Windows: IPSec/L2TP Client

From ReceptiveIT

Windows 2000 and XP have built-in IPSec support, but configuring it directly is fairly complex. Fortunately, the L2TP over IPSec VPN client provides a way to set up a secure VPN that is straightforward to configure on the client PC.


Setting up

Import the x509 digital certificate

1. Click on Start, then select Run, type mmc and click OK

2. Click on File, then select Add/Remove Snap-in

3. Click on Add

4. Select Certificates and click Add

5. Select Computer account and click Next

6. Select Local computer and click Finish. Click Close and then OK

7. Expand Certificates (Local Computer), then expand Personal

8. Right-click on Certificates, then select All Tasks, then select Import

9. Click on Next

10. Click on Browse

11. Change the Files of type: drop-down to Personal Information Exchange (*.pfx;*.p12), select your digital certificate, then click Open

12. Click Next

13. Enter your certificate password in the Password field

14. Leave Place all certificates in the following store selected, leave the Certificate store as Personal and click Next

15. Click Finish

16. You should see a window that says The import was successful. Click OK

17. Click and hold the Certificate Authority certificate, located under Personal \ Certificates, and drag it to Trusted Root Certification Authorities \ Certificates

18. Click on File, then click on Exit. If you are prompted to save console settings, click on No

Add a L2TP VPN

1. Click on Start, then select Programs, then Accessories

2. Select Communications, then New Connection Wizard

3. In the New Connection Wizard, click Next

4. Select Connect to the Network at my workplace and click Next

5. Select Virtual Private Network connection and click Next

6. Enter Work VPN into the Company Name field and click Next

7. Enter the fully qualified hostname of the VPN concentrator into the Host name or IP address field and click Next

8. Tick the checkbox next to Add a shortcut to this connection to my desktop and click Finish

9. Click on Start, then select Connect To, then Show all connections

10. Right-click on Work VPN, then select Properties

11. Select the Networking tab

12. In the Type of VPN drop-down, select L2TP IPSec VPN and click OK

13. Double-click on the shortcut to Work VPN

14. Enter your username into the User name field and your password into the Password field. You can check Save this user name and password for convenience. Click Connect.


Troubleshooting

IPSec IKE Logging

To debug IKE on Windows, start regedit, navigate to

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

and create a new key, "Oakley". Then, inside Oakley, create a new DWORD, "EnableLogging". Set this to 1. Windows will then log Oakley debug messages to \WINNT\Debug\Oakley.log. Now that's what I call obvious!

Windows Specific Notes

If the certificate you created and imported into Windows expires after the CA certificate that issued it, Windows will not use the certificate. You may receive an error in the event log stating "IKE failed to find valid machine certificate".
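A quick way to confirm that the certificate import steps above produced something IKE will actually use, and to catch the expiry mismatch just described before it surfaces in the event log. This is an added example, not part of the original page: it assumes PowerShell has been installed on the Windows XP client (PowerShell is not available for Windows 2000) and that it is run from an administrator session so the machine stores are readable; the subject string vpn-client in the usage line is an assumed placeholder for your own certificate's CN.

```powershell
# Added example (not from the original page). Checks the machine certificate the
# MMC steps imported against the conditions IKE needs: Computer-account Personal
# store, private key present, issuing CA in Trusted Root, and a validity period
# that does not outlive the CA's. Assumes PowerShell on XP and an admin session.

function Test-IkeMachineCertificate {
    param(
        # Substring of the client certificate's Subject, e.g. its CN (assumed value)
        [Parameter(Mandatory = $true)][string]$SubjectMatch
    )

    $problems = @()

    # Steps 5 and 6 above: IKE only uses certificates in the Computer account's
    # Personal store (Cert:\LocalMachine\My), not the current user's store
    $leaf = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $leaf) {
        return @("No certificate matching '$SubjectMatch' in Cert:\LocalMachine\My " +
                 "(it may have been imported into the user store instead)")
    }

    # The PFX import must have carried the private key; without it IKE cannot sign
    if (-not $leaf.HasPrivateKey) {
        $problems += "Certificate $($leaf.Thumbprint) has no private key"
    }

    # Step 17 above: the issuing CA must sit in Trusted Root Certification Authorities
    $ca = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $leaf.Issuer } |
        Select-Object -First 1

    if (-not $ca) {
        $problems += "Issuer '$($leaf.Issuer)' not found in Cert:\LocalMachine\Root"
    }
    else {
        # Windows Specific Notes above: a certificate that expires after its CA is rejected
        if ($leaf.NotAfter -gt $ca.NotAfter) {
            $problems += "Certificate expires $($leaf.NotAfter) but its CA expires $($ca.NotAfter)"
        }
        if ($ca.NotAfter -lt (Get-Date)) {
            $problems += "CA certificate expired $($ca.NotAfter)"
        }
    }

    # Plain validity window of the client certificate itself
    $now = Get-Date
    if ($leaf.NotBefore -gt $now) { $problems += "Certificate not valid until $($leaf.NotBefore)" }
    if ($leaf.NotAfter  -lt $now) { $problems += "Certificate expired $($leaf.NotAfter)" }

    if ($problems.Count -eq 0) {
        return @("OK: $($leaf.Subject) ($($leaf.Thumbprint)) valid until $($leaf.NotAfter), issuer trusted")
    }
    return $problems
}

# Usage (the subject substring is an assumed example value):
Test-IkeMachineCertificate -SubjectMatch "CN=vpn-client"
```

Each check maps to one step or note on this page, so a failing line tells you which step to redo: a missing certificate points at the Computer account selection, a missing issuer at the drag into Trusted Root Certification Authorities, and the expiry comparison at the CA that issued the certificate.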

Stop the IPSec service

net stop policyagent

Start the IPSec service

net start policyagent

Disable Internet Key Exchange (IKE) certificate revocation list (CRL) checking

By default, Windows 2000 does not check CRLs during IKE certificate authentication. Windows XP and the Windows Server 2003 family do check CRLs during IKE certificate authentication, but a fully successful check is not required for the certificate to be accepted. In some cases, failures during CRL processing can cause IKE to reject the certificate, or the delay introduced by CRL checking can slow IKE negotiation enough for the connection attempt to time out. To determine whether certificate authentication succeeds without CRL checking, you can disable IKE CRL checking. Treat this as a diagnostic step: while checking is disabled, a revoked certificate is still accepted, so re-enable it once the cause has been found. To disable it, type the following at the command prompt:

netsh ipsec dynamic set config strongcrlcheck 0

Enabling the IKE tracing log in Windows 2000 and Windows XP

In Windows 2000 and Windows XP, you must enable IKE tracing by modifying the registry. For the change to take effect, you must also stop and restart the IPSec service (the net stop and net start commands above).

To enable the IKE tracing log in Windows XP and Windows 2000, do the following:

Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD registry setting to a value of 1.

The Oakley key does not exist by default and must be created.
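The registry procedure just described (the same one given under IPSec IKE Logging above) as a single PowerShell function that creates the key, sets the DWORD, restarts the service and reports where the log will appear. This is an added example, not part of the original page: it assumes PowerShell has been installed on the Windows XP client (it is not available for Windows 2000) and an administrator session. The key path, value name, service name and log location are the ones given on this page.

```powershell
# Added example (not from the original page). Enables or disables the IKE
# (Oakley) tracing log on Windows XP by setting the registry value described
# above, then restarts the IPSec Policy Agent so the change is picked up.
# Assumes PowerShell is installed and the session runs as an administrator.

function Set-IkeTracing {
    param(
        # 1 enables the Oakley log, 0 disables it (the values the page gives)
        [ValidateSet(0, 1)][int]$Enabled = 1
    )

    $oakley = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'

    # The Oakley key does not exist by default and must be created
    if (-not (Test-Path $oakley)) {
        New-Item -Path $oakley | Out-Null
    }

    # EnableLogging must be a DWORD; -Force replaces an existing value
    New-ItemProperty -Path $oakley -Name EnableLogging -PropertyType DWord `
        -Value $Enabled -Force | Out-Null

    # The value is only read when the service starts: this is the equivalent of
    # 'net stop policyagent' followed by 'net start policyagent'
    Restart-Service -Name PolicyAgent

    # The page gives \WINNT\Debug\Oakley.log; %SystemRoot% is WINNT on Windows 2000
    # and WINDOWS on XP, so resolve it instead of hard-coding either name
    $log = Join-Path $env:SystemRoot 'Debug\Oakley.log'

    # Report what is now configured (New-Object PSObject works on PowerShell 2.0)
    New-Object PSObject -Property @{
        EnableLogging = (Get-ItemProperty -Path $oakley -Name EnableLogging).EnableLogging
        ServiceStatus = (Get-Service -Name PolicyAgent).Status
        LogPath       = $log
        LogExists     = Test-Path $log
    }
}

# Turn tracing on, reproduce the failing Work VPN connection, read the log,
# then turn it off again so the debug file does not grow indefinitely:
Set-IkeTracing -Enabled 1
# ... attempt the connection and inspect $env:SystemRoot\Debug\Oakley.log ...
# Set-IkeTracing -Enabled 0
```

On the Windows Server 2003 family this registry route is unnecessary; use the netsh ipsec dynamic set config ikelogging commands in the next section, which take effect without restarting the service.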

Enabling and disabling the IKE tracing log in the Windows Server 2003 family

In the Windows Server 2003 family, you can enable or disable the IKE tracing log dynamically while the IPSec service is running by doing the following:

To enable the IKE tracing log, type the following at the command prompt:

netsh ipsec dynamic set config ikelogging 1

This command creates the IKE tracing log file if it does not exist. If the file does exist, it appends logging information to the existing file.


To disable the IKE tracing log, type the following at the command prompt:

netsh ipsec dynamic set config ikelogging 0

View IPSec Status

Windows 2000

netdiag /test:ipsec /v /debug

Windows XP

ipseccmd show all

Windows 2003 Server

netsh ipsec dynamic show all