L2TP over IPSec VPNs
L2TP over IPSec VPNs enable a business to transport data over the Internet, while still maintaining a high level of security to protect data. You can use this type of secure connection for small or remote office clients that need access to the corporate network. You can also use L2TP over IPSec VPNs for routers at remote sites by using the local ISP and creating a demand-dial connection into corporate headquarters.
When you are deciding where and how to design L2TP over IPSec connections, remember that the Internet access point or DMZ of the network is where the VPN server will reside. The VPN server is responsible for enforcing user access policy decisions that might be configured on the user account in the Windows 2000 domain controller, in remote access policy and dial-up user profiles on the VPN server, or in the IAS.
L2TP creates the necessary IPSec security policy to secure tunnel traffic. You do not need to assign or activate your own IPSec policy on either computer. If the computer already has an IPSec policy active, the L2TP will simply add a security rule to protect L2TP tunnel traffic to the existing policy.
L2TP Deployment Considerations
For an L2TP over IPSec connection to occur, you need to install computer certificates on the VPN client and VPN server computers. After a client requests a VPN connection, VPN access is granted through the combination of the dial-up properties on the user account and remote access policies. In Windows NT 4.0, the administrator only needed to select Grant dial-in permission to user on the dial-up properties in User Manager or User Manager for Domains to allow remote access use.
In Windows 2000, the administrator can permit or deny remote access to the corporate network using remote access policies on the VPN server and in IAS, allowing you to better define security settings. With remote access policies, a connection is accepted only if its settings match at least one of the remote access policies. If it does not match, the connection is denied.
For deployment of large remote access VPNs, you can use the Connection Manager and the Connection Manager Administration Kit to provide a custom dialer with preconfigured VPN connections to all remote access clients across your organization. These tools produce a one-click dial-up and VPN connection for users, combining what would normally be two or three steps into one.
Following are a few situations where you can use L2TP:
Persistent Connection Router-to-Router VPN A router-to-router VPN is typically used to connect remote offices when both routers are connected to the Internet through permanent WAN links such as T1, T3 Frame-Relay, and cable modems In this type of configuration, you only need to configure a single demand-dial interface at each router. Permanent connections can be initiated and left in a connected state 24 hours a day. Figure 7.2 depicts a router-to-router VPN.
Figure 7.2 Router-to-Router VPN
On-demand Router-to-Router VPN When a permanent WAN link is not possible or practical because of location or cost, you can configure an on-demand router-to-router VPN connection. This requires you to permanently connect the answering router to the Internet. The calling router connects to the Internet by using a dial-up link such as an analog phone line or ISDN. Then, you only need to configure a single demand-dial interface at the answering router.
VPN Security with IPSec
IPSec needs to be deployed on the VPN server that is located in the corporate DMZ. The design that is shown in Figure 7.3 shows the VPN server being combined with a multiprotocol remote access server. This combination is an effective way to keep the remote access part of the network together for easier manageability and security. Also, when a client dials in to the corporate network using VPN with IPSec, the client determines the type of IPSec security policy to use and the remote access server in which IPSec is installed. Then, it automatically sets up the tunnel, as defined by the client.
Figure 7.3 Routing and Remote Access Client Connection Through an L2TP/IPSec Tunnel
In this example, the VPN server has three interfaces, one is in the DMZ, the second interface is in the internal network connected to a router, and the third is a remote access interface. The interface that is the least secure is the interface in the DMZ. The DMZ is an area where, as stated earlier, the Internet egresses into the internal, private network, and needs to contain all of the servers that have a presence on the Internet.
The Windows 2000 implementation of IPSec is based on industry standards in development by the Internet Engineering Task Force IPSec working group.
Data encryption allows businesses to use the Internet as a secure, cost-effective way of getting information from a remote site or user to the corporate infrastructure. This strategy is cost effective because you use the already existing medium of the Internet. The security comes from IPSec.
On the Internet, L2TP puts the data into a tunnel, and IPSec provides security for the tunnel itself to keep the data safe, but what about the exposed interface itself?
You can protect the Internet-exposed interface on the VPN server from hackers in the following ways:
When you initially set up the VPN server, ensure that there is not a routing protocol on the interface that is in the DMZ. Instead, the interface needs to point into the private corporate network through a set of summarized static routes.
Have a routing protocol running on the interface that is on the private network.
Use Routing and Remote Access filters (not IPSec filtering) on the Internet interface to set input and output permit filters for L2TP, which uses User Datagram Protocol (UDP) port "Any" and destination port 1701. Also set routing and remote access input and output permit filters for the Internet key exchange (IKE) protocol, which uses UDP source port "Any" and destination port 500, prohibiting everything but L2TP over IPSec traffic. Then, configure packet filtering in the remote access policy profile for user groups, permitting or denying certain types of IP traffic. To make this easier for the user, these filters are configured when you use the Routing and Remote Access setup wizard. No configuration by the user is required.
For L2TP over IPSec connections, the IPSec security negotiation (IKE) uses certificate-based authentication for the computers themselves. L2TP performs user authentication by using either a domain\userid and password, or by using a smart card, certificate, or token card with the Extensible Authentication Protocol (EAP). For more information about overriding this default behavior and using preshared key authentication, see "Virtual Private Networking" in the Microsoft Windows 2000 Server Internetworking Guide.
IPSec requires that you establish the trust relationship using certificates issued to each computer. For example, a salesperson from domain.com has regular sales transactions with reskit.com. In order to expedite the process of ordering, the salesperson dials in on a weekly basis to download the product order form from the Reskit supply department.
To ensure that all of the transactions are secure from competitors of domain.com, the salesperson dials in to reskit.com through an ISP using an L2TP over IPSec VPN. Both the remote client and the VPN server need to have a certificate issued to them, and to be able to trust each other's certificate. The salesperson's computer needs to have a computer certificate installed to negotiate a trust relationship with the reskit.com VPN server. Typically, the salesperson's computer received a certificate from a Windows 2000 certificate server when the computer was joined to domain.com. The computer received a Group Policy setting containing instructions for enrolling in the domain.com certificate server, called a certificate auto-enrollment policy. The public key infrastructure (PKI) certificate policy also specified that the client can trust the certificate server that issued the VPN server a certificate, probably the reskit.com certificate server. The VPN server is configured to trust the domain.com certificate server, so it will accept certificates that the client provides.
After the IPSec security association for L2TP is made, the salesperson's remote access policy is checked. This is a property that enables remote access for the user account in the domain. You can control user access in more detail by using Internet Authentication Service (IAS), a server that communicates access policy using the Remote Access Dial-In User Service (RADIUS) protocol.
You can also use IPSec to ensure that only certain computers with the proper certificates and credentials can connect to other computers. Windows 2000 user IDs and groups specified in access control lists (ACLs) control who can access specific shares.
You can also use IPSec inside a corporate network to encrypt data from client to client, or from client to server.
For more information about IPSec, see "Internet Protocol Security" in the TCP/IP Core Networking Guide .