Windows: IPSec/L2TP Client

From ReceptiveIT

Windows 2000 and XP have built-in IPSec support, but configuring raw IPSec is fairly complex. Luckily, L2TP over IPSec gives a secure VPN that is easy to configure on the client PC.

Setting up

Import the X.509 digital certificate

1. Click on Start, then select Run, then type mmc and click OK

2. Click on File, then select Add/Remove Snap-in

3. Click on Add

4. Select Certificates and click Add

5. Select Computer account and click Next

6. Select Local computer and click Finish. Click Close and then OK

7. Expand Certificates (Local Computer), then expand Personal

8. Right click on Certificates, then select All Tasks, then select Import

9. Click on Next

10. Click on Browse

11. Change the drop down Files of type: to Personal Information Exchange (*.pfx;*.p12), select your digital certificate, then click Open

12. Click Next

13. Enter your certificate password in the Password field

14. Leave the selection of Place all certificates in the following store, leave the Certificate store as Personal and click Next

15. Click Finish

16. You should see a window that says The import was successful. Click OK

17. Click and hold the Certificate Authority certificate, located under Personal \ Certificates, and drag it to Trusted Root Certification Authorities \ Certificates

18. Click on File, then click on Exit. If you are prompted to save console settings, click on No


Add an L2TP VPN

1. Click on Start, then select Programs then Accessories

2. Select Communications then New Connection Wizard

3. In the New Connection Wizard, click Next

4. Select Connect to the network at my workplace and click Next

5. Select Virtual Private Network connection and click Next

6. Enter Work VPN into the Company Name field and click Next

7. Enter the fully qualified hostname of the VPN concentrator into the Host name or IP address field and click Next

8. Click on the checkbox next to Add a shortcut to this connection to my desktop and click Finish

9. Click on Start, then select Connect To then Show all connections

10. Right click on Work VPN, then select Properties

11. Select Networking from the top tabs

12. Drop down Type of VPN, select L2TP IPSec VPN and click OK

13. Double click on the shortcut to Work VPN

14. Enter your username into the User name field and your password into the Password field. You can check Save this user name and password for convenience. Click Connect.


IPSec IKE Logging

To debug IKE on Windows, start regedit, move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent and create a new key, "Oakley". Then, inside Oakley, create a new DWORD, "EnableLogging". Set this to 1. Windows will then log Oakley debug messages to \WINNT\Debug\Oakley.log. Now that's what I call obvious!

Windows Specific Notes

If the certificate you created and imported into Windows has a validity end date later than that of the CA certificate that issued it, Windows will not use the certificate. You may receive an error in the event log stating IKE failed to find valid machine certificate.

Stop the IPSec service

net stop policyagent

Start the IPSec service

net start policyagent

Disable Internet Key Exchange (IKE) certificate revocation list (CRL) checking

By default, in Windows 2000 CRLs are not checked during IKE certificate authentication. In Windows XP and the Windows Server 2003 family, CRLs are checked during IKE certificate authentication, but a fully successful check is not required for the certificate to be accepted. In some cases, failures during CRL processing might cause IKE to reject the certificate, or the delay required for CRL checking might slow IKE negotiation enough for the connection attempt to time out. To determine whether certificate authentication succeeds without CRL checking, you can disable IKE CRL checking. To do this, type the following at the command prompt:

netsh ipsec dynamic set config strongcrlcheck 0
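The CRL test above is only a diagnostic, so the check should go back on once the answer is known. The following batch script is an added example (not from the original page) that records the current dynamic configuration, disables CRL checking, attempts the connection, and restores the check. It assumes the netsh ipsec context is available (Windows Server 2003 per this page), that the connection is named Work VPN with credentials saved as in step 14, and that 1 is the value to restore (the page does not state the default; this is an assumption).

```batch
@echo off
rem Added example: diagnose an L2TP/IPSec connection failure by temporarily
rem disabling IKE CRL checking, then restoring it. Run from an administrative
rem command prompt on a host that has the netsh ipsec context.
setlocal
set CONN=Work VPN

rem Keep a copy of the dynamic configuration before changing anything.
netsh ipsec dynamic show config > "%TEMP%\ipsec-config-before.txt"

rem Turn off CRL checking for IKE certificate authentication.
netsh ipsec dynamic set config strongcrlcheck 0

rem Dial with saved credentials; rasdial returns a non-zero errorlevel on failure.
rasdial "%CONN%"
if errorlevel 1 (
    echo Connection still fails with CRL checking off: the CRL is not the cause.
) else (
    echo Connected with CRL checking off: suspect CRL reachability or processing.
    rasdial "%CONN%" /disconnect
)

rem Restore CRL checking so the diagnostic does not leave the client weakened.
rem The value 1 is an assumption about the default; compare with the saved copy.
netsh ipsec dynamic set config strongcrlcheck 1
endlocal
```

If the connection only works with the check disabled, the fix belongs on the CRL distribution point (reachability from the client, a current CRL) rather than in leaving strongcrlcheck at 0.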

Enabling the IKE tracing log in Windows 2000 and Windows XP

In Windows 2000 and Windows XP, you must enable IKE tracing by modifying the registry. For the changes to take effect, you must also stop and restart the IPSec service:

To enable the IKE tracing log in Windows XP and Windows 2000, do the following:

Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD registry setting to a value of 1.

The Oakley key does not exist by default and must be created.

Enabling and disabling the IKE tracing log in the Windows Server 2003 family

In the Windows Server 2003 family, you can enable or disable the IKE tracing log dynamically while the IPSec service is running by doing the following:

To enable the IKE tracing log, type the following at the command prompt:

netsh ipsec dynamic set config ikelogging 1

This command creates the IKE tracing log file if it does not exist. If the file does exist, it appends logging information to the existing file.

To disable the IKE tracing log, type the following at the command prompt:

netsh ipsec dynamic set config ikelogging 0

View IPSec Status

Windows 2000

netdiag /test:ipsec /v /debug

Windows XP

ipseccmd show all

Windows 2003 Server

netsh ipsec dynamic show all
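The three logging procedures above (the registry switch for Windows 2000 and XP, the netsh switch for the Windows Server 2003 family) and the three status commands are all selected by Windows version. The following batch script is an added example, not from the original page, that picks the right method from the output of ver, enables IKE tracing, restarts the IPSec service where the registry method needs it, and shows IPSec status with the tool this page lists for that version. It assumes reg.exe is present (built in on XP and 2003, a Resource Kit tool on 2000), that netdiag and ipseccmd from the respective Support Tools are on the path, and that the trace file is %SystemRoot%\Debug\Oakley.log (the page gives \WINNT\Debug\Oakley.log, which is %SystemRoot% on Windows 2000; the generalisation is an assumption).

```batch
@echo off
rem Added example: enable IKE tracing and show IPSec status on Windows 2000,
rem XP or Server 2003, choosing the method by the version string from ver.
setlocal
set OAKLEY_KEY=HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley

rem "if not errorlevel 1" is true when find matched (errorlevel 0).
ver | find "Version 5.2" >nul
if not errorlevel 1 goto win2003
ver | find "Version 5.1" >nul
if not errorlevel 1 goto winxp
ver | find "Version 5.0" >nul
if not errorlevel 1 goto win2000
echo This script only knows Windows 2000, XP and Server 2003.
goto :eof

:win2000
rem Windows 2000: registry switch, then restart the IPSec Policy Agent.
call :enable_registry_logging
netdiag /test:ipsec /v /debug
goto done

:winxp
rem Windows XP: same registry switch; ipseccmd comes from the Support Tools.
call :enable_registry_logging
ipseccmd show all
goto done

:win2003
rem Windows Server 2003: tracing can be switched on while the service runs.
netsh ipsec dynamic set config ikelogging 1
netsh ipsec dynamic show all
goto done

:enable_registry_logging
rem reg add creates the Oakley key (absent by default) and the DWORD in one step.
reg add "%OAKLEY_KEY%" /v EnableLogging /t REG_DWORD /d 1 /f
net stop policyagent
net start policyagent
goto :eof

:done
echo IKE trace output accumulates in %SystemRoot%\Debug\Oakley.log
endlocal
```

Reproduce the failing connection after running this, then read the trace; on Windows 2000 and XP, set EnableLogging back to 0 and restart policyagent when finished, because the log keeps growing otherwise.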