The Cable Guy - May 2002

Microsoft L2TP/IPSec VPN Client Overview

By The Cable Guy

Microsoft L2TP/IPSec VPN Client allows users to make Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec) connections from computers running the following operating systems:

• Windows 98 (all versions) with Microsoft Internet Explorer 5.01 (or later) and the Dial-Up Networking version 1.4 upgrade (or later)
• Windows Millennium Edition with the Virtual Private Networking communications component and Microsoft Internet Explorer 5.5 (or later)
• Windows NT Workstation 4.0 with Remote Access Service (RAS), the Point-to-Point Tunneling Protocol, Service Pack 6 (or later), and Microsoft Internet Explorer 5.01 (or later)

Microsoft L2TP/IPSec VPN Client installs on computers with these configurations and supports the use of either certificates or pre-shared keys for IPSec main mode authentication.

L2TP/IPSec connections are made with a virtual private network (VPN) server running a member of the Windows 2000 Server family or any other VPN server that supports L2TP/IPSec connections.

Note Microsoft L2TP/IPSec VPN Client is not supported for computers running Windows 95 (all versions). For information about support and availability guidelines for Windows 95 (both home and business users), see the Microsoft Windows 95 Web site.

Changes to Network Configuration

For computers running Windows 98 (all versions) and Windows Millennium Edition, the installation of Microsoft L2TP/IPSec VPN Client makes the following configuration changes:

• The addition of Microsoft L2TP/IPSec VPN Adapter to the list of installed adapters, as viewed from Network in Control Panel.
• The addition of Microsoft L2TP/IPSec VPN Adapter 1 to the list of available devices for a dial-up network connection.

For computers running Windows NT Workstation 4.0, the installation of Microsoft L2TP/IPSec VPN Client makes the following configuration changes:

• The addition of RASL2TPM to the list of devices for remote access, as viewed from the Remote Access Setup dialog box.
• The addition of RASL2TPM (VPNx**)** to the list of available devices for a phonebook entry in Dial-up Networking.

Configuring Microsoft L2TP/IPSec VPN Client

To manually configure Microsoft L2TP/IPSec VPN Client, do the following:

1. Click Start, point to Programs, point to Microsoft IPSec VPN, and then click Microsoft IPSec VPN Configuration.
2. From the Microsoft IPSec VPN Configuration Utility dialog box, select the appropriate options for your L2TP/IPSec deployment.
3. Click OK.

The Microsoft IPSec VPN Configuration Utility allows you to configure the following:

• Whether to automatically select a certificate for IPSec authentication (selected by default).
• Whether to use a specific certificate for IPSec authentication. You can use an additional Microsoft IPSec VPN Certificate Selection dialog box to see all of the certificates installed on the computer, to view details for each certificate, and to select an individual certificate.
• Whether to use a pre-shared key for both IPSec authentication and the pre-shared key text.
• Whether or not to log the details of the IPSec security establishment process (enabled by default).

The following figure shows the Microsoft IPSec VPN Configuration Utility and the default configuration of Microsoft L2TP/IPSec VPN Client.

Obtaining Certificates

A computer with Microsoft L2TP/IPSec VPN Client can obtain certificates for certificate-based authentication of L2TP/IPSec VPN connections in the following ways:

• Use Internet Explorer to import a certificate file.

  Certificate files can be created and distributed individually for each user. Alternately, a single certificate file can be distributed to all users. The use of a single certificate for a group of users is known as a group certificate, which is the least secure certificate deployment, because anyone who obtains the certificate file could use it to successfully authenticate the IPSec portion of the connection. This does not mean that they can gain access to your network. A user with an unauthorized certificate must still present a valid user name and password to connect to and access your network.

  To import a certificate file in Internet Explorer, start Internet Explorer, click Tools, and then click Internet Options. In Internet Options, click the Content tab, and then click Certificates. In Certificates, click Import, and then follow the directions in the Certificate Import Wizard.

• Use Internet Explorer and Web enrollment to request a certificate from a certification authority (CA).

  If you are using a CA that supports Web enrollment for certificates, use Internet Explorer to request a certificate from the CA. For a CA running Microsoft Windows 2000 and Certificate Services, use the address https://ComputerName/certsrv where ComputerName is the name of the CA computer. You might be prompted for Windows domain credentials. Type the set of credentials for the appropriate user name for this certificate, click OK, and then follow the directions on the Web pages to request a user certificate from the CA. If you are not prompted for Windows domain credentials, then the user name recorded in the certificate is based on the credentials with which you are currently logged on (unless there is a separate connection to the CA computer through a different set of credentials).

After certificates are installed, you can view them in Internet Explorer in the Certificates dialog box (click Tools, click Internet Options, click the Content tab, and then click Certificates).

You can also view them in the Microsoft IPSec VPN Certificate Selection dialog box (from the Microsoft IPSec VPN Configuration utility, click Select Certificate). With the Microsoft IPSec VPN Configuration utility, you can configure Microsoft L2TP/IPSec VPN Client to automatically select an installed certificate (the default setting) or you can select a specific certificate in Microsoft IPSec VPN Certificate Selection.

