Verification of Additional Fields in Peer Certificates during IKE Negotiation in Windows Vista for L2TP/IPSec Tunnel Connections

In Windows Vista, IKE-layer authentication for L2TP/IPSec tunnel connections that use machine certificates has been
strengthened: in addition to validating that the peer's certificate chains to the root certificate specified in the IPSec
policy, the client verifies additional fields in the certificate the peer presents during the IKE negotiation. These
additional checks are:

1. Verification that the subject-alternative-name or subject-name field of the certificate corresponds to the name
   (or IP address) of the peer with which the client machine seeks to communicate.
2. Verification of the EKU field to ensure that the certificate presented by the peer was issued for the authentication purpose.

These additional checks are enabled by default on Windows Vista clients.

These checks can, however, cause IKE negotiation to fail even when a Vista client is connecting to an authentic down-level
RRAS server, if the machine certificate deployed on that RRAS server does not have one or more of the verified fields set
correctly. As a result, L2TP tunnel connection setup also fails. Replacing the machine certificate on a working deployment
is not a viable way to resolve this problem, so in such a situation an administrator might want to disable these additional
checks altogether. The following are the different ways to disable the checks:

Method 1: Through the rasapi32 RASENTRY structure
A new flag named RASEO2_DisableIKENameEkuCheck has been added to the dwfOptions2 member of the RASENTRY structure. If this
flag is set to 1, the additional checks during IKE validation are not performed. An application developer can create a VPN
dialer with the additional checks disabled by using this flag.

Method 2: Through CMAK
The additional checks during IKE validation can be disabled for a CM VPN dialer when the profile is created through the CMAK
wizard. A new key called DisableIKENameEkuCheck is explicitly added while creating the profile through CMAK's Advanced
Customization. The key is added to the .cms file under the Networking&TunnelDUN section. If the value of the key is set to 1,
the additional checks are disabled for the profile.

Method 3: Through the Network Connections window
For VPN dialers created through the Network Connections wizard on Windows Vista, the additional checks during IKE validation
can be disabled in the properties window of the dialer through the "Verify name and usage attributes of the server's
certificate" check box. This check box can be found under
Properties -> Networking -> IPSec Settings -> "Use certificate for authentication" radio button
Changing this setting changes the DisableIKENameEkuCheck key for the entry in the rasphone.pbk file. When the additional
checks are disabled the value of the key is set to 1, and when the additional checks are enabled the value of the key is set to 0.

Method 4: Through the registry
A new registry setting called DisableIKENameEkuCheck can be created to control the additional checks during IKE validation
for all VPN dialers on the machine. The key is created under
When this registry key is set to 1, the additional checks are globally disabled for all VPN dialers on the machine.
Modifying or creating registry keys is not a recommended procedure, though.

The additional checks during IKE validation are disabled if any one of the methods described in this article is used to
disable them; the per-dialer settings and the machine-wide registry setting each suffice on their own.
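Because a dialer with the check disabled will accept any peer certificate that chains to the configured root, regardless of its name or EKU, an administrator may want to find such entries. The following Python audit is an added example written for this article (not Microsoft code): it parses the INI-style text of rasphone.pbk or a CMAK .cms file, lists the sections that set DisableIKENameEkuCheck=1, and applies the "any method disables" rule above; the entry names are constructed and the machine-wide registry value is passed in as a parameter rather than read, since the registry location is not reproduced here.

```python
"""Audit RAS phonebook (rasphone.pbk) or CM profile (.cms) text for VPN entries
whose IKE peer-certificate name/EKU check is disabled (DisableIKENameEkuCheck=1).
Example code written for this article; the sample entries below are constructed."""
from typing import Dict, List, Optional

KEY = "disableikenameekucheck"  # compared case-insensitively; key case varies in files

def parse_ini_like(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [Section] / Key=Value layout of .pbk and .cms files.
    Later duplicate keys overwrite earlier ones; lines starting with ';' are comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def entries_with_check_disabled(text: str) -> List[str]:
    """Return the section names (phonebook entries, or the CMAK tunnel section) that
    set DisableIKENameEkuCheck=1, i.e. that accept any peer certificate chaining to
    the IPSec root regardless of its subject name or EKU."""
    return [name for name, keys in parse_ini_like(text).items() if keys.get(KEY) == "1"]

def effective_check_disabled(entry_value: Optional[str], registry_value: int) -> bool:
    """Per the article, the checks are off if ANY method disables them: the per-entry
    phonebook/.cms key or the machine-wide registry value (supplied by the caller so
    the function runs on any platform)."""
    return registry_value == 1 or entry_value == "1"

# Constructed sample: one entry with the default (checks on), one with checks off.
PBK_SAMPLE = """\
[Corp-L2TP]
DisableIKENameEkuCheck=0

[Legacy-RRAS]
DisableIKENameEkuCheck=1
"""

if __name__ == "__main__":
    for name in entries_with_check_disabled(PBK_SAMPLE):
        print(f"WARNING: {name}: IKE name/EKU certificate check disabled")
```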
