Windows Server 2016 - Setup SSTP OR IKEV2 VPN ON Server

Views: 35,950

Windows Ninja

A day ago

Comments: 65
@davespin9034 2 years ago
Awesome video. Saved my butt. Curious, seems you left out granting access via network policy server. Did you not need it because of the tick in AD under dialup?
@kevinruijter7943 6 years ago
Many thanks! Video helped me out a lot to get everything set up. I'm still kind of confused on how to set it up when you use a different server for RCA than you use for VPN but it worked out. Keep it up! Many thanks!
@TheApens 1 year ago
I've followed the 2 videos and read most of the comments. Did I understand it correctly that this guide does NOT cover installing a VPN to use to work from home and VPN into the office network, so that the employee can then RDP to their own PC and work on their PC in the office?
@glaucoroschel4755 4 years ago
Hi, I need to generate a CA to be able to add it on an OpenVPN server, and after that the users can connect through the OpenVPN client using their username and password from the Domain Controller in a safe way (encrypted) by 636 port LDAPS. How can I set up a correct certificate for that? If I follow this video, will it work for an OpenVPN server?
@Windows10NinjaWorld 4 years ago
Yes these certificates should work but much easier to use openssl.
@mikestreksgaming5890 6 years ago
Well I got SSTP to work, but when I try IKEv2 (which is what we want to be on) does not connect. It says "IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store." Let's just say researching this issue shall be ongoing for me.
@Windows10NinjaWorld 6 years ago
This often happens when the CA is not set up correctly or the IP or domain is not 100% - usually just going over everything from the start works... Also, when the CA is on the DC there could be problems. Please see other comments in our 3 certificate/VPN videos for similar matters.
@mikestreksgaming5890 6 years ago
Windows Ninja Thanks for the reply! I’ll go take a look.
@albertogsm4330 5 years ago
Thank you very much for your explanation. I just followed every step of both your videos. And when I try to connect from Windows 10 (with SSTP) it gives me the next message: "Connection cannot be established. The destination denied specifically the connection". If I set PPTP it works perfectly. If I try to set IKEv2 it gives me the next message: "Type of certificate not valid". Any idea about the issue? Thank you very much again!!
@Windows10NinjaWorld 5 years ago
This has been covered in previous comments... But I have had such too... Generally a full removal of such certificates from the CA and VPN server and a careful redo, again ensuring 100% of each step - esp. server name and IP address!
@albertogsm4330 5 years ago
@@Windows10NinjaWorld Thanks for your quick response. What do you mean by server name and IP address? I followed all your steps perfectly, and the only thing I couldn't do was download the certificate from the server while being outside of the office. I am at home and I typed the external IP address of my office but I couldn't reach it. I had to establish a PPTP VPN to be able to download the certificate as you showed us. Which ports should be opened in the office router? Should I make any exception in my Bitdefender firewall on the server? I watched your video about PKIVIEW and CERTUTIL and my certificate is working fine.
@Windows10NinjaWorld 5 years ago
Ahh! Without the certificate on the client computer you will get such!
@albertogsm4330 5 years ago
@@Windows10NinjaWorld I must have explained myself badly, because I was able to get the certificate via PPTP and after that I installed it on my client computer. It doesn't work either. My CA is working perfectly as I proved before. It must be something with ports or some other issue.... Could you please give me any clue?
@albertogsm4330 5 years ago
@@Windows10NinjaWorld I JUST OPENED PORT 443 IN MY ROUTER AND NOW THE ERROR IS DIFFERENT: "The CN name of the certificate is not the same that the value passed through" Any clue?
@alg3898 5 years ago
Following your instructions exactly (both videos), but the SSTP VPN always returns "error 0x80072afc: The requested name is valid, but no data of the requested type was found." Trying to switch the configurations to work for IKEv2 always returns "error 868: the remote connection was not made because the name of the remote access server did not resolve." Where did I go wrong? I suspect I need to further configure the DNS, but I've no idea what I can or should do. Currently running tests on a lone DC within a company network. All firewall settings are allowing traffic over TCP port 443.
@Martin-ot7xj 1 year ago
Hi there, please make a tutorial video about how to install and configure sstp VPN server 2019 in a Non-Domain Environment. install in standalone windows server 2019 (workgroup ) thnx
@Windows10NinjaWorld 1 year ago
should try when have some free time!
@vyjhala 2 years ago
Will you help me? I followed your steps and configured the VPN successfully on Windows Server 2016 on AWS. I am also able to connect from the client side, but the issue is that after the connection is established it shows there is no internet connectivity in the VPN adapter status as well as in my adapter. How do I solve this issue? @Windows Ninja
@whizpez 3 years ago
Almost had a stroke when that ORANGE coloured windows menu popped up at 1:46
@jiml07 4 years ago
I got to the point where I was ready to download the certificate, but then I got stuck. I have IIS installed, but don't see the certificate location.
@CaptianYan 7 years ago
The certificate downloaded from the server only included the public key right? How did it work? Since we will need a PKCS12 certificate with private key for IKEv2? And, how did you make the client be able to connect to the Internet without using splitting tunnel? Only chose the NAT option? It is not working for me.
@Windows10NinjaWorld 7 years ago
Yes, the key is not exported. All we did was what you saw in the video. To access over the internet, in the previous video you would add your public IP and public domain name to the certificate. The rest is just allowing your router and any external firewall to not block and/or forward to the VPN server.
@CaptianYan 7 years ago
Thanks for response. Now, the SSTP works for me. But when I changed to IKEv2, it will show that "invalid certificate type". Do you know how to solve this? I followed you step by step from previous video.
@Windows10NinjaWorld 7 years ago
Good to hear you are almost there. You might want to generate another client and server certificate, change the VPN server to the new certificate and try. If not, tell me the full error message. Also, for the internet firewall see blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/ - you need to unblock/forward those ports.
@Windows10NinjaWorld 7 years ago
On the vpn server for IKEv2 did you tick use certificate?
@CaptianYan 7 years ago
LOL, I also have that page in my bookmarks. It was tested in my local network for now. So the router's firewall will not affect it. I have made it work. Actually, I need to use the server's IP address as the common name since I did not have a local DNS server. This step is really important when using IKEv2. It really requires that the server name or address is exactly the same as the certificate common name. In this step, my step is different from your tutorial. Also, I need to export the key with the private key together, installed on the client side. Otherwise, I could get the 13801 error. "The trusted root for the certificate is not present on the client." technet.microsoft.com/en-us/library/dd941612(v=ws.10).aspx Now, everything is working and I changed some parameters to make it available to access from an outside network. It works on both Windows and MacBook now. I need to modify the profile in Apple Configurator 2 to make iOS work too... I found that the whole process is simple but you really need to take care of the details... It is really annoying... In addition, I found that IKEv1 and IKEv2 are both much faster than L2TP over IPSec and OpenVPN on Raspberry Pi 2. Raspberry Pi 2 may lack performance. But I have tested L2TP over IPSec on macOS Server with i5 4278U and Windows Server 2016 with i7 4700MQ. They have the same result, which can reach 30Mbps of total download 100Mbps when doing speedtest.net. But IKEv1 with Cisco ASA 5510 and IKEv2 with Windows Server 2016 can reach 80-90 Mbps of total download 100Mbps. OpenVPN with Raspberry Pi 2 can only reach 20 Mbps of total download 100Mbps. Is it a common result?
@siclesleon 6 years ago
I don't have a domain controller in my server. Do you really need one for the CA templates?
@Windows10NinjaWorld 6 years ago
A DC gives a domain name for your system and you would probably add DNS etc to help CA and OCSP etc... you can try without but you would lose many features.
@gabriellami2685 4 years ago
I can connect through PPTP but not SSTP I get "The certificate's CN name does not match the passed value" Why?
@Windows10NinjaWorld 4 years ago
are you connecting by ip address or domain? you need to have those details in the certificate. This is part of 3 videos.
@AymanSartawi 6 years ago
Hello, SSTP worked fine but without internet access and IKEv2 is showing the following error "IKE authentication credentials are unacceptable" Thanks
@Windows10NinjaWorld 6 years ago
Great that some progress is made. Such issues happen when the OCSP or VPN or certificate has an issue. This matter has been covered before. Please see our 3 CA videos and previous comments.
@Windows10NinjaWorld 6 years ago
Check VPN server to see that internet access is enabled for clients. Also think about firewalls, network policy restrictions etc if this is a long running business server.
@ARMAGEDDON787 3 years ago
Hi, I don't have "Certificate Template" under "Certification Authority (local)" in MMC!! Can you help me?
@Windows10NinjaWorld 3 years ago
Have you followed the previous tutorial for this?
@ARMAGEDDON787 3 years ago
@@Windows10NinjaWorld sorry i didn't see previous tutorial, now i have a new problem: "Policy Match Error" when i want to connect to vpn with Ikev2 !
@Windows10NinjaWorld 3 years ago
@@ARMAGEDDON787 there are 3 tutorials for this to do on a lan using internal ips. If the certificate is not correctly configured then the client will have difficulty over the higher grade vpn links. I would suggest redoing it 100% as the videos or even a small change will cause problems.
@ARMAGEDDON787 3 years ago
@@Windows10NinjaWorld i will try again, thank you.
@vinstavinsta6321 6 years ago
Hi, great videos! I have followed your steps from creating the cert to setting up the SSTP VPN. I however cannot seem to connect. It's giving me the error: The certificate's CN name does not match the passed value. Can you help please? And maybe you could help further via a Skype call?
@Windows10NinjaWorld 6 years ago
Unfortunately I do not do Skype - sorry! Some issues to look for:
1. Is it the Domain Controller that you did the certificates on or another domain JOINED server? If the controller, you get cert mismatches.
2. Did you put the CN as IP address and another CN as your server's FQDN also?
3. Do you have a network policy service set up - you would need to configure this as this shall block connections.
4. As one user before (look at their comments also in the past), just do the certificate creations again and set up the VPN server to use the new certificate.
5. Are you connecting from outside the LAN - could cause name resolution issues etc.
6. Is the CA certificate installed on the workstation?
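The certificate checks raised in this thread (the name clients connect to must match the certificate name exactly, per @CaptianYan's comment, and the points in the checklist above) can be run against the VPN server's machine store. This is an added PowerShell example, not from the video or its author; `Test-VpnServerCertificate` and the `vpn.example.test` value are hypothetical, and the Server Authentication EKU and private-key checks are additions beyond what the comments list.

```powershell
# Added example (not the video author's code). Run on the VPN server in an
# elevated PowerShell session. $VpnName is a placeholder (assumption): set it
# to exactly what clients enter as the server address, FQDN or IP.
$VpnName       = 'vpn.example.test'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-VpnServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Name
    )

    # Names the certificate covers: the subject CN plus the DNS names that the
    # PowerShell certificate provider exposes in DnsNameList. Exact match only;
    # wildcard names and IP-type SAN entries are not evaluated here.
    $names  = @($Certificate.GetNameInfo('SimpleName', $false))
    $names += @($Certificate.DnsNameList | ForEach-Object { $_.Unicode } |
                Where-Object { $_ })

    # Enhanced Key Usage OIDs carried by the certificate, if any.
    $ekuOids = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain with default policy; this fails on an untrusted root,
    # an expired certificate or an unreachable revocation source.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        NameMatches   = $names -contains $Name      # case-insensitive
        ServerAuthEku = $ekuOids -contains $ServerAuthOid
        HasPrivateKey = $Certificate.HasPrivateKey
        ChainBuilds   = $chainOk
        ChainStatus   = $status
    }
}

# Report on every certificate in the computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnServerCertificate -Certificate $_ -Name $VpnName } |
    Format-List
```

A certificate that RRAS can use for SSTP or IKEv2 should show `True` in every column; on a client, a failed chain build for the same certificate points to a missing root CA certificate.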
@vinstavinsta6321 6 years ago
Windows Ninja wow so many questions! Hmmm making me think. Ok i want to rebuild from scratch. Let me tell you my setup. I have a hp proliant server with 16gb ram installed and 1tb hdd. On that i have a esxi 6.5 server. On that i have (or will) build (or rebuild) 4 VMs all running winsvr2016 ( all with 4gb ram and 250gb hdd each) 1 vm for DC (AD, DNS, DHCP)(dc.vinsta.vinsta) 1 vm for file server (fs.vinsta.vinsta) 1 vm for cert auth server (ca.vinsta.vinsta) and finally 1 vm for vpn (vpn.vinsta.vinsta). Is this a good starting point to follow your videos. Can you advise on my setup?
@Windows10NinjaWorld 6 years ago
Well, the first point is that you are having 4 VMs each on 4GB - 4 x 4 = 16 GB, so not much is left for the base system that controls the VMs - yes, it will "steal" back a bit automatically. But just on those your system would be slow. Personally I would add the AD to the host - speeds up things - and file servers etc. I prefer to run on the host, as in the VM world they would run very slowly - unless you told me you had 256 GB rack servers etc! Why do you have two VPN guests as servers - just put the CA and VPN server on the same one - this might be the issue, as the VPN server might be having issues getting the CA server etc. - maybe not registered etc. A simpler solution: Host = AD + DHCP + DNS + file server running Server 2016 and 1 guest = VPN and CA in VMware Workstation. A much faster setup with only 4GB taken by the one VM guest and the remaining 12 for the memory and disk intensive roles. By having the VPN and CA on the same server all should be recognized and work. If you want to stick with the ESXi VMware bare metal host - do the four above in one guest and then VPN and CA in another. Having one CA on one VM is more secure but does consume resources, and unless properly connected your VPN guest server would have issues regarding getting certs etc. I hope the above makes sense - bottom line, it is just one server with 16GB - splitting this into tiny chunks means you have 4 servers stealing the very limited computer resources, and for what gain? Is it for security? If yes, then there are better solutions, e.g. get another server box with 8GB and use that as the CA server etc. You have all 4 on the same box - if your CA is compromised the chances are that all other systems would be too!
@vinstavinsta6321 6 years ago
Windows Ninja wow, thanks for the swift reply!!! Hmmm, you have again given me a lot to think about. This is my own HP box which I am using for testing purposes. The reason I'm testing is because a client of mine wants this solution, so I'm just practicing. Later on, bare metal or direct Server 2016 or 2 boxes won't really matter, as my client has a proper enterprise setup. The client wants to use ESXi 6.5, so we will have to stick with that instead of putting Server 2016 directly on the HP box. So how about this for my specific setup after your notes: HP ProLiant bare metal server (16GB RAM + 1TB HDD), ESXi 6.5 on that. 1 SVR2016 VM as DC, AD, DNS, DHCP @ 6GB RAM (dc.vinsta.vinsta), 1 SVR2016 VM as VPN/CA @ 6GB (Vpnca.vinsta.vinsta), 1 SVR2016 VM as file server @ 3GB (Fs.vinsta.vinsta) (1GB RAM left to run ESXi should be more than enough). Would that be okay for me to start your solution??
@Windows10NinjaWorld 6 years ago
I also noticed that your domain naming system is obviously an internal LAN type, vinsta.vinsta - yes, this can work... but you would need the CA server to be AD joined with forest vinsta.vinsta and the CA server name something like CA.vinsta.vinsta and AD joined and certs registered in your AD. Then the VPN server AD joined, and when set up it sees such certs when the VPN is set up and the correct cert is used. You may have issues at the time of workstations trying to connect, as they would need the CA root cert installed - maybe a manual install would be better on the workstation computer trying to connect. I can see a million issues and troubleshooting till next year - my simple solution below is clean and nice. You could also save money by just using Hyper-V for the VM guests and install Server on the hardware as native!
@MoonWalkCTO 1 year ago
No certificate templates without a Domain Controller - this way will not work with a stand-alone server
@Windows10NinjaWorld 1 year ago
If you follow the previous videos you should see the setup.