click Run as administrator.
Click Yes in the User Account Control dialog.
In Notepad, click File and then click Open.
In the Open dialog, change file type to All Files. Navigate to C:/Windows/System32/drivers/etc.
Open the hosts file.
Go to the end of the hosts file and type 131.107.0.4 3-EDGE1.corp.fabrikam.com.
Close the file and click Save when prompted.
On EDGE1, click Start, type mmc, and then click mmc. Click Yes at the User Account Control prompt.
Click File, and then click Add/Remove Snap-ins.
Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
Right-click corp-DC1-CA, point to All Tasks, and then click Export.
In the Certificate Export Wizard, click Next twice. Click Browse and select Desktop. In the File name box, type DC1cert. Click OK.
Click Next and then click Finish.
Click OK on the dialog indicating the export was successful.
Go to the Desktop. Right-click DC1cert, point to Share with, and then click Specific people.
In the File Sharing dialog, select Everyone from the drop-down list. Click Share. Click Done.
Warning
It is not advisable to share this file with Everyone outside of a test lab environment.
In Routing and Remote Access, right-click 3-EDGE1 (local), and then click Properties.
In the Security tab, click Authentication Methods. Check Allow machine certificate authentication for IKEv2.
Click OK twice.
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
# Select the Contoso root CA certificate from the local machine's Trusted Root store
$cert1 = ( Get-ChildItem -Path cert:LocalMachine\root | Where-Object -FilterScript { $_.Subject -Like "*CN=Contoso Root Certification Authority,*" } )
# Accept certificate authentication and trust only peer certificates that chain to that root
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate -RootCertificateNameToAccept $cert1 -PassThru
Note
This change applies to both L2TP and IKEv2 VPN connections, site-to-site and Remote Access alike. If you change the authentication method on the server from certificates to pre-shared key, VPN client connections are affected as well: if the server is configured to advertise only pre-shared key, VPN clients that validate the server using certificates will fail to authenticate it.
In the Start screen, type notepad, right-click Notepad and then click Run as administrator.
Click Yes in the User Account Control dialog.
In Notepad, click File and then click Open.
In the Open dialog, change file type to All Files. Navigate to C:/Windows/System32/drivers/etc.
Open the hosts file.
Go to the end of the hosts file and type 131.107.0.2 3-EDGE1.corp.contoso.com.
Close the file and click Save when prompted.
On 3-EDGE1, click Start, type mmc, and then click mmc. Click Yes at the User Account Control prompt.
Click File, and then click Add/Remove Snap-ins.
Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
Right-click corp-3-DC1-CA, point to All Tasks, and then click Export.
In the Certificate Export Wizard, click Next twice. Click Browse and select Desktop. In the File name box, type 3-DC1cert. Click OK.
Click Next and then click Finish.
Click OK on the dialog indicating the export was successful.
Go to the Desktop. Right-click 3-DC1cert, point to Share with, and then click Specific people.
In the File Sharing dialog, select Everyone from the drop-down list. Click Share. Click Done.
Warning
It is not advisable to share this file with Everyone outside of a test lab environment.
On 3-EDGE1, click Start, type mmc, and then click mmc. Click Yes at the User Account Control prompt.
Click File, and then click Add/Remove Snap-ins.
Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Trusted Root Certification Authorities.
Right click Trusted Root Certification Authorities, point to All Tasks and click Import.
In the Certificate Import Wizard, click Next. Click Browse. In the address bar of the Open dialog, type \\131.107.0.2\Users\Desktop and press Enter. Select DC1cert and click Open.
Click Next twice and then click Finish.
In the Routing and Remote Access snap-in, expand EDGE1, and then click Network Interfaces.
Right-click 3-EDGE1.corp.fabrikam.com and then click Properties.
Click the Security tab, select Use machine certificates, and then select Verify the Name and Usage attributes of the server's certificate.
Click OK.
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
# Select this server's own machine certificate (with its private key) from the Personal store
$cert1 = Get-ChildItem -Path cert:LocalMachine\My | Where-Object -FilterScript { $_.Subject -Like "*CN=edge1.contoso.com*" }
# Use machine certificates for both initiator and responder authentication on the IKEv2 interface
Set-VpnS2SInterface -Name edge1 -AuthenticationMethod MachineCertificates -Certificate $cert1 -ResponderAuthenticationMethod MachineCertificates -Protocol IKEv2
In the Routing and Remote Access snap-in, expand 3-EDGE1, and then click Network Interfaces.
Right-click EDGE1.corp.contoso.com and then click Properties.
Click the Security tab, select Use machine certificates, and then select Verify the Name and Usage attributes of the server's certificate.
Click OK.
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
# Select this server's own machine certificate (with its private key) from the Personal store
$cert1 = Get-ChildItem -Path cert:LocalMachine\My | Where-Object -FilterScript { $_.Subject -Like "*CN=3-edge1.contoso.com*" }
# Use machine certificates for both initiator and responder authentication on the IKEv2 interface
Set-VpnS2SInterface -Name 3-edge1 -AuthenticationMethod MachineCertificates -Certificate $cert1 -ResponderAuthenticationMethod MachineCertificates -Protocol IKEv2
On 3-EDGE1, in the console tree of the Routing and Remote Access snap-in, click Network Interfaces.
In the Details pane, right-click EDGE1.corp.contoso.com, and then click Connect.
Confirm that the connection state of VPN_Corpnet is connected.
On DC1, at the Start menu, type cmd and then press Enter. At the command prompt, type ping 10.6.0.2. Verify that there are four replies from 10.6.0.2.
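As an added example (not part of the original guide), the following PowerShell script runs the checks behind the procedure above on one edge server before the site-to-site interface is connected, and then confirms the connection state. The interface name, certificate subject and peer root CA name are assumptions written for EDGE1 and must be swapped for 3-EDGE1; property names follow the RemoteAccess and PKI module output.

```powershell
# Added example, not from the original guide. Assumed values for EDGE1: swap them on 3-EDGE1.
$InterfaceName = '3-EDGE1.corp.fabrikam.com'   # S2S interface name as shown in RRAS
$LocalCertCN   = 'CN=edge1.contoso.com'        # subject of this server's machine certificate
$PeerRootCN    = 'corp-3-DC1-CA'               # root CA imported from the peer (3-DC1cert)

# 1. The server must accept machine-certificate authentication (Set-VpnAuthProtocol above).
$auth = Get-VpnAuthProtocol
if ($auth.UserAuthProtocolAccepted -notcontains 'Certificate') {
    throw 'Server does not accept certificate authentication; run Set-VpnAuthProtocol first.'
}

# 2. The local machine certificate must exist with a private key and carry the Server
#    Authentication EKU (1.3.6.1.5.5.7.3.1), which the peer checks when
#    "Verify the Name and Usage attributes of the server's certificate" is selected.
$local = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$LocalCertCN*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $local) { throw "No machine certificate with a private key matches $LocalCertCN." }
$ekuExt = $local.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
if (-not $hasServerAuth) {
    Write-Warning "$($local.Subject) lacks the Server Authentication EKU; usage verification on the peer will fail."
}
if ($local.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($local.NotAfter)." }

# 3. The peer's root CA (the exported DC1cert / 3-DC1cert file) must be in Trusted Root.
$peerRoot = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$PeerRootCN*" }
if (-not $peerRoot) { throw "Peer root CA $PeerRootCN is not in Trusted Root Certification Authorities." }

# 4. Our own chain must build and be valid for server authentication.
if (-not (Test-Certificate -Cert $local -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue)) {
    Write-Warning 'Local certificate chain does not validate; check that our own root CA is trusted.'
}

# 5. Both sides of the interface must use machine certificates; then connect and read the state.
$s2s = Get-VpnS2SInterface -Name $InterfaceName
if ($s2s.AuthenticationMethod -ne 'MachineCertificates' -or
    $s2s.ResponderAuthenticationMethod -ne 'MachineCertificates') {
    throw "$InterfaceName is not configured for machine-certificate authentication on both sides."
}
Connect-VpnS2SInterface -Name $InterfaceName
Start-Sleep -Seconds 5
(Get-VpnS2SInterface -Name $InterfaceName).ConnectionState   # expected: Connected
```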