Reading the RRAS blog today, I saw this interesting and useful entry:
What caught my attention was the paragraph about IKEv2 machine certificate authentication; here is an excerpt from it:
“Ensure the trusted root certificate store on the VPN Server contains **only** the trust root certificate that matches the trust chain with which the client will send the machine certificate. …”
There is also a red warning in that paragraph.
If you read my blog (you do, don’t cha? ;) ), then you might already know about that issue, as I’ve pointed it out, along with other issues, here (search for "Machine authentication with certificates"):
Still no mention in the RRAS blog entry of CN vs. SAN entries in the VPN server’s certificate (SSTP, VPN Reconnect, L2TP/IPsec), or of how exactly you get a certificate whose EKU field contains both Server Authentication and IP security IKE intermediate, say from a Windows Enterprise CA. There is some info about those here though :) :
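To turn the two requirements above (a single matching root in the trusted root store, and a server certificate carrying both EKUs with the host name in the SAN) into something you can check on the box, here is an added audit script of my own, not from the RRAS blog. It assumes Windows PowerShell with the Cert: drive on the VPN server, and `vpn.example.com` is a placeholder for your VPN FQDN.

```powershell
# Added example: audit a Windows VPN server's certificate stores against the
# IKEv2 machine-certificate guidance discussed above. Not from the RRAS blog.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$IkeIntermOid  = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate EKU
$VpnHostName   = 'vpn.example.com'     # placeholder: the FQDN clients connect to

# 1. Trusted root store: the guidance wants exactly one root here, the one
#    that anchors the chain of the clients' machine certificates.
$roots = Get-ChildItem Cert:\LocalMachine\Root
Write-Host ("Trusted roots in LocalMachine\Root: {0}" -f $roots.Count)
$roots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
if ($roots.Count -gt 1) {
    Write-Warning 'More than one trusted root present; IKEv2 may offer clients a root they do not expect.'
}

# 2. Server certificate: needs both EKUs, a private key, and the VPN host name
#    in the Subject Alternative Name extension (not only in the CN).
function Test-VpnServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # 2.5.29.17 is the SAN extension; Format($false) renders it as "DNS Name=..."
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasServerAuth = $ekus -contains $ServerAuthOid
        HasIkeInterm  = $ekus -contains $IkeIntermOid
        HostInSAN     = $sanText -match [regex]::Escape($VpnHostName)
        HasPrivateKey = $Cert.HasPrivateKey
        NotAfter      = $Cert.NotAfter
    }
}

# A usable VPN server certificate shows True in all four boolean columns.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnServerCert $_ } |
    Format-Table -AutoSize
```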