Setting Up the Windows XP PPTP and L2TP/IPSec client

 

The Windows XP VPN client is a major advance in flexibility and ease of configuration over the Windows 9x and Windows NT 4.0 VPN clients. You create the Windows XP VPN client connection with an easy-to-use wizard. The connection (often referred to as a “connectoid”) can then be modified to support a customized configuration on your ISA Server firewall/VPN server.

 

This ISA Server 2000 VPN Deployment Kit document covers the following actions you need to perform before you can connect a Windows XP computer to the ISA Server firewall/VPN Server using PPTP or L2TP/IPSec:

 

  • Obtaining a computer certificate from a Microsoft Certificate Authority or configuring a pre-shared key on the client and ISA Server firewall/VPN server
  • Creating the VPN connectoid
  • Customizing the VPN connectoid

 

Obtaining a Computer Certificate to support L2TP/IPSec Connections

 

You must obtain a computer certificate before you can create an L2TP/IPSec connection with the ISA Server firewall/VPN server. In the example discussed in this ISA Server 2000 VPN Deployment Kit document, we have created a standalone Certificate Authority on our internal network using the Windows Server 2003 Certificate Server.

 

*       Note:
You can obtain computer certificates from both standalone and enterprise Microsoft Certificate Authorities. Please see ISA Server Deployment Kit documents Installing and Configuring a Windows Server 2003 Standalone Certification Authority and Installing and Configuring a Windows Server 2003 Enterprise Certification Authority for information on how to install and configure standalone and enterprise Microsoft Certificate Servers. Please see ISA Server 2000 VPN Deployment Kit documents Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA and Installing and Configuring a Windows Server 2003 Enterprise Certification Authority on how to obtain certificates via Web enrollment sites for standalone and enterprise Microsoft Certificate Servers. Certificates can also be obtained from the MMC certificates standalone snap-in and via domain-based autoenrollment. Please see ISA Server 2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for information on how to assign machine certificates using domain-based autoenrollment.

 

Perform the following steps to obtain a certificate from the Windows Server 2003 standalone Certificate Authority via the Web enrollment site:

 

*       Note:
In this example we assume the VPN client computer is located on the internal network. You can obtain computer certificates when the VPN client is located on an external network if the Microsoft Certificate Server Web enrollment site is published using ISA Server Web or Server Publishing Rules. Please see ISA Server 2000 VPN Deployment Kit Document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for information on how to publish a Microsoft Certificate Server Web enrollment site.

 

1.       On the Windows XP computer, open Internet Explorer 6.0 and type in the URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address> and <fqdn> represent the IP address and Fully Qualified Domain Name of the standalone Microsoft Certificate Server.

2.       On the Microsoft Certificate Services Welcome page (figure 1), click the Request a certificate link.

 

Figure 1 (Fig110)

 

3.       On the Request a Certificate page (figure 2), click the advanced certificate request link.

 

Figure 2 (Fig111)

 

4.       On the Advanced Certificate Request page (figure 3), click the Create and submit a request to this CA link.

 

Figure 3 (Fig112)

 

5.       Put a checkmark in the Always trust content from Microsoft Corporation checkbox and then click Yes in the Security Warning dialog box (figure 4) that asks if you want to install and run Microsoft Certificate Enrollment Control. Repeat the procedure if the dialog box appears again.

 

Figure 4 (Fig113)

 

6.       Fill out the information fields in the Advanced Certificate Request page (figure 5). In the Type of Certificate Needed drop down list box, select the IPSec Certificate entry. Put a checkmark in the Store certificate in the local computer certificate store checkbox (figure 6). Click the Submit button at the bottom of the page.

 

Figure 5 (Fig114)

 

Figure 6 (Fig115)

 

7.       Click Yes in the Potential Script Violation dialog box (figure 7) warning you that the Web site is requesting a certificate on your behalf.

 

Figure 7 (Fig116)

 

8.       Click the Home link on the Certificate Pending page. The certificate request must be approved at the standalone Certificate Authority before you can proceed; in this example we approve it now, before continuing with the client certificate request process.

 

For information on how to approve a certificate request from a standalone Microsoft Certificate Server, please refer to ISA Server 2000 VPN Deployment Kit document Installing and Configuring a Windows Server 2003 Standalone Certification Authority. 

 

On the Welcome page (figure 8), click the View the status of a pending certificate request link.

 

Figure 8 (Fig117)

 

9.       On the View the Status of a Pending Certificate Request page (figure 9), click the link representing the pending certificate request. In this example the link says IPSec Certificate (Tuesday May 13 2003 10:47:12 PM).

 

Figure 9 (Fig118)

 

10.   Click the Install this certificate link on the Certificate Issued page (figure 10).

 

Figure 10 (Fig119)

 

11.   Click Yes in the Potential Scripting Violation dialog box (figure 11) informing you a certificate will be added to your computer and that you should trust the Web enrollment site.

 

Figure 11 (Fig120)

 

12.   Close the browser after the certificate is installed and you see the Certificate installed page (figure 12).

 

Figure 12 (Fig121)

 

An IPSec certificate has been added to the machine’s certificate store. However, we won’t be able to use this certificate to create an L2TP/IPSec connection until after we add the standalone Root CA’s self-signed certificate to the Trusted Root Certification Authorities certificate list.

 

Perform the following steps to add the standalone root CA’s self-signed certificate to the Trusted Root Certification Authorities list:

 

1.       Click Start and click the Run command. Type mmc in the Open text box and click OK.

2.       In the Console1 window, click the File menu and then click the Add/Remove Snap-in command (figure 13).

 

Figure 13 (Fig122)

 

3.       In the Add/Remove Snap-in dialog box (figure 14), click the Add button.

 

Figure 14 (Fig123)

 

4.       In the Add Standalone Snap-in dialog box (figure 15), select the Certificates snap-in from the Available Standalone Snap-ins list. Click Add.

 

Figure 15 (Fig124)

 

5.       In the Certificates snap-in page (figure 16), select the Computer account option and click Next.

 

Figure 16 (Fig125)

 

6.       On the Select Computer page (figure 17), select Local computer and click Finish.

 

Figure 17 (Fig126)

 

7.       Click the Close button in the Add Standalone Snap-in dialog box, then click OK in the Add/Remove Snap-in dialog box.

8.       Expand the Certificates (Local Computer) node in the left pane of the console, then expand the Certificates (Local Computer)\Personal node. Click on the Certificates (Local Computer)\Personal\Certificates node. You should see the computer certificate in the right pane of the console (figure 18).

 

Figure 18 (Fig129)

 

9.       Double click on the certificate in the right pane of the console. Click on the Certification Path tab in the Certificate dialog box. Note the Red “X” on the <NAME> of the CA on the top of the certificate hierarchy (figure 19).

 

This indicates the CA Root certificate isn’t in this machine’s Trusted Root Certification Authorities certificate store. There are a number of ways we can import the standalone Root CA’s certificate into the VPN client’s machine Trusted Root Certification Authorities certificate store. In this example, we’ll export the standalone Root CA certificate from here and then import it into the Trusted Root Certification Authorities\Certificates node.

 

Figure 19 (Fig130)

 

10.   Click on the entry on top of the hierarchy and then click on the View Certificate button. Another Certificate dialog box opens, but this time it’s for the standalone Root CA’s certificate. Click on the Copy to File button (figure 20).

 

Figure 20 (Fig131)

 

11.   The Welcome to the Certificate Export Wizard page appears (figure 21). Click Next.

 

Figure 21 (Fig132)

 

12.   On the Export File Format page (figure 22), select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox. Click Next.

 

Figure 22 (Fig133)

 

13.   On the File to Export page (figure 23), type in a path and file name for the exported certificate. Click Next.

 

Figure 23 (Fig134)

 

14.   Click Finish in the Completing the Certificate Export Wizard page (figure 24).

 

Figure 24 (Fig135)

 

15.   Click OK in the Certificate Export Wizard dialog box (figure 25) informing you The export was successful.

 

Figure 25 (Fig136)

 

16.   Close both of the Certificate dialog boxes.

17.   Now that the stand-alone Root CA certificate has been exported and saved to disk, you can import this certificate into the Trusted Root Certification Authorities\Certificates certificate store on the local machine. Right click on the Trusted Root Certification Authorities\Certificates node in the left pane of the console, point to All Tasks and click on the Import command (figure 26).

 

Figure 26 (Fig137)

 

18.   Click Next on the Welcome to the Certificate Import Wizard page (figure 27).

 

Figure 27 (Fig138)

 

19.   On the File to Import page of the Certificate Import Wizard (figure 28), use the Browse button to locate the stand-alone CA certificate you exported earlier. Find the certificate and then click Next.

 

Figure 28 (Fig139)

 

20.   On the Certificate Store page (figure 29), select the Place all certificates in the following store option. The Certificate store text box should say Trusted Root Certification Authorities; this is entered for you automatically. Click Next.

 

Figure 29 (Fig140)

 

21.   Click Finish on the Completing the Certificate Import Wizard page (figure 30).

 

Figure 30 (Fig141)

 

22.   Click OK in the Certificate Import Wizard dialog box (figure 31) informing you The import was successful.

 

Figure 31 (Fig142)

 

 

Creating the Windows XP VPN Connectoid

 

Now that the Windows XP VPN client has a certificate, it can negotiate both L2TP/IPSec and PPTP VPN connections. The default behavior of the Windows XP VPN client is to first try L2TP/IPSec and if that doesn’t work, try to connect using PPTP.

 

Perform the following steps to create the Windows XP VPN Dial-up connectoid:

 

1.       Right click on My Network Places, either on the desktop or on the Start menu, and then click the Properties command.

2.       Double click on the New Connection Wizard icon in the Network and Dial-up Connections dialog box.

3.       If this is the first time you have configured a Dial-up connection, you will be presented with the Location Information dialog box. Enter an area code in the What area code (or city code) are you in now text box. Click OK after entering your area code.

4.       There are no dialing rules required for the VPN link. You may want to configure Phone and Modem Options later, but this is not required for the VPN connectoid. Click OK in the Phone and Modem Options dialog box.

5.       Click Next on the Welcome to the Network Connection Wizard page (figure 32).

 

Figure 32 (Fig169)

 

6.       Select the Connect to the network at my workplace option on the Network Connection Type page (figure 33). Click Next.

 

Figure 33 (Fig170)

 

7.       On the Network Connection page (figure 34), select the Virtual Private Network connection option. Click Next.

 

Figure 34 (Fig171)

 

8.       On the Connection Name page (figure 35), type in a name that will be assigned to the VPN connectoid in the Company Name text box.

 

Figure 35 (Fig173)

 

9.       On the Public Network page (figure 36), select the Do not dial the initial connection option. Dialing an initial connection is only required if a dial-up connection must be made before the VPN link can be established.

 

Figure 36 (Fig174)

 

10.   On the VPN Server Selection page (figure 37), type in the Fully Qualified Domain Name or IP address of the external interface of the ISA Server firewall/VPN server in the Host name or IP address text box. In this example we do not have a FQDN that resolves to the external IP address on the ISA Server firewall/VPN server, so we’ll enter the IP address. Click Next.

 

*       Note:
You can use a Fully Qualified Domain Name (FQDN) to connect to the ISA Server firewall/VPN server. This name must be entered into a public DNS server, and it must resolve to the primary IP address bound to the external interface of the ISA Server firewall/VPN server. The primary IP address is the IP address at the top of the list of addresses bound to the external adapter.

 

Figure 37 (Fig175)

 

11.   Click Finish on the Completing the New Connection Wizard page (figure 38).

 

Figure 38 (Fig177)

 

 

Customizing the Windows XP VPN Connectoid

 

Let’s now look at some of the common options for the connectoid:

 

1.       In the Connection dialog box, click the Properties button (figure 39).

 

Figure 39 (Fig178)

 

2.       The first tab you’ll see in the Properties of the connection is the General tab (figure 40). You can change the IP address or FQDN the VPN client connects to by changing the value in the Host name or IP address of destination text box.

 

Figure 40 (Fig179)

 

3.       Click on the Options tab (figure 41). If the VPN clients experience connection reliability problems, you may want to configure them to redial automatically when a connection is dropped. Put a checkmark in the Redial if line is dropped checkbox. Enter the number of times you want the client to redial after the dropped connection in the Redial attempts text box.

 

You may want to reduce the time between redial attempts to a smaller value, such as 5 seconds, in the Time between redial attempts drop-down list box. If you want to stay connected until you manually log off, leave the Idle time before hanging up value as never; otherwise, click the drop-down list box and select the idle time you want to pass before the connection to the VPN server is dropped.

 

Figure 41 (Fig180)

 

4.       Click on the Security tab (figure 42). The default Security options selection is set for Typical, and this works for most VPN connections. You can view what these “typical” settings are by selecting the Advanced option and clicking the Settings button; the default values in the Advanced Security Settings dialog box are those in place when you select the Typical option.

 

Figure 42 (Fig181)

 

5.       You can configure the Windows XP VPN client to use a pre-shared key instead of a certificate when making L2TP/IPSec VPN connections by clicking on the IPSec Settings button and typing the pre-shared key into the Key text box on the IPSec Settings dialog box (figure 43).

 

The same pre-shared key must be configured on both the ISA Server firewall/VPN server and the VPN client. A Windows Server 2003 based ISA Server firewall/VPN server supports pre-shared keys. Please refer to ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for information on how to configure a Windows Server 2003 based ISA Server firewall/VPN server to support pre-shared keys for L2TP/IPSec connections.

 

Figure 43 (Fig182)

 

6.       Select the Advanced option and then click the Settings button. In the Advanced Security Settings dialog box (figure 44) you can see that the Microsoft CHAP (MS-CHAP) and Microsoft CHAP Version 2 (MS-CHAPv2) user authentication protocols are selected by default. You can remove the checkmark from the Microsoft CHAP (MS-CHAP) checkbox because all Microsoft VPN clients and the ISA Server firewall/VPN server fully support MS-CHAP version 2.

 

Figure 44 (Fig183)

 

7.       Click on the Networking tab (figure 45). The default setting in the Type of VPN server I am calling drop down list box is Automatic.

 

The Automatic setting allows the VPN client to first negotiate an L2TP/IPSec VPN connection with the ISA Server firewall/VPN server. If the L2TP/IPSec negotiation fails, then the client tries to connect using PPTP. You can force the client to use either PPTP or L2TP/IPSec by selecting the appropriate protocol in the list.

 

A helpful troubleshooting tip: if you have difficulty getting a VPN client to connect using L2TP/IPSec after configuring the ISA Server firewall/VPN server to support L2TP/IPSec connections, try forcing the client to use L2TP/IPSec by selecting the Layer-2 Tunneling Protocol (L2TP) option from the list. Sometimes the VPN client “remembers” the previous VPN protocol it used with a particular VPN server and will preferentially use that protocol on subsequent connections. Selecting L2TP/IPSec explicitly overrides this, even if the client had previously connected to the ISA Server firewall/VPN server using PPTP.

 

Figure 45 (Fig184)

 

8.       Select the Internet Protocol (TCP/IP) entry in the Components checked are used by this connection list on the Networking tab and click the Properties button (figure 46).

 

In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button. Note the Use default gateway on remote network checkbox on the General tab in the Advanced TCP/IP Settings dialog box. This option is checked by default and it should remain that way. It forces the VPN client to use the VPN interface as its default gateway and prevents something known as “split tunneling”.

 

Split tunneling allows the VPN client to directly access the Internet and the private network at the same time. Split tunneling is a very high-risk configuration and should not be allowed unless you have a compelling reason to allow it. The ISA Server firewall/VPN server should mediate all Internet access when the VPN client connects to the private network.

 

*      Note:
Please refer to ISA Server 2000 VPN Deployment Kit document Forcing Firewall Policy on VPN Clients for information on how to configure the VPN client to use the ISA Server as its Web Proxy and Firewall for Internet access.

 

Figure 46 (Fig185)

 

9.       Click OK in the Advanced TCP/IP Settings dialog box and then click OK in the TCP/IP Properties dialog box.

 

The Windows XP VPN connectoid is now ready to use.
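The connectoid settings chosen above (Type of VPN, Use default gateway on remote network, redial options) are stored by Windows in the INI-style rasphone.pbk file. The following script, added here as an example and not part of this Deployment Kit document, audits such an entry against the guidance in this section. It assumes the commonly documented key names and values (Type=2 for a VPN entry; VpnStrategy 1=PPTP only, 2=PPTP first, 3=L2TP only, 4=L2TP first; IpPrioritizeRemote=1 when Use default gateway on remote network is checked); the sample entry is constructed, not taken from a real machine.

```python
"""Audit a rasphone.pbk connectoid entry against the settings recommended above.

Assumption (not from the original document): key names and values follow the
rasphone.pbk format as commonly documented; verify against your own system.
"""
import configparser

# Constructed sample entry: a connectoid left at "Automatic" with the
# "Use default gateway on remote network" box unchecked (split tunneling).
SAMPLE_PBK = """
[ISA VPN]
Type=2
PhoneNumber=192.0.2.10
VpnStrategy=2
IpPrioritizeRemote=0
RedialAttempts=3
RedialSeconds=5
IdleDisconnectSeconds=0
"""

# Assumed VpnStrategy meanings (see lead-in).
VPN_STRATEGY = {1: "PPTP only", 2: "PPTP first", 3: "L2TP only", 4: "L2TP first"}


def parse_pbk(text):
    """Parse rasphone.pbk text into {entry name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def audit_entry(entry):
    """Return a list of findings; an empty list means the entry matches the guidance."""
    findings = []
    if entry.get("Type") != "2":
        findings.append("entry is not a VPN connectoid (Type should be 2)")
    strategy = int(entry.get("VpnStrategy", "0"))
    if strategy != 3:
        label = VPN_STRATEGY.get(strategy, "unknown")
        findings.append(f"Type of VPN is '{label}'; force L2TP/IPSec (VpnStrategy=3)")
    if entry.get("IpPrioritizeRemote", "1") != "1":
        findings.append("'Use default gateway on remote network' is unchecked: split tunneling is possible")
    return findings


def audit_pbk(text):
    """Audit every entry in a rasphone.pbk file body."""
    return {name: audit_entry(entry) for name, entry in parse_pbk(text).items()}


if __name__ == "__main__":
    for name, findings in audit_pbk(SAMPLE_PBK).items():
        print(name, "->", findings or ["OK"])
```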