Introduction to L2TP Certificates
L2TP (Layer two Transport Protocol) is the preferred method to secure data over a VPN. The other alternative, PPTP (Point to Point Tunnelling Protocol), is less secure and slower. For instance, only L2TP allows IPSec data encryption.
Topics for L2TP Certificates
- L2TP Mission
- Getting to first base
- Home run – get it to work using L2TP
- The solution – Install a certificate
L2TP Mission
To make an L2TP VPN connection between a client and a server. This turned out to be one of my most difficult configuration tasks in the whole of Windows 2003; it took two of us three days to get it to work. (We did have other jobs during the three days.)
Getting to first base
The goal here is to get a default VPN working over the LAN.
At the Server
The first stage was easy: configuring RAS on the Windows Server 2003. Right-click the server object and select the third radio button, Virtual Private Network (VPN) and NAT. Then select the network connection and configure a DHCP scope.
Trap One
The default Remote Access Policy denies everyone who tries to log in. The fix is easy: change the radio button to Grant remote access.
Trap Two
Check the test user who will dial in: Properties, Dial-in (tab), set to Allow access or Control access through group policy. If necessary, raise the domain level to Windows 2000 native or Windows Server 2003 native.
At the client
Network Connections, New Connection.
Trap Three
Select ‘Do not dial an initial connection’. Remember, this is a LAN experiment.
You should now have succeeded in connecting using a VPN over your LAN; the proof is a new computer icon in the notification area (systray).
Home run – Connect your VPN using L2TP
The problem: you get error messages when you select L2TP.
From the client, select the VPN, Properties, Networking, Type of VPN, and change Automatic to L2TP. You get error 789, 769 or 800.
The solution is – Install a certificate
Note: we were using a Windows Active Directory CA; if you are using a stand-alone certificate server, the procedure is slightly different.
Trap Four
Do use a client on a different machine. Whilst you can normally test RAS clients on the server itself, that does not work for L2TP.
Instructions
- From the client, request a certificate from the server at http://serverIP/certsrv (not certSVR).
- Select Advanced Request, then Submit a certificate request to this CA using a form.
- Select Administrator (User is the default). Leave all the other settings at their defaults.
- Scroll down and press Submit.
- The ‘Install this certificate’ screen should appear.
Now try to connect using an L2TP VPN. At the client, open Network Connections, select the VPN, Properties, Networking, Type of VPN, and change Automatic to L2TP.
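Because errors 789 and 800 give no detail, it is worth confirming that the client actually holds a certificate IKE can use before retrying the connection. The script below is an added example, not from the original page; it assumes PowerShell 2.0 or later on the client and that the certificate ended up in the computer (LocalMachine) store, which is where the IKE negotiation for L2TP/IPsec looks for it.

```powershell
# Added example: audit the local machine certificate store for a certificate
# that IKE can use for L2TP/IPsec. Run in an elevated PowerShell on the VPN
# client, and again on the RAS server, since both ends need one.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ikeOid        = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate EKU

function Test-L2TPCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    if (-not $Cert.HasPrivateKey)      { $problems += 'no private key' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }

    # EKU: either no EKU extension (any purpose) or one of the IPsec-usable OIDs
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if (-not (($oids -contains $clientAuthOid) -or ($oids -contains $ikeOid))) {
            $problems += 'EKU lacks Client Authentication / IKE intermediate'
        }
    }

    # The chain must build to a root in LocalMachine\Root; the RAS server must
    # trust the same CA, otherwise IKE authentication fails with error 789.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain: $status"
    }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-L2TPCertificate $_ } |
    Format-Table Usable, Subject, Issuer, Problems -AutoSize
```

If no row shows Usable = True, the certificate was most likely enrolled into the user store instead of the computer store, or the CA's root certificate is missing from Trusted Root Certification Authorities on one side.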