Configure IT Quick: Configure certificates for an L2TP/IPSec VPN

Add security to your VPN

Much has been written on the merits of using a virtual private network (VPN) connection for remote access and how Windows 2000’s Routing and Remote Access (RRAS) service has greatly simplified the process. The main benefit of a VPN is cost savings, since it allows corporations to use a persistent Internet connection rather than a bank of modems, and calls are cheaper for users because they incur only local charges to their ISP rather than long-distance costs.

Many of us have mastered the use of PPTP connections for a VPN. However, Windows 2000 (and Windows XP) natively supports the more secure form of VPN, L2TP/IPSec. Unfortunately, little has been written about how to configure L2TP/IPSec beyond saying, “It’s more complicated.” So this three-part series will provide a step-by-step tutorial on how to get Windows 2000 Professional to make an L2TP/IPSec connection to a Windows 2000 VPN server, as well as how to customize and maintain that connection. In this installment, I'll explain how to use the Windows 2000 Certification Authority service to achieve a connection. Then, my next two articles will focus on customizing and troubleshooting L2TP/IPSec connections.

Win2K VPN and RRAS basics
For the basics on using and configuring Windows RRAS with VPN connections, see "Setting up a VPN with Windows 2000."

It all starts with the certificates
The most likely reason that L2TP/IPSec connections fail is problems with certificates. In its default configuration, a valid computer certificate is required on both the client and the server. There are various ways of obtaining a computer certificate for an L2TP/IPSec connection, such as using a third-party Certification Authority like VeriSign (which should provide its own instructions on this) or using Windows 2000 Active Directory automatic certificate deployment.

However, this article will describe how to use L2TP/IPSec connections by issuing your own certificates—without Active Directory—using the Windows 2000 Certification Authority service in Stand-alone mode. This allows anyone with a Windows 2000 Server to benefit from L2TP/IPSec connections, whether they're running Active Directory, an NT 4.0 domain, or even a simple Windows workgroup.

These instructions also hold for using IPSec alone on your network, outside the VPN environment, although we won't describe the IPSec policy configuration.

Preliminary configuration steps
Make the following checks before we begin:
  • First, ensure that your Windows 2000 Professional can successfully connect to your Windows 2000 RRAS server using PPTP with TCP/IP. This will verify that the basics of RRAS are working, that associated hardware (modem, router, cable modem, etc.) is working, that the user is allowed remote access, that remote access policies aren’t preventing a successful connection, and that IP address assignment is handled correctly.
  • Second, ensure that your client’s Internet connection is not going through a network address translation (NAT) server. Microsoft’s IPSec implementation has known problems with NAT. If all your clients’ Internet connections must go through NAT (as opposed to having static IP addresses), Microsoft's L2TP/IPSec implementation is probably not for you.
  • Third, if you have a firewall between the client and server, you may need to reconfigure it to allow the L2TP/IPSec connection through. Open UDP port 500 (IKE) and IP protocol 50 (ESP); note that 50 is an IP protocol number, not a TCP or UDP port. If you suspect your firewall or another intermediary device (e.g., NAT server) may be preventing your L2TP/IPSec connections from working, my next article will help. I'll describe how to eliminate Internet devices to confirm whether these are preventing the L2TP/IPSec connections from working.

Configuring the Certification Authority service
Deploying your own certificates with an in-house Certification Authority requires careful planning. For example, you need to think about the hierarchy you'll be using (root CA, subordinate and issuing servers), the certificate lifetimes and key lengths, and how you will secure this service. (Standard advice is to take the root CA offline and physically secure it until needed.) One of the best sources of information on this is Microsoft’s white paper Windows 2000 Certificate Services.

To streamline the process for the testing purposes of this tutorial, we will use only an online root CA as the issuing certificate server. Certificates will be requested and issued through the Web browser, so IIS also needs to be running on the certification server. However, these services will be on a different server from the one running RRAS, just as they should be on a production network.

On the Windows 2000 Server, you will be installing the Certification Authority service. First, double-check to make sure that the date and time are correct on the server, because certificate validity is based on timestamps. Then, go to Add/Remove Windows Components and select Certificate Services. You’ll see a warning dialog box telling you that after installing this service, the computer cannot be renamed, join a domain, or be removed from one. Click Yes to continue and then click Next.

Now, you’ll be prompted to configure the Certification Authority service. The first window prompts for Certification Authority Type. Select Stand-alone Root CA (Figure A) and click Next.

Figure A
Specifying the Certification Authority Type


The next prompt will ask for CA Identifying Information, with some defaults already in place. The defaults are for your country/region, the validity time of the certificate (two years), and the expiration date/time. Fill in the other boxes with as much or little information as you desire, although you must supply a CA name. My example uses the CA Name of MyCompany Root (reminding me that this is root CA), as you can see in Figure B.

Figure B
Specifying the CA details


The next screen is for the Data Storage Location, which refers to the certificate database and log. Keep the defaults and click Next. You should now see a warning box that IIS is running on the computer and must be stopped to proceed. Stopping IIS will allow us to create the virtual directory we are going to use for deploying the certificates. Click OK, and the CA virtual directory will install (prompting for the Windows 2000 source files, so have the CD handy or have the files available locally or over a network connection). When the installation is complete, click the Finish button and then click Close. There’s no need to reboot.

You should now have Certification Authority listed as one of your Administrative Tools on this server. Load it up, and it should look like Figure C. Under the CA, you’ll see folders for Revoked Certificates, Issued Certificates, Pending Requests, and Failed Requests. At the moment, all of these should be empty. Keep this console open, because you will need it to manually issue the computer certificate requests.

Figure C
The newly installed Certification Authority service


Configuring the systems for your Certification Authority
For the computer certificate element to work, both client and server need to have a Certification Authority in common. Then, both need to have a computer certificate issued by that CA. If you are using one of the well-known third-party CAs (such as VeriSign), you won’t need to complete the additional step of retrieving the Certification Authority certificate. Windows 2000 ships with these, as you will see if you run Internet Explorer, choose Internet Options from the Tools menu, select the Content tab, click the Certificates button, and select the Trusted Root Certification Authorities tab.

You’ll need to complete the following steps on both the Windows 2000 RRAS Server and the Win2K Pro client machine. Again, before you begin, verify the correct date and time on these machines, as we did for the CA server. Note that in this tutorial, the client workstation and the RRAS server will need to connect to the CA server. The workstation could complete this step when it’s on the corporate network (if it’s a laptop) or after connecting through the VPN server using PPTP (if it’s a remote workstation).

Open Internet Explorer and go to http://<CA servername>/certsrv (where <CA servername> is the name or IP address of the CA server we just set up). In my example, this would be http://w2kca/certsrv. You should see the home page for Microsoft Certificate Services with the name you gave the CA displayed at the top, as shown in Figure D.

Figure D
Connecting to the Microsoft Certificate Services Web site


Instead of requesting a certificate immediately (the default option), select the top option, Retrieve The CA Certificate Or Certificate Revocation List, and click Next. The following page allows you to install the CA path directly from the server (possible because we are connecting to it over the network) or download the CA certificate into a file (an approach you should use when the CA server is not connected to the network, as would be the case with an offline CA). Click on the Install This CA Certification Path link, as shown in Figure E.

Figure E
Installing the CA certificate over the network


This will result in a warning message asking you to confirm that you want to add the certificate to your Root Store. You'll then see some information about the certificate, including the name you gave it, the fact that it was self-issued (because it is a root CA, there is no higher server to sign this certificate), and other information, such as the time validity, serial number, and unique thumbprint. Click Yes. The next screen should inform you that the CA certificate has been successfully installed.

Requesting the certificate
Once you've installed the CA Certificate, click Home or connect to the Certificate Web site again. This time, we’re ready to request a certificate (the default option), so make sure this option is selected and click Next.

The Choose Request Type screen will appear with the default being User Certificate Request For Web Browsing. Remember that IPSec uses computer certificates and not user certificates, so this default will not work for our L2TP/IPSec connection. Instead, select Advanced Request and click Next to display the Advanced Certificate Requests screen. Accept the default selection of Submit A Certificate Request To This CA Using A Form and click Next.

Now you'll be prompted to fill in the details of the certificate you require. The information you supply here is twofold. First, it allows the CA administrator (who must manually inspect each certificate request) to identify you and check that the information you are supplying is in accordance with acceptance policies. Second, it dictates the certificate’s specification in terms of its usage and security. Fill this in with care. You will need to specify an identifying name (e.g., RRAS Server), and the Intended Purpose must be either Server Authentication Certificate (e.g., for the RRAS server) or Client Authentication Certificate (e.g., for the VPN client). You must also select both Create New Key Set and Use Local Machine Store, as shown in Figure F.

Figure F
Requesting a computer certificate for IPSec


For a production environment, you might need to change some of the other options for security reasons (e.g., the key size), but these settings will suffice for our test connection. Click Submit, and the next screen will tell you that your certificate is pending—waiting on the administrator to issue it—and that you must retrieve it within 10 days. Happily, since you are the CA administrator, you don’t have to wait that long.

Issuing a certificate from the Certification Authority
In the Certification Authority console on your server, you should now have an entry under the Pending Requests folder, as shown in Figure G.

Figure G
The Pending Certificate request


If you scroll through the details pane so you can see all the column information, you’ll notice that this is where the administrator would check the identification details before issuing the certificate and, if necessary, use the supplied e-mail address to verify the requester's information. However, since we know this is our certificate request, we can quickly issue it by right-clicking on it in the details pane and selecting All Tasks | Issue. The entry will disappear from the Pending Requests folder and will appear under Issued Certificates.

Installing the certificate
Back on the server or workstation, click on Home or reconnect to the Certificate Web site again. This time, select Check On A Pending Certificate, and you will be prompted to select the certificate you requested. Because it’s the only one, it will be selected by default, so go ahead and click Next. The following screen will inform you that the certificate was issued. Click on Install This Certificate, as shown in Figure H. The final screen should tell you that your certificate has been successfully installed, and you can now close the browser.

Figure H
Installing the certificate


Ready to connect
That’s it. When you’ve completed these steps on both your client computer and RRAS server, they should have your CA root certificate installed and have computer certificates from this CA that allow them to use IPSec.
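Before trying the connection, it helps to confirm from the command line that the two stores are in the state this tutorial produces: the CA root in the machine's Trusted Root store, and a time-valid computer certificate issued by that CA, with its private key and a Server or Client Authentication purpose, in the machine's Personal store. The script below is an added example, not part of the original article; it assumes a modern PowerShell with the Cert: drive and uses the tutorial's example CA name "MyCompany Root".

```powershell
# Added example: check the certificate prerequisites for an L2TP/IPSec
# computer certificate on this machine. Run elevated on the client or RRAS server.
$CaName     = 'MyCompany Root'          # the CA name given during setup (tutorial's example)
$ServerAuth = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU OID
$ClientAuth = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU OID
$now        = Get-Date                  # the article stresses correct clocks; validity is checked against this

# 1. The CA root must be in the *machine* Trusted Root store (not just the user's),
#    and a root CA is self-issued, so Subject and Issuer match.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CaName*" -and $_.Subject -eq $_.Issuer } |
    Select-Object -First 1
if (-not $root) { Write-Warning "CA root '$CaName' is not in LocalMachine\Root"; return }
"Trusted root : $($root.Subject) (thumbprint $($root.Thumbprint))"

# 2. The computer certificate must be in the machine Personal store
#    (the 'Use Local Machine Store' option in the request form) and issued by that CA.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -eq $root.Subject }
if (-not $certs) { Write-Warning "No certificate issued by '$CaName' in LocalMachine\My"; return }

foreach ($c in $certs) {
    $oids = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $problems = @()
    if (-not $c.HasPrivateKey) {
        $problems += 'no private key (request was not made with Create New Key Set on this machine)'
    }
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        $problems += "outside validity period $($c.NotBefore) - $($c.NotAfter); check the clock"
    }
    if (-not ($oids -contains $ServerAuth -or $oids -contains $ClientAuth)) {
        $problems += 'no Server Authentication or Client Authentication purpose (user certificate?)'
    }
    $status = if ($problems) { 'NOT USABLE: ' + ($problems -join '; ') } else { 'OK for IPSec' }
    "Machine cert : $($c.Subject) expires $($c.NotAfter.ToShortDateString()) -> $status"
}
```

Run it on both the client and the RRAS server; each should report the same trusted root and at least one certificate marked OK for IPSec.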

Because Windows 2000 automatically generates IPSec policies for L2TP/IPSec connections, you should have nothing further to do but stop and restart your RRAS service and try a VPN connection from the client machine. The defaults supplied with Windows 2000 mean that an L2TP/IPSec connection will be tried before a PPTP connection. If your RAS client connects, check the Ports listed in the RRAS console. If it lists a WAN Miniport (L2TP) VPN device as Active, you have an L2TP/IPSec connection up and running.

Final word
This tutorial has explained how to achieve an L2TP/IPSec VPN connection between a Windows 2000 RAS client and Windows 2000 RRAS server using the Windows 2000 Certification Authority service.

How can an L2TP/IPSec VPN improve your remote access?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.
