Administrator's Guide to Microsoft L2TP/IPSec VPN Client

The Microsoft L2TP/IPSec VPN Client is a free Web download that allows computers running Windows 98 (all versions), Windows Millennium Edition, and Windows NT Workstation 4.0 to use Layer Two Tunneling Protocol (L2TP) connections with Internet Protocol Security (IPSec). The combination of L2TP and IPSec, known as L2TP/IPSec, is a highly secure technology for making remote access virtual private network (VPN) connections across public networks such as the Internet. Microsoft L2TP/IPSec VPN Client also provides support for IPSec Network Address Translator (NAT) traversal. This article provides an overview of L2TP/IPSec VPN connections and includes instructions about how to deploy and troubleshoot Microsoft L2TP/IPSec VPN Client.


Introduction

Both Microsoft Windows 2000 and Windows XP support the Layer Two Tunneling Protocol (L2TP) with Internet Protocol Security (IPSec) virtual private network (VPN) connection technology. The combination of L2TP and IPSec, known as L2TP/IPSec, is an alternative to the Point-to-Point Tunneling Protocol (PPTP), supported by all current Microsoft 32-bit and 64-bit operating systems with the latest updates.

L2TP/IPSec and PPTP are similar in the following ways:

  • They provide a logical transport mechanism to send PPP frames.

  • They provide tunneling or encapsulation so that PPP frames based on any protocol can be sent across an IP network.

  • They rely on the PPP connection process to perform user authentication, typically using a user name and password, and protocol configuration.

L2TP/IPSec and PPTP are different in the following ways:

  • With PPTP, data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed. With L2TP/IPSec, data encryption begins before the PPP connection process, so that the user authentication process is encrypted.

  • PPTP connections use MPPE, which uses the Rivest-Shamir-Adleman (RSA) RC-4 encryption algorithm and 40, 56, or 128-bit encryption keys. L2TP/IPSec connections use the Data Encryption Standard (DES) algorithm, which uses either a 56-bit key for DES or three 56-bit keys for Triple DES (3DES). Block ciphers encrypt data in discrete blocks (64-bit blocks, in the case of DES). Microsoft L2TP/IPSec VPN Client supports only DES encryption.

  • PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require two levels of authentication. To create the IPSec security associations (SAs) to protect the L2TP-encapsulated data, an L2TP/IPSec client must perform a computer-level authentication with a certificate or a pre-shared key. After the IPSec SAs are successfully created, the L2TP portion of the connection performs the same user-level authentication as PPTP.

Advantages of L2TP/IPSec

The following are the advantages of using L2TP/IPSec:

  • IPSec provides per-packet data origin authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (prevention from interpreting captured packets without the encryption key). By contrast, PPTP provides only per-packet data confidentiality.

  • L2TP/IPSec connections require stronger authentication by requiring two levels of authentication: a computer-level authentication using certificates or pre-shared keys for the IPSec session and a user-level authentication using a PPP authentication protocol for the L2TP tunnel.

  • PPP frames exchanged during user-level authentication are never sent in an unencrypted form because the PPP connection process for L2TP/IPSec occurs after the IPSec SAs are established. The PPP authentication exchange for some types of PPP authentication protocols, if captured as plaintext, can be used to perform offline dictionary attacks and determine user passwords. By encrypting the PPP authentication exchange, offline dictionary attacks are only possible after the encrypted packets have been successfully decrypted.

Historically, one of the problems with L2TP/IPSec is that IPSec peers cannot be placed behind a network address translator (NAT) because Internet Key Exchange (IKE), the protocol used to negotiate SAs, and IPSec-protected traffic are not NAT-translatable. However, a new set of Internet drafts describe IPSec NAT traversal, in which IKE messages and processing are modified and IPSec-protected packets are encapsulated as User Datagram Protocol (UDP) messages. This allows L2TP/IPSec connections to be created for client and server computers that support IPSec NAT traversal that are located behind one or multiple NATs.

Microsoft L2TP/IPSec VPN Client supports IPSec NAT traversal as described in the Internet drafts titled "UDP Encapsulation of IPSec Packets" (draft-ietf-ipsec-udp-encaps-02.txt) and "Negotiation of NAT-Traversal in the IKE" (draft-ietf-ipsec-nat-t-ike-02.txt). Support for IPSec NAT traversal is planned for the Windows Server 2003 family and for many third-party VPN servers. No configuration for IPSec NAT traversal is required. Microsoft L2TP/IPSec VPN Client automatically determines whether there are any NATs in the path and whether the VPN server is capable of doing IPSec NAT traversal. If both of these conditions are true, Microsoft L2TP/IPSec VPN Client automatically uses IPSec NAT traversal.

Until the release of Microsoft L2TP/IPSec VPN Client, L2TP/IPSec could only be used with Windows XP and Windows 2000 VPN clients because only those clients support the L2TP protocol and IPSec. With the release of Microsoft L2TP/IPSec VPN Client, computers running Windows 98 (all versions), Windows Millennium Edition, and Windows NT Workstation 4.0 can now create L2TP/IPSec remote access connections.

Note: Microsoft L2TP/IPSec VPN Client is not supported for computers running Windows 95 (all versions). For information about support and availability guidelines for home and business users of Windows 95, see the Microsoft Windows 95 web site.

Note: Router-to-router L2TP/IPSec connections are only possible with either a computer running a member of the Windows 2000 Server family and the Routing and Remote Access service or a third-party VPN router that supports L2TP/IPSec connections. Microsoft L2TP/IPSec VPN Client does not enable the Windows NT 4.0 Server Routing and Remote Access Service (RRAS) to make or receive L2TP/IPSec router-to-router connections.

Microsoft L2TP/IPSec VPN Client Overview

The Microsoft L2TP/IPSec VPN Client is downloadable, distributable client software available at https://download.microsoft.com/download/win98/Install/1.0/W9XNT4Me/EN-US/msl2tp.exe.

The Microsoft L2TP/IPSec VPN Client allows users to make L2TP/IPSec connections from computers running the following:

  • Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-up Networking version 1.4 Upgrade (or later).

  • Windows Millennium Edition with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later).

  • Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6, and Microsoft Internet Explorer 5.01 (or later).

Microsoft L2TP/IPSec VPN Client will install on computers with these configurations. A computer with one of these configurations is known as a Microsoft L2TP/IPSec VPN Client-compatible computer.

L2TP/IPSec connections can be made with a VPN server running a member of the Windows 2000 Server family or any other VPN server that supports L2TP/IPSec connections.

Important: Although Microsoft L2TP/IPSec VPN Client requires that Internet Explorer 5.01 or later be installed on the computer, the user does not have to make it the default browser.

Microsoft L2TP/IPSec VPN Client supports the use of either certificates or pre-shared keys for IPSec authentication.

Microsoft L2TP/IPSec VPN Client and certificates

A certificate is a digitally signed statement using public key cryptography technology that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. A certificate is issued by a certification authority (CA). Public key cryptography uses public and private key pairs to encrypt or digitally sign messages. For more information about public key cryptography and the Windows 2000 public key infrastructure (PKI), see the Windows 2000 Security Service Web site.

When certificates are used for IPSec authentication, each node on the connection validates the other node's certificate. For example, two nodes (Node A and Node B) exchange each other's certificate. Node A validates Node B's certificate and Node B validates Node A's certificate. When Node A receives Node B's certificate, it validates it by checking the following:

  • Node A must trust the issuer of Node B's certificate.

    This means that Node A must have a copy of the certificate for the issuer of Node B's certificate installed locally. For example, if CA1 issued Node A's certificate and CA2 issued Node B's certificate, then in order to validate Node B's certificate, Node A must have the certificate for CA2 installed.

    Otherwise, certificate authentication fails. Similarly, in order to validate Node A's certificate, Node B must have the certificate for CA1 installed.

    Certificate infrastructures can be configured in hierarchies with the root CA at the top and intermediate CAs at levels below the top. If the issuing CA for a certificate is an intermediate CA, then the node performing validation must trust the issuing CA, all the other intermediate CAs between the issuing CA and the root CA, and the root CA. This is known as validating a certificate chain. If any one of the certificates of the CAs in the chain from the issuing CA to the root CA is missing on the validating node, certificate authentication fails.

    In the simplest case, a single root CA issues certificates to all entities requiring authentication. For our example, certificates for both Node A and Node B are issued by CA1 (a root CA). When the certificates for Node A and Node B are installed, a copy of the certificate for CA1 is also installed. When Node A and Node B authenticate using certificates, each node trusts the issuer of the other node.

  • Each certificate in the chain must have a valid digital signature.

    Each certificate in the chain, except for the root CA certificate, was digitally signed by the issuing CA. This digital signature is verified for each certificate by obtaining the public key from the issuing CA certificate and mathematically validating the digital signature.

  • Node B's certificate must not be expired.

    When certificates are issued, they are issued with a range of valid dates, after which they are considered expired.

  • Node B's certificate must not have been revoked.

    Issued certificates can be revoked at any time. The issuing CA maintains a list of certificates that have been revoked and publishes an up-to-date certificate revocation list (CRL). Node A checks the CRL to ensure that Node B's certificate has not been revoked.

    Note that certificate revocation validation only works as well as the CRL publishing and distribution system. If the published CRL is not updated often, a certificate that has been revoked can still be used because the published CRL that the node is checking is out of date.

For L2TP/IPSec connections, the client does not check certificate revocation. If the VPN server is running a member of the Windows 2000 Server family, certificate revocation checking is not done by default. To enable certificate revocation checking, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\StrongCrlCheck registry value (REG_DWORD type) to:

  • 1 to fail the certificate validation if the CRL distribution point explicitly returns that the certificate has been revoked. This is the standard type of CRL checking. If the CRL distribution point is not available on the network or if it returns that it did not issue the certificate, the certificate is assumed to be valid.

  • 2 to fail the certificate validation on any CRL check error. This is the strongest type of certificate validation. The CRL distribution point must be reachable on the network, the publisher of the CRL must have issued the certificate, and the certificate must not be revoked.

To activate the new StrongCrlCheck setting after modifying its value, stop the Routing and Remote Access service, stop the IPSec Policy Agent, start the IPSec Policy Agent, and then start the Routing and Remote Access service.
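The registry change and service restart sequence above, as an added batch script that is not part of the original article. It assumes it is run as a local administrator on the Windows 2000 Server VPN server, that REGEDIT.EXE is available, and that the value name, key path and service names (RemoteAccess, PolicyAgent) are exactly as given above.

```batch
@echo off
setlocal
rem Added example (not from the original article): enable certificate
rem revocation checking for L2TP/IPSec on a Windows 2000 Server VPN server
rem by writing the StrongCrlCheck value and restarting the services in the
rem documented order. Run as a local Administrator on the VPN server.
rem Usage: strongcrl.cmd [1|2]   (defaults to 2, the strictest mode)

set MODE=%1
if "%MODE%"=="" set MODE=2
if "%MODE%"=="1" goto apply
if "%MODE%"=="2" goto apply
echo Usage: %~nx0 [1^|2]
echo   1 = fail only when the CRL distribution point reports the certificate revoked
echo   2 = fail on any CRL check error (unreachable CRL, wrong issuer, or revoked)
endlocal
exit /b 1

:apply
set REGFILE=%TEMP%\strongcrl.reg
set OAKLEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley

rem Build a REGEDIT5-format file. The redirection is placed before each echo
rem so that the trailing digit of the dword value is not read as a file
rem handle number (echo ...2>file would redirect stderr instead).
>"%REGFILE%" echo Windows Registry Editor Version 5.00
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%OAKLEY%]
>>"%REGFILE%" echo "StrongCrlCheck"=dword:0000000%MODE%

rem /s imports without the confirmation prompt.
regedit /s "%REGFILE%"

rem The value is only read when the IPSec Policy Agent starts, so stop
rem Routing and Remote Access first, then the Policy Agent, then start them
rem again in the reverse order, exactly as the article describes.
net stop RemoteAccess
net stop PolicyAgent
net start PolicyAgent
net start RemoteAccess

rem Show the value that is now in the registry. regedit exports the key as
rem a Unicode text file; TYPE converts it so FIND can search the pipe.
regedit /e "%TEMP%\oakley.reg" "%OAKLEY%"
type "%TEMP%\oakley.reg" | find /i "StrongCrlCheck"
endlocal
```

The final FIND line should print "StrongCrlCheck"=dword:00000002 (or 00000001) if the import and restart succeeded.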

Advantages and disadvantages of certificates

The following are advantages of using certificates for authentication:

  • You no longer have to maintain a set of passwords for entities that need to be authenticated using certificates. For L2TP/IPSec connections, the entity being authenticated using the certificate is a computer. Passwords still need to be maintained for the user authentication portion of the L2TP/IPSec connection.

  • CAs issue certificates only to trusted entities. For example, when you use the Windows 2000 Certificate Services and try to obtain a certificate through Web enrollment, you must have a valid set of Windows 2000 domain credentials.

  • Because each certificate is signed by its issuer, new certificates are difficult to create and existing certificates are difficult to duplicate (without obtaining a copy). This makes it difficult for a malicious user to impersonate a certificate holder.

The disadvantage to using certificates for authentication is that you must deploy a PKI to issue certificates to users. The Windows 2000 Server family includes a CA with the Certificate Services Windows component installed from Control Panel-Add/Remove Programs. If you want the CA computer to issue certificates through Web enrollment, you must also install Internet Information Services (IIS).

Obtaining certificates

A Microsoft L2TP/IPSec VPN Client-compatible computer can obtain certificates for certificate authentication of L2TP/IPSec VPN connections in the following ways:

  • Use Internet Explorer to import the certificate of a certificate file that you distribute to users

    You can either distribute individual certificate files to users or include a single certificate file on the CD-ROM you distribute to all your users. The use of a single certificate for a group of users is known as a group certificate. A group certificate is the least secure deployment of certificates, because anyone who obtains the CD-ROM could use the certificate to successfully authenticate the IPSec portion of the connection. This does not mean they can gain access to your network. A user with an unauthorized certificate must still present valid user credentials to connect and gain access to your network.

    To import a certificate file in Internet Explorer, run Internet Explorer and click Tools, then Internet Options. From the Internet Options dialog box, click the Content tab, and then click Certificates. In the Certificates dialog box, click Import, and then follow the directions in the Certificate Import Wizard.

  • Use Internet Explorer and Web enrollment to request a certificate from a CA.

    If you are using a CA that supports Web enrollment of certificates, use Internet Explorer to request a certificate from the CA. For a CA running Microsoft Windows 2000, Certificate Services, and IIS, use the address http://ComputerName/certsrv where ComputerName is the name of the CA computer. You might be prompted for Windows domain credentials. Type the set of credentials for the appropriate user name for this certificate, click OK, and then follow the directions on the Web pages to request a user certificate from the CA. If you are not prompted for Windows domain credentials, then the user name recorded in the certificate is based on the currently logged on credentials (unless there is a separate connection to the CA computer using a different set of credentials).

After certificates are installed, your users can view the installed user certificates from the Certificates dialog box in Internet Explorer (click Tools, then click Internet Options, then click the Content tab, and then click Certificates). Your users can view both user and computer certificates from the Microsoft IPSec VPN Certificate Selection dialog box (from the Microsoft IPSec VPN Configuration utility, click Select Certificate). With the Microsoft IPSec VPN Configuration utility, you can configure Microsoft L2TP/IPSec VPN Client to automatically select an installed certificate (the default setting) or you can select a specific certificate from the Microsoft IPSec VPN Certificate Selection dialog box. Unlike L2TP/IPSec for Windows 2000 and Windows XP, Microsoft L2TP/IPSec VPN Client uses user certificates for IPSec authentication, rather than computer certificates.

Certificates on the VPN server

The VPN server must also have the appropriate certificates installed. The certificate installed on the VPN server must be from a CA that the VPN clients trust. Additionally, the VPN server must trust the CA that issued the certificates of the VPN clients. In the most general case, the VPN server must have a valid certificate installed that was issued by a CA with a valid certificate chain from the issuing CA up to a root CA that the VPN client trusts. Additionally, each VPN client must have a valid certificate installed that was issued by a CA with a valid certificate chain from the issuing CA up to a root CA that the VPN server trusts.

If your VPN server is a computer running a member of the Windows 2000 Server family, certificates for IPSec authentication of L2TP connections can be installed using any of the following:

  • Request a certificate for the Local Computer store using the Certificates snap-in.

  • Use Web enrollment advanced options to request a certificate for the machine store.

  • Configure the Windows 2000 domain system container of which the VPN server computer is a member for automatic enrollment of Computer certificates.

In all of these cases, a certificate is installed in the Local Computer\Personal store, which can be viewed from the Certificates snap-in. For more information, see the topic titled "Machine certificates for L2TP over IPSec VPN connections" in Windows 2000 Server online Help.

Microsoft L2TP/IPSec VPN Client and pre-shared keys

A pre-shared key is a sequence of characters used to authenticate the IPSec portion of the L2TP/IPSec connection. Both the VPN client and VPN server must be configured to use the same case-sensitive string of characters in order for successful IPSec authentication.

Microsoft L2TP/IPSec VPN Client can be configured to use pre-shared key authentication with a keyboard character-based pre-shared key using the Microsoft IPSec VPN Configuration Utility.

Keep in mind that the pre-shared key is not used to encrypt the data sent over the L2TP/IPSec connection nor is it used in place of the PPP user authentication process that validates the user's user name and password. The user attempting the connection must still send a set of credentials that can be validated and authorized before the L2TP/IPSec connection is allowed.

You can also configure a server running a member of the Windows 2000 Server family and the Routing and Remote Access service to authenticate L2TP/IPSec connections to use a pre-shared key. Follow the procedure described in Microsoft Knowledge Base article "How to Configure a L2TP/IPSec Connection Using a Pre-shared Key."

Advantages and disadvantages of pre-shared keys

The advantage to pre-shared key authentication is that it does not require investment in a PKI, which is necessary for using certificates for L2TP/IPSec authentication. Pre-shared keys are easy to configure on a remote access client.

The following are disadvantages to using pre-shared key authentication:

  • A computer running Windows 2000 Server can configure only one pre-shared key for all L2TP/IPSec connections that require a pre-shared key for authentication. Therefore, all users using Microsoft L2TP/IPSec VPN Client that connect to the Windows 2000 VPN server using pre-shared key authentication must configure the same pre-shared key.

  • The pre-shared key can be either typed or pasted into the Microsoft IPSec VPN Configuration Utility. If the pre-shared key is typed, there exists the probability of configuration error by the user.

  • If the pre-shared key on a VPN server is changed, a client using a pre-shared key will be unable to connect to that server until the pre-shared key on the client is changed.

  • A pre-shared key is a sequence of characters whose secrecy depends on the method of distribution and its strength. For example, if pre-shared keys are distributed to users through email (not recommended), then anyone receiving, intercepting, or reading the email has access to the pre-shared key. A strong pre-shared key contains a random sequence of upper and lower case letters, numbers, and punctuation. A short, easy-to-guess pre-shared key is susceptible to an online dictionary attack. If the pre-shared key is compromised, an attacker can successfully authenticate the IPSec portion of the connection. However, they must still present a valid set of credentials for the PPP portion of the connection. In contrast, it is very difficult to compromise a certificate.

  • Unlike certificates, the origin, history, and valid lifetime of a pre-shared key cannot be determined.

For these reasons, the use of pre-shared keys to authenticate L2TP/IPSec connections is considered a relatively weak authentication method. If you want a long term, strong authentication method, you should use a PKI and certificates.

Considerations when choosing a pre-shared key

The pre-shared key for Microsoft L2TP/IPSec VPN Client can be any string of any combination of keyboard characters from 8 to 255 characters long. When you choose a pre-shared key, consider the fact that users may have to type the pre-shared key manually. A key that is long and complex enough to provide adequate security might be difficult for the majority of your users to type accurately. If the pre-shared key configured for Microsoft L2TP/IPSec VPN Client is not exactly the same as the pre-shared key configured on the VPN server, IPSec authentication will fail.

The Microsoft IPSec VPN Configuration Utility allows you to paste a character string for the pre-shared key. If the pre-shared key is pasted from text that you send to your users, the pre-shared key can be long and complex provided it is correctly pasted into the Microsoft IPSec VPN Configuration Utility dialog box.

Deploying Microsoft L2TP/IPSec VPN Client

Deploying Microsoft L2TP/IPSec VPN Client consists of the following steps:

  1. Create a distribution mechanism to distribute Microsoft L2TP/IPSec VPN Client and other required software to your users.

  2. Install the required operating system components, required software, and Microsoft L2TP/IPSec VPN Client on each VPN client computer.

  3. If you are using certificate authentication, install the appropriate certificates on each VPN client computer. Additionally, you must install the appropriate certificates on your VPN server. For information about obtaining and installing certificates, see the "Microsoft L2TP/IPSec VPN Client and certificates" section in this paper.

  4. If you are using pre-shared key authentication, configure Microsoft L2TP/IPSec VPN Client on each VPN client computer with the Microsoft IPSec VPN Configuration Utility to use a specific pre-shared key.

  5. Create a new connection on each VPN client computer that uses the Microsoft L2TP/IPSec VPN Adapter device.

Distributing Microsoft L2TP/IPSec VPN Client

Microsoft L2TP/IPSec VPN Client requires that other software, such as the Dial-Up Networking version 1.4 Upgrade, be installed on the user's computer.

The Microsoft L2TP/IPSec VPN Client is downloadable, distributable client software available at https://download.microsoft.com/download/win98/Install/1.0/W9XNT4Me/EN-US/msl2tp.exe.

You can direct your users to the Microsoft Web site and let them download any required software. However, instructing your users to find and download the required software can introduce the following problems:

  • Inexperienced users might download the incorrect software.

  • It might take hours for users with slow connections to the Internet to download just one software package.

  • Internet traffic or problems with data lines might interrupt a software package download.

Therefore, it is recommended that you, as the network administrator, create a distribution mechanism that simplifies the installation of Microsoft L2TP/IPSec VPN Client and its required software. You can distribute Microsoft L2TP/IPSec VPN Client to your users in the following ways:

  • Create a CD-ROM that contains the installation executable (Msl2tp.exe) and information file (Readme.txt). This method has the advantage that you can include other required software on the same CD-ROM, such as the Microsoft Dial-Up Networking version 1.4 Upgrade. You can also include special installation instructions, if desired. Your users will not have to download large files over a slow connection to the Internet.

  • Publish the installation executable (Msl2tp.exe), information file (Readme.txt), and the other required software on an internal Web site. However, your home users must be able to connect and access this internal Web site. If your home users cannot access your internal Web site, instruct them to obtain the needed software components directly from https://download.microsoft.com/download/win98/Install/1.0/W9XNT4Me/EN-US/msl2tp.exe.

Note: You cannot publish the installation executable (Msl2tp.exe), the information file (Readme.txt), or the other required software on a public Web site.

If you create a distribution CD-ROM, ensure that it contains the following:

  • Microsoft L2TP/IPSec VPN Client

  • Dial-up Networking version 1.4 Upgrade (or later)

    For computers running Windows 98 (all versions), you can download the Dial-Up Networking version 1.4 Upgrade installation package from the Microsoft Web site.

  • Internet Explorer 5.5 (or later)

    You can use the Internet Explorer Administration Kit 5.5 to create a customized version of Internet Explorer, including a compressed installation package that can then be placed on the CD. You can download Internet Explorer 6 from the Microsoft Internet Explorer Web site.

  • Windows NT 4.0 Service Pack 6

    For computers running Windows NT Workstation 4.0, you can download the service pack installation package from the Microsoft Windows NT Workstation Web site.

  • Exported certificate file (optional)

    If you are using certificates and have exported a group certificate that all members of a group need to import, include a copy of the exported certificate file.

  • Connection Manager profile (optional)

    If you have created a Connection Manager profile using the Connection Manager Administration Kit (CMAK) provided with Windows Server 2003 Beta 3, include a copy of the profile.

After the CD-ROM is created, distribute copies to your users with instructions on which components to install for the operating system running on their computers. The following table summarizes the required software that must be installed prior to installing Microsoft L2TP/IPSec VPN Client:

Operating system | Required components from the distribution CD-ROM
Windows 98 (all versions) | Microsoft Internet Explorer 5.5 (or later) and the Dial-up Networking version 1.4 Upgrade (or later)
Windows Millennium Edition with the Virtual Private Networking communications component | 
Windows NT Workstation 4.0 with the Remote Access Service (RAS) and the Point-to-Point Tunneling Protocol | Service Pack 6 and Microsoft Internet Explorer 5.5 (or later)

The Virtual Private Networking component for Windows Millennium Edition must be installed using Control Panel-Add/Remove Programs, which might require the Windows Millennium Edition product CD-ROM. The Remote Access Service (RAS) and Point-to-Point Tunneling Protocol components for Windows NT Workstation 4.0 must be installed using Control Panel-Network, which might require the Windows NT Workstation 4.0 product CD-ROM and the reapplication of Windows NT 4.0 Service Pack 6.

When Microsoft L2TP/IPSec VPN Client is installed on a computer, it creates the Program Files\Microsoft IPSec VPN folder that contains Microsoft L2TP/IPSec VPN Client program files and the help file. Your users should not remove, modify, or open any of these files, with the exception of the Isakmp.log file. For more information about the Isakmp.log file, see "Troubleshooting" in this article.

Note: Instruct your users not to run the Setup.exe program that is stored in the Program Files\Microsoft IPSec VPN\Setup folder. Doing so causes a partial uninstallation of files that leaves Microsoft L2TP/IPSec VPN Client inoperable.

The Microsoft L2TP/IPSec VPN Client setup process creates a Microsoft IPSec VPN folder in your Programs folder that is available from the Start menu. The Microsoft IPSec VPN folder contains shortcuts to the Microsoft IPSec VPN Configuration Utility and the Microsoft IPSec VPN Help file.

To uninstall Microsoft L2TP/IPSec VPN Client, instruct your users to use Control Panel-Add/Remove Programs and remove the Microsoft L2TP/IPSec VPN Client program.

Conflicting software

Microsoft L2TP/IPSec VPN Client cannot function on a computer that has any of the following types of software installed:

  • Internet Connection Sharing (for Windows 98 Second Edition and Windows Millennium Edition)

  • Third-party network address translation software

  • Third-party VPN client software

If your users install Microsoft L2TP/IPSec VPN Client before installing software that conflicts with it, your users must perform the following:

  1. Uninstall the conflicting software.

  2. Uninstall Microsoft L2TP/IPSec VPN Client.

  3. Reinstall Microsoft L2TP/IPSec VPN Client.

Upgrading the operating system

If Microsoft L2TP/IPSec VPN Client is installed and the operating system is upgraded, the new operating system might not support the proper upgrade of Microsoft L2TP/IPSec VPN Client.

  • If the user upgrades to Windows 2000 or Windows XP, instruct them to uninstall Microsoft L2TP/IPSec VPN Client using Control Panel-Add/Remove Programs. Then, instruct them how to manually create a connection using the Make New Connection Wizard found in the Network and Dial-up Connection folder (Windows 2000) or Network Connections folder (Windows XP), and acquire the appropriate computer certificate. The user certificates used by Microsoft L2TP/IPSec VPN Client will not work for Windows 2000 or Windows XP.

  • If the user upgrades from Windows 98 (all versions) to Windows Millennium Edition, instruct them to uninstall Microsoft L2TP/IPSec VPN Client using Control Panel-Add/Remove Programs. After uninstallation is complete, the user must reinstall Microsoft L2TP/IPSec VPN Client by running the installation executable (Msl2tp.exe).

Manual configuration of Microsoft L2TP/IPSec VPN Client

After your users have installed the required software and Microsoft L2TP/IPSec VPN Client, it might need to be configured. If your deployment uses certificate authentication and only a single certificate is installed, no further configuration is required.

To manually configure Microsoft L2TP/IPSec VPN Client, instruct your users to do the following:

  1. Click Start, point to Programs, point to Microsoft IPSec VPN, and click Microsoft IPSec VPN Configuration.

  2. From the Microsoft IPSec VPN Configuration Utility dialog box, select the appropriate options for your L2TP/IPSec deployment.

  3. Click OK.

The Microsoft IPSec VPN Configuration Utility allows a user to configure the following:

  • Whether to automatically select a certificate for IPSec authentication (selected by default).

  • Whether to use a specific certificate for IPSec authentication. An additional Microsoft IPSec VPN Certificate Selection dialog box allows you to see all the certificates installed on the computer, to view details of each certificate, and to select an individual certificate to use.

  • Whether to use a pre-shared key for IPSec authentication.

  • The pre-shared key text.

  • Whether or not to log the details of the IPSec negotiation process (not enabled by default).

The following figure shows the default configuration of Microsoft L2TP/IPSec VPN Client.

The default configuration of Microsoft L2TP/IPSec Client is to automatically select a certificate. Your users only need to use the Microsoft IPSec VPN Configuration Utility if they are specifying a particular certificate, configuring a pre-shared key, or changing the IPSec logging setting.

Configuration of a new connection

After Microsoft L2TP/IPSec VPN Client is installed and configured, a network connection in the Dial-Up Networking folder must be created. This can be done manually or by installing a Connection Manager profile created with the Connection Manager Administration Kit provided with Windows Server 2003 Beta 3.

Manual configuration of a new connection

To manually configure a connection in the Dial-Up Networking folder, instruct your users to perform the procedure described in the topic titled "To make a connection to the network" in the Microsoft IPSec VPN help. To access Microsoft IPSec VPN help, instruct your users to do the following:

  • Click Start, point to Programs, point to Microsoft IPSec VPN, and click Microsoft IPSec VPN Help.

Connection Manager for Windows 2000

The Connection Manager Administration Kit (CMAK) that is provided with the Windows 2000 Server family cannot be used to create a profile that is used by Microsoft L2TP/IPSec VPN Client. The CMAK and the Connection Manager profiles that it creates are not aware of Microsoft L2TP/IPSec VPN Client. Therefore, a Connection Manager profile created with the Windows 2000 Server CMAK does not know how to configure Microsoft L2TP/IPSec VPN Client to use certificate or pre-shared key authentication and to configure a connection to use the Microsoft L2TP/IPSec VPN Adapter.

Connection Manager for Windows Server 2003 Beta 3

If you are a Windows Server 2003 beta tester, the CMAK provided with the Windows Server 2003 family is aware of Microsoft L2TP/IPSec VPN Client and has the additional functionality to configure it and network connections that use the Microsoft L2TP/IPSec VPN Adapter. To more easily deploy a connection that uses Microsoft L2TP/IPSec VPN Client, use the CMAK supplied with Windows Server 2003 Beta 3.

If you are using a pre-shared key for your L2TP/IPSec connections, you can include the pre-shared key in the Connection Manager profile. To include an L2TP/IPSec pre-shared key in a Connection Manager profile, do the following in the CMAK Wizard:

  • On the VPN Entries page, edit your VPN entries. For each entry, click the Security tab, and for Common security settings, click Configure. In the Security Settings dialog box, under VPN strategy, click Use L2TP/IPSec if available and select the Use a pre-shared key when using L2TP/IPSec check box.

  • On the Pre-shared Key page, type your pre-shared key. You can also lock the profile with a personal identification number (PIN), which your users will need to type to install the profile. This makes it less likely that an unauthorized user will gain access to the pre-shared key.

During the installation of the Connection Manager profile, Microsoft L2TP/IPSec VPN Client is automatically configured to use pre-shared key authentication and the pre-shared key contained within the profile. Users will not have to use the Microsoft L2TP/IPSec Configuration Utility to configure Microsoft L2TP/IPSec VPN Client. After the profile is installed, the pre-shared key appears in the Microsoft L2TP/IPSec Configuration Utility as a series of "*" characters.

For certificate-based authentication, you cannot include a certificate with a Connection Manager profile. Each user will have to obtain a certificate.

The resulting Connection Manager profile should be distributed along with Microsoft L2TP/IPSec VPN Client and other required software.

For more information about Connection Manager and CMAK, see Windows Server 2003 online Help.

Troubleshooting

This section contains information about troubleshooting tools and common problems.

Troubleshooting tools

The following tools can be used to troubleshoot L2TP/IPSec connections:

  • Isakmp.log

  • PPP log

  • Connection Manager log files (if you are using CMAK from Windows Server 2003 Beta 3 to create Connection Manager profiles)

  • Routing and Remote Access Service tools (if your VPN server is a computer running a member of the Windows 2000 Server family)

Isakmp.log

Isakmp.log is a text-based log file stored in the Program Files\Microsoft IPSec VPN Client folder that contains details of the IPSec authentication and security association negotiation when you attempt an L2TP/IPSec connection. Isakmp.log is the primary tool for troubleshooting IPSec-related connection failures.

The Isakmp.log file is created when you select the Enable IPSec logging check box in the Microsoft IPSec VPN Configuration Utility. If the Isakmp.log file exists when you enable IPSec logging, new log entries are added to the end of the existing file. If you leave IPSec logging enabled over a long period of time, the logging file will continue to grow. When the file size is larger than 64 kilobytes (KB), users on computers running Windows 98 (all versions) and Windows Millennium Edition will not be able to open the file using Notepad, the default program for files with a .log extension. In this case, use WordPad or your word processing program to open the file.

The following is an example of the contents of the Isakmp.log file showing a successful IPSec negotiation using a certificate for authentication:

10:26:40.340 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 1 (IP ADDR=10.0.0.2)
10:26:40.340 Microsoft IPsec VPN\L2TP/IPsec - Generic entry match with remote address 10.0.0.2.
10:26:40.340 Microsoft IPsec VPN\L2TP/IPsec - SENDING
>>> ISAKMP OAK MM (SA)
10:26:40.500 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED
<<< ISAKMP OAK MM (SA, VID)
10:26:40.500 Microsoft IPsec VPN\L2TP/IPsec - SENDING
>>> ISAKMP OAK MM (KE, NON, VID, VID, VID, VID)
10:26:40.500 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED
<<< ISAKMP OAK MM (KE, NON, CERT_REQ)
10:26:40.560 Microsoft IPsec VPN\L2TP/IPsec - Using configured machine certificate
"administrator@example.microsoft.com's Microsoft Corporation. WCOAST ID".
10:26:40.610 Microsoft IPsec VPN\L2TP/IPsec - SENDING
>>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
10:26:40.670 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED
<<< ISAKMP OAK MM *(ID, CERT, SIG)
10:26:40.720 Microsoft IPsec VPN\L2TP/IPsec - Established IKE SA
10:26:40.720    MY COOKIE 81 7 bb cc 2d 9f b2 64
10:26:40.720    HIS COOKIE d5 90 cf af f4 2 a8 96
10:26:40.720 Microsoft IPsec VPN\L2TP/IPsec - Initiating IKE Phase 2 with Client IDs (message id: CD75047E)
10:26:40.720   Initiator = IP ADDR=10.0.0.3, prot = 17 port = 1701
10:26:40.720   Responder = IP ADDR=10.0.0.2, prot = 17 port = 1701
10:26:40.720 Microsoft IPsec VPN\L2TP/IPsec - SENDING
>>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
10:26:40.720 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED
<<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
10:26:40.720 Microsoft IPsec VPN\L2TP/IPsec - SENDING
>>> ISAKMP OAK QM *(HASH)
10:26:40.720 Microsoft IPsec VPN\L2TP/IPsec - RECEIVED
<<< ISAKMP OAK QM *(HASH, NOTIFY:NOTIFY_CONNECTED)
10:26:40.720 Microsoft IPsec VPN\L2TP/IPsec - Loading IPSec SA
(Message ID = CD75047E OUTBOUND SPI = D9628260 INBOUND SPI = EC55D75)

The Isakmp.log file is time-stamped, but not date-stamped. To obtain an Isakmp.log file that contains only the entries recorded for a specific connection failure, disable ISAKMP logging, either delete or rename the existing Isakmp.log file, enable ISAKMP logging, and attempt the connection again.

If the computer starts and the size of the Isakmp.log file is larger than 100 KB, the file is automatically cleared.

PPP log

PPP logging is the primary troubleshooting tool used to obtain information about the PPP connection negotiation. For computers running Windows 98 (all versions) and Windows Millennium Edition, instruct your users to enable PPP logging by doing the following:

  1. Click Start, point to Settings, click Control Panel, and then double-click Network.

  2. On the Configuration tab, click the Dial-Up Adapter component, and then click Properties.

  3. Click the Advanced tab.

  4. Under Property, click Record A Log File.

  5. In Value, click Yes.

  6. Click OK to save changes and restart the computer when prompted.

After PPP logging is enabled, PPP connection negotiation information is written to the Ppplog.txt file, which is stored in the Windir folder.

For computers running Windows NT Workstation 4.0, instruct your users to enable PPP logging by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\Logging to 1 or 2 (REG_DWORD type) and restart the computer. The value of 1 enables normal PPP logging. The value of 2 enables verbose logging. When PPP logging is enabled, PPP connection negotiation information is written to the Ppp.log file, which is stored in the Systemroot\System32\Ras folder.

Connection Manager log files

Connection Manager profiles created with CMAK provided with Windows Server 2003 Beta 3 have a new logging feature that records details of the connection process for a Connection Manager connection in a log file. This file can be useful for troubleshooting all types of connection issues. To obtain a Connection Manager log, instruct your users to do the following:

  1. Open the Connection Manager profile that is used to connect to the network.

  2. Click Properties, and then click the Options tab.

  3. Select Enable Logging, and then click OK.

  4. Attempt the connection again.

  5. Open the Connection Manager profile that is used to connect to the network.

  6. Click Properties, and then click the Options tab.

  7. Click View Log.

  8. To send the contents of the log file to support staff for analysis, either save the log file to a disk or copy the contents to an email message. Alternately, print or fax the log file.

The default setting for Connection Manager logging is on. To obtain a new log file that contains the details for a specific failed connection attempt, clear the Connection Manager log by clicking Clear Log, and then try the connection again.

When you turn on the Connection Manager log and Microsoft L2TP/IPSec VPN Client is installed, the Isakmp.log file is also enabled; however, you cannot view it from the Connection Manager client. The Isakmp.log file is cleared when you clear the Connection Manager log.

Routing and Remote Access Service tools

To troubleshoot the cause of IPSec negotiation failure for the Windows 2000 Routing and Remote Access service, use the following tools:

  1. Audit logging

    Audit logging is the logging of events that correspond to SA negotiation successes or failures in the Security log, which can be viewed with the Event Viewer snap-in. To enable audit logging, enable success and failure auditing for the Audit logon events audit policy for your domain system container or local computer group policy (available from Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy).

  2. Oakley logging

    Oakley logging is the logging of details about the main mode and quick mode SA negotiation process to the file SystemRoot\Debug\Oakley.log. To enable Oakley logging, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1 (REG_DWORD type). To activate the new EnableLogging setting after modifying its value, stop the Routing and Remote Access service, stop the IPSec Policy Agent, start the IPSec Policy Agent, and then start the Routing and Remote Access service.

For additional information about troubleshooting tools for the Routing and Remote Access service, see the topic titled "Troubleshooting tools" in the Windows 2000 Routing and Remote Access online Help.

Common problems

The following are common problems with Microsoft L2TP/IPSec VPN Client:

  • Connection attempt fails and an error message is displayed that indicates modem failure or another critical failure.

    The problem is that IPSec authentication has failed and the user's operating system does not have an appropriate error message to display. The IPSec portion of the L2TP/IPSec connection can fail for many reasons. The VPN server name or address might be incorrect, intermittent network problems might cause IPSec negotiation packets to be dropped, or authentication might fail due to an incorrect certificate or pre-shared key.

    For certificate authentication, verify that both the VPN server and VPN client are using the correct certificates and have the appropriate certificates installed to validate each other's certificates. The VPN server must have a valid certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA up to a root CA that the VPN client trusts. The VPN client must have a valid certificate installed that was issued by a CA that follows a valid certificate chain from the issuing CA up to a root CA that the VPN server trusts.

    If the VPN server is a computer running a member of the Windows 2000 Server family, use the Certificates snap-in to view the certificates in the Local Computer\Personal store. Verify the issuing CA and validity dates. Verify that the appropriate root and intermediate CA certificates are also installed and are valid.

    On the VPN client, verify that the appropriate user and computer certificates, and their appropriate root and intermediate CA certificates are also installed and are valid from the Internet Explorer Certificates dialog box (click Tools, then click Internet Options, then click the Content tab, and then click Certificates).

    For pre-shared key authentication, retype or paste the correct pre-shared key with the Microsoft IPSec VPN Configuration Utility.

  • Log file is too large to open with the default text program.

    Instruct the user to open the file with a program that can open files larger than 64 kilobytes, such as WordPad. This is only a problem on computers running Windows 98 (all versions) and Windows Millennium Edition.

  • User reports that Microsoft L2TP/IPSec VPN Client no longer works and cannot be uninstalled.

    The user executed the Setup.exe program from the Program Files\Microsoft IPSec VPN folder.

  • Windows NT Workstation 4.0 connection does not work.

    If you typed a DNS name for the VPN server in the phonebook entry for the L2TP/IPSec connection, replace it with the appropriate IP address. Windows NT Workstation 4.0 does not support the resolution of the DNS name to an IP address for VPN connections.

  • Microsoft L2TP/IPSec VPN Client no longer works after user upgraded the operating system.

    If the user upgraded to an operating system that does not support Microsoft L2TP/IPSec VPN Client, instruct them how to manually create an L2TP/IPSec VPN connection on the new operating system.

    If the user did not uninstall Microsoft L2TP/IPSec VPN Client before upgrading an operating system that does support Microsoft L2TP/IPSec VPN Client, instruct the user to uninstall Microsoft L2TP/IPSec VPN Client using Control Panel-Add/Remove Programs. After uninstallation is complete, the user must reinstall Microsoft L2TP/IPSec VPN Client.

A general troubleshooting methodology for failed connection attempts is to first determine whether the failure was based on the IPSec authentication or the PPP-based L2TP authentication. Enable both the Isakmp.log and the PPP log and try the connection again. If there is no new information in the PPP log, then the IPSec authentication might have failed. Look at the contents of the Isakmp.log file to determine the problem.
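The following is an added example, not part of the original guide or of Microsoft L2TP/IPSec VPN Client, that applies this methodology to the Isakmp.log format shown earlier: it reads the log text, records the furthest IKE stage reached (main mode started, IKE SA established, quick mode started, IPSec SA loaded) and maps that onto the failure classes described under Common problems. The stage markers are taken from the sample log; the sample input below is constructed.

```python
import re

# Stages of one L2TP/IPSec attempt in the order a successful negotiation
# reaches them, keyed by the marker text used in Isakmp.log lines.
STAGES = [
    ("Initiating IKE Phase 1", "ike_phase1_started"),
    ("Established IKE SA", "ike_sa_established"),
    ("Initiating IKE Phase 2", "ike_phase2_started"),
    ("Loading IPSec SA", "ipsec_sa_loaded"),
]

def analyze_isakmp_log(text):
    """Summarise how far the IKE negotiation got: furthest stage reached,
    peer address, message counts and the last payload list exchanged."""
    r = {"stage": None, "peer": None, "sent": 0, "received": 0,
         "last_exchange": None}
    reached = -1
    for line in text.splitlines():
        for i, (marker, name) in enumerate(STAGES):
            if marker in line and i > reached:
                reached, r["stage"] = i, name
        m = re.search(r"Phase 1 \(IP ADDR=([\d.]+)\)", line)
        if m:
            r["peer"] = m.group(1)
        if line.startswith(">>> "):          # packet sent to the VPN server
            r["sent"] += 1
            r["last_exchange"] = line[4:]
        elif line.startswith("<<< "):        # packet received from the server
            r["received"] += 1
            r["last_exchange"] = line[4:]
    return r

def diagnose(text):
    """Map the summary onto the failure classes the guide describes."""
    r = analyze_isakmp_log(text)
    s = r["stage"]
    if s is None:
        return "no IKE activity: check that IPSec logging is enabled"
    if s == "ike_phase1_started" and r["received"] == 0:
        return "no reply from %s: wrong server address or dropped packets" % r["peer"]
    if s == "ike_phase1_started":
        return "main mode failed after %s: check certificate chain or pre-shared key" % r["last_exchange"]
    if s == "ike_phase2_started":
        return "IKE SA established but quick mode failed after %s" % r["last_exchange"]
    return "IPSec SA loaded: IPSec succeeded, examine the PPP log next"

# Constructed sample: main mode proposal is retransmitted and never answered.
SAMPLE_NO_REPLY = """\
10:31:02.100 Microsoft IPsec VPN\\L2TP/IPsec - Initiating IKE Phase 1 (IP ADDR=10.0.0.9)
10:31:02.100 Microsoft IPsec VPN\\L2TP/IPsec - SENDING
>>> ISAKMP OAK MM (SA)
10:31:07.100 Microsoft IPsec VPN\\L2TP/IPsec - SENDING
>>> ISAKMP OAK MM (SA)
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_NO_REPLY))
```

Run it against a freshly cleared Isakmp.log after a failed attempt; a result other than "IPSec SA loaded" points at the IPSec side, otherwise continue with the PPP log.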

Summary

Microsoft L2TP/IPSec VPN Client is best deployed by distributing a CD-ROM containing Microsoft L2TP/IPSec VPN Client, operating system update and enhancement packages, and, optionally, certificates and Connection Manager profiles. After all the components are installed, each user might have to manually configure Microsoft L2TP/IPSec VPN Client or a new L2TP/IPSec-based VPN connection. To troubleshoot L2TP/IPSec connections with Microsoft L2TP/IPSec VPN Client, use the ISAKMP log, the PPP log, Connection Manager logging, or the troubleshooting tools of the Routing and Remote Access service.

See the following resources for further information:

For the latest information about Windows 2000 Server, see the Windows 2000 Server Web site.