Move from PPTP to IPSEC/L2TP - Multisite Configuration
RE: Move from PPTP to IPSEC/L2TP - Multisite Configuration - 24.Apr.2008 7:52:56 AM
waynewhittle
Posts: 96
Joined: 21.Apr.2004
From: Cardiff
Status: offline
This is linked to a similar problem I reported a while back regarding client IPSEC/L2TP connections. When a client connects from a machine that is not a member of the domain, how do you get a machine certificate onto his laptop? Our CA is installed on Windows 2003 Standard Edition. I've heard you can configure L2TP/IPSEC Offline Request for this purpose but you require Windows Server 2003 Enterprise Edition. Is this true?
RE: Move from PPTP to IPSEC/L2TP - Multisite Configuration - 24.Apr.2008 2:39:07 PM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Stanley,

Not really. I think you are talking about this kb: http://support.microsoft.com/kb/555281

However, you can use the web enrollment process to get a certificate for machine authentication for the branch ISAs. You can request an admin/user certificate and install it in the local computer store on the branch machines. And yes, the CA certificate must be installed in the Trusted Root CAs store *in* the local computer store on the branch machines. You can create the L2TP/IPsec site-to-site VPN connections using pre-shared keys first in order to request the certificates. So no worries.

You can check Tom's books; you will find out more about how to request a certificate for machine authentication for L2TP/IPsec VPN site-to-site connections. Maybe you can google about it a little bit too.

I suppose you terminate the VPN connections on the BE ISA in the main office, which is a domain member, thus you do not have to worry here about the CA certificate (you are using an Enterprise CA, so the CA cert is installed automatically on the domain member machines). If the FE ISA is doing NAT, watch for the NAT-T reg hack when the VPN server is behind a NAT device (it seems to apply with Win 2003 for L2TP/IPsec VPN site-to-site connections).

Regards!
RE: Move from PPTP to IPSEC/L2TP - Multisite Configuration - 25.Apr.2008 11:13:01 AM
waynewhittle
Posts: 96
Joined: 21.Apr.2004
From: Cardiff
Status: offline
Hi justmee,

Actually I am having problems with this. Just to simplify things, let's narrow it down to 2 sites: the branch office and the main office. Here's what I've done:

1. Installed a Router (Offline Request) certificate on the ISA calling router at the branch office via web enrolment from our Enterprise CA at the main office. The name of the certificate is the same name as the demand-dial interface AD account that will be used by the calling router (the calling router is a stand-alone ISA).
2. Exported the Root CA certificate to a file and imported this CA certificate into the Trusted Root Certification Authorities node on the calling ISA VPN router.
3. Assigned a machine certificate to the answering ISA router.
4. Exported the ISA calling router's certificate to the domain and mapped it to the DD interface account used by the ISA calling router to initiate the VPN connection to the main office ISA.
5. The main office is a FE-BE ISA configuration. The FE ISA is NAT, yes, and I have also used the registry hack you mentioned. I have the relevant publishing rules on the FE ISA which allow L2TP (UDP 1701), IPSEC NAT-T (UDP 4500) and IKE (UDP 500).

I'm not sure what I'm missing here but I just cannot get it to work at all. When I try and connect from the branch office I get an error: "The Interface is Disconnected", to which I click OK, then I get "The following error occurred: The system cannot find the file specified" ... and that's it, no connection. I'm not sure how to go about troubleshooting this as the certificates all appear to be ok and in the right place and the rules to facilitate L2TP/IPSEC are fairly straightforward...
< Message edited by waynewhittle -- 25.Apr.2008 11:14:28 AM >
RE: Move from PPTP to IPSEC/L2TP - Multisite Configuration - 25.Apr.2008 11:42:59 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Stanley,

First try with pre-shared keys to see if you manage to get the VPN tunnel up. It will help rule out any certificate issues first. Do not test from ISA itself. Use the ping command from a host behind the calling ISA and ping a host behind the answering ISA. You can use Wireshark or Netmon (whichever you like most) to see if you get any IKE or IPsec packets.

If it works:

At the main office:
- use the mmc to get a computer certificate for ISA, since ISA is a domain member. If you have troubles read this: http://blogs.isaserver.org/pouseele/2007/10/12/certificate-enrollment-requires-a-custom-protocol/

At the branch office:
- use the existing VPN tunnel (L2TP/IPsec with pre-shared keys) and use the web enrollment (use IE) to request a certificate for machine authentication (use the administrator template). Install it in the local computer store. The CA certificate *must* be installed in the Trusted Root CAs store in the *local computer store*. You do not need to worry about the name from the certificate now. If you plan to use certificates for the user level of authentication, you will have to do so.

Then switch to the authentication methods with certificates.

On the FE ISA you need to allow only IPSEC NAT-T (UDP 4500) and IKE (UDP 500).

J
< Message edited by justmee -- 25.Apr.2008 11:44:44 AM >
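The capture check suggested in the reply above (look in Wireshark or Netmon for IKE or IPsec packets, and allow only UDP 500 and 4500 on the FE ISA), worked as an added example that is not code from the thread: the script sorts a constructed packet-summary export into the stages the reply names and says what each combination points to. The "src dst proto dport" line layout and the addresses are assumptions.

```python
"""Classify a packet-summary export into the L2TP/IPsec stages the thread names
(IKE on UDP 500, NAT-T on UDP 4500, L2TP on UDP 1701). Sample data is constructed."""
from collections import Counter

IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701

# Constructed summary lines in an assumed "src dst proto dport" layout, roughly what
# a Wireshark or Netmon summary view exports; addresses are documentation ranges.
SAMPLE_CAPTURE = """\
203.0.113.10 198.51.100.20 UDP 500
198.51.100.20 203.0.113.10 UDP 500
203.0.113.10 198.51.100.20 UDP 4500
198.51.100.20 203.0.113.10 UDP 4500
"""

def parse_capture(text):
    """Count (proto, dport) pairs seen in the summary; malformed lines are skipped."""
    seen = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        seen[(parts[2].upper(), int(parts[3]))] += 1
    return seen

def stages(seen):
    """Which of the three tunnel stages actually appear on the wire."""
    return {
        "ike": seen[("UDP", IKE_PORT)] > 0,
        "nat_t": seen[("UDP", NAT_T_PORT)] > 0,
        "bare_l2tp": seen[("UDP", L2TP_PORT)] > 0,
    }

def advice(st):
    """Troubleshooting hints for an answering router behind a NAT-ing FE ISA."""
    hints = []
    if not st["ike"]:
        hints.append("no IKE on UDP 500: check the IKE rule on the FE ISA and "
                     "whether the calling router is dialling at all")
    elif not st["nat_t"]:
        hints.append("IKE but no NAT-T on UDP 4500: check the UDP 4500 rule and "
                     "the NAT-T registry setting on the answering server")
    else:
        hints.append("IKE and NAT-T both seen: L2TP travels inside ESP, so no "
                     "UDP 1701 rule is needed on the FE ISA")
    if st["bare_l2tp"]:
        hints.append("bare L2TP on UDP 1701: this traffic is outside IPsec and "
                     "is not protected by the tunnel")
    return hints
```

Feed it your own export in the same four-column shape; the sample run reports only that IKE and NAT-T were both seen.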
RE: Move from PPTP to IPSEC/L2TP - Multisite Configuration - 25.Apr.2008 12:02:06 PM
waynewhittle
Posts: 96
Joined: 21.Apr.2004
From: Cardiff
Status: offline
Thanks again! Could you please confirm the following regarding the ISA 2004 configuration of the DD interface on the calling ISA router:

- Connection tab: populated with the main office IP and DD credentials.
- Protocol: change this to L2TP/IPSEC and use a pre-shared key.
- Authentication: was MS-CHAP v2 (for existing PPTP). Do I just leave this as is?

Also, since I have a preconfigured active PPTP connection between these offices, the answering ISA router is also a calling router to the branch office with corresponding Connection, Protocol and Authentication settings. For the purposes of the L2TP/IPSEC testing with the pre-shared key, do I need to uncheck 'Local Site can Initiate Connections to the Remote Site' on the answering ISA Server and ensure that the Protocol and Authentication settings are as per the calling ISA router?

Thanks in advance for your help regarding this. I am determined to get to the bottom of it!
RE: Move from PPTP to IPSEC/L2TP - Multisite Configuration - 25.Apr.2008 1:08:01 PM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Yes, you can make the change from PPTP to L2TP/IPsec easily from ISA's GUI. Configure the pre-shared key first. Note that this pre-shared key will be used by VPN clients too and by other L2TP/IPsec site-to-site connections. This is not good in practice, but pre-shared keys are very useful for testing. Then right-click the site-to-site connection and make the change. And then apply the changes. You do not need to touch the RRAS console, unless, for example, on the Main ISA (domain member) you want to verify that the "Register this connection's address in DNS" checkbox is unchecked.

Regarding 'Local Site can Initiate Connections to the Remote Site' on the answering ISA Server, you can do whatever you want. If for this test you plan for only one side to initiate the VPN tunnel, you may uncheck it. If so, you will need to bring the new VPN tunnel up from a host (use the ping command) behind the calling ISA.

J
< Message edited by justmee -- 25.Apr.2008 1:09:44 PM >