
Author L2tp
Ngittins

2003-07-25, 8:26 am

Hello,

I'm currently configuring L2TP on my home 2000 test network, PPTP is easy, but L2TP isn't.

I have:

1 Win2000 Server running CA - Root Standalone CA.

1 Win2000 Server running RRAS, configured with VPN.

2 WinPro Clients.

I've configured and installed a server certificate on the RRAS server.

I've configured and installed client certificates on the client computers.


For the certificates:
I enabled Key Exchange, size 1024, SHA-1, basically just used the defaults.

I set the RRAS ports to use L2TP. The VPN server works fine with PPTP, but not with L2TP.

I create the VPN client, set the client up to use L2TP, connect to the VPN server and I receive a message stating that L2TP couldn't establish a connection because there wasn't a certificate to create a secure tunnel.

When you establish a connection via L2TP, the client is meant to use IPSEC by default, without configuration, is this correct? Either way, if I set up IPSEC, I still can't get this thing to work.

Go figure, so I was wondering have you had much luck with MS L2TP.

Cheers
Nathan

thanks
Nathan
jeff_j_black

2003-07-25, 10:32 am

I suspect that you may have needed an Enterprise Root CA, instead of a Stand Alone Root CA?
jeff_j_black

2003-07-25, 10:50 am

From the Win2k Deployment Guide:

quote:
Automatic enrollment does not function unless at least one enterprise CA is online to process certificate requests.


----------

Remote access (dial-up or virtual private network) communications. (For virtual private networks using IPSec with L2TP, remember to set up Group Policy to permit autoenrollment for IPSec computer certificates. For detailed information about computer certificates for L2TP over IPSec VPN connections, see Windows 2000 Help.)

----------

You can specify automatic enrollment and renewal for computer certificates. When automatic enrollment is configured, the specified certificate types are issued to all computers within the scope of the public key Group Policy. Computer certificates issued by automatic enrollment are renewed from the issuing CA. Automatic enrollment does not function unless at least one enterprise CA is online to process certificate requests.

For virtual private networks (VPNs) using IPSec with L2TP, remember to set up Group Policy to permit automatic enrollment for IPSec certificates. In Table 12.2, any Rivest-Shamir-Adleman (RSA)-signed certificate issued to a computer that is stored in the computer account can be used for IPSec. For more information about certificates for L2TP over IPSec VPN connections, see Windows 2000 Server Help.

----------

Certificates are issued for computers within the scope of the Automatic Certificate Request settings of the domain's Group Policy. Administrators can also manually request certificates for local computers with the Certificate Request wizard or the Microsoft Certificate Services Web pages. Consider scheduling manual enrollment in stages to help distribute the administrative workload for computer enrollment.

----------

In some cases, Windows 2000 network security technologies are dependent on other Windows 2000 security technologies. For example, the virtual private networking Layer Two Tunneling Protocol (L2TP) uses IPSec to provide security from the remote client to the VPN server. The IPSec security negotiation requires certificates to authorize the connection. Therefore, a certification server is required with the appropriate configuration. Typically, a Windows 2000 certificate server is joined to a domain. The domain specifies Group Policy with public key infrastructure (PKI) settings for computers to auto-enroll in this certificate authority to get a computer certificate for IPSec. L2TP creates the necessary IPSec policy to ensure the L2TP traffic is secure. However, administrators might want to also secure other traffic between all servers and clients. This requires the configuration of IPSec on each client and server. Because IPSec is configured using a policy, after you create the policy in Active Directory™, you can apply it to all computers on a group or domain basis. You can deploy certificates and IPSec policy to all domain computers by centralized administration using Group Policy in Active Directory.

----------
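The quoted guide says IPSec will accept any RSA-signed certificate issued to the computer and stored in the computer account, so the first thing to check on the failing client or server is what is actually in that store. The script below is an added diagnostic, not part of this thread or of any Microsoft tool: it lists the computer account's personal store and reports, per certificate, whether it has an RSA key of at least the size the poster used, a private key, a current validity period, and a chain to a trusted root. It assumes PowerShell 3.0 or later with the Cert: drive (so it applies to later Windows versions, not the Windows 2000 hosts in the thread), and the function name Get-IpsecCandidateCertificate is the example's own.

```powershell
# Added diagnostic for L2TP/IPSec machine certificates (example code, not from the thread).
# Lists the computer account's personal store and flags certificates that meet the
# Deployment Guide requirement: RSA-signed, issued to the computer, with a private key,
# currently valid and chaining to a trusted root in the machine's Root store.
function Get-IpsecCandidateCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # computer account, Personal store
        [int]$MinimumKeySize = 1024                      # the key size the poster chose
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $isRsa = ($cert.PublicKey.Oid.FriendlyName -eq 'RSA')
        $keySize = if ($isRsa) { $cert.PublicKey.Key.KeySize } else { 0 }
        $timeValid = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        $chains = $cert.Verify()   # builds the chain against the machine's trusted roots
        # Enhanced Key Usage is reported for information only; the guide quoted above
        # does not require a particular EKU, just an RSA computer certificate.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = if ($ekuExt) {
            ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
        } else { '(none)' }
        [pscustomobject]@{
            Subject             = $cert.Subject
            Issuer              = $cert.Issuer
            RsaKey              = $isRsa
            KeySize             = $keySize
            HasPrivateKey       = $cert.HasPrivateKey
            TimeValid           = $timeValid
            ChainsToTrustedRoot = $chains
            EKU                 = $ekus
            Usable              = ($isRsa -and $keySize -ge $MinimumKeySize -and
                                   $cert.HasPrivateKey -and $timeValid -and $chains)
        }
    }
}

# Run on the RRAS server and on a failing client; an empty "Usable = True" set
# matches the "no certificate to create a secure tunnel" symptom.
Get-IpsecCandidateCertificate |
    Format-Table Subject, RsaKey, KeySize, HasPrivateKey, TimeValid, ChainsToTrustedRoot, Usable -AutoSize
```

If a certificate shows ChainsToTrustedRoot = False, the issuing root (the standalone CA here) is missing from the computer's Trusted Root Certification Authorities store; if nothing is listed at all, the certificate was enrolled into the user store rather than the computer account.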

Copyright 2003 - 2008 examnotes.net