RRAS: To use IKEv2, at least one valid certificate must be present on the RRAS server

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Storage Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Network Policy and Access Service (NPAS) Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2012, Windows Server 2008 R2

Product/Feature

Routing and Remote Access Service (RRAS)

Severity

Error

Category

Configuration

Issue

A certificate that is usable for IKEv2 is not present on your RRAS server.

Impact

If you do not have a correctly configured and accessible IKEv2 certificate, then remote access clients cannot communicate with the RRAS server by using an IKEv2 tunnel.

Your Routing and Remote Access server must be configured with a certificate that it can present to client computers upon connection for authentication.

A valid certificate for IKEv2 must meet the following requirements:

  1. The certificate is configured with the Server Authentication purpose in the Enhanced Key Usage (EKU) extensions.

  2. The certificate ideally is also configured with the IKE Intermediate purpose in the EKU extensions. This is not required, but assists Windows in determining which among several certificates to use for IKEv2 authentication.

  3. The certificate has a private key.

  4. The certificate is not expired.

  5. The subject name of the certificate is the IP address of the external interface on the remote access server, or a regular expression containing a DNS name that resolves to that IP address. If the remote access server is located behind a NAT device, then the IP address or DNS name must be that of the external interface of the NAT device.

Resolution

Use the Certificates MMC snap-in to request and configure certificates on the RRAS server for IKEv2.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To view the certificates in the local computer store

  1. Start the Microsoft Management Console. Click Start, type MMC, and then press ENTER.

  2. Click File and then click Add/Remove Snap-in.

  3. In the Available snap-ins list, select Certificates and then click Add.

  4. Select Computer account, and then click Next.

  5. Select Local computer, click Finish, and then click OK.

  6. Expand Certificates (Local Computer), expand Personal, and then expand Certificates.

  7. Double-click a certificate to see the details.

  8. On the Details tab, select Enhanced Key Usage to see the currently assigned purposes in the box below.

  9. Click OK to close the dialog box.
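The MMC procedure above shows one certificate at a time; the following PowerShell script is an added example (not part of this topic) that checks every certificate in the same store, Local Computer\Personal, against the five IKEv2 requirements listed under Impact. It assumes $ExternalName is set to the external IP address or DNS name of the RRAS server (or of the NAT device in front of it); the EKU object identifiers are the standard ones for Server Authentication and IKE Intermediate.

```powershell
# Added example: evaluate Local Computer\Personal certificates against the IKEv2 requirements.
# Assumption: $ExternalName holds the RRAS (or NAT) external IP address or DNS name.
$ExternalName = 'vpn.example.com'      # placeholder value; replace with your external name or IP

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (required)
$IkeIntermOid  = '1.3.6.1.5.5.8.2.2'   # IKE Intermediate EKU (recommended)

function Test-Ikev2Certificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)

    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject check: CN of the subject, or any entry in the Subject Alternative Name extension (OID 2.5.29.17)
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $cn = ($Cert.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1)
    $subjectOk = ($cn -and $cn.Trim() -eq "CN=$Name") -or ($sanText -match [regex]::Escape($Name))

    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        ServerAuthEku  = $ekus -contains $ServerAuthOid    # requirement 1
        IkeIntermEku   = $ekus -contains $IkeIntermOid     # requirement 2 (optional)
        HasPrivateKey  = $Cert.HasPrivateKey               # requirement 3
        NotExpired     = $Cert.NotAfter -gt (Get-Date)     # requirement 4
        SubjectMatches = $subjectOk                        # requirement 5
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-Ikev2Certificate -Cert $_ -Name $ExternalName }

$results | Format-Table -AutoSize

# A certificate is usable when the four required checks pass; IKE Intermediate only helps selection
$usable = $results | Where-Object { $_.ServerAuthEku -and $_.HasPrivateKey -and $_.NotExpired -and $_.SubjectMatches }
if (-not $usable) {
    Write-Warning 'No certificate usable for IKEv2 was found in the Local Computer\Personal store.'
} else {
    'Usable for IKEv2:'
    $usable | Select-Object Thumbprint, Subject, IkeIntermEku
}
```

Run it in an elevated PowerShell session on the RRAS server; a warning means the BPA error will persist until a matching certificate is requested and installed.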

Additional references

For more information about IKEv2 deployment, see Step-by-Step Guide: Deploy Remote Access with VPN Reconnect in a Test Lab (https://go.microsoft.com/fwlink/?linkid=143464).

For more about creating certificates by using the Active Directory Certificate Services server role, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?linkid=136444) in the Windows Server Technical Library.

For more about the Routing and Remote Access role service, see Routing and Remote Access (https://go.microsoft.com/fwlink/?linkid=153482) on TechNet, and Routing and Remote Access Service in the Windows Server Technical Library.