IPSec StrongCRLCheck does not work on Windows Server 2008 R2-based RRAS
September 15th, 2011
SYMPTOMS:
- You install the Routing and Remote Access Service (RRAS) role on a server that is running Windows Server 2008 R2.
- You configure the server to accept Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connections.
- You run the Netsh ipsec dynamic set config property=strongcrlcheck value=2 command to configure the StrongCRLCheck setting on the server.
- You revoke a certificate on a client computer. The certificate is used to make L2TP/IPsec connections to the RRAS server.
- You establish an L2TP/IPsec connection from the client computer to the server.
- The connection to the RRAS server is successful. However, you expect that the client computer cannot connect to the server.
The issue occurs because the Remote Access Service (RAS) ignores the StrongCRLCheck setting!
To correct this, you need to install a hotfix and add a new registry key, as instructed in KB2351254: http://support.microsoft.com/kb/2351254
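The following PowerShell checks are an added example, not part of the original post or of KB2351254. Run on the RRAS server, they show whether the hotfix is present, which StrongCRLCheck value is in effect, and whether the server itself sees the client certificate as revoked. The certificate path is a placeholder, and the registry key from the KB is not checked here because the post does not name it.

```powershell
# Added example: run from an elevated PowerShell prompt on the RRAS server.
# Assumption: $ClientCertPath is an exported copy (.cer) of the client
# certificate that was revoked. The default path is a placeholder.
param(
    [string]$ClientCertPath = 'C:\temp\client.cer'
)

# 1. Is the hotfix from KB2351254 installed?
$hotfix = Get-HotFix -Id 'KB2351254' -ErrorAction SilentlyContinue
if ($hotfix) {
    "Hotfix KB2351254: installed"
} else {
    "Hotfix KB2351254: NOT installed"
}

# 2. Which StrongCRLCheck value is currently in effect?
#    (The post sets it with: netsh ipsec dynamic set config
#     property=strongcrlcheck value=2)
$setting = netsh ipsec dynamic show config |
    Select-String -Pattern 'StrongCRLCheck'
if ($setting) {
    "Current setting: $($setting.Line.Trim())"
} else {
    "StrongCRLCheck not found in 'netsh ipsec dynamic show config' output"
}

# 3. Does this server see the client certificate as revoked?
#    -urlfetch makes certutil retrieve the CRL/OCSP data from the URLs in
#    the certificate instead of relying only on cached revocation data.
if (Test-Path $ClientCertPath) {
    certutil -verify -urlfetch $ClientCertPath |
        Select-String -Pattern 'revo'
    "certutil exit code: $LASTEXITCODE (non-zero means verification failed)"
} else {
    "Certificate file not found: $ClientCertPath"
}
```

A revoked certificate is only rejected once the server has retrieved a CRL that lists it, so check 3 is worth running before concluding that the hotfix did not take effect.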
Categories: Certificate, CRL Check, L2TP/IPSec, Revocation, Security