Deploying L2TP-based Remote Access

Deploying L2TP-based remote access VPN connections using Windows 2000 consists of the following:

  • Deploy certificate infrastructure

  • Deploy Internet infrastructure

  • Deploy AAA infrastructure

  • Deploy VPN servers

  • Deploy intranet infrastructure

  • Deploy VPN clients


Deploying Certificate Infrastructure

For L2TP-based VPN connections, a certificate infrastructure is required to issue computer certificates needed to negotiate authentication for IPSec. Additionally, a certificate infrastructure is also needed when you are using either smart cards or user certificates and EAP-TLS for user authentication. You must install a computer certificate on all VPN clients and VPN servers. If you are using EAP-TLS for user authentication, you must install a user certificate on all VPN clients and, if the authenticating server is a RADIUS server, a computer certificate on the RADIUS server.

For information about deploying a certificate infrastructure, see Appendix E, "Deploying a Certificate Infrastructure."

Deploying computer certificates

To install a computer certificate, a CA must be present to issue certificates. Once the CA is configured, you can install a computer certificate in the following ways:

  1. By configuring the automatic allocation of computer certificates to computers in a Windows 2000 domain. This method allows a single point of configuration for the entire domain. All members of the domain automatically request the computer certificate through a group policy setting. To immediately obtain a computer certificate for the VPN or IAS server that is a member of the domain for which auto-enrollment is configured, restart the computer or type secedit /refreshpolicy machine_policy from a command prompt. To immediately obtain a computer certificate for a computer running Windows XP that is a member of the domain for which auto-enrollment is configured, restart the computer or type gpupdate /target:computer from a command prompt. To configure a Windows 2000 domain for automatic enrollment of computer certificates, see the topic titled "Configure automatic certificate allocation from an enterprise CA" in Windows 2000 Server Help.

  2. By using the Certificates snap-in to request a computer certificate. If you are using a Windows 2000 enterprise CA as an issuing CA, each computer can separately request a computer certificate from the issuing CA using the Certificates snap-in. For more information, see the topics titled "Manage certificates for a computer" and "Request a certificate" in Windows 2000 Server Help.

  3. By using the Certificates snap-in to import a computer certificate. If you have a certificate file that contains the computer certificate, you can import the computer certificate using the Certificates snap-in. For more information about importing a certificate using the Certificates snap-in, see the topic titled "Import a certificate" in Windows 2000 Server Help.

  4. By executing a CAPICOM script that requests a computer certificate. In this method, each computer that needs a computer certificate must execute a CAPICOM script that requests a computer certificate from the issuing CA. CAPICOM is a COM client, supporting Automation, that performs cryptographic functions (the CryptoAPI) using Microsoft ActiveX and COM objects. CAPICOM can be used via Visual Basic, Visual Basic Scripting Edition, and C++. For more information about CAPICOM, see CAPICOM.

Deploying smart cards

For information about deploying smart cards in Windows 2000, see the topic titled "Checklist: Deploying smart cards for logging on to Windows" in Windows 2000 Server Help.

Deploying user certificates

To install a user certificate, an issuing CA must be present to issue certificates. Once the issuing CA is configured, you can install a user certificate in the following ways:

  1. By using a Web browser to request a user certificate. The issuing CA must support Web enrollment of certificates. For example, if you are using a Windows 2000 enterprise CA as an issuing CA and the CA computer is also running Internet Information Services (IIS), you can use Web enrollment to request a user certificate. For more information about requesting a user certificate, see the topic titled "Submit a user certificate request via the Web" in Windows 2000 Server Help.

  2. By using the Certificates snap-in to request a user certificate. If you are using a Windows 2000 enterprise CA as an issuing CA, you can request a user certificate from the Certificates snap-in. For more information about requesting a user certificate using the Certificates snap-in, see the topic titled "Request a certificate" in Windows 2000 Server Help.

  3. By importing a user certificate using the Certificates snap-in. If you have a certificate file that contains a user certificate, import the user certificate from the Certificates snap-in. For more information about importing a user certificate using the Certificates snap-in, see the topic titled "Import a certificate" in Windows 2000 Server Help.

  4. By executing a CAPICOM script that requests a user certificate. In this method, each user must execute a CAPICOM script that requests a user certificate from the issuing CA.

Deploying Internet Infrastructure

Deploying the Internet infrastructure for remote access VPN connections consists of the following:

  • Place VPN servers in the perimeter network or on the Internet.

  • Install Windows 2000 Server on VPN servers and configure Internet interfaces.

  • Add address records to Internet DNS.

Placing VPN servers in the perimeter network or on the Internet

Decide where to place the VPN servers in relation to your Internet firewall. In the most common configuration, the VPN servers are placed behind the firewall on the perimeter network between your intranet and the Internet. If so, configure packet filters on the firewall to allow L2TP/IPSec traffic to and from the IP address of the VPN servers' perimeter network interfaces. For more information, see Appendix A.

Installing Windows 2000 Server on VPN servers and configuring Internet interfaces

Install Windows 2000 Server on the VPN server computer, and connect it to either the Internet or the perimeter network with one network adapter and to the intranet with another network adapter. Until you run the Routing and Remote Access Server Setup Wizard, the VPN server computer will not forward IP packets between the Internet and the intranet. For the connection to the Internet or the perimeter network, configure the TCP/IP protocol with a public IP address, a subnet mask, and a default gateway of either the firewall (if the VPN server is connected to a perimeter network) or an ISP router (if the VPN server is directly connected to the Internet). Do not configure this connection with DNS server or WINS server IP addresses.

Adding address records to Internet DNS

To ensure that the name of the VPN server (for example, vpn.microsoft.com) can be resolved to its proper IP address, either add DNS address (A) records to your DNS server (if you are providing DNS name resolution for Internet users) or have your ISP add DNS address (A) records to their DNS server(s) (if your ISP is providing DNS name resolution for Internet users). Verify that the name of the VPN server can be resolved to its public Internet IP address from a computer connected to the Internet.

Deploying AAA Infrastructure

Deploying the AAA infrastructure for remote access VPN connections consists of the following:

  • Configure Active Directory for user accounts and groups.

  • Configure the primary IAS server on a domain controller.

  • Configure the secondary IAS server on a different domain controller.

Configuring Active Directory for user accounts and groups

To configure Active Directory for user accounts and groups, do the following:

  1. Ensure that all users that are making remote access connections have a corresponding user account. This includes employees, contractors, vendors, and business partners.

  2. Set the remote access permission on user accounts to Allow access or Deny access to manage remote access by user. Or, to manage remote access by group, set the remote access permission on user accounts to Control access through Remote Access Policy.

  3. Organize remote access users into the appropriate universal and nested groups in order to take advantage of group-based remote access policies. For more information, see the topic titled "Universal, global, and domain local groups" in Windows 2000 Server Help.

Configuring the primary IAS server on a domain controller

To configure the primary IAS server on a domain controller, do the following:

  1. On the domain controller, install IAS as an optional networking component. For more information, see the topic titled "Install IAS" in Windows 2000 Server Help.

  2. Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain. For more information, see the topic titled "Enable the IAS server to read user objects in Active Directory" in Windows 2000 Server Help.

  3. If the IAS server authenticates connection attempts for user accounts in other domains, verify that these domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see the topic titled "Enable the IAS server to read user objects in Active Directory" in Windows 2000 Server Help. For more information about trust relationships, see the topic titled "Understanding domain trusts" in Windows 2000 Server Help. If the IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains.

  4. Enable file logging for accounting and authentication events. For more information, see the topic titled "Configure log file properties" in Windows 2000 Server Help.

  5. Add the VPN server(s) as RADIUS clients of the IAS server. For more information, see the topic titled "Add RADIUS clients" in Windows 2000 Server Help. For the IP address of each VPN server, use the intranet IP address assigned to the VPN server. If you are using names, use the internal name of the VPN server (this is not necessarily the same DNS name used by Internet clients). Use strong shared secrets.

  6. Create remote access policies that reflect your remote access usage scenarios. For example, to configure a remote access policy that requires L2TP-based VPN connections for members of the Employees group to use EAP-TLS authentication and 128-bit encryption, create a remote access policy with the following settings:

    Policy name: VPN connections

    Conditions:

            NAS-Port-Type matches Virtual (VPN)

            Tunnel-Type matches Layer Two Tunneling Protocol

            Windows-Groups matches Employees (example)

    Permission: Grant remote access permission

    Profile settings, Authentication tab:

            Select Extensible Authentication Protocol and the Smart Card or other Certificate EAP type. Clear all other check boxes.

    Profile settings, Encryption tab:

            Select the Strongest check box, and then clear all other check boxes.

  7. If you have created new remote access policies, either delete the default remote access policy named Allow access if dial-up permission is enabled, or move it so that it is the last policy to be evaluated. For more information, see the topics titled "Delete a remote access policy" and "Change the policy evaluation order" in Windows 2000 Server Help.
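The reason step 7 matters is that IAS applies only the first policy whose conditions match, and the account's dial-in permission (Allow or Deny) overrides the policy's own permission unless the account is set to Control access through Remote Access Policy. The following Python script is an added example, not code from this page or from Microsoft. It models that first-match evaluation with the two policies from steps 6 and 7 and shows that, while the default policy is evaluated first, a user whose account is set to Allow connects with MS-CHAPv2 and basic encryption because the EAP-TLS and Strongest profile constraints of the "VPN connections" policy are never reached. The request attributes, user names and the Contractors group are constructed for the example.

```python
# Added example: first-match model of IAS remote access policy evaluation (not Microsoft code).
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnectionRequest:
    """Attributes the VPN server (a RADIUS client) presents for one connection attempt."""
    nas_port_type: str          # e.g. "Virtual (VPN)"
    tunnel_type: str            # e.g. "Layer Two Tunneling Protocol"
    windows_groups: frozenset   # groups the user account belongs to
    account_permission: str     # dial-in permission on the account: "Allow", "Deny" or "Policy"
    auth_method: str            # negotiated authentication: "EAP-TLS", "MS-CHAPv2", ...
    encryption: str             # negotiated encryption: "Strongest", "Strong", "Basic", "None"

@dataclass
class RemoteAccessPolicy:
    name: str
    conditions: dict            # attribute name -> value it must match; {} matches every request
    permission: str             # "Grant" or "Deny"
    eap_only: bool = False      # Authentication tab: only EAP (Smart Card or other Certificate)
    strongest_only: bool = False  # Encryption tab: only Strongest

    def matches(self, req):
        for attr, wanted in self.conditions.items():
            actual = getattr(req, attr)
            if isinstance(actual, frozenset):
                if wanted not in actual:        # Windows-Groups is a membership test
                    return False
            elif actual != wanted:
                return False
        return True

    def profile_allows(self, req):
        if self.eap_only and req.auth_method != "EAP-TLS":
            return False
        if self.strongest_only and req.encryption != "Strongest":
            return False
        return True

def evaluate(policies, req):
    """Walk the policies in order; only the first whose conditions match is applied."""
    for policy in policies:
        if not policy.matches(req):
            continue
        # Allow/Deny on the user account overrides the policy's permission; only
        # "Control access through Remote Access Policy" ("Policy") defers to it.
        if req.account_permission == "Deny":
            return ("reject", f"{policy.name}: account permission is Deny")
        if req.account_permission != "Allow" and policy.permission != "Grant":
            return ("reject", f"{policy.name}: policy permission is Deny")
        if not policy.profile_allows(req):
            return ("reject", f"{policy.name}: profile constraints not met")
        return ("accept", f"{policy.name}: access granted")
    return ("reject", "no policy matched")

# The policy from step 6 and the default policy named in step 7.
VPN_POLICY = RemoteAccessPolicy(
    name="VPN connections",
    conditions={"nas_port_type": "Virtual (VPN)",
                "tunnel_type": "Layer Two Tunneling Protocol",
                "windows_groups": "Employees"},
    permission="Grant", eap_only=True, strongest_only=True)
DEFAULT_POLICY = RemoteAccessPolicy(
    name="Allow access if dial-up permission is enabled",
    conditions={},              # Day-And-Time-Restrictions covering all hours: matches everything
    permission="Deny")

# Constructed connection attempts.
WEAK_REQUEST = ConnectionRequest("Virtual (VPN)", "Layer Two Tunneling Protocol",
                                 frozenset({"Employees"}), "Allow", "MS-CHAPv2", "Basic")
STRONG_REQUEST = ConnectionRequest("Virtual (VPN)", "Layer Two Tunneling Protocol",
                                   frozenset({"Employees"}), "Policy", "EAP-TLS", "Strongest")
CONTRACTOR_REQUEST = ConnectionRequest("Virtual (VPN)", "Layer Two Tunneling Protocol",
                                       frozenset({"Contractors"}), "Allow", "MS-CHAPv2", "Basic")

def run_scenarios():
    """Decisions under the policy arrangements discussed in steps 6 and 7."""
    return {
        "default_first_weak": evaluate([DEFAULT_POLICY, VPN_POLICY], WEAK_REQUEST)[0],
        "default_last_weak": evaluate([VPN_POLICY, DEFAULT_POLICY], WEAK_REQUEST)[0],
        "default_last_strong": evaluate([VPN_POLICY, DEFAULT_POLICY], STRONG_REQUEST)[0],
        "default_last_contractor": evaluate([VPN_POLICY, DEFAULT_POLICY], CONTRACTOR_REQUEST)[0],
        "default_deleted_contractor": evaluate([VPN_POLICY], CONTRACTOR_REQUEST)[0],
    }

if __name__ == "__main__":
    for scenario, decision in run_scenarios().items():
        print(f"{scenario:28} {decision}")
```

The last two scenarios show why deleting the default policy is the stricter of the two options in step 7: with the default policy merely moved last, a connection that matches no other policy (here a Contractors member) still falls through to it and is accepted on the strength of the account's Allow setting alone.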

Configuring the secondary IAS server on a different domain controller

To configure the secondary IAS server on a different domain controller, do the following:

  1. On the other domain controller, install IAS as an optional networking component. For more information, see the topic titled "Install IAS" in Windows 2000 Server Help.

  2. Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see the topic titled "Enable the IAS server to read user objects in Active Directory" in Windows 2000 Server Help.

  3. If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see the topic titled "Enable the IAS server to read user objects in Active Directory" in Windows 2000 Server Help. For more information about trust relationships, see the topic titled "Understanding domain trusts" in Windows 2000 Server Help. If the secondary IAS server authenticates connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the secondary IAS server computer is a member, you must configure a RADIUS proxy between the two untrusted domains.

  4. Copy the configuration of the primary IAS server to the secondary IAS server. For more information, see the topic titled "Copy the IAS configuration to another server" in Windows 2000 Server Help.

Deploying VPN Servers

Deploying the VPN servers for remote access VPN connections consists of the following:

  • Configure the VPN server's connection to the intranet.

  • Run the Routing and Remote Access Server Setup Wizard.

Configuring the VPN server's connection to the intranet

For each VPN server, configure the connection to the intranet with a manual TCP/IP configuration consisting of an IP address, a subnet mask, intranet DNS servers, and intranet WINS servers. Do not configure a default gateway on the intranet connection; doing so would conflict with the default route that points to the Internet.

Running the Routing and Remote Access Server Setup Wizard

Run the Routing and Remote Access Server Setup Wizard to configure each Windows 2000 VPN server using the following steps:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

  2. Right-click your server name, and then click Configure and Enable Routing and Remote Access.

  3. In Common Configurations, click Virtual Private Network (VPN) server and then click Next. If you want to use the VPN server computer as a network address translator (NAT), Web server, or other function, see Appendix B.

  4. In Remote Client Protocols, verify that all data protocols used by your remote access VPN clients are present. Add data protocols if necessary, and then click Next.

  5. In Internet Connection, click the connection that corresponds to the interface connected to the Internet or your perimeter network, and then click Next.

  6. In IP Address Assignment, click Automatic if the VPN server should use DHCP to obtain IP addresses for remote access VPN clients. Or, click From a specified range of addresses to use one or more static ranges of addresses. If any of the static address ranges is an off-subnet address range, routes must be added to the routing infrastructure in order for the VPN clients to be reachable. When IP address assignment is complete, click Next.

  7. In Managing Multiple Remote Access Servers, if you are using RADIUS for authentication and authorization, click Yes, I want to use a RADIUS server, and then click Next.

    • In RADIUS Server Selection, configure the primary (mandatory) and secondary (optional) RADIUS servers and the shared secret, and then click Next.

  8. Click Finish.

  9. Start the Routing and Remote Access service when prompted.

By default, only 128 L2TP ports are configured on the WAN Miniport (L2TP) device. If you need more L2TP ports, configure the WAN Miniport (L2TP) device from the properties of the Ports object in the Routing and Remote Access snap-in.

By default, only the MS-CHAP and MS-CHAPv2 protocols are enabled. If you are using smart cards or user certificates for authentication, select Extensible Authentication Protocol (EAP) check box from the Authentication Methods dialog box available from the Security tab on the properties of the VPN server in the Routing and Remote Access snap-in.

Deploying Intranet Infrastructure

Deploying the intranet network infrastructure for remote access VPN connections consists of the following:

  • Configure routing on the VPN server.

  • Verify name resolution and intranet reachability from the VPN server.

  • Configure routing for off-subnet address pools.

Configuring routing on the VPN server

In order for your VPN servers to properly forward traffic to locations on the intranet, you must configure them with either static routes that summarize all the possible addresses used on the intranet or with routing protocols, so that the VPN server can participate as a dynamic router and automatically add routes for intranet subnets to its routing table.

To add static routes, see the topic titled "Add a static route" in Windows 2000 Server Help. To configure the VPN server as a RIP router, see the topic titled "Configure RIP for IP". To configure the VPN server as an OSPF router, see the topics titled "OSPF design considerations" and "Configure OSPF".

Verifying name resolution and reachability from the VPN server

From each VPN server, verify that the VPN server can resolve names and successfully communicate with intranet resources by using the Ping command, Internet Explorer, and drive and printer connections to known intranet servers.

Configuring routing for off-subnet address pools

If you configured any of the VPN servers with manual address pools and any of the pools is an off-subnet pool, you must ensure that the route(s) representing the off-subnet address pool(s) are present in your intranet routing infrastructure. One way to do this is to add static route(s) representing the off-subnet address pool(s) to the neighboring router(s) of the VPN server(s) and then use the routing protocol of your intranet to propagate the routes to other routers. When you add the static route(s), you must specify the intranet interface of the VPN server as the gateway or next hop address.

Alternately, if you are using RIP or OSPF, you can configure the VPN servers using off-subnet address pools as RIP or OSPF routers. For OSPF, you must configure the VPN server as an autonomous system boundary router (ASBR). For more information, see the topic titled "OSPF design considerations" in Windows 2000 Help.
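Two of the routing tasks in this section, summarizing the intranet into static routes (Configuring routing on the VPN server) and working out which wizard address pools are off-subnet and what routes they need (Configuring routing for off-subnet address pools), are mechanical and easy to get wrong by hand. The following Python script is an added example, not code from this page or from Microsoft. It uses the standard ipaddress module to collapse a list of intranet subnets into the fewest covering routes, and to classify each address pool relative to the VPN server's intranet interface, emitting the (network, netmask, next hop) triples to add on the neighboring router with the VPN server's intranet address as the next hop. The interface address, pools and subnets are constructed; the preference for one covering route, with a fallback to exact CIDR blocks when that route would overlap an existing intranet subnet, is this example's own design choice.

```python
# Added example: static routes for L2TP client address pools (not Microsoft code).
import ipaddress

def covering_network(first, last):
    """Smallest single CIDR block that contains every address from first to last."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(str(first))       # host route for the first address
    while last not in net:
        net = net.supernet()                      # widen one bit at a time
    return net

def summarize_intranet(subnets):
    """Fewest static routes that cover a list of intranet subnets (adjacent blocks merge)."""
    nets = (ipaddress.ip_network(s) for s in subnets)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def pool_static_routes(intranet_interface, pools, other_intranet_subnets=()):
    """Classify each wizard address pool (first, last) as on- or off-subnet relative to the
    VPN server's intranet interface and return the routes the neighboring router needs as
    (network, netmask, next hop) triples, next hop being the VPN server's intranet address."""
    iface = ipaddress.ip_interface(intranet_interface)
    avoid = [iface.network] + [ipaddress.ip_network(s) for s in other_intranet_subnets]
    report = []
    for first, last in pools:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            raise ValueError(f"pool {first}-{last}: first address is above the last")
        exact = list(ipaddress.summarize_address_range(lo, hi))
        if all(block.subnet_of(iface.network) for block in exact):
            # On-subnet: clients are reached via the VPN server's intranet interface,
            # so the intranet needs no extra route.
            report.append({"pool": f"{first}-{last}", "kind": "on-subnet", "routes": []})
            continue
        cover = covering_network(lo, hi)
        if not any(cover.overlaps(n) for n in avoid):
            routes = [cover]          # one tidy route (e.g. a whole /24) is preferable
        else:
            # The covering block would swallow an existing intranet subnet: fall back to
            # the exact blocks, keeping only the part outside the interface subnet.
            routes = []
            for block in exact:
                if block.subnet_of(iface.network):
                    continue
                if block.overlaps(iface.network):
                    routes.extend(block.address_exclude(iface.network))
                else:
                    routes.append(block)
        report.append({"pool": f"{first}-{last}", "kind": "off-subnet",
                       "routes": [(str(r.network_address), str(r.netmask), str(iface.ip))
                                  for r in routes]})
    return report

if __name__ == "__main__":
    # Constructed: intranet interface 10.0.1.5/24, one on-subnet and one off-subnet pool.
    for entry in pool_static_routes("10.0.1.5/24", [("10.0.1.100", "10.0.1.199"),
                                                     ("172.16.50.1", "172.16.50.254")]):
        print(entry)
    print(summarize_intranet(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/23", "192.168.10.0/24"]))
```

A pool of 172.16.50.1 through 172.16.50.254 behind an interface on 10.0.1.0/24 yields the single route 172.16.50.0 255.255.255.0 via 10.0.1.5, while a pool that straddles the interface subnet gets routes only for the portion outside it; the netmask form is what most routers' static route commands expect.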

Deploying VPN Clients

Deploying VPN clients for remote access VPN connections consists of the following:

  • Manually configure VPN clients.

  • Configure CM packages with CMAK.

Manually configuring VPN clients

If you have a small number of VPN clients, you can manually configure VPN connections for each VPN client. For Windows 2000 VPN clients, use the Make New Connection Wizard to create the Internet and VPN connections and link them together so that when you connect using the VPN connection, the Internet connection is already made. For Windows XP VPN clients, use the New Connection Wizard to create the Internet and VPN connections.

Configuring CM packages with CMAK

For a large number of VPN clients running different versions of Windows, you should use CMAK to create and distribute customized Connection Manager packages for your users. For more information, see the topic titled "Before you start: Understanding Connection Manager and the Administration Kit" in Windows 2000 Server Help.