Secure legacy operating systems with Microsoft's L2TP/IPSec VPN client

Microsoft's new L2TP/IPSec VPN client lets you increase security in legacy operating systems without spending any money. Brien Posey explains how to install and configure the new VPN client in Windows 98, ME, and NT 4.0.

Few would dispute that Microsoft’s Windows 2000 and Windows XP operating systems are more secure than Windows 98, Windows ME, or Windows NT 4.0. Part of the reason for this greater security is that Microsoft was more focused on the subject when creating these products than it was with earlier versions of Windows. However, another reason is that some of the security technologies used in Windows 2000 and XP simply didn’t exist when Windows 98 and NT were developed.

A good example of this new security technology is the L2TP/IPSec VPN client. While older operating systems such as Windows 98 do support VPN use, they typically perform VPN access using PPTP (Point-to-Point Tunneling Protocol). PPTP is an older protocol that’s much less secure than the newer L2TP (Layer Two Tunneling Protocol). Fortunately, those who are still using legacy operating systems have an option: Microsoft has created the L2TP/IPSec client, a new VPN client that allows you to use L2TP in conjunction with IPSec in Windows 98, ME, and NT 4.0.

Operating system requirements
Although the L2TP/IPSec client is designed to support older operating systems, these legacy operating systems must still meet some minimum requirements before the new VPN client will work. The actual components that must be installed will vary depending on your operating system.

Windows NT 4.0
The first requirement for Windows NT 4.0 is that the system must be running Windows NT Workstation 4.0. The VPN client won’t work on Windows NT Server 4.0. The workstation must also have RAS (Remote Access Server) support installed. RAS must be configured to use PPTP. Prior to the VPN client installation, you must upgrade the workstation to Service Pack 6A, and it must be running Internet Explorer 5.01 or later.

Windows 98
There are different versions of Windows 98 floating around, but I’m happy to say that the new VPN client is compatible with all of them. The only real requirements for installing the new VPN client on a Windows 98 system are that the system must be running Internet Explorer 5.01 or later, and the Dial-Up Networking Version 1.4 upgrade must be installed.

Windows ME
Windows ME is a newer operating system than Windows NT 4.0 or 98, and therefore it has fewer initial requirements. To take advantage of the new secure client, Windows ME must be running the Virtual Private Networking Communications component, and Internet Explorer 5.5 or later must be installed.

Installing the L2TP/IPSec client
The first step in the installation process is to download the L2TP/IPSec client. After downloading this 3.8 MB file, you can run the executable file to begin the extraction process. The file extraction process is fairly typical. After the file extraction process completes, Windows will launch the Microsoft IPSec VPN Configuration Utility. You can also access this configuration utility later on through the Microsoft IPSec VPN menu option on the Start | Programs menu.

The Microsoft IPSec VPN Configuration utility is essentially nothing more than a dialog box that allows you to configure the new VPN client’s authentication method. By default, the client is configured to automatically select a certificate for use in IPSec authentication. While the default setting will work in most situations, there are other options.

Other certificate options
Another certificate configuration option is to use a specific certificate for IPSec authentication. To use a specific certificate, you simply select the Use A Specific Certificate For IPSec Authentication radio button, and then use the Select A Certificate button to tell the configuration utility which certificate to use. You can also use a preshared key for IPSec authentication. In environments in which a preshared key is used, you must select the radio button that corresponds to the preshared key option, and then type or paste the preshared key into the space provided.

As you can see in Figure A, the Microsoft IPSec VPN Configuration utility also contains a check box that you can use to enable IPSec logging. IPSec logging is a great method for confirming that IPSec encryption is actually working.

Figure A
The Microsoft IPSec VPN Configuration Utility lets you select the IPSec authentication method and enable or disable IPSec logging.

Configuring a new connection in Windows NT 4.0
If you’re running Windows NT Workstation 4.0, you can manually create a VPN connection by choosing the Programs | Accessories | Dial-up Networking commands from the Start menu. Verify that Dial-up Networking is configured to use the wizard for new phone book entries, and then click New.

At this point, name the new phone book entry, type a name for the new connection, and then click Next. On the next screen, clear any check boxes selected in the Server pane and click Next. Then you’ll select the communications adapter to be used. In a Windows NT environment, the new VPN client will appear on the list as RASL2TPM (VPNx). Select this entry and click Next to continue. The wizard will then ask for the connection information. Enter the IP address for the VPN host server and click Next. Click Finish to complete the configuration process.

Configuring a connection in Windows 98 and ME
Windows 98 and ME use similar procedures to establish a new VPN connection using the L2TP/IPSec. Begin by choosing the Programs | Accessories | Communications | Dial-up Networking commands from the Start menu. Next, double-click the Make A New Connection icon. When prompted, enter a name for the new connection. Next, you’ll be prompted to select a communications device. Notice that the Microsoft L2TP/IPSec VPN Adapter 1 has been added to the list of communications devices. Select this device and click Next. You’ll then be prompted to enter the DNS name or IP address of the server that’s acting as a VPN server. Finally, click the Finish button to complete the configuration process.

The client’s future
Although the new VPN client will work with any VPN server that supports IPSec and L2TP, it’s really intended to work with Windows 2000-based VPN Servers. But with Windows .NET right around the corner, you may be wondering what to expect should you attempt to attach to a Windows .NET VPN Server.

The L2TP/IPSec client is fully compatible with Windows .NET. In fact, Windows .NET includes something called NAT traversal extensions for IPSec. This allows IPSec packets to flow through a NAT-based firewall. The only real stipulation to using IPSec NAT traversal is that both the client and the server must have the necessary IPSec extensions. Fortunately, the new VPN client contains all of the necessary extensions to support NAT traversal, should you ever decide to implement it.

Editor's Picks

Free Newsletters, In your Inbox