Welcome to ISAserver.org
Creating VPN environment with L2TP protocol, Win2003
Creating VPN environment with L2TP protocol, Win2003 - 29.Sep.2008 11:58:32 AM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
Hello.

For a long time, I've been trying to make the VPN connection work in a 2003 domain (Windows). Connection using PPTP works, but often GRE is forbidden from the user's network, and I had to move to using the L2TP protocol.

I tried different scenarios with IAS, CA, and Remote and Routing Access. There was auto certificate enrollment, a special VPN auto-enroll certificate. None of this works. Usually I get a connection error because of a security error. 789 and 792 errors are very common.

So, I think I need to start all over again, with the basics:

1. Do I even need the Certification Authority, or can I just use a pre-shared password for VPN? The idea is that domain users could connect using their login name and password, the same authorization information they use to log in locally on their computers.

2. Are there any complete and simple step-by-step instructions to launch the VPN service? I've seen a lot of different instructions and I'm confused now.

This is a test/study environment. At least, I want users to be able to connect using L2TP inside the LAN, so there is a direct connection to the servers, without any firewall and NAT. I don't have a lot of machines, just 2: a DC running IAS and a RAS server running now only the Remote And Routing Service. What do I need to do?
Post #: 1
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Sep.2008 1:58:37 PM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Are the users on the LAN or are they "outside"?

PPTP = Can be used for Site-to-Site VPN or Remote Access VPN.  Already encapsulated/encrypted but not to the level that L2TP is

L2TP = Can be used for Site-to-Site VPN or Remote Access VPN. Can either use a Certificate or can use a Pre-shared Key.  This has nothing to do with user authentication,...it is only to establish the point to point link.

IPsec = Meant for Site-to-Site VPNs only when one of the VPN Devices is not ISA Server



_____________________________

Phillip Windell

(in reply to yannara)
Post #: 2
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Sep.2008 2:12:23 PM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
quote:

ORIGINAL: pwindell
Are the users on the LAN or are they "outside"?


Inside the LAN for a start; the first step would be to make the L2TP connection work. Then I will create firewall rules.

quote:

ORIGINAL: pwindell
L2TP = Can be used for Site-to-Site VPN or Remote Access VPN. Can either use a Certificate or can use a Pre-shared Key.  This has nothing to do with user authentication,...it is only to establish the point to point link.


Great, where exactly can I define the pre-shared key on the server side?

(in reply to pwindell)
Post #: 3
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Sep.2008 2:31:33 PM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

Inside the LAN for a start; the first step would be to make the L2TP connection work. Then I will create firewall rules.


This is not something that can be "for a start".  This is two entirely different and unrelated things when comparing internal users -vs- external users.

Users on the LAN operating as Firewall Clients or Web Proxy Clients can never establish their own outbound VPN connection.  Web Proxy Clients follow the CERN Compliant Web Proxy Standard and only work with HTTP, HTTPS, read-only FTP, and Gopher.  The Firewall Clients follow the Winsock Proxy technology and only work with TCP & UDP  (not ICMP, GRE, etc)

Only SecureNAT Clients can establish outbound VPN connections.

quote:

Great, where exactly I can define the pre-shared key for a server-site?


That is easy and is right in the Site-to-Site VPN Connection Wizard's steps along the way. The real question is the whole environmental situation around which you build the Site-to-Site VPN to start with.  It all has to be thought out and planned out.

_____________________________

Phillip Windell

(in reply to yannara)
Post #: 4
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Sep.2008 4:01:01 PM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
quote:

ORIGINAL: pwindell
This is not something that can be "for a start".  This is two entirely different and unrelated things when comparing internal users -vs- external users.

Users on the LAN operating as Firewall Clients or Web Proxy Clients can never establish their own outbound VPN connection.  Web Proxy Clients follow the CERN Compliant Web Proxy Standard and only work with HTTP, HTTPS, read-only FTP, and Gopher.  The Firewall Clients follow the Winsock Proxy technology and only work with TCP & UDP  (not ICMP, GRE, etc)

Only SecureNAT Clients can establish outbound VPN connections.


I might be wrong... but why outbound VPN? And why proxy? See, when I test the VPN connection inside the LAN, I change the client-side configuration. In the LAN, the client connects directly using the local IP. From outside, it uses the external IP address of my network, and there routing is important.

(in reply to pwindell)
Post #: 5
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Sep.2008 4:05:05 PM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
We are just going in circles.
I still do not know exactly what it is you are trying to do.  I need the specifics,..the "facts & figures".  Tossing theory around isn't going to get us anywhere.


_____________________________

Phillip Windell

(in reply to yannara)
Post #: 6
RE: Creating VPN environment with L2TP protocol, Win2003 - 30.Sep.2008 12:53:51 AM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
Thank you for trying to help this dumb head.

I have an ADSL modem, routed. All machines are behind NAT; the IP pool is 10.0.0.x. The DC and RAS are also behind the same network. The VPN connection using PPTP works fine inside and outside the LAN; I just change the address of the VPN server in the connection profile if I move the client's place. You get this, right?

Now, when I want to connect to my network with VPN, I want to use L2TP instead of PPTP, because in some guest networks GRE packets aren't allowed, and this makes PPTP useless.

Earlier I managed to create an L2TP connection internally, on one client machine, because certificate autoenrollment suddenly worked. But other machines couldn't get the proper certificate, I guess. After this, I changed my configuration entirely. Now I have a DC running IAS (the original version which comes with Win2003), and a RAS server running only the Remote and Routing Access tool.

The perfect figure would be that L2TP would work without a CA, and as I understand your text, this is possible?

And additionally, I've also seen in some other environments that clients are connecting to VPN with the Cisco VPN Client, entering the domain login name and password. Is this possible without any Cisco router?

< Message edited by yannara -- 30.Sep.2008 12:59:03 AM >

(in reply to pwindell)
Post #: 7
RE: Creating VPN environment with L2TP protocol, Win2003 - 30.Sep.2008 9:10:23 AM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

The perfect figure would be that L2TP would work without a CA, and as I understand your text, this is possible?


Yes. You use a pre-shared key,...basically it is just a "password" in a practical sense.  You configure that when you configure the dialup connection.

quote:

And additionally, I've also seen in some other environments that clients are connecting to VPN with the Cisco VPN Client, entering the domain login name and password. Is this possible without any Cisco router?


No. You aren't running a Cisco VPN.


_____________________________

Phillip Windell

(in reply to yannara)
Post #: 8
RE: Creating VPN environment with L2TP protocol, Win2003 - 30.Sep.2008 10:33:25 AM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
I believe, now I'm on the right track, right?

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/intwork/inbe_vpn_qaax.mspx?mfr=true

(in reply to pwindell)
Post #: 9
RE: Creating VPN environment with L2TP protocol, Win2003 - 30.Sep.2008 11:36:15 AM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Yea, I think that looks alright.

_____________________________

Phillip Windell

(in reply to yannara)
Post #: 10
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Jan.2009 5:59:04 AM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
Hello again. Now I came back to this same issue; I still haven't resolved this. My target is to make a VPN connection based on the L2TP protocol work to the VPN server in the Windows 2003 domain network. I get error message 789 - security negotiation failed or timed out.

I've been studying these instructions http://support.microsoft.com/kb/240262/ but I don't understand which one should be the destination and which one is the source server? The same server can't be destination and source (instructions 12 and 13).

What I've done for now is to configure Remote and Routing Access for LAN & Dial; the DHCP scope for VPN users is defined. In the Remote Access Policy a separate VPN group is defined, whose users would be able to connect through VPN.

Now I need to set up the IPSec policy. I've already defined the pre-shared key, but it seems not to be enough.

The problem is that I have only one server at the time; it runs all services. In the future I'm planning to virtualize my whole environment and create a connection server, but not now.

PPTP connections work fine, but they are limited in corporate networks because of GRE packet restrictions.

(in reply to pwindell)
Post #: 11
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Jan.2009 10:45:20 AM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You'll have to see if someone else can help with the L2TP.  I only use PPTP and have no desire to do otherwise.  It looks like with L2TP the ISA requires a Certificate and doesn't allow a Pre-shared,...but then maybe it does,..heck I have no idea.  I don't even know where you go to deal with the Cert or the Key

_____________________________

Phillip Windell

(in reply to yannara)
Post #: 12
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Jan.2009 10:51:47 AM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Ok, it will use a pre-shared key.

The VPN section of the ISA MMC--->Tasks Tab in the far right window--->"Select Authentication Methods"--->Authentication Tab--->look all the way at the bottom.

Just use the built in Help that is already in the ISA MMC,...that's how I found it.  Stay away from reading material that is not written in the ISA context.



_____________________________

Phillip Windell

(in reply to pwindell)
Post #: 13
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Jan.2009 2:49:30 PM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
quote:

ISA MMC

Do you mean some page on this site, or...? I don't have ISA installed on my server. Could you paste me a link? Thanks.

(in reply to pwindell)
Post #: 14
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Jan.2009 3:25:00 PM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
ISA MMC = "ISA Microsoft Management Console"?
You can't do anything without ISA installed.

Everything is done from within the ISA MMC,...nothing is done outside of it concerning this.

So you have to have ISA installed.

If you have a fairly strong workstation,..load VirtualPC onto the workstation, then create two virtual machines in it. One with Server 2003 as a DC and one "2-nic" Server 2003 and load ISA on it.  You can experiment with these to at least get familiar with the ISA MMC and how things are done in ISA.

I don't want to get bogged down trying to teach someone how to use VirtualPC,..you just need to download a copy of it and get used to using it. It is an invaluable tool for experimenting in Labs.    If you are familiar with, and have, VMware then use it, but I don't know anything about VMware other than how to spell it.

_____________________________

Phillip Windell

(in reply to yannara)
Post #: 15
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Jan.2009 4:26:53 PM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
quote:

ORIGINAL: pwindell

So you have to have ISA installed.


Thank you for the support! I promise I will get to know ISA. Is it free for Windows 2003 users? So has this situation I've tried to get working all this time been impossible with these tools?

(in reply to pwindell)
Post #: 16
RE: Creating VPN environment with L2TP protocol, Win2003 - 29.Jan.2009 5:58:40 PM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
VirtualPC and VirtualServer are both free.

VirtualPC gives the best "user experience" but I don't think it runs on the Server OS.  It is the most efficient on XP rather than Vista,...the less memory & CPU the OS eats up the more is available for the VMs in VirtualPC.

ISA obviously is not free.  If you do not already own it, you might still be able to download a "trial" ISA2006 or maybe a ".vhd" Demo copy.




_____________________________

Phillip Windell

(in reply to yannara)
Post #: 17
RE: Creating VPN environment with L2TP protocol, Win2003 - 30.Jan.2009 12:06:35 AM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
I have experience with VMware, and I'm planning to virtualize the whole AD environment, to create multiple servers and divide the services among different hosts, but that is another story.

The price of ISA is a problem, because this is only a home & test environment. Maybe I still should set up the enterprise CA, when I will run many servers...

(in reply to pwindell)
Post #: 18
RE: Creating VPN environment with L2TP protocol, Win2003 - 30.Jan.2009 9:22:22 AM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Get an MSDN Subscription,...you'll get access to "real" versions of all MS's products for use in testing & labs. You just can't use them in production.  It is probably about the cost of one copy of ISA except that you get all of their products with it.

A VM of a Domain is fine in a Lab.  In production at least one DC needs to be a physical machine,..or maybe a compromise on that would be to run it as a VM on a different parent host.


_____________________________

Phillip Windell

(in reply to yannara)
Post #: 19
RE: Creating VPN environment with L2TP protocol, Win2003 - 30.Jan.2009 10:19:24 AM
yannara

 

Posts: 12
Joined: 29.Sep.2008
Status: offline
I got a hint from one MCSE guy that an L2TP connection with a pre-shared key is possible to create with RRAS alone:

http://technet.microsoft.com/fi-fi/library/cc780187(en-us).aspx

The Windows Server 2003 Routing and Remote Access service supports the configuration of a preshared key for IPSec authentication of L2TP/IPSec connections.

So, let's study the material again.

(in reply to pwindell)
Post #: 20
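The TechNet page quoted above covers the server side (the "Allow custom IPSec policy for L2TP connection" pre-shared key in the RRAS server properties). The client side of that same setup, as an added example that is not from the thread or from Microsoft's documentation, looks like this in PowerShell. It assumes a current Windows client (Windows 8.1 or later, which ships the VpnClient module; the Windows XP-era clients of the thread configure the same things through the dial-up connection's properties dialog instead), and the connection name, server address and key are placeholders.

```powershell
# Added example (not from the thread): configure a Windows client for an L2TP/IPsec
# connection whose IKE phase is authenticated with a pre-shared key, matching the
# RRAS pre-shared-key setting discussed above.
# Assumes Windows 8.1+ with the built-in VpnClient module. Connection name, server
# address and key are constructed placeholders.

$ConnectionName = 'Lab-L2TP'
$VpnServer      = 'vpn.example.test'   # placeholder: RRAS server FQDN or public address

# Prompt for the key instead of embedding it in the script; Add-VpnConnection needs it
# as plain text, so it is converted only at the call site.
$PskSecure = Read-Host -AsSecureString 'L2TP/IPsec pre-shared key'
$PskBstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($PskSecure)
$PskPlain  = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($PskBstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($PskBstr)

# The PSK authenticates only the machine-to-machine IPsec tunnel (IKE main mode).
# The user is still authenticated separately inside PPP, here with MS-CHAPv2 against
# the RRAS/IAS remote access policy. That is why one key shared by every client is
# tolerable in a lab: it should still be long, rotated, and never reused elsewhere.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $VpnServer `
                  -TunnelType L2tp `
                  -L2tpPsk $PskPlain `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -RememberCredential:$false `
                  -Force

# When the RRAS server itself sits behind a NAT router (the ADSL setup described in
# the thread), Windows will not negotiate IPsec with a NAT-ed server unless NAT-T is
# explicitly allowed; the failure surfaces on the client as error 789.
# 2 = both client and server may be behind NAT. A reboot is needed for it to apply.
$PolicyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
Set-ItemProperty -Path $PolicyAgent `
                 -Name AssumeUDPEncapsulationContextOnSendRule `
                 -Value 2 -Type DWord

# Firewall rules between client and server must pass UDP 500 (IKE), UDP 4500 (NAT-T)
# and UDP 1701 (L2TP); without NAT, ESP (IP protocol 50) must also pass.

# Show the resulting profile so the tunnel type and authentication can be checked.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

The connection is then started with `rasdial` or from the network flyout; if it still fails with 789, the first things to compare are the key typed on both sides, the NAT-T value above (on the server as well when it is behind NAT), and whether the IPsec Policy Agent service is running on both machines.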