Configuration of a New Connection

After Microsoft L2TP/IPSec VPN Client is installed and configured, a network connection in the Dial-Up Networking folder must be created. You can do this either manually or with the Connection Manager Administration Kit (CMAK) that is provided with members of the Windows Server 2003 family. For more information about CMAK, see Help and Support Center on the server running Windows Server 2003.

Manual configuration of a new connection

To manually configure a connection in the Dial-Up Networking folder for Windows 98 (all versions) and Windows Millennium Edition, complete the following procedure:

1. Click Start, point to Programs, point to Accessories, point to Communications, and then click Dial-Up Networking.
2. Double-click Make a New Connection, and then type a name for the connection.
3. In Select a device, click Microsoft L2TP/IPSec VPN Adapter 1, and then click Next.
4. In Host Name or IP Address, type the Domain Name System (DNS) name or the IP address of the VPN server to which you want to connect, and then click Next.
5. Click Finish.

To manually configure a connection in the Dial-Up Networking folder for Windows NT Workstation 4.0, perform the following procedure:

1. Click Start, point to Programs, point to Accessories, and then click Dial-Up Networking.
2. Click New.
3. Do one of the following:
   • If Dial-Up Networking is configured to use the wizard for new phone book entries:
     • Name the new phonebook entry, type a name for the connection, and then click Next.
     • Server pane, clear any check boxes that are selected, and then click Next.
     • Select the modem or adapter this entry will use, click RASL2TPM (VPNx**)**, and then click Next.
     • Phone number, type the IP address of the VPN server to which you want to connect, and then click Next.
     • Finish.
   • If Dial-Up Networking is not configured to use the wizard for new phone book entries:
     • New Phonebook Entry dialog box, on the General tab, type the name of the phonebook entry in Entry name.
     • Phone number, type the IP address of the VPN server to which you want to connect
     • Dial using, click the RASL2TPM (VPNx**)** port.
     • OK.

Troubleshooting an L2TP/IPSec connection

An L2TP/IPSec connection is most likely to fail when negotiating IPSec security associations (SAs) or the PPP connection.

Troubleshooting the IPSec SA negotiations

IPSec SA negotiations consist of:

1. Main mode negotiation

   The creation of a main mode SA by exchanging encryption key derivation information, determining the security of future main mode packets, and authenticating the IPSec peers.

2. Quick mode negotiation

   The creation of quick mode SAs by determining the security of the data sent between the IPSec peers.

The inability to establish IPSec SAs is most likely caused by the failure of the main mode SA negotiation because of:

• Misconfigured or missing computer certificates.
• Misconfigured or missing pre-shared key.

For a computer with Microsoft L2TP/IPSec VPN Client installed, Isakmp.log is a text-based log file stored in the SystemDrive\Program Files\Microsoft IPSec VPN Client folder, which contains details of the IPSec authentication and security association negotiation whenever you attempt to make an L2TP/IPSec connection.

The Isakmp.log file is created when you select the Enable IPSec logging check box in the Microsoft IPSec VPN Configuration Utility. If the Isakmp.log file already exists when you enable IPSec logging, new log entries are added to the end of the existing file. Isakmp.log is the primary tool for troubleshooting IPSec-related connection failures on the computer with Microsoft L2TP/IPSec VPN Client installed.

Troubleshooting the PPP connection negotiation

PPP connection negotiation for L2TP connections consists of the following phases:

1. Negotiation of the PPP link through the Link Control Protocol (LCP)
2. Authentication of the user attempting to connect
3. Negotiation and configuration of LAN protocols, such as TCP/IP, using PPP network control protocols (NCPs)

For a computer with Microsoft L2TP/IPSec VPN Client installed, PPP logging is the primary troubleshooting tool used to obtain information about the PPP connection negotiation. For computers running Windows 98 (all versions) and Windows Millennium Edition, you can enable PPP logging by doing the following:

1. Click Start, point to Settings, click Control Panel, and then double-click Network.
2. On the Configuration tab, click the Dial-Up Adapter component, and then click Properties.
3. Click the Advanced tab.
4. Under Property, click Record A Log File.
5. In Value, click Yes.
6. Click OK to save changes and restart the computer when prompted.

After PPP logging is enabled, PPP connection negotiation information is written to the Ppplog.txt file, which is stored in the Windir folder.

For computers running Windows NT Workstation 4.0, you can enable PPP logging by setting the registry value HKEY_LOCAL_MACHINE
SYSTEM\CurrentControlSet\Services\RasMan\PPP\Logging to 1 or 2 (REG_DWORD type). The value of 1 enables normal PPP logging. The value of 2 enables verbose logging. When PPP logging is enabled, PPP connection negotiation information is written to the Ppp.log file, which is stored in the Systemroot\System32\Ras folder.

For More Information

For more information about Microsoft L2TP/IPSec VPN Client and L2TP/IPSec support in Windows 2000, consult the following resources:

• Microsoft L2TP/IPSec VPN Client
• Microsoft VPN Web site
• Layer Two Tunneling Protocol in Windows 2000 (Cable Guy article for August 2001)

For a list of all The Cable Guy articles, click here.