Certificate Challenges with Multiple Point-to-Site VPN Gateways


I ran into an extremely common issue with a Point-to-Site configuration that turned out to have a not-so-common resolution. The Point-to-Site configuration guide provided by Microsoft is easy to follow: it gives specific instructions and recommendations, and I have used it on numerous occasions.

In this particular instance, I needed to configure Point-to-Site connections on two separate VPN Gateways, both in the same subscription and region.

I created a Root and Client certificate using PowerShell and uploaded the Base-64 .cer data from my Root certificate to both of my test VPN Gateways, copying and pasting directly from Notepad as most of us generally do:

The certificate uploaded to both of my “test” gateways and I was able to configure the Point-to-Site connections from both of these gateways.

The Problem

Production deployment was the next step. Everything was going just fine until it came time to test the connections. I had already uploaded the certificate, set my address space, and downloaded the client for both gateways. I was able to connect to “Gateway01” just fine, but I received an error when trying to connect to “Gateway02”.

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

This issue usually results from not creating the certificates correctly or not installing them in the correct certificate store (they need to be in the user’s Personal store, not the Computer store). I was a little unsure in this instance because “Gateway01” was using the exact same Root and Client certificate, and that connection was already working. Either way, I went ahead and recreated my Root and Client certificates, uploaded them to both of my gateways, and re-downloaded the VPN client. I tried connecting to my gateways and…

A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)

Ok, well, this was frustrating. Based on the error I received, I was confident that the Root certificate had to be the issue. I wondered if it was something about the way the certificate was pasted into the Point-to-Site configuration: what if the line-break (“Enter”) characters copied over from the Base-64 .cer file were being pasted incorrectly into my P2S certificate field? I tested this theory by reformatting my certificate to look a little something like this, making sure not to include the “BEGIN” and “END” lines of course:

So essentially I was uploading the certificate as a single line, without any spaces or stray line-break characters that could have been copied over from the standard certificate file format. I went to re-upload the certificate to my “Gateway02” P2S configuration and sure enough I was met with an error:

Operation name: Write VirtualNetworkGateways
Time stamp:
Event initiated by:
Error code: VirtualNetworkGatewayDuplicateVpnclientRootCertificate
Message: Virtual Network Gateway /subscriptions/SubscriptionId/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworkGateways/VPNGateway02 cannot have same certificate used across two vpnclient root Certificate elements. Certificate for /subscriptions/SubscriptionId/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworkGateways/VPNGateway01/vpnClientRootCertificates/CertName and /subscriptions/SubscriptionId/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworkGateways/VPNGateway02/vpnClientRootCertificates/CertName are same.

How strange that Azure hadn’t caught this before, given the way I had been copying and pasting the certificate. And what about my test gateways, which successfully used the same Root certificate? Possibly just a fluke? Maybe my copy/paste skills are lacking? Whatever the case may be, I was excited to have found a real error and decided to just create separate Root certificates for each VPN Gateway. Both connections fired right up.

Key Takeaway:

Always create separate root certificates when creating more than one Point-to-Site Gateway.
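The whole procedure described above (create a root and a client certificate, reduce the Base-64 .cer to a single line with no BEGIN/END lines or line breaks, and give every gateway its own root) as one PowerShell script. This is an added example, not code from the original post; the New-SelfSignedCertificate parameters follow Microsoft's Point-to-Site guide, the resource group and gateway names are placeholders, and it assumes the Az.Network module is installed and you have already signed in with Connect-AzAccount. The uniqueness check reproduces, before anything is uploaded, the condition Azure rejects with VirtualNetworkGatewayDuplicateVpnclientRootCertificate. Separate roots also mean that rotating or revoking one gateway's root never invalidates the clients of the other.

```powershell
# Added example (not from the original post): one self-signed root per gateway,
# a client cert chained to it, and the single-line Base-64 data the P2S config expects.
# ResourceGroupName and the gateway names are placeholders.
$ResourceGroup = "ResourceGroupName"
$Gateways      = @("VPNGateway01", "VPNGateway02")

function New-P2SRootAndClientCert {
    param([Parameter(Mandatory)][string]$GatewayName)

    # Root certificate, parameters as in Microsoft's P2S guide.
    # It lands in the Current User Personal store (Cert:\CurrentUser\My).
    $root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=P2SRoot-$GatewayName" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

    # Client certificate signed by that root, with the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    $null = New-SelfSignedCertificate -Type Custom -DnsName "P2SClient-$GatewayName" -KeySpec Signature `
        -Subject "CN=P2SClient-$GatewayName" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

    return $root
}

function Get-PublicCertData {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # DER-encoded public certificate as one Base-64 line: no BEGIN/END lines, no line breaks.
    # This is what a Base-64 .cer contains once its header, footer and newlines are removed.
    [Convert]::ToBase64String(
        $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
}

function ConvertFrom-Base64CerFile {
    param([Parameter(Mandatory)][string]$Path)
    # Same result starting from an exported Base-64 .cer file:
    # drop the -----BEGIN/END----- lines, trim each line and join without separators.
    (Get-Content -Path $Path | Where-Object { $_ -notmatch '^-----' } |
        ForEach-Object { $_.Trim() }) -join ''
}

# One distinct root per gateway.
$rootsByGateway = @{}
foreach ($gw in $Gateways) {
    $root = New-P2SRootAndClientCert -GatewayName $gw
    $rootsByGateway[$gw] = Get-PublicCertData -Cert $root
}

# Sanity check before uploading: Azure refuses the same root data on two gateways.
$distinct = @($rootsByGateway.Values | Sort-Object -Unique).Count
if ($distinct -ne $Gateways.Count) {
    throw "Root certificate data is not unique across gateways; each gateway needs its own root."
}

# Upload each root to its own gateway (Az.Network cmdlet; Connect-AzAccount must have run already).
foreach ($gw in $Gateways) {
    Add-AzVpnClientRootCertificate -ResourceGroupName $ResourceGroup `
        -VirtualNetworkGatewayName $gw `
        -VpnClientRootCertificateName "P2SRoot-$gw" `
        -PublicCertData $rootsByGateway[$gw]
}
```

Get-PublicCertData produces the value to paste into the portal's public certificate data field directly from the certificate object, so the Notepad copy/paste step, and the stray line-break characters it can introduce, disappears; ConvertFrom-Base64CerFile gives the same single line from a .cer file you already exported.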
