Setting Up the Windows 2000 PPTP and L2TP/IPSec client

 

The Windows 2000 VPN client represents a major advance over the Windows 9x and Windows NT 4.0 based VPN clients. You can create a Windows 2000 VPN client connection with an easy to use Wizard, and you can then modify the VPN connectoid the Wizard creates to meet any special requirements of your co-located ISA Server firewall/VPN server.

 

In this ISA Server 2000 VPN Deployment Kit document we cover the following steps that allow you to connect a Windows 2000 VPN client to the ISA Server firewall/VPN Server using PPTP or L2TP/IPSec:

 

  • Obtaining a computer certificate from the Microsoft Certificate Server
  • Creating the VPN Connectoid
  • Customizing the VPN Connectoid
  • Optionally installing the L2TP/IPSec Client for Windows 2000 if the client is behind a NAT device

 

Obtaining a Computer Certificate from the Microsoft Certificate Server

 

You must obtain a computer certificate before you can create an L2TP/IPSec connection. In this example we have created a standalone Certificate Authority (CA) on our internal network using the Windows Server 2003 Certificate Server.  Perform the following steps on the Windows 2000 VPN client in order to obtain a certificate from the Windows Server 2003 standalone Certificate Authority via the Web enrollment site:

 

*       Note:
This example assumes the Windows 2000 VPN client requesting the certificate is located on the internal network, behind the ISA Server firewall/VPN server. You also have the option to use Web Publishing Rules to publish the Certificate Server. A VPN client machine that is on an external network can access a published Certificate Server. Please see ISA Server VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for details.

 

1.       On the Windows 2000 computer, open Internet Explorer 6.0 and type the URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address> and <fqdn> represent the IP address and Fully Qualified Domain Name of the standalone Microsoft Certificate Server.

2.       On the Microsoft Certificate Services Welcome page (figure 1), click the Request a certificate link.

 

Figure 1 (Fig60)

 

3.       On the Request a Certificate page (figure 2), click the advanced certificate request link.

 

Figure 2 (Fig61)

 

4.       On the Advanced Certificate Request page (figure 3), click the Create and submit a request to this CA link.

 

Figure 3 (Fig62)

 

5.       Fill out the information fields in the Advanced Certificate Request page (figure 4). In the Type of Certificate Needed drop down list box, select the IPSec Certificate entry (figure 5). Put a checkmark in the Store certificate in the local computer certificate store checkbox. Click the Submit button at the bottom of the page.

 

Figure 4 (Fig85)

 

Figure 5 (Fig86)

 

6.       Click Yes in the Potential Scripting Violation dialog box warning you that the Web site is requesting a certificate on your behalf (figure 6).

 

Figure 6 (Fig87)

 

7.       Click the Home link on the Certificate Pending page. Make sure you approve the certificate request at the Certificate Server before proceeding. On standalone Certificate Authorities, the default behavior is to require that the CA administrator approve the certificate request before the client can be assigned the certificate. Please refer to ISA Server VPN Deployment Kit Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA and Installing and Configuring a Windows Server 2003 Standalone Certification Authority for more details. On the Welcome page (figure 7), click the View the status of a pending certificate request link.

 

Figure 7 (Fig88)

 

8.       On the View the Status of a Pending Certificate Request (figure 8) page, click the link representing the pending certificate request. In this example, the link says IPSec Certificate (Monday May 12 2003 10:57:58 PM).

 

Figure 8 (Fig89)

 

9.       Click the Install this certificate link on the Certificate Issued page (figure 9).

 

Figure 9 (Fig90)

 

10.   Click Yes in the Potential Scripting Violation dialog box that informs you the site is adding a certificate to your computer (figure 10).

 

Figure 10 (Fig91)

 

11.   Close the browser after the certificate is installed and you see the Certificate installed page (figure 11).

 

Figure 11 (Fig92)

 

The Web enrollment procedure adds an IPSec certificate to the machine’s certificate store. However, the client cannot use that certificate for L2TP/IPSec VPN connections until the certificate of the standalone root CA that issued it has been added to the machine’s Trusted Root Certification Authorities store, because IKE will not accept a certificate whose chain cannot be validated. The ISA Server firewall/VPN server must likewise hold a machine certificate and trust the same root CA, since both sides validate each other’s certificate during the IKE negotiation.

 

At this point we have a machine certificate, but we do not have the CA’s self-signed CA certificate in our Trusted Root Certification Authorities store.

 

Perform the following steps to add the standalone root CA’s self signed certificate to the Trusted Root Certification Authorities list:

 

1.       Click Start and click the Run command. Type mmc in the Open text box and click OK.

2.       In the Console1 window, click the Console menu (labelled File in later versions of the MMC) and then click the Add/Remove Snap-in command (figure 12).

 

Figure 12 (Fig143)

 

3.       In the Add/Remove Snap-in dialog box, click the Add button (figure 13).

 

Figure 13 (Fig144)

 

4.       In the Add Standalone Snap-in dialog box, select the Certificates snap-in from the list of Available Standalone Snap-ins list. Click Add (figure 14).

 

Figure 14 (Fig145)

 

5.       In the Certificates snap-in page, select the Computer account option and click Next (figure 15).

 

Figure 15 (Fig146)

 

6.       On the Select Computer page (figure 16), select Local computer and click Finish.

 

Figure 16 (Fig147)

 

7.       Click the Close button in the Add Standalone Snap-in dialog box, then click OK in the Add/Remove Snap-in dialog box.

8.       Expand the Certificates (Local Computer) node in the left pane of the console (figure 17), then expand the Certificates (Local Computer)\Personal node. Click on the Certificates (Local Computer)\Personal\Certificates node. You should see the computer certificate in the right pane of the console. In this example, the certificate is issued to vpnuser.

 

Figure 17 (Fig148)

 

9.       Double click on the certificate in the right pane of the console. Click on the Certification Path tab in the Certificate dialog box. Note the Red “X” on the WIN2003DC entry in the certificate hierarchy (figure 18). This indicates the CA Root certificate isn’t in this machine’s Trusted Root Certification Authorities certificate store. There are a number of ways you can import the standalone Root CA’s certificate into the VPN client’s Trusted Root Certification Authorities certificate store. In this example, we’ll export the standalone Root CA certificate from here and then import it into the Trusted Root Certification Authorities\Certificates node.

 

Figure 18 (Fig149)

 

10.   Click on the WIN2003DC entry and then click on the View Certificate button (figure 18). Another Certificate dialog box opens (figure 19), but this time it’s for the standalone Root CA’s certificate. Click on the Details tab and then click the Copy to File button.

 

Figure 19 (Fig150)

 

11.   The Welcome to the Certificate Export Wizard page appears (figure 20). Click Next.

 

Figure 20 (Fig151)

 

12.   On the Export File Format page (figure 21), select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox. Click Next.

 

Figure 21 (Fig152)

 

13.   On the File to Export page (figure 22), type in a path and file name for the exported certificate. Then click Next.

 

Figure 22 (Fig153)

 

14.   Click Finish in the Completing the Certificate Export Wizard page (figure 23).

 

Figure 23 (Fig154)

 

15.   Click OK in the Certificate Export Wizard dialog box that informs you that The export was successful (figure 24).

 

Figure 24 (Fig155)

 

16.   Close both of the Certificate dialog boxes.

17.   Now that the stand-alone Root CA certificate has been exported and saved to disk, we can import this certificate into the Trusted Root Certification Authorities\Certificates node in the local machine (Local Computer) certificate store. Right click on the Trusted Root Certification Authorities\Certificates node in the left pane of the console, point to All Tasks and click on the Import command (figure 25).

 

Figure 25 (Fig156)

 

18.   Click Next on the Welcome to the Certificate Import Wizard page (figure 26).

 

Figure 26 (Fig157)

 

19.   On the File to Import page of the Certificate Import Wizard (figure 27), use the Browse button to locate the stand-alone CA certificate you exported earlier. Find the certificate and confirm that the path and name of the certificate appears in the File name text box. Click Next.

 

Figure 27 (Fig158)

 

20.   On the Certificate Store page (figure 28), select the Place all certificates in the following store option. The Certificate store text box should say Trusted Root Certification Authorities. This is entered for you automatically. Click Next.

 

Figure 28 (Fig159)

 

21.   Click Finish on the Completing the Certificate Import Wizard page (figure 29).

 

Figure 29 (Fig160)

 

22.   Click OK in the Certificate Import Wizard dialog box that informs you that The import was successful (figure 30).

 

Figure 30 (Fig161)

 

 

Creating the VPN Client Dial-up Connectoid

 

Now that the Windows 2000 VPN client has a machine certificate, it can negotiate L2TP/IPSec connections as well as PPTP connections (PPTP never required a certificate). The default behavior of the Windows 2000 VPN client is to try L2TP/IPSec first and, if the L2TP/IPSec negotiation does not succeed, to attempt a PPTP connection. You can control this by changing the properties of the VPN Dial-up connectoid. We will discuss this procedure after creating the VPN connectoid.

 

Perform the following steps to create the Windows 2000 VPN Dial-up connectoid:

 

  1. Right click on the My Network Places icon on the desktop, and then click the Properties command.
  2. Double click on the Make New Connection icon in the Network and Dial-up Connections window.
  3. If this is the first time you have configured a Dial-up connection on this computer, then you will be presented with the Location Information dialog box (figure 31). Enter an area code in the What area code (or city code) are you in now text box. You won’t need to dial up an outside line for a VPN link, so click OK after entering your area code.

 

Figure 31 (Fig105)

 

  4. There are no dialing rules required for the VPN link. You may want to configure Phone And Modem Options later, but this is not required for the VPN connectoid. Click OK in the Phone and Modem Options dialog box.
  5. Click Next on the Welcome to the Network Connection Wizard page.
  6. Select the Connect to a private network through the Internet option on the Network Connection Type page (figure 32). Click Next.

 

Figure 32 (Fig106)

 

  7. On the Destination Address page (figure 33), type in the Fully Qualified Domain Name or IP address of the external interface of the ISA Server firewall/VPN server in the Host name or IP address text box. In this example we do not have a FQDN that resolves to the external IP address on the ISA Server firewall/VPN server, so we’ll enter the IP address instead. Click Next.

 

*       Note:
You can use a Fully Qualified Domain Name (FQDN) to connect to the ISA Server firewall/VPN server. This name must be entered into a public DNS server, and it must resolve to the primary IP address bound to the external interface of the ISA Server firewall/VPN server. The primary IP address is the IP on the top of the list of addresses bound to the external adapter.

 

Figure 33 (Fig107)

 

  8. On the Connection Availability page (figure 34), you can choose to make this connection available For all users or Only for myself. Only for myself is the more secure option because you must be logged on with the user account that created the VPN connectoid to access it.

 

This prevents other users who may log onto the same computer from using this connectoid. However, if you select this option, you will not be able to log on via Dial-up Networking from the Log On dialog box when you start the computer. This will prevent you from logging into the domain using the VPN connection and will prevent you from being able to automatically send domain credentials to servers on the internal network when accessing shared resources.

 

In this example we’ll select the Only for myself option and click Next.

 

Figure 34 (Fig108)

 

  9. On the Completing the Network Connection Wizard page (figure 35), type in a name for the connectoid in the Type the name you want to use for this connection text box. Put a checkmark in the Add a shortcut to my desktop checkbox if you want a shortcut on the desktop. Click Finish.

 

Figure 35 (Fig109)

 

  10. The connectoid is now ready to be used to connect to the ISA Server firewall/VPN server (named Honu in this example). Just enter the user name and password and click Connect.

 

Customizing the VPN Dial-up Connectoid’s Properties

 

Let’s now look at some of the common or interesting configuration options for the connectoid:

 

  1. In the Connection dialog box (figure 36), click the Properties button.

 

Figure 36 (Fig162)

 

  2. The first tab you’ll see in the Properties of the connection is the General tab (figure 37). You can change the IP address or FQDN that the VPN client connects to by changing the value in the Host name or IP address of destination text box.

 

Figure 37 (Fig163)

 

  3. Click on the Options tab (figure 38). If your VPN clients have frequent or periodic problems with connection reliability, you may want to configure them to redial automatically if the connection is dropped.

 

Put a checkmark in the Redial if line is dropped checkbox. Then enter the number of times you want the client to redial after the dropped connection in the Redial attempts text box. You may also want to reduce the time between redial attempts by selecting a smaller value, such as 5 seconds, in the Time between redial attempts drop-down list box.

 

If you want to stay connected until you manually log off, leave the Idle time before hanging up value as never; otherwise, click the drop-down list box and select the amount of idle time you want to pass before the connection to the VPN server is dropped.

 

Figure 38 (Fig164)

 

  4. Click on the Security tab (figure 39). The default Security options selection is set for Typical. This works for most VPN client/server connections. You can view what these “typical” settings are by selecting the Advanced option and clicking the Settings button; the default values in the Advanced Security Settings dialog box are those that are in effect when you select the Typical option.

 

Figure 39 (Fig165)

 

  5. Select the Advanced (custom settings) option and then click the Settings button. In the Advanced Security Settings dialog box (figure 40) you can see that Microsoft CHAP (MS-CHAP) and Microsoft CHAP Version 2 (MS-CHAPv2) are the user authentication protocols selected by default. Remove the checkmark from the Microsoft CHAP (MS-CHAP) checkbox: the ISA Server firewall/VPN server fully supports version 2, all current Windows VPN clients support MS-CHAPv2, and version 1 has well-documented weaknesses, so you only need to allow MS-CHAP if you have third party VPN clients that cannot use version 2. While you are in this dialog box, also confirm that the Data encryption drop-down list box is set to Require encryption (disconnect if server declines) rather than Optional encryption, so that a PPTP connection cannot be established without MPPE.

 

Figure 40 (Fig166)

 

  6. Click on the Networking tab (figure 41). The default setting in the Type of VPN server I am calling drop down list box is Automatic. The Automatic setting allows the VPN client to first negotiate an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server.

 

If the L2TP/IPSec negotiation fails, then the client tries to connect using PPTP. You can force the client to use either PPTP or L2TP/IPSec by selecting the appropriate protocol in the list.

 

A helpful troubleshooting tip is that if you have problems getting a VPN client to connect using L2TP/IPSec after you’ve configured the ISA Server firewall/VPN server to support L2TP/IPSec connections, try forcing the client to use L2TP/IPSec by selecting the Layer-2 Tunneling Protocol (L2TP) option from this list.

 

Figure 41 (Fig167)
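The Automatic setting has a consequence the connection dialog never shows the user: if UDP 500 is filtered on the path or the IKE negotiation fails for any other reason, the client silently lands on PPTP, and the only way to know which protocol was actually used is to look at the traffic. The following Python helper is an added example, not part of the ISA Server VPN Deployment Kit, that classifies what a client negotiated from time-ordered flow records (such as a firewall log or a capture summary) and flags that downgrade. The addresses and flow records are constructed; the protocol numbers and ports are the standard ones for PPTP and L2TP/IPSec.

```python
"""Classify which VPN protocol a client actually used, from flow records
ordered by time, and flag a silent fallback from L2TP/IPSec to PPTP.

Added example; the flow records and addresses below are constructed.
"""

# IP protocol numbers and ports used by the two VPN types
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
PORT_IKE, PORT_NATT, PORT_L2TP, PORT_PPTP = 500, 4500, 1701, 1723


def _tag(flow):
    """Map one outer-IP flow to the VPN building block it belongs to."""
    proto, dport = flow["proto"], flow.get("dport")
    if proto == PROTO_UDP and dport == PORT_IKE:
        return "ike"            # IKE: an L2TP/IPSec attempt starts here
    if proto == PROTO_UDP and dport == PORT_NATT:
        return "natt"           # UDP-encapsulated ESP/IKE: client is behind NAT
    if proto == PROTO_ESP:
        return "esp"            # plain ESP transport mode carrying L2TP
    if proto == PROTO_UDP and dport == PORT_L2TP:
        return "l2tp-clear"     # L2TP visible outside IPSec: unprotected tunnel
    if proto == PROTO_TCP and dport == PORT_PPTP:
        return "pptp-control"   # PPTP control channel
    if proto == PROTO_GRE:
        return "gre"            # PPTP data channel
    return None


def classify_session(flows, client, server):
    """Return (verdict, reasons) for traffic sent by client to server.

    flows: iterable of {"src", "dst", "proto", "sport", "dport"} in time order.
    """
    seen = []  # first-occurrence order matters for the downgrade check
    for flow in flows:
        if flow["src"] != client or flow["dst"] != server:
            continue
        tag = _tag(flow)
        if tag and tag not in seen:
            seen.append(tag)

    if "l2tp-clear" in seen:
        return "L2TP without IPSec", ["UDP 1701 seen in the clear: tunnel has no IPSec protection"]
    if "esp" in seen or "natt" in seen:
        verdict = "L2TP/IPSec NAT-T" if "natt" in seen else "L2TP/IPSec"
        reasons = [] if "ike" in seen else ["no IKE on UDP 500 seen: capture probably started mid-session"]
        return verdict, reasons
    if "pptp-control" in seen or "gre" in seen:
        first_pptp = min(seen.index(t) for t in ("pptp-control", "gre") if t in seen)
        if "ike" in seen and seen.index("ike") < first_pptp:
            return "PPTP (downgraded)", ["IKE attempted first, then PPTP: the Automatic setting fell back after the L2TP/IPSec negotiation failed"]
        return "PPTP", []
    if "ike" in seen:
        return "L2TP/IPSec incomplete", ["IKE sent but no ESP or UDP 4500 followed"]
    return "no VPN traffic", []


# Constructed sample data (documentation address ranges, not real hosts).
C, S = "203.0.113.10", "198.51.100.1"


def _flow(proto, dport=None, sport=None):
    return {"src": C, "dst": S, "proto": proto, "sport": sport, "dport": dport}


DIRECT_L2TP = [_flow(PROTO_UDP, PORT_IKE, PORT_IKE), _flow(PROTO_ESP)]
NATT_L2TP = [_flow(PROTO_UDP, PORT_IKE, PORT_IKE), _flow(PROTO_UDP, PORT_NATT, PORT_NATT)]
DOWNGRADED = [_flow(PROTO_UDP, PORT_IKE, PORT_IKE), _flow(PROTO_TCP, PORT_PPTP, 1033), _flow(PROTO_GRE)]
PLAIN_PPTP = [_flow(PROTO_TCP, PORT_PPTP, 1034), _flow(PROTO_GRE)]
CLEAR_L2TP = [_flow(PROTO_UDP, PORT_L2TP, PORT_L2TP)]

if __name__ == "__main__":
    for name, flows in [("direct", DIRECT_L2TP), ("nat-t", NATT_L2TP),
                        ("downgraded", DOWNGRADED), ("pptp", PLAIN_PPTP), ("clear", CLEAR_L2TP)]:
        verdict, reasons = classify_session(flows, C, S)
        print(f"{name:10s} -> {verdict}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

If you require L2TP/IPSec for a group of clients, force it on the client as described in the next step and confirm on the firewall that no PPTP control connections (TCP 1723) arrive from those addresses.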

 

  7. Select the Internet Protocol (TCP/IP) entry in the Components checked are used by this connection list on the Networking tab (figure 41) and click the Properties button.

 

In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button. On the General tab of the Advanced TCP/IP Settings dialog box (figure 42), note the Use default gateway on remote network checkbox. This option is checked by default and it should remain that way.

 

The Use default gateway on remote network option makes the VPN client route all traffic through the VPN interface while the connection is up and prevents “split tunneling”. Split tunneling allows the VPN client to reach the Internet directly and the private network (via the VPN interface) at the same time, which turns the client into a bridge between the two. This is a very high security risk and should not be allowed. All Internet access should go through the ISA Server firewall/VPN server while the VPN client is connected to the private network.

 

Figure 42 (Fig168)
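The checkbox is only the policy; the routing table is the evidence. After the connection is up, run route print on the client and confirm that the lowest-metric default route points at the address the VPN server assigned to the PPP adapter (shown by ipconfig). The following Python helper is an added example, not part of the ISA Server VPN Deployment Kit, that performs that check on a saved route print listing; both route tables below are constructed to look like Windows output, one with a full tunnel and one with a split tunnel.

```python
"""Check a Windows 'route print' listing for split tunneling after a VPN
connection is up: the lowest-metric default route must point at the VPN
(PPP) interface, not at the physical adapter.

Added example; the two route tables below are constructed, not captured.
"""
import re

# One "Active Routes" row: destination, netmask, gateway, interface, metric
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return the Active Routes rows as dicts; headers and other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "iface": iface, "metric": int(metric)})
    return routes


def active_default_route(routes):
    """Windows forwards via the 0.0.0.0/0.0.0.0 route with the lowest metric."""
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    return min(defaults, key=lambda r: r["metric"]) if defaults else None


def check_split_tunnel(route_print_text, vpn_iface_ip):
    """vpn_iface_ip: the address the VPN server assigned to the PPP adapter."""
    route = active_default_route(parse_routes(route_print_text))
    if route is None:
        return False, "no default route at all"
    if route["iface"] == vpn_iface_ip:
        return True, (f"default route goes through the VPN interface {vpn_iface_ip} "
                      f"(metric {route['metric']})")
    return False, (f"split tunnel: default route goes through {route['iface']} via "
                   f"{route['gateway']}, not the VPN interface {vpn_iface_ip}")


# Constructed: 'Use default gateway on remote network' checked. The VPN
# default route (metric 1) wins over the physical adapter's route (metric 2).
FULL_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10       2
          0.0.0.0          0.0.0.0         10.0.0.7        10.0.0.7       1
       10.0.0.7  255.255.255.255        127.0.0.1       127.0.0.1       1
      127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10       1
Default Gateway:          10.0.0.7
"""

# Constructed: checkbox cleared. Only the private network is routed through
# the VPN; everything else still leaves via the local Internet gateway.
SPLIT_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10       1
       10.0.0.0      255.255.255.0         10.0.0.7        10.0.0.7       1
      127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10       1
Default Gateway:      203.0.113.1
"""

if __name__ == "__main__":
    for name, table in [("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)]:
        ok, why = check_split_tunnel(table, "10.0.0.7")
        print(f"{name}: {'OK' if ok else 'FAIL'} - {why}")
```

On a real client, save the output with route print > routes.txt and feed the file to check_split_tunnel together with the PPP adapter address from ipconfig.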

 

 

Install the Windows 2000 L2TP/IPSec VPN Client if the VPN Client is Behind a NAT Server

 

Up to this point we have assumed the L2TP/IPSec VPN client was directly connected to the Internet and that the L2TP/IPSec client had a public IP address. In some cases the Windows 2000 L2TP/IPSec VPN client computer will be located behind a NAT device. The NAT device can be a simple SOHO NAT Router or an advanced NAT-based firewall such as ISA Server 2000.

 

You must download and install the L2TP/IPSec NAT-T update for Windows XP and Windows 2000, described in Microsoft Knowledge Base article 818043 (http://support.microsoft.com/default.aspx?SCID=KB;EN-US;818043#4). Use the Windows Update Catalog to locate the file. Perform the following steps to locate and download the L2TP/IPSec NAT-T update setup file:

 

  1. Open Internet Explorer, click the Tools menu and click Windows Update.
  2. In the left pane of the Windows Update Web page, locate the Windows Update Catalog link and click on it.
  3. On the Welcome to Windows Update Catalog page (figure 43), click the Find updates for Microsoft Windows operating systems.

 

Figure 43 (Fig223)

 

  4. On the Microsoft Windows page (figure 44), select Windows 2000 SP3 in the Operating Systems list. Click the down arrow button next to Advanced search options. In the Contains these words text box, type 818043. Click the Search button.

 

Figure 44 (Fig224)

 

  5. Click the Recommended Updates (1) link on the Your search returned 1 results page (figure 45).

 

Figure 45 (Fig225)

 

  6. The 818043: Recommended Update for Windows 2000 entry will appear in the Recommended Updates (1) list (figure 46). Scroll down to the bottom of the description of the update and click the Add button. Now click on the green arrow to the left of where it says Go to Download Basket.

 

Figure 46 (Fig226)

 

  7. On the Download Basket page (figure 47), type in a path on the local hard disk where the update will be downloaded. Click the Download Now button after typing in the path.

 

Figure 47 (Fig227)

 

  8. A Microsoft Windows Update – Web Page Dialog box appears and asks you to accept the license agreement. Click the Accept button.
  9. The file is downloaded to the location you indicated. When the download is complete, the Download History page shows the exact location of the file. Make a note of the exact location of the file and open the Run command from the Start menu.
  10. Click the Browse button on the Run dialog box. Navigate to the location of the file and click on the Q818043_W2K_SP5_x86_EN.EXE application so that it appears in the File name textbox (figure 48). Click the Open button. Click OK in the Run dialog box to install the update.

 

Figure 48 (Fig228)

 

  11. In the Choose Directory For Extracted Files dialog box, type a path for the extracted files and click OK.
  12. Click Next on the Welcome to the Windows 2000 Q818043 Setup Wizard page.
  13. Read the License Agreement on the License Agreement page and then select the I Agree option. Click Next.
  14. Click Finish on the Completing the Windows 2000 Q818043 Setup Wizard page. The computer will restart automatically.

 

The Windows 2000 VPN client is now able to create L2TP/IPSec connections while behind a NAT device or NAT-based firewall. The only requirements are that UDP 500 (IKE) and UDP 4500 (NAT-T) are allowed outbound from the client through the NAT device; with NAT-T the ESP traffic is carried inside UDP 4500, so IP protocol 50 does not need to pass through the NAT. The VPN server must also support NAT-T. Details on how to configure ISA Server 2000 to allow outbound L2TP/IPSec connections, as well as instructions on how to allow Windows Server 2003 to accept these L2TP/IPSec connections, can be found in the ISA Server VPN Deployment Kit documents Configuring the ISA Server Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections and Configuring the ISA Firewall/VPN Server to Support Outbound L2TP/IPSec NAT-T Connections.
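What actually travels over UDP 4500 is worth understanding before you write the firewall rule or troubleshoot a NAT-T client: the port carries three kinds of datagram that a NAT-T capable peer (or an IDS watching the VPN server) has to tell apart. The following Python demultiplexer is an added example, not part of the ISA Server VPN Deployment Kit, that applies the RFC 3948 framing rules (ESP starts with its SPI, IKE is prefixed with a 4-byte zero non-ESP marker, a NAT keepalive is the single byte 0xFF) and parses the fixed IKEv1 header, which is the IKE version Windows 2000 speaks. The sample payloads are constructed; they carry dummy bodies, not real negotiations.

```python
"""Demultiplex UDP 4500 payloads the way a NAT-T capable peer does.

RFC 3948: an ESP packet starts directly with its SPI; IKE on port 4500 is
prefixed with a 4-byte zero "non-ESP marker"; a NAT keepalive is the single
byte 0xFF. ESP SPI values 0-255 are reserved, so a leading zero word is never
a real SPI and IKE and ESP cannot be confused.

Added example; the sample payloads below are constructed, not captured.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
KEEPALIVE = b"\xff"
IKEV1_EXCHANGES = {2: "Main Mode (Identity Protection)", 4: "Aggressive Mode",
                   5: "Informational", 32: "Quick Mode"}
IKEV1_PHASE = {2: 1, 4: 1, 32: 2}


def parse_ikev1_header(data):
    """Parse the fixed 28-byte ISAKMP header (RFC 2408) and sanity-check it."""
    if len(data) < 28:
        raise ValueError("IKE header truncated")
    i_cookie, r_cookie, next_payload, version, exchange, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", data[:28])
    major = version >> 4
    if major != 1:
        raise ValueError(f"not IKEv1 (major version {major})")
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes on the wire")
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        "first_message": r_cookie == bytes(8),   # responder cookie not yet chosen
        "next_payload": next_payload,
        "exchange": IKEV1_EXCHANGES.get(exchange, f"unknown ({exchange})"),
        "phase": IKEV1_PHASE.get(exchange),
        "encrypted": bool(flags & 0x01),          # E bit: payloads are encrypted
        "message_id": msg_id,
        "length": length,
    }


def demux_natt(payload):
    """Classify one UDP 4500 datagram payload; raises ValueError when malformed."""
    if payload == KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return {"kind": "ike", **parse_ikev1_header(payload[4:])}
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    if spi < 256:
        raise ValueError(f"reserved SPI {spi}: not a valid ESP packet")
    # The rest is the encrypted ESP payload (the L2TP/PPP frame) plus trailer/ICV.
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_bytes": len(payload) - 8}


def describe(payload):
    """One-line summary that never raises; handy when walking a whole capture."""
    try:
        info = demux_natt(payload)
    except ValueError as exc:
        return f"invalid: {exc}"
    if info["kind"] == "ike":
        return f"IKE {info['exchange']} msgid={info['message_id']:#x} encrypted={info['encrypted']}"
    if info["kind"] == "esp":
        return f"ESP spi={info['spi']:#x} seq={info['seq']} ({info['encrypted_bytes']} bytes)"
    return info["kind"]


def _ikev1(i_cookie, r_cookie, exchange, msg_id, body, flags=0):
    """Build an ISAKMP message with a dummy body (constructed test data)."""
    return struct.pack("!8s8sBBBBII", i_cookie, r_cookie, 1, 0x10, exchange,
                       flags, msg_id, 28 + len(body)) + body


# IKE moves from UDP 500 to 4500 once NAT is detected during Main Mode, so by
# then both cookies are set; Quick Mode follows with a non-zero message ID.
SAMPLE_IKE_MAIN = NON_ESP_MARKER + _ikev1(b"\x11" * 8, b"\x22" * 8, 2, 0, b"\x00" * 20, flags=1)
SAMPLE_IKE_QUICK = NON_ESP_MARKER + _ikev1(b"\x11" * 8, b"\x22" * 8, 32, 0x0A0B0C0D, b"\x00" * 16, flags=1)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\x00" * 40
SAMPLE_BAD_SPI = struct.pack("!II", 5, 1) + b"\x00" * 8
SAMPLE_TRUNCATED_IKE = NON_ESP_MARKER + b"\x00" * 10

if __name__ == "__main__":
    for p in (KEEPALIVE, SAMPLE_IKE_MAIN, SAMPLE_IKE_QUICK, SAMPLE_ESP, SAMPLE_BAD_SPI):
        print(describe(p))
```

A NAT that times out idle UDP bindings is exactly why the keepalive exists; if a NAT-T client drops after a few minutes of silence, look for the 0xFF keepalives in a capture before suspecting the certificates.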