Setting Up the Windows 2000 PPTP and L2TP/IPSec Client
The Windows 2000 VPN client represents a major advance over the Windows 9x and
Windows NT 4.0 based VPN clients. You can create a Windows 2000 VPN client
connection with an easy-to-use Wizard, and you can modify the VPN connectoid
created by the Wizard to support any special requirements of your co-located
ISA Server firewall/VPN server.
In this ISA Server 2000 VPN Deployment Kit document
we cover the following steps that allow you to connect a Windows 2000 VPN
client to the ISA Server firewall/VPN Server using PPTP or L2TP/IPSec:
Obtaining a Computer Certificate
from the Microsoft Certificate Server
You must
obtain a computer certificate before you can create an L2TP/IPSec connection.
In this example we have created a standalone Certificate Authority (CA) on our
internal network using the Windows Server 2003 Certificate Server. Perform the following steps on the Windows
2000 VPN client in order to obtain a certificate from the Windows Server 2003
standalone Certificate Authority via the Web enrollment site:
Note:
This example assumes the Windows 2000 VPN client requesting the certificate is
located on the internal network, behind the ISA Server firewall/VPN server. You
also have the option to use Web Publishing Rules to publish the Certificate
Server. A VPN client machine that is on an external network can access a
published Certificate Server. Please see ISA Server VPN Deployment Kit document
Publishing a Windows Server 2003 Certification Authority Web Enrollment
Site and Certificate Revocation List for details.
1. On the Windows 2000 computer, open Internet Explorer 6.0 and type in the
URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address>
and <fqdn> represent the IP address and Fully Qualified Domain Name of the
standalone Microsoft Certificate Server.
2. On the Microsoft Certificate Services Welcome page (figure 1), click the
Request a certificate link.
Figure 1
(Fig60)

3. On the Request a Certificate page (figure 2), click the advanced certificate
request link.
Figure 2
(Fig61)

4. On the Advanced Certificate Request page (figure 3), click the Create and
submit a request to this CA link.
Figure 3
(Fig62)

5. Fill out the information fields in the Advanced Certificate Request page
(figure 4). In the Type of Certificate Needed drop-down list box, select the
IPSec Certificate entry (figure 5). Put a checkmark in the Store certificate in
the local computer certificate store checkbox. Click the Submit button at the
bottom of the page.
Figure 4
(Fig85)

Figure 5
(Fig86)

6. Click Yes in the Potential Script Violation dialog box warning you that the
Web site is requesting a certificate on your behalf (figure 6).
Figure 6
(Fig87)

7. Click the Home link on the Certificate Pending page. Make sure you approve
the certificate request at the Certificate Server before proceeding. On
standalone Certificate Authorities, the default behavior is to require that the
CA administrator approve the certificate request before the client can be
assigned the certificate. Please refer to the ISA Server VPN Deployment Kit
documents Obtaining a Machine Certificate via Web Enrollment from a Windows
Server 2003 Standalone CA and Installing and Configuring a Windows Server 2003
Standalone Certification Authority for more details. On the Welcome page
(figure 7), click the View the status of a pending certificate request link.
Figure 7
(Fig88)

8. On the View the Status of a Pending Certificate Request page (figure 8),
click the link representing the pending certificate request. In this example,
the link says IPSec Certificate (Monday
Figure 8
(Fig89)

9. Click the Install this certificate link on the Certificate Issued page
(figure 9).
Figure 9
(Fig90)

10. Click Yes in the Potential
Scripting Violation dialog box that informs you the site is adding a
certificate to your computer (figure 10).
Figure 10
(Fig91)

11. Close the browser after the
certificate is installed and you see the Certificate
installed page (figure 11).
Figure 11
(Fig92)

The Web enrollment procedure adds an IPSec certificate to the machine's
certificate store. We won't be able to use this certificate to create
L2TP/IPSec VPN connections until we add the certificate of the standalone CA
to the Trusted Root Certification Authorities list. At this point we have a
machine certificate, but we do not have the CA's self-signed CA certificate in
our Trusted Root Certification Authorities store.
Perform the
following steps to add the standalone root CA’s self signed certificate to the
Trusted Root Certification Authorities list:
1. Click Start and click the Run command. Type mmc in the Open text box and
click OK.
2. In the Console1 window, click the File menu and then click the Add/Remove
Snap-in command (figure 12).
Figure 12
(Fig143)

3. In the Add/Remove Snap-in dialog box, click the Add button (figure 13).
Figure 13
(Fig144)

4. In the Add Standalone Snap-in dialog box, select the Certificates snap-in
from the Available Standalone Snap-ins list. Click Add (figure 14).
Figure 14
(Fig145)

5. In the Certificates snap-in page, select the Computer account option and
click Next (figure 15).
Figure 15
(Fig146)

6. On the Select Computer page (figure 16), select Local computer and click
Finish.
Figure 16
(Fig147)

7. Click the Close button in the Add Standalone Snap-in dialog box, then click
OK in the Add/Remove Snap-in dialog box.
8. Expand the Certificates (Local Computer) node in the left pane of the
console (figure 17), then expand the Certificates (Local Computer)\Personal
node. Click on the Certificates (Local Computer)\Personal\Certificates node.
You should see the computer certificate in the right pane of the console. In
this example, the certificate is issued to vpnuser.
Figure 17
(Fig148)

9. Double click on the certificate in the right pane of the console. Click on
the Certification Path tab in the Certificate dialog box. Note the red "X" on
the WIN2003DC entry in the certificate hierarchy (figure 18). This indicates
the CA root certificate isn't in this machine's Trusted Root Certification
Authorities certificate store. There are a number of ways you can import the
standalone
Figure 18
(Fig149)

10. Click on the WIN2003DC entry and then click on the View Certificate button (figure 18). Another Certificate dialog box opens (figure 19), but this time it’s for
the standalone
Figure 19
(Fig150)

11. The Welcome to the Certificate Export Wizard page appears (figure 20).
Click Next.
Figure 20
(Fig151)

12. On the Export File Format page (figure 21), select the Cryptographic
Message Syntax Standard – PKCS #7 Certificates (.P7B) option. Put a checkmark
in the Include all certificates in the certification path if possible
checkbox. Click Next.
Figure 21
(Fig152)

13. On the File to Export page (figure 22), type in a path and file name for
the exported certificate. Then click Next.
Figure 22
(Fig153)

14. Click Finish in the Completing the
Certificate Export Wizard page (figure 23).
Figure 23
(Fig154)

15. Click OK in the Certificate Export
Wizard dialog box that informs you that The export was successful (figure 24).
Figure 24
(Fig155)

16. Close both of the Certificate dialog boxes.
17. Now that the stand-alone
Figure 25
(Fig156)

18. Click Next on the Welcome to the
Certificate Import Wizard page (figure 26).
Figure 26
(Fig157)

19. On the File to Import page of the Certificate
Import Wizard (figure 27), use the Browse
button to locate the stand-alone CA certificate you exported earlier. Find the
certificate and confirm that the path and name of the certificate appears in
the File name text box. Click Next.
Figure 27
(Fig158)

20. On the Certificate Store page (figure 28), select the Place all certificates in the following store option. The Certificate store text box should say Trusted Root Certification Authorities.
This is entered for you automatically. Click Next.
Figure 28
(Fig159)

21. Click Finish on the Completing the
Certificate Import Wizard page (figure 29).
Figure 29
(Fig160)

22. Click OK in the Certificate Import
Wizard dialog box that informs you that The import was successful (figure 30).
Figure 30
(Fig161)
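The red X in step 9 and the import in steps 17 to 22 can be checked and repeated from a script on a current Windows client. The following PowerShell is an added example and is not part of the ISA Server VPN Deployment Kit. It assumes Windows PowerShell 5.1 or later with the PKI module, run from an elevated prompt; the function names Test-MachineCertChain and Import-StandaloneCaRoot are mine, and the file path given to Import-StandaloneCaRoot is a placeholder for the file you exported in step 13.

```powershell
# Added example (not from the ISA Server VPN Deployment Kit): diagnose the
# "red X" (untrusted root) condition from step 9 and import the exported CA
# certificate into Trusted Root Certification Authorities as steps 17-22 do.
# Assumptions: Windows PowerShell 5.1+ with the PKI module, run elevated.

function Test-MachineCertChain {
    param(
        # Store holding the machine certificate shown in step 8 of the MMC procedure
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $results = foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # A lab CA's CRL is often unreachable from the VPN client; check trust
        # first so that a revocation failure does not mask the missing root.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($cert)
        # "UntrustedRoot" here is exactly what the red X on the WIN2003DC entry
        # means: the chain assembles, but its root is not in LocalMachine\Root.
        $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # L2TP/IPSec needs the key, not only the cert
            ChainBuilds   = $built
            ChainStatus   = if ($statuses.Count -eq 0) { 'OK' } else { $statuses -join ', ' }
            TopOfChain    = $last.Subject
        }
        $chain.Reset()
    }
    return $results
}

function Import-StandaloneCaRoot {
    param(
        # Placeholder: the .p7b or .cer written by the Certificate Export Wizard in step 13
        [Parameter(Mandatory)][string]$CaExportPath
    )
    # Import-Certificate accepts .cer and PKCS #7 (.p7b) files. Placing the file
    # in Root is what the Certificate Import Wizard does in step 20.
    $imported = Import-Certificate -FilePath $CaExportPath -CertStoreLocation 'Cert:\LocalMachine\Root'
    foreach ($c in $imported) {
        # Only a self-signed root belongs in Trusted Root Certification Authorities;
        # a .p7b exported "with all certificates in the path" may carry more than that.
        if ($c.Subject -ne $c.Issuer) {
            Write-Warning "Imported $($c.Subject) is not self-signed; review whether it belongs in Root."
        }
    }
    return $imported
}

# Usage: inspect before, import, then inspect again (the path is a placeholder)
Test-MachineCertChain | Format-Table Subject, HasPrivateKey, ChainBuilds, ChainStatus -AutoSize
# Import-StandaloneCaRoot -CaExportPath 'C:\certs\standalone-ca.p7b'
# Test-MachineCertChain | Format-Table Subject, ChainBuilds, ChainStatus -AutoSize
```

Before the import, a certificate issued by the standalone CA reports ChainBuilds False with ChainStatus UntrustedRoot; after the root is in LocalMachine\Root the same certificate reports OK. Revocation checking is switched off only for this trust check; re-run with the default RevocationMode once the CRL is reachable.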

Creating the VPN Client Dial-up
Connectoid
Now that
the Windows 2000 VPN client has a machine certificate, it can negotiate both
L2TP/IPSec and PPTP VPN connections. The default behavior of the Windows 2000
VPN client is to use L2TP/IPSec first and if the L2TP/IPSec negotiation doesn’t
work, the client attempts to connect using PPTP. You can control this by
changing the properties of the VPN Dial-up connectoid. We will discuss this
procedure after creating the VPN connectoid.
Perform the
following steps to create the Windows 2000 VPN Dial-up connectoid:
Figure 31
(Fig105)

Figure 32
(Fig106)

Note:
You can use a Fully Qualified Domain Name (FQDN) to connect to the ISA Server
firewall/VPN server. This name must be entered into a
public DNS server, and it must resolve to the primary IP address bound to the
external interface of the ISA Server firewall/VPN server. The primary IP
address is the IP on the top of the list of addresses bound to the external
adapter.
Figure 33
(Fig107)

This prevents other users who may log onto the same computer
from using this connectoid. However, if you select this option, you will not be
able to log on via Dial-up Networking from the Log On dialog box when you start
the computer. This will prevent you from logging into the domain using the VPN
connection and will prevent you from being able to automatically send domain
credentials to servers on the internal network when accessing shared resources.
In this example we’ll select the Only for myself option and click Next.
Figure 34
(Fig108)

Figure 35
(Fig109)

Customizing the VPN Dial-up Connectoid's Properties
Let’s now
look at some of the common or interesting configuration options for the
connectoid:
Figure 36
(Fig162)

Figure 37
(Fig163)

Put a checkmark in the Redial if line is dropped checkbox. Then enter the
number of times you want the client to redial after the dropped connection in
the Redial attempts text box. You may want to reduce the time between redial
attempts to a smaller value, such as 5 seconds, in the Time between redial
attempts drop-down list box.
If you want to stay connected until you manually log off, leave the Idle time
before hanging up value as never; otherwise, click the drop-down list box and
select the amount of idle time you want to pass before the connection to the
VPN server is dropped.
Figure 38
(Fig164)

Figure 39
(Fig165)

Figure 40
(Fig166)

If the L2TP/IPSec negotiation fails, then the client tries
to connect using PPTP. You can force the client to use either PPTP or
L2TP/IPSec by selecting the appropriate protocol in the list.
A helpful troubleshooting tip is that if you have problems
getting a VPN client to connect using L2TP/IPSec after you’ve configured the
ISA Server firewall/VPN server to support L2TP/IPSec connections, try forcing
the client to use L2TP/IPSec by selecting the Layer-2 Tunneling Protocol (L2TP) option from this list.
Figure 41
(Fig167)

In the Advanced TCP/IP Properties dialog box (figure 42), click the Advanced
button. On the General tab of the Advanced TCP/IP Settings dialog box, note the
Use default gateway on remote network checkbox (figure 42). This option is
checked by default and it should remain that way.
The Use default gateway on remote network option forces the VPN client to use
the VPN interface as its default gateway and prevents "split tunneling".
Figure 42
(Fig168)
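The settings discussed in this section (redial, idle timeout, the PPTP/L2TP choice, and Use default gateway on remote network) are stored as keys in the connectoid's entry in rasphone.pbk. The following PowerShell is an added example, not part of the deployment kit: it parses the phonebook files and flags entries that leave split tunneling open or that still allow PPTP. It assumes the rasphone.pbk locations used by current Windows versions (the Windows 2000 paths differ), that the keys IpPrioritizeRemote, VpnStrategy, RedialAttempts, RedialSeconds and IdleDisconnectSeconds carry the settings named above, and the VpnStrategy value table given in the script; the function names are mine.

```powershell
# Added example (not from the ISA Server VPN Deployment Kit): audit the
# connectoid settings described above as stored in rasphone.pbk.
# Assumed VpnStrategy meanings (documented rasphone.pbk values; verify on your version):
$VpnStrategyNames = @{
    '1' = 'PPTP only'
    '2' = 'PPTP first, then L2TP'
    '3' = 'L2TP only'
    '4' = 'L2TP first, then PPTP'   # the "Automatic" default described above
}

function Get-PhonebookEntries {
    param(
        # Assumed locations on current Windows: the per-user phonebook
        # ("Only for myself") and the all-users phonebook ("For all users").
        [string[]]$Path = @(
            (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
            (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
        )
    )
    $entries = @()
    foreach ($file in $Path) {
        if (-not (Test-Path -Path $file)) { continue }
        $current = $null
        foreach ($line in Get-Content -Path $file) {
            if ($line -match '^\[(.+)\]\s*$') {
                # Each [Entry name] section is one connectoid
                $current = @{ Name = $Matches[1]; File = $file }
                $entries += $current
            }
            elseif ($null -ne $current -and $line -match '^([^=]+)=(.*)$') {
                $current[$Matches[1].Trim()] = $Matches[2].Trim()
            }
        }
    }
    return $entries
}

function Test-VpnConnectoid {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Entry)
    $findings = @()
    # "Use default gateway on remote network" (figure 42) is IpPrioritizeRemote=1;
    # anything else leaves the client able to split-tunnel.
    if ($Entry['IpPrioritizeRemote'] -ne '1') {
        $findings += 'IpPrioritizeRemote is not 1: default gateway on remote network is off (split tunneling possible)'
    }
    # Tunnel type: the "Automatic" default falls back to PPTP when L2TP/IPSec fails
    $strategy = [string]$Entry['VpnStrategy']
    $tunnel = if ($VpnStrategyNames.ContainsKey($strategy)) { $VpnStrategyNames[$strategy] } else { "unknown ($strategy)" }
    if ($strategy -in @('1', '2')) {
        $findings += "VpnStrategy=$strategy ($tunnel): PPTP is tried before or instead of L2TP/IPSec"
    }
    # Redial settings from the Options tab
    if ($Entry['RedialAttempts'] -eq '0') {
        $findings += 'RedialAttempts=0: the client will not redial if the line is dropped'
    }
    [pscustomobject]@{
        Name                  = $Entry['Name']
        File                  = $Entry['File']
        TunnelType            = $tunnel
        RedialAttempts        = $Entry['RedialAttempts']
        RedialSeconds         = $Entry['RedialSeconds']
        IdleDisconnectSeconds = $Entry['IdleDisconnectSeconds']   # 0 = never hang up
        Findings              = if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
    }
}

# Usage: report every connectoid found on this machine
Get-PhonebookEntries | ForEach-Object { Test-VpnConnectoid -Entry $_ } | Format-Table -AutoSize
```

An entry created by the Wizard with the defaults described above reports TunnelType "L2TP first, then PPTP" and Findings "OK"; clearing Use default gateway on remote network in the GUI changes IpPrioritizeRemote to 0 and the audit flags it, which is the split-tunneling condition the text warns about.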

Install the Windows 2000 L2TP/IPSec
VPN Client if the VPN Client is Behind a NAT Server
Up to this
point we have assumed the L2TP/IPSec VPN client was directly connected to the
Internet and that the L2TP/IPSec client had a public IP address. In some cases
the Windows 2000 L2TP/IPSec VPN client computer will be located behind a NAT
device. The NAT device can be a simple SOHO NAT Router
or an advanced NAT-based firewall such as ISA Server 2000.
You must
download and install the L2TP/IPSec NAT-T Update for Windows XP and Windows
2000. The updated VPN client software is located at http://support.microsoft.com/default.aspx?SCID=KB;EN-US;818043#4
and it is Microsoft Knowledge Base Article 818043. Use the Windows Catalog to
locate the file. Perform the following steps to locate and download the L2TP/IPSec
NAT-T update setup file:
Figure 43
(Fig223)

Figure 44
(Fig224)

Figure 45
(Fig225)

Figure 46
(Fig226)

Figure 47
(Fig227)

Figure 48
(Fig228)

The Windows 2000 VPN client is now able to create L2TP/IPSec connections while
behind a NAT device or NAT-based firewall. The only requirements are that UDP
500 and UDP 4500 are allowed outbound. Details on how to configure ISA Server
2000 to allow outbound L2TP/IPSec connections, as well as instructions on how
to allow Windows Server 2003 to accept these L2TP/IPSec connections, can be
found in the ISA Server VPN Deployment Kit documents Configuring the ISA Server
Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections and
Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T
Connections.