
L2TP VPN - Main Mode negotiation fails


Hi folks

I'm trying to figure out where this goes wrong but have been unsuccessful so far.

Scenario

Windows XP SP3 client attempts L2TP/IPSec VPN connection to TMG 2010 SP2 RU3 server.

Using PSK, it works.

Using computer certificates, it fails.

Client logs event 547, Negotiation timed out, failure point: Me, with the following being a bit interesting:

Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority

Note the missing data for Peer Subject, Issuing CA and Root CA, as well as the zeroed-out thumbprint.

Now the client and server share the same Root and Intermediate CA all the way through.

The client has the right NAT-T configuration (AssumeUDPEnc...)

Looking at a netsh trace on the server, it reports that the Main Mode SA has been established and lists both client and server certificates correctly. The client then continues to negotiate before it eventually times out as per above.

I am very well aware of the fact that it could be certificate related in some way, but if anyone has specifics of what to look for, then that would be very much appreciated. As a note, I can only make offline requests for certificates for both the client and server, for various reasons.

The only difference I've been able to spot when comparing to a working setup is that the server cert has no SAN DNS entry in the cert. I am unable to request a certificate that has the SAN DNS entry populated.


Hth, Anders Janson Enfo Zipper
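As an added example (not the poster's code and not from the original thread), here is a PowerShell script that inventories the machine certificate store on a Windows host and reports, for each certificate, the properties that IKE certificate authentication depends on: whether the private key is present, the EKUs, the subjectAltName entries, the expiry, and whether a chain builds from the local store to a root. Running it on both the client and the TMG server and comparing the output against the working setup is one way to narrow down a "certificate related" failure like the one above. The EKU OID table and the assumption that the certificates live in LocalMachine\My are mine, not from the post.

```powershell
# Added example, not from the original post: list machine certificates with the
# fields relevant to IKE main mode certificate authentication.
# Assumptions: run elevated on the Windows host; certificates live in LocalMachine\My;
# PowerShell 2.0 or later (the .NET X509 classes are used directly, no newer cmdlets).

$X509NS = 'System.Security.Cryptography.X509Certificates'

# EKU OIDs commonly carried by IPsec/IKE certificates (reference values chosen for this example).
$ikeEkus = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Get-IkeCertificateReport {
    param(
        [string]$StoreName = 'My',
        [string]$Location  = 'LocalMachine'
    )

    $store = New-Object -TypeName "$X509NS.X509Store" -ArgumentList $StoreName, $Location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $ekus = @()
            $sans = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
                } elseif ($ext.Oid.Value -eq '2.5.29.17') {
                    # subjectAltName: Format($true) renders one "DNS Name=..." style line per entry
                    $sans = @($ext.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
                }
            }

            # Build the chain from the local machine store with online revocation checking,
            # which is the kind of validation the IKE service has to succeed at.
            $chain = New-Object -TypeName "$X509NS.X509Chain"
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chainOk = $chain.Build($cert)
            $root = ''
            if ($chain.ChainElements.Count -gt 0) {
                $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            }

            $ikeEkuPresent = @($ekus | Where-Object { $ikeEkus.ContainsKey($_) }).Count -gt 0
            $ekuNames = $ekus | ForEach-Object { if ($ikeEkus.ContainsKey($_)) { $ikeEkus[$_] } else { $_ } }

            New-Object PSObject -Property @{
                Subject         = $cert.Subject
                Thumbprint      = $cert.Thumbprint
                NotAfter        = $cert.NotAfter
                HasPrivateKey   = $cert.HasPrivateKey
                Eku             = ($ekuNames -join '; ')
                # No EKU extension at all, or one of the IKE-relevant EKUs present
                EkuUsableForIke = ($ekus.Count -eq 0) -or $ikeEkuPresent
                SubjectAltName  = ($sans -join '; ')
                ChainBuilds     = $chainOk
                ChainStatus     = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
                Root            = $root
            }
        }
    } finally {
        $store.Close()
    }
}

Get-IkeCertificateReport |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, Eku, EkuUsableForIke,
                SubjectAltName, ChainBuilds, ChainStatus, Root
```

Compare the Root value on the client against the one on the server: both ends must chain to a root that the other side's IPsec policy trusts. A certificate with HasPrivateKey False or ChainBuilds False is one IKE cannot use, whatever the thumbprint shows in the event log.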


