L2TP (Layer 2 Tunneling Protocol) is the preferred method to secure data
over a VPN. The alternative, PPTP (Point-to-Point Tunnelling
Protocol), is less secure and slower. For instance, only L2TP will allow
IPSec data encryption.
This page covers how to make an L2TP VPN connection between a client and a server. This turned out to be one of my most difficult configuration tasks in the
whole of Windows Server 2003; it took two of us three days to get it to work. (We
did have other jobs during the three days.)
The goal here is to get a default VPN working over the LAN.
At the Server
The first stage was easy, configuring RAS on the Windows Server 2003.
Right-click the server object and select the third radio button, Virtual Private
Network (VPN) and NAT. Then select the network connection and configure a
DHCP scope.
Trap One
The default Remote Access Policy denies anyone logging in. Easy fix: change
the radio button to Grant remote access.
Trap Two
Check the test user who will dial in: Properties, Dial-in (tab), set to
Allow access or Control access through group policy. If necessary, raise the
domain level to Windows 2000 native or Windows Server 2003 native.
At the client
Network Connections, New Connection.
Trap Three
Select 'Do not dial an initial connection' - remember this is a LAN
experiment.
You should now have succeeded in connecting using a VPN over your LAN; the
proof will be a new computer icon low in the notification area (Systray).
Network security is complex. As an MCT trainer, I can thoroughly recommend
TrainSignal because they provide practical hands-on training. In particular, I like the way TrainSignal covers all learning methods: instructor-led, video and of course text material. You can either take one module, for example
Network Security, or go for a combination of modules.
See more about Network Security training here.
Note we were using Windows Active Directory CA, if you are using a Stand
Alone certificate server the procedure is slightly different.
Trap Four
Do use a client on a different machine. Whilst you can normally test
RAS clients on the server, it does not work for L2TP.
Instructions
From the client, request a certificate from the server at
http://serverIP/certsrv (not certSVR).
Select Advanced Request, then Submit a certificate request to this CA using a
form.
Select Administrator (User is the default) and leave all the other
settings at their defaults.
Scroll down and press Submit.
The Install this certificate screen should appear.
Now try to connect using an L2TP VPN. At the client, open Network Connections,
select the VPN, Properties, Networking, Type of VPN, and change Automatic to
L2TP.
Troubleshooting
Restart the RRAS service rather than rebooting the server.
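The GUI steps above can be checked from a script. The following PowerShell is an added example and is not part of the original article; it assumes a modern Windows Server with the ActiveDirectory RSAT module and a Windows 8 or later client, since none of these cmdlets exist on Windows Server 2003 itself. The user name 'testuser' and the connection name 'LAN-L2TP' are placeholders. It verifies the dial-in setting from Trap Two, lists the machine certificates L2TP/IPSec will pick from, pins the client tunnel type to L2TP as in the Instructions, and restarts RRAS as the Troubleshooting note advises.

```powershell
# Added example, not from the original article. Assumes: ActiveDirectory
# module on the server, Windows 8+ VPN client cmdlets on the client, and
# placeholder names 'testuser' and 'LAN-L2TP'.

# --- Trap Two: report the test user's Dial-in setting ---
# msNPAllowDialin is True for "Allow access", False for "Deny access",
# and not set when access is controlled through policy.
function Get-DialInSetting {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin
    if ($user.msNPAllowDialin -eq $true)  { return 'Allow access' }
    if ($user.msNPAllowDialin -eq $false) { return 'Deny access' }
    return 'Control access through policy (attribute not set)'
}
"Dial-in for testuser: $(Get-DialInSetting -SamAccountName 'testuser')"

# --- Certificate step: which machine certificates are usable for IPSec? ---
# L2TP/IPSec needs a certificate with a private key that has not expired.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, Issuer, NotAfter |
    Format-Table -AutoSize

# --- Client: change the tunnel type from Automatic to L2TP ---
# Run on the client. Equivalent to Properties > Networking > Type of VPN.
Set-VpnConnection -Name 'LAN-L2TP' -TunnelType L2tp -AuthenticationMethod MSChapv2
Get-VpnConnection -Name 'LAN-L2TP' |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel

# --- Troubleshooting: restart RRAS instead of rebooting the server ---
# The RRAS service is named RemoteAccess.
Restart-Service -Name RemoteAccess
Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType
```

Run the user and certificate checks on the RRAS server and the VPN connection commands on the separate client machine that Trap Four calls for; a Deny or unset dial-in value, or an empty certificate list, explains most failed L2TP attempts before touching the policy itself.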