Trouble with Always On VPN and RasClient Error 13801 – Need Help!

Asked By TechTraveler123 On

I'm running into some issues with my Always On VPN setup and getting a RasClient error 13801. Here's the situation: my server certificate for the VPN expired recently and I had to issue a new one, but now the VPN connection just won't work. I've tried using both internal and external Fully Qualified Domain Names (FQDNs) for the certificate, and I've followed Microsoft's guidelines for setting things up. However, when I set DisableIKENameEkuCheck to 1 on the client, the connection works, but I get problems when trying to connect through the external FQDN. I'm wondering if there are any changes due to recent Windows Updates or if there's something else I'm messing up. Any advice on what to check or update?

2 Answers

Answered By NetworkNinja47 On

It sounds like one possible issue could be related to Certificate Revocation List (CRL) checking. Have you considered if clients are failing to reach the CRL since they’re external? It's worth checking if the CRL is published externally. If it wasn’t exposed before, that might be part of the problem now.

NetworkNinja47 -

CRL access was never a problem when it was working, but it might be worth revisiting your CRL setup if you're having issues. Hosting a CRL for your internal CA can be tricky; just make sure it's accessible.

ITexpert99 -

If you still have LDAP in CRL, refreshing your PKI certificates could help.

Answered By VPNGuru88 On

Best practice with IKEv2 certificates is to ensure you issue a certificate from your private CA that uses the public hostname of the VPN server as the subject name and subject alternative name. It’s important not to include the internal NetBIOS name. I’ve pointed out the requirements for IKEv2 certificates on my site—following those should set you on the right track!

ConfusedTechie -

I’ve followed your guidelines along with some Microsoft documentation, and I thought I had it set up right, but it’s still not working.
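The checks raised in the answers above (public hostname in the subject and SAN, no internal single-label name, and a CRL location that external clients can reach) can be audited on the VPN server with a short script. This is an added example, not code from any poster in this thread: the function name `Test-Ikev2ServerCertificate` and the hostname `vpn.example.com` are placeholders, and the two EKU OIDs are the Server Authentication and IP security IKE intermediate usages normally expected on an IKEv2 server certificate.

```powershell
# Added example: audit a certificate against the naming, EKU and CRL points from this thread.
# Function name and 'vpn.example.com' are hypothetical; substitute your public VPN hostname.
function Test-Ikev2ServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$PublicName
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Subject CN should be the public hostname clients connect to.
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $PublicName) { $findings.Add("Subject CN '$cn' is not '$PublicName'") }

    # A SAN extension (OID 2.5.29.17) must exist and list the public hostname.
    if (-not ($Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })) {
        $findings.Add('No Subject Alternative Name extension')
    }
    # DnsNameList is a PowerShell extended property; it falls back to the CN when no SAN exists.
    $dns = @(foreach ($n in $Certificate.DnsNameList) { $n.Unicode })
    if ($dns -notcontains $PublicName) { $findings.Add("'$PublicName' not in DNS names: $($dns -join ', ')") }
    # Heuristic (assumption): a name without a dot is probably an internal NetBIOS name.
    foreach ($n in $dns) { if ($n -notmatch '\.') { $findings.Add("Single-label name present: $n") } }

    # EKUs: Server Authentication and IP security IKE intermediate.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @(foreach ($o in $ekuExt.EnhancedKeyUsages) { $o.Value })
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2') {
        if ($ekus -notcontains $oid) { $findings.Add("EKU $oid missing") }
    }

    # CRL distribution points (OID 2.5.29.31): external clients need an HTTP(S) location, not only LDAP.
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $schemes = @()
    if ($cdp) {
        $schemes = @([regex]::Matches($cdp.Format($false), '(?i)\b(ldap|https?)://') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }
    if (-not ($schemes -like 'http*')) { $findings.Add("No HTTP(S) CRL location (found: $($schemes -join ', '))") }

    $findings
}

# Report findings for every certificate in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{ Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter
        Findings = @(Test-Ikev2ServerCertificate -Certificate $_ -PublicName 'vpn.example.com') -join '; ' }
}
```

An empty `Findings` value means the certificate passed these checks. The script only reads the CRL URL from the certificate, so whether that URL actually resolves from outside the network still has to be tested from an external client.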
