Setting Up the Windows Server 2003 PPTP and L2TP/IPSec Client
The Windows
2003 VPN client represents a major advance in terms of the flexibility and ease
of configuration over the Windows 9x and Windows NT 4.0 VPN clients. You create
the Windows Server 2003 VPN client connection with an easy to use Wizard. The
VPN Dial-up Networking connection (sometimes referred to as a “connectoid”) can
be modified to support a customized ISA Server firewall/VPN server configuration.
This ISA Server 2000 VPN Deployment Kit document discusses the following procedures that you need to perform before you connect a Windows Server 2003 computer to the ISA Server firewall/VPN server using PPTP or L2TP/IPSec: obtaining a computer certificate to support L2TP/IPSec connections, creating the Windows Server 2003 VPN connectoid, and customizing the VPN connectoid.
Obtaining a Computer Certificate to support L2TP/IPSec Connections
You must
obtain a computer certificate before you can create an L2TP/IPSec connection
with the ISA Server firewall/VPN server. In the following example we have
created a standalone Certificate Authority on our internal network using the
Windows Server 2003 Certificate Server.
Note:
You can obtain computer certificates from both standalone and enterprise Microsoft Certificate Authorities. Please see ISA Server 2000 VPN Deployment Kit documents Installing and Configuring a Windows Server 2003 Standalone Certification Authority and Installing and Configuring a Windows Server 2003 Enterprise Certification Authority for information on how to install and configure standalone and enterprise Microsoft Certificate Servers. Please see ISA Server 2000 VPN Deployment Kit documents Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA and Installing and Configuring a Windows Server 2003 Enterprise Certification Authority for information on how to obtain certificates via the Web enrollment sites of standalone and enterprise Microsoft Certificate Servers. Certificates can also be obtained from the Certificates MMC snap-in (loaded for the Computer account) and via domain-based autoenrollment. Please see ISA Server 2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for information on how to assign machine certificates using domain-based autoenrollment.
Perform the
following steps to obtain a certificate from the Windows Server 2003 standalone
Certificate Authority via the Web enrollment site:
Note:
In this example we assume the VPN client computer is located on the internal
network. You can obtain computer certificates when the VPN client is located on
an external network if the Microsoft Certificate Server Web enrollment site is
published using ISA Server Web or Server Publishing Rules. Please see ISA
Server 2000 VPN Deployment Kit Document Publishing a Windows Server
2003 Certification Authority Web Enrollment Site and Certificate Revocation
List for information on how to publish a Microsoft Certificate
Server Web enrollment site.
1.
On the Windows Server 2003 computer, open Internet Explorer 6.0 and type in the URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address> and <fqdn> represent the IP address and Fully Qualified Domain Name of the standalone Microsoft Certificate Server. The key pair is generated on the client and never leaves it; only the certificate request and the issued certificate cross the network.
Figure 1
(fig109)
2.
An Internet Explorer dialog box appears (figure 2) informing you that the Web site is blocked. This is the Internet Explorer Enhanced Security Configuration included with Windows Server 2003, which blocks scripting and ActiveX content from sites that are not in the Trusted sites zone. The Web enrollment pages rely on both to generate the key pair and install the certificate, so you need to trust the Certificate Server's site (and only that site). Click the Add button.
Figure 2
(Fig110)
3.
On the Trusted sites page, click the Add
button to add the Certificate Server to your list of trusted Web sites. Click
the Close button on the Trusted sites dialog box after adding
the site to the list.
Figure 3
(Fig111)
4.
On the Microsoft Certificate Services Welcome
page (figure 4), click the request a
certificate link.
Figure 4
(Fig 108)
5.
On the Microsoft Certificate Services Request
a Certificate page (figure 5), click on the advanced certificate request link.
Figure 5
(fig 107)
6.
On the Advanced Certificate Request page (figure 6), click the Create and submit a request to this CA
link.
Figure 6
(Fig112)
7.
Fill out the information fields in
the Advanced Certificate Request
page (figure 7). In the Type of Certificate
Needed drop down list box, select the IPSec
Certificate entry. Put a checkmark in the Store certificate in the local computer certificate store checkbox
(figure 8). Click the Submit button
at the bottom of the page.
Figure 7
(Fig114)
Figure 8
(Fig115)
8.
Click Yes in the Potential Script
Violation dialog box (figure 9) warning you that the Web site is requesting
a certificate on your behalf.
Figure 9
(Fig116)
9.
Click the Home link on the Certificate
Pending page (figure 10). Make sure you approve the certificate request at
the Certificate Server before proceeding. In this example we will approve the
certificate request before proceeding with the client certificate request
process.
For information on how to approve a certificate request from
a standalone Microsoft Certificate Server, please refer to ISA Server 2000 VPN Deployment Kit document Installing and Configuring a Windows Server 2003 Standalone Certification
Authority.
On the Welcome page
(figure 11), click the View the status
of a pending certificate request link.
Figure 10
(Fig117)
Figure 11
(fig105)
10. On the View the Status of a Pending Certificate Request page (figure 12),
click the link representing the pending certificate request. In this example
the link says IPSec Certificate
(Saturday
Figure 12
(Fig118)
11. Click the Install this certificate link on the Certificate Issued page (figure 13).
Figure 13
(Fig119)
12. Click Yes in the Potential
Scripting Violation dialog box (figure 14) informing you a certificate will
be added to your computer and that you should trust the Web enrollment site.
Figure 14
(Fig120)
13. Close the browser after the certificate
is installed and you see the Certificate
installed page (figure 15).
Figure 15
(Fig121)
An IPSec certificate has been added to the machine's certificate store. However, we won't be able to use this certificate to create an L2TP/IPSec connection until after we add the standalone root CA's self-signed certificate to the machine's Trusted Root Certification Authorities store. IKE certificate authentication fails unless the certificate chain validates to a root the computer trusts, on the client and on the ISA Server firewall/VPN server alike.
Perform the following steps to add the standalone root CA's self-signed certificate to the Trusted Root Certification Authorities list:
1.
Click Start and click the Run
command. Type mmc in the Open text box and click OK.
2.
In the Console1 window, click the File
menu and then click the Add/Remove
Snap-in command (figure 16).
Figure 16
(Fig122)
3.
In the Add/Remove Snap-in dialog box (figure 17), click the Add button.
Figure 17
(Fig123)
4.
In the Add Standalone Snap-in dialog box (figure 18), select the Certificates snap-in from the list of Available Standalone Snap-ins list.
Click Add.
Figure 18
(Fig124)
5.
In the Certificates snap-in page (figure 19), select the Computer account option and click Next.
Figure 19
(Fig125)
6.
On the Select Computer page (figure 20), select Local computer and click Finish.
Figure 20
(Fig126)
7.
Click the Close button in the Add
Standalone Snap-in dialog box, then click OK in the Add/Remove Snap-in
dialog box.
8.
Expand the Certificates (Local Computer) node in the left pane of the console,
then expand the Certificates (Local
Computer)\Personal node. Click on the Certificates
(Local Computer)\Personal\Certificates node. You should see the computer
certificate in the right pane of the console (figure 21).
Figure 21
(Fig129)
9.
Double click on the certificate in the right pane of the console. Click on the Certification Path tab in the Certificate dialog box. Note the red "X" on the WIN2003DC entry in the certificate hierarchy (figure 22). This indicates the CA root certificate isn't in this machine's Trusted Root Certification Authorities certificate store.
There are a number of ways we can import the standalone CA's root certificate into that store, for example by downloading it from the Web enrollment site's Download a CA certificate, certificate chain, or CRL link, or by distributing it through Group Policy. In this example we export it from the Certification Path tab and then import the exported file.
Figure 22
(Fig130)
10. Click on the WIN2003DC entry at the top of the hierarchy and then click on the View Certificate button. Another Certificate dialog box opens, but this time it's for the standalone CA's own self-signed certificate. Click the Details tab and then click the Copy to File button.
Figure 23
(Fig131)
11. The Welcome to the Certificate Export Wizard page appears (figure 24).
Click Next.
Figure 24
(Fig132)
12. On the Export File Format page (figure 25), select the Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B) option. Put a checkmark in the Include all certificates in the
certification path if possible checkbox. Click Next.
Figure 25
(Fig133)
13. On the File to Export page (figure 26), type in a path and file name for
the exported certificate. Click Next.
Figure 26
(Fig134)
14. Click Finish in the Completing the
Certificate Export Wizard page (figure 27).
Figure 27
(Fig135)
15. Click OK in the Certificate Export
Wizard dialog box (figure 28) that informs you The export was successful.
Figure 28
(Fig136)
16. Close both of the Certificate dialog boxes.
17. Now that the stand-alone CA's certificate has been exported to a file, import it into the Trusted Root Certification Authorities store. In the left pane of the console, expand the Certificates (Local Computer)\Trusted Root Certification Authorities node, right click the Certificates node, point to All Tasks and click Import (figure 29).
Figure 29
(Fig137)
18. Click Next on the Welcome to the
Certificate Import Wizard page (figure 30).
Figure 30
(Fig138)
19. On the File to Import page of the Certificate
Import Wizard (figure 31), use the Browse
button to easily locate the stand-alone CA certificate you exported earlier.
Find the certificate and then click Next.
Figure 31
(Fig139)
20. On the Certificate Store page (figure 32), select the Place all certificates in the following store option. The Certificate store text box should say Trusted Root Certification Authorities; this is entered for you automatically. Click Next.
Figure 32
(Fig140)
21. Click Finish on the Completing the
Certificate Import Wizard page (figure 33).
Figure 33
(Fig141)
22. Click OK in the Certificate Import
Wizard dialog box (figure 34) informing you The import was successful.
Figure 34
(Fig142)
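To confirm the result of the two procedures above without clicking through each Certificate dialog, the following PowerShell script lists the certificates in the Local Computer Personal store, builds each one's chain and reports whether its root is present in the Trusted Root Certification Authorities store. It is an added example, not part of the ISA Server 2000 VPN Deployment Kit or of the ISA Server product. PowerShell is not included with Windows Server 2003 but installs on it; the script needs PowerShell 2.0 or later. The EKU OIDs it looks for, 1.3.6.1.5.5.8.2.2 (IP security IKE intermediate) and 1.3.6.1.5.5.7.3.2 (Client Authentication), and the assumption that the IPSec Certificate template issues the former, are mine, not the document's.

```powershell
# Added example (not from the ISA Server 2000 VPN Deployment Kit). Checks that this
# machine holds a computer certificate usable for L2TP/IPSec and that its chain
# builds to a certificate in Trusted Root Certification Authorities. Run in an
# elevated PowerShell (2.0+) session on the VPN client.
# Assumption: the "IPSec Certificate" template issues the IKE intermediate EKU;
# Client Authentication certificates are reported as well.
$ikeIntermediateOid = '1.3.6.1.5.5.8.2.2'
$clientAuthOid      = '1.3.6.1.5.5.7.3.2'

function Test-L2tpMachineCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem $StorePath) {
        # IKE needs the private key; a certificate in the Personal store without
        # one (for example a stray CA certificate) cannot be used.
        if (-not $cert.HasPrivateKey) { continue }

        # Collect the Enhanced Key Usage OIDs, if the certificate carries any.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        $hasIkeEku = ($ekus -contains $ikeIntermediateOid) -or ($ekus -contains $clientAuthOid)

        # Build the chain the way the Certification Path tab does. Revocation is
        # deliberately not checked here so that trust problems are reported
        # separately from CRL reachability problems.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # The last element of the chain is the highest certificate that could be
        # found; when the root is missing it shows UntrustedRoot (the red X).
        $rootSubject = ''
        $rootTrusted = $false
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $rootSubject = $root.Subject
            $rootTrusted = Test-Path ("Cert:\LocalMachine\Root\" + $root.Thumbprint)
        }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasIkeEku     = $hasIkeEku
            ChainBuilds   = $chainOk
            ChainStatus   = $status
            RootSubject   = $rootSubject
            RootTrusted   = $rootTrusted
            UsableForL2tp = ($hasIkeEku -and $chainOk -and $rootTrusted)
        }
    }
}

Test-L2tpMachineCertificate | Format-List
```

A certificate reported with ChainBuilds False, ChainStatus UntrustedRoot and RootTrusted False is exactly the red X case in figure 22; repeat the import procedure above. Revocation is not checked by the script, so whether the client can retrieve the CA's CRL is a separate question, covered by the kit's document on publishing the Web enrollment site and Certificate Revocation List.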
Creating the Windows Server 2003 VPN Connectoid
Now that the Windows 2003 VPN client has a certificate, it can negotiate both L2TP/IPSec and PPTP VPN connections (PPTP does not require a machine certificate; the certificate is what makes L2TP/IPSec possible). The default behavior of the Windows Server 2003 VPN client is to first try L2TP/IPSec and if that doesn't work, try to connect using PPTP.
Perform the
following steps to create the Windows Server 2003 VPN Dial-up connectoid:
1.
Right click on My Network Places either on the desktop or in the Start menu, then click the Properties command.
2.
Double click on the New Connection Wizard icon in the Network Connections window.
3.
Click Next on the Welcome to the New Connection Wizard page (figure 35).
Figure 35
(Fig169)
4.
Select the Connect to the network at my workplace option on the Network Connection
Type page (figure 36). Click Next.
Figure 36
(Fig170)
5.
On the Network Connection page (figure 37), select the Virtual Private Network connection
option. Click Next.
Figure 37
(Fig171)
6.
On the Connection Name page (figure 38), type in a name that will be assigned to the VPN connectoid in the Company Name text box. Click Next.
Figure 38
(Fig173)
7.
On the VPN Server Selection page (figure 39), type in the Fully Qualified
Domain Name or IP address of the external
interface of the ISA Server firewall VPN server in the Host name or IP address text box. In this example we do not have a
FQDN that resolves to the external IP address on the ISA Server firewall VPN
server, so we’ll enter the IP address. Click Next.
Note:
You can use a Fully Qualified Domain Name (FQDN) to connect to the ISA Server
firewall/VPN server. This name must be entered into a public DNS server, and it
must resolve to the primary IP address bound to the external interface of the
ISA Server firewall/VPN server. The primary IP address is the IP on the top of
the list of addresses bound to the external adapter.
Figure 39
(Fig175)
8.
On the Connection Availability page (figure 40), select the My use only option. Click Next.
Figure 40
(Fig176)
9.
Click Finish on the Completing the
New Connection Wizard page (figure 41).
Figure 41
(Fig177)
Customizing the VPN Connectoid
Let’s now
look at some of the common options for the connectoid:
1.
In the Connection dialog box, click
the Properties button (figure 42).
Figure 42
(Fig178)
2.
The first tab you’ll see in the Properties of the connection is the General tab. You can change the IP
address or FQDN the VPN client connects to by changing the value in the Host name or IP address of destination
text box. (figure 43)
Figure 43
(Fig179)
3.
Click on the Options tab (figure 44). If the VPN clients experience connection reliability problems, you may want to configure them to redial automatically when a connection is dropped. Put a checkmark in the Redial if line is dropped checkbox. Enter the number of times you want the client to redial after a dropped connection in the Redial attempts text box. You may want to reduce the time between redial attempts by selecting a smaller value, such as 5 seconds, in the Time between redial attempts drop-down list box. If you want to stay connected until you manually log off, leave the Idle time before hanging up value as never; otherwise, click the drop-down list box and select the idle time you want to pass before the connection to the VPN server is dropped.
Figure 44
(Fig180)
4.
Click on the Security tab (figure 45). The default Security options selection is set for Typical, and this works for most VPN connections. You can view what
these “typical” settings are by selecting the Advanced option and clicking the Settings button; the default values in the Advanced Security Settings dialog box are those in place when you
select the Typical option.
Figure 45
(Fig181)
5.
You can configure the Windows Server 2003 VPN client to use a pre-shared key instead of a certificate when making L2TP/IPSec VPN connections by clicking on the IPSec Settings button and typing the pre-shared key into the Key text box on the IPSec Settings dialog box (figure 46).
The same pre-shared key must be configured on both the ISA Server firewall/VPN server and the VPN client. A Windows Server 2003 based ISA Server firewall/VPN server supports pre-shared keys. Keep in mind that a pre-shared key is a single secret shared by every client that uses it and stored on each of those machines, so it is a weaker form of machine authentication than a certificate; treat it as an interim measure until certificates are in place. Please refer to ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for information on how to configure a Windows Server 2003 based ISA Server firewall/VPN server to support pre-shared keys for L2TP/IPSec connections.
Figure 46
(Fig182)
6.
Select the Advanced option and then click the Settings button. In the Advanced Security Settings dialog box (figure 47) you can see that the Microsoft CHAP (MS-CHAP) and Microsoft CHAP Version 2 (MS-CHAPv2) user authentication protocols are selected by default. Remove the checkmark from the Microsoft CHAP (MS-CHAP) checkbox: all Microsoft VPN clients and the ISA Server firewall/VPN server fully support MS-CHAP version 2, and MS-CHAP version 1 lacks mutual authentication and has known cryptographic weaknesses, so leaving it enabled only permits a downgrade to the weaker protocol.
Figure 47
(Fig183)
7.
Click on the Networking tab (figure 48). The default setting in the Type of VPN server I am calling drop
down list box is Automatic.
The Automatic
setting allows the VPN client to first negotiate an L2TP/IPSec VPN connection
with the ISA Server firewall/VPN server. If the L2TP/IPSec negotiation fails,
then the client tries to connect using PPTP. You can force the client to use
either PPTP or L2TP/IPSec by selecting the appropriate protocol in the list.
A helpful troubleshooting tip is that if you have difficulty
getting a VPN client to connect using L2TP/IPSec after configuring the ISA
Server firewall/VPN server to support L2TP/IPSec connections, try forcing the
client to use L2TP/IPSec by selecting the Layer-2
Tunneling Protocol (L2TP) option from the list. Sometimes the VPN client
“remembers” the previous VPN protocol it used with a particular VPN server and
will preferentially use that protocol on subsequent connections. Forcing
L2TP/IPSec forces the VPN client to use L2TP/IPSec, even if the client had
previously connected to the ISA Server firewall/VPN server using PPTP.
Figure 48
(Fig184)
8.
Select the Internet Protocol (TCP/IP) entry in the Components checked are used by this connection list on the Networking tab and click the Properties button. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button. Note the Use default gateway on remote network checkbox on the General tab of the Advanced TCP/IP Settings dialog box (figure 49). This option is checked by default and it should remain that way. It forces the VPN client to route all traffic not destined for its local subnet through the VPN interface while the tunnel is up, and so prevents "split tunneling", where the client reaches the Internet directly and the corporate network through the tunnel at the same time and can act as a bridge between the two.
Note:
Please refer to ISA Server 2000 VPN
Deployment Kit document Forcing Firewall Policy on VPN
Clients for information on how to configure the VPN client to
use the ISA Server as its Web Proxy and Firewall for Internet access.
Figure 49
(Fig185)
9.
Click OK in the Advanced TCP/IP
Settings dialog box and then click OK
in the TCP/IP Properties dialog box.
The Windows
Server 2003 VPN connectoid is now ready to use.
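The settings chosen in the two procedures above are stored in an INI-style phonebook file, rasphone.pbk. As an added example that is not part of the ISA Server 2000 VPN Deployment Kit, the following PowerShell script reads both phonebooks, the current user's (where a My use only connectoid is stored) and the All Users one (Anyone's use), and reports the settings walked through above, flagging a VpnStrategy that still permits PPTP and IpPrioritizeRemote=0, which is the split tunneling setting. The phonebook paths are the Windows Server 2003 locations. The meaning of the VpnStrategy values is taken from the RASENTRY dwVpnStrategy constants (VS_PptpOnly=1, VS_PptpFirst=2, VS_L2tpOnly=3, VS_L2tpFirst=4), and I am assuming the connectoid UI writes the same numbers and Type=2 for a VPN entry; the document does not state how Automatic is stored, so any other value is reported as unknown and treated as permitting PPTP, which matches the fallback behavior described above.

```powershell
# Added example (not from the ISA Server 2000 VPN Deployment Kit). Reads the RAS
# phonebooks on a Windows Server 2003 client and reports each VPN connectoid's
# server, protocol strategy, redial/idle settings and split tunneling state.
# Assumptions: phonebook locations below; Type=2 marks a VPN entry; VpnStrategy
# follows the RASENTRY dwVpnStrategy numbering.
$userPbk    = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$allUserPbk = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk'

$vpnStrategyNames = @{
    '1' = 'PPTP only'
    '2' = 'PPTP first, then L2TP/IPSec'
    '3' = 'L2TP/IPSec only'
    '4' = 'L2TP/IPSec first, then PPTP'
}

function Read-Phonebook {
    param([string]$Path)
    # rasphone.pbk is INI-style: [Entry name] followed by key=value lines.
    $entries = @{}
    $current = $null
    if (-not (Test-Path $Path)) { return $entries }
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\[(.+)\]$') {
            $current = $matches[1]
            $entries[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $entries[$current][$matches[1]] = $matches[2]
        }
    }
    $entries
}

function Get-VpnConnectoidReport {
    param([string]$Path)
    $pbk = Read-Phonebook $Path
    foreach ($name in $pbk.Keys) {
        $e = $pbk[$name]
        if ($e['Type'] -ne '2') { continue }      # not a VPN entry

        $strategy = $e['VpnStrategy']
        $strategyName = 'unknown'
        if ($strategy -and $vpnStrategyNames.ContainsKey($strategy)) {
            $strategyName = $vpnStrategyNames[$strategy]
        }

        # Anything other than L2TP/IPSec only leaves a PPTP fallback or
        # preference in place; IpPrioritizeRemote=0 means the remote default
        # gateway is not used, i.e. split tunneling.
        $findings = @()
        if ($strategy -ne '3') {
            $findings += 'PPTP permitted: force L2TP/IPSec on the Networking tab'
        }
        if ($e['IpPrioritizeRemote'] -eq '0') {
            $findings += 'Split tunneling enabled: re-check Use default gateway on remote network'
        }

        New-Object PSObject -Property @{
            Phonebook      = $Path
            Entry          = $name
            VpnServer      = $e['PhoneNumber']      # host name or IP from the General tab
            VpnStrategy    = $strategyName
            RedialAttempts = $e['RedialAttempts']
            RedialSeconds  = $e['RedialSeconds']
            IdleDisconnect = $e['IdleDisconnectSeconds']
            Findings       = ($findings -join '; ')
        }
    }
}

foreach ($pbkPath in @($userPbk, $allUserPbk)) {
    Get-VpnConnectoidReport $pbkPath | Format-List
}
```

Running the script after finishing the wizard shows the connectoid exactly as the Properties dialog will: the troubleshooting tip about forcing L2TP/IPSec corresponds to seeing VpnStrategy change to L2TP/IPSec only, and a Findings line about split tunneling means step 8 needs to be revisited. On later Windows versions the All Users phonebook moved to %ProgramData%\Microsoft\Network\Connections\Pbk, so adjust the second path there.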