How to renew/restore expired IKEv2 VPN certificate when not in the office

Adam Lacey 1 Reputation point
2021-06-05T16:31:41.277+00:00

Hi, I am new to VPNs and currently have an issue where our IKEv2 VPN has stopped working for everyone. We have not been back in the office since the start of Lockdown (March 2020) but we have been connecting to the VPN daily. From what I believe I have discovered, the VPN certificate on the Secondary DC (The subordinate CA) , which is where the IKEv2 VPN is running from, has expired. This is in everyone's "Local Computers\Personal\Certificates\". Luckily we have an old SSTP VPN still active so I am able to remote on to the Secondary DC. This is what I have tried so far and hope I haven't made things harder:
As the vpn certificate had expired in the subordinate CA:

  1. I went to renew the VPN cert and it only renewed it until the following day; I believe that meant I had to renew the CA Root Certificate, which updated on the subordinate CA and changed to November this year (as that's what the primary Root CA is, I believe).
  2. This allowed me to update the VPN Certificate until November also.
  3. Doing this, I believe, changed the keys for the certificate, and I don't know if that means you have to physically be in the office for GP to give your laptop those keys, or if we are able to somehow get them using the old office VPN. I tried manually exporting the cert and importing it on my laptop but no joy. I have an old export of the old expired VPN cert if needed, but not of the updated root cert.

Basically, what is the best way to get everyone's IKEv2 VPN to connect again, which I'm pretty sure is this expired certificate issue? I've tried using the old VPN and doing a GPUPDATE /FORCE, but my laptop seems to have issues using the old VPN and drops connection now and then, and I'm not 100% sure whether that's not updating my computer to have the new certs, so I manually exported the new VPN cert off the server and imported it on my laptop, but this is still not connecting. I have noticed, though, a cert in my Intermediate Certification Authorities still with the expiry day of when the VPN cert expired.

Does anyone have any recommendations, please?

Many thanks in advance.
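The renew-and-redistribute procedure the question describes, written out as an added PowerShell example (not code from the original post or from the poster's environment): publish the renewed subordinate CA certificate to Active Directory so domain members pick it up, re-issue the VPN server's machine certificate from the enterprise CA, check it validates for server authentication, and point RRAS at it. The template name `VPNServer`, the file paths, the DNS names (the thread's are redacted) and the `Set-VpnAuthProtocol` step (RemoteAccess module, Server 2012 or later) are assumptions to adapt.

```powershell
# Added example, not code from the original post. Assumed names: template
# 'VPNServer', the file paths, and the two DNS names; adjust them to your CA.

# ---- 1. On the subordinate CA: export its renewed certificate and publish it
#         to AD so domain members receive it via autoenrollment / Group Policy.
$caCertFile = 'C:\Temp\Server2-CA.crt'
certutil -ca.cert $caCertFile                 # current (renewed) CA certificate
certutil -dspublish -f $caCertFile SubCA      # AIA container -> Intermediate store on clients
# If the root CA certificate was renewed as well, publish that one from the root CA:
#   certutil -dspublish -f C:\Temp\SVR01-CA.crt RootCA

# ---- 2. On the VPN server (the same machine in this thread): re-issue the
#         machine certificate from the enterprise CA and check the result.
$dnsNames = 'vpn.example.co.uk', 'office.example.co.uk'   # placeholders for the redacted names
$enroll = Get-Certificate -Template 'VPNServer' `
                          -SubjectName "CN=$($dnsNames[0])" `
                          -DnsName $dnsNames `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: $($enroll.Status)" }
$cert = $enroll.Certificate

# Validate it the way a client will: chains to a trusted root, carries the
# Server Authentication EKU, and matches the name clients connect to.
if (-not (Test-Certificate -Cert $cert -Policy SSL -EKU '1.3.6.1.5.5.7.3.1' -DNSName $dnsNames[0])) {
    throw 'New certificate does not validate for server authentication on this host'
}

# Tell RRAS to advertise this certificate for IKEv2 (assumption: RemoteAccess
# module present) and restart the service so it re-reads the machine store.
Set-VpnAuthProtocol -CertificateAdvertised $cert -PassThru
Restart-Service RemoteAccess

# ---- 3. On each client, while connected over the still-working SSTP VPN:
#         refresh computer Group Policy and trigger autoenrollment so the
#         published CA certificates land in LocalMachine\CA and LocalMachine\Root.
#   gpupdate /target:computer /force
#   certutil -pulse
```

Step 3 is the part that is easy to miss when nobody is on the office LAN: the client pulls the new CA certificates from AD during autoenrollment, so the laptop must be on the domain network (here, over the SSTP tunnel) when `certutil -pulse` or the computer policy refresh runs.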

Windows for business | Windows Server | User experience | Other

9 answers

  1. Adam Lacey 1 Reputation point
    2021-06-18T12:30:50.207+00:00

    This is from Event Viewer on Server 2 (the IKEv2 VPN Server):

    CoId={8*******-****-****-****-***********6}: The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: vpn.*******.co.uk. IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.

    But as previously mentioned, "The cert on my local computer has the same thumbprint as the cert in the RAS "SSL Certificate Binding" for the VPN connection", and the Subject of the certificate has two CN lines:
    CN = vpn.*******.co.uk
    CN = office.*******.co.uk

    so this is why it's really confusing me. I could look at removing the other CN if needed, if you think that would help?

    Kind regards
    Adam
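The RAS event above says RRAS could not find a machine certificate it is willing to use for IKEv2. An added PowerShell diagnostic (not from the original thread) that lists every certificate in the server's `LocalMachine\My` store against the properties IKEv2 needs: not expired, private key present, Server Authentication (`1.3.6.1.5.5.7.3.1`) or IP security IKE intermediate (`1.3.6.1.5.5.8.2.2`) EKU, and a chain that builds to a trusted root in this machine's stores. It also marks which one RRAS currently advertises; that part assumes the RemoteAccess module (`Get-VpnAuthProtocol`) is installed and is skipped otherwise. Run it elevated on the VPN server.

```powershell
# Added example, not code from the original post. Lists IKEv2-relevant
# properties of every certificate in the server's machine store.

$ekuServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ekuIkeInter   = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

# Certificate RRAS advertises for IKEv2 (assumption: RemoteAccess module present).
$advertised = $null
if (Get-Command Get-VpnAuthProtocol -ErrorAction SilentlyContinue) {
    $advertised = (Get-VpnAuthProtocol).CertificateAdvertised
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Extended key usage OIDs carried by the certificate (empty if no EKU extension)
    $ekus = @()
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Build the chain as this machine sees it. Revocation is skipped so an
    # unreachable CRL does not hide a purely expiry/trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        Expired          = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey    = $cert.HasPrivateKey
        ServerAuthEKU    = ($ekus -contains $ekuServerAuth)
        IkeIntermediateEKU = ($ekus -contains $ekuIkeInter)
        ChainOK          = $chainOk
        ChainStatus      = $chainStatus
        Root             = $root.Subject
        AdvertisedByRRAS = ($null -ne $advertised -and $advertised.Thumbprint -eq $cert.Thumbprint)
    }
}

$report | Format-Table -AutoSize

# A certificate IKEv2 can select: in date, private key present, a suitable EKU,
# and a chain that builds to a root this machine trusts.
$usable = $report | Where-Object {
    -not $_.Expired -and $_.HasPrivateKey -and ($_.ServerAuthEKU -or $_.IkeIntermediateEKU) -and $_.ChainOK
}
if (-not $usable) {
    Write-Warning 'No certificate in LocalMachine\My meets the IKEv2 requirements; this matches the RAS event.'
}
```

The `ChainStatus` column is the column to read first: `NotTimeValid` on an otherwise correct-looking certificate means an expired certificate somewhere in the chain (for example the old subordinate CA certificate still being chosen as the issuer), and `UntrustedRoot` or `PartialChain` means the renewed CA certificates have not reached this machine's Root or Intermediate stores.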


  2. Adam Lacey 1 Reputation point
    2021-06-23T09:42:59.44+00:00

    Hi @Anonymous ,

    I can confirm the serial number on my local laptop ( "Local Computer" > "Personal" > "Certificates" ) and the serial number on the Server ( "Routing and Remote Access" > "Server node" > "Properties" > "Security" > "SSL Certificate Binding" > "View" ) match.

    I have since deleted and remade the certificate on both the server and laptop, but I made the CN the same as the old one and it is the certificate I manually exported and imported in the last comment, so it shouldn't matter if it wasn't the same because I did that, wouldn't it? (As the serial number and CN match on both the server and laptop from exporting and importing it.)

    Are you able to confirm where all the different types of certificates should be on both the local and for IKEv2 to work in case I'm missing a cert somewhere? I have:
    Server Sub_CA / VPN Server:

    "Local Computer" > "personal" > "Certificates" > VPN cert
    "Local Computer" > "Trusted Root Certification" > "Certificates":
    Issued to: | Issued by: | Date: | Certificate Template
    -Server2-CA | SVR01-CA | 24/11/2021 | Subordinate Certificate Authority
    -SVR01-CA | SVR01-CA | 16/06/2026 |
    -SVR01-CA | SVR01-CA | 16/06/2026 |

    "Local Computer" > "Intermediate Certification" > "Certificates":
    Issued to: | Issued by: | Date: | Certificate Template
    -Server2-CA | SVR01-CA | 17/06/2023 | Subordinate Certificate Authority
    X-Server2-CA | SVR01-CA | 17/06/2023 | Subordinate Certificate Authority
    X-SVR01-CA | SVR01-CA | 16/06/2026 |
    -SVR01-CA | SVR01-CA | 24/11/2021 |
    -SVR01-CA | SVR01-CA | 14/06/2026 |
    -SVR01-CA | SVR01-CA | 16/06/2026 |
    -SVR01-CA | SVR01-CA | 16/06/2026 | Cross Certificate Authority
    -SVR01-CA | SVR01-CA | 24/11/2021 | Cross Certificate Authority
    -SVR01-CA | SVR01-CA | 14/06/2026 | Cross Certificate Authority
    -SVR01-CA | SVR01-CA | 16/06/2026 |
    -SVR01-CA | SVR01-CA | 24/11/2021 | Cross Certificate Authority
    -SVR01-CA | SVR01-CA | 14/06/2026 | Cross Certificate Authority
    -SVR01-CA | SVR01-CA | 16/06/2026 | Cross Certificate Authority

    Laptop:

    "Local Computer" > "personal" > "Certificates" > VPN cert (Same SN and CN as the server because I exported and manually imported as last comment)
    "Local Computer" > "Trusted Root Certification" > "Certificates":
    Identical as Server
    "Local Computer" > "Intermediate Certification" > "Certificates":
    Same as Server BUT MISSING THE CERTS ABOVE PREFIXED WITH "X" (Could this be the issue and should I manually import these? Should they not have populated by themselves, as I would need them on all the other laptops in the company if they don't have them?)

    Kind regards
    Adam

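The store-by-store comparison in the post above is exactly the check that is worth automating, because the same difference will exist on every laptop. An added PowerShell script (not from the original thread) that inventories the machine-level Trusted Root and Intermediate stores by thumbprint, writes the inventory to a file on the VPN server, and on a client reports every CA certificate the server has that the client lacks. It also verifies that the root anchoring the VPN server's chain is in the client's Trusted Root store. For IKEv2 with EAP (username/password) authentication the client needs that chain in its machine stores and does not need a copy of the server's certificate; if the deployment uses machine-certificate authentication instead, the client needs its own machine certificate from the CA, again not the server's. The file path and the `-ServerRootThumbprint` value are assumptions the caller supplies.

```powershell
# Added example, not code from the original post. Run with no arguments on the
# VPN server to write an inventory file, copy that file to the laptop, then run
# with -Compare there. File path and root thumbprint are caller-supplied assumptions.
param(
    [string]$InventoryFile = "$env:TEMP\ca-inventory.json",
    [switch]$Compare,
    [string]$ServerRootThumbprint = ''   # thumbprint of the root that issued the VPN server's chain
)

# Trusted Root Certification Authorities = Root, Intermediate Certification Authorities = CA
$storeNames = @{ Root = 'Trusted Root'; CA = 'Intermediate' }

function Get-CaStoreInventory {
    foreach ($store in $storeNames.Keys) {
        foreach ($c in Get-ChildItem "Cert:\LocalMachine\$store") {
            [pscustomobject]@{
                Store      = $storeNames[$store]
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                Issuer     = $c.Issuer
                NotAfter   = $c.NotAfter.ToString('yyyy-MM-dd')
                Expired    = ($c.NotAfter -lt (Get-Date))
            }
        }
    }
}

$local = @(Get-CaStoreInventory)

if (-not $Compare) {
    $local | ConvertTo-Json | Set-Content -Path $InventoryFile -Encoding UTF8
    "Wrote $($local.Count) CA certificates to $InventoryFile"
    return
}

# Index the local stores by store+thumbprint, then list what the reference has and this machine lacks.
$present = @{}
foreach ($e in $local) { $present["$($e.Store)|$($e.Thumbprint)"] = $true }
$reference = @(Get-Content -Path $InventoryFile -Raw | ConvertFrom-Json)
$missing = $reference | Where-Object { -not $present.ContainsKey("$($_.Store)|$($_.Thumbprint)") }

if ($missing) {
    'CA certificates present in the reference inventory but missing here:'
    $missing | Format-Table Store, Subject, Issuer, NotAfter, Expired -AutoSize
} else {
    'CA stores contain every certificate in the reference inventory.'
}

# The client only has to trust the server's chain; confirm the anchoring root
# is in Trusted Root on this machine when a thumbprint was supplied.
if ($ServerRootThumbprint) {
    if ($present.ContainsKey("Trusted Root|$ServerRootThumbprint")) {
        'Root CA anchoring the VPN server certificate is trusted on this machine.'
    } else {
        Write-Warning 'Root CA is not in LocalMachine\Root here; IKEv2 clients on this machine will not trust the server.'
    }
}
```

Comparing by thumbprint rather than by subject matters in this thread: the stores above contain several certificates that all read `SVR01-CA` issued by `SVR01-CA` and differ only in validity dates and thumbprints, so a subject-level comparison would report them as present when the renewed copy is actually missing.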

  3. Anonymous
    2021-06-24T07:48:05.607+00:00

    Hello @Adam Lacey ,

    Is your laptop in the domain network?

    If so, you can renew VPN cert in the domain network and install such cert on this laptop.

    If your laptop is not in the domain network, then you cannot connect CA server.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou



  4. Adam Lacey 1 Reputation point
    2021-06-24T12:28:27.097+00:00

    Hi @Anonymous, yes, my laptop is on the domain, registered in AD. I connect to the old SSTP VPN, run GPUPDATE /FORCE (log off and on while still on the old VPN), but I still can't connect to the IKEv2 VPN for some unknown reason. I've asked my colleagues also working from home to do the same and they still can't connect to the IKEv2 VPN either.

    This is really confusing me, there must be something conflicting somewhere but I don't know where. We used to work on this VPN until the Certificate expired and I've tried updating it as mentioned previously, and still nothing.

