Configuring Gateway to Gateway L2TP/IPSec VPNs Part 2: Creating the Gateways

In part 1 of this series on how to configure an L2TP/IPSec gateway to gateway VPN solution, we examined how to configure the certificate infrastructure and assign machine certificates on the local network. This week, we’ll complete our gateway to gateway VPN configuration.

In this article, we’ll cover the following steps:

After completing this series on creating a gateway to gateway L2TP/IPSec VPN, you won’t have an excuse for running PPTP gateways any longer! Let’s get to it.

Installing ISA Server on the Gateways

Let’s install ISA Server on INTERNALVPN and EXTERNALVPN computers. The setup doesn’t require anything special. As always make sure you configure the LAT correctly!

Perform the following steps on both the INTERNALVPN and EXTERNALVPN machines:

1. Put in the ISA Server CD and wait for the autorun to start, or click on the ISAAutorun.exe program on the ISA Server CD.
   
2. Click on Install ISA Server.
   
3. On the Welcome page, click Continue.
   
4. Enter your CD Key and click OK.
   
5. Click OK on the Product ID page.
   
6. Click I Agree on the license agreement page.
   
7. Click Full Installation on the installation type page.
   
8. Click Yes on the “I can’t find the ISA Server schema objects in the Active Directory page”.
   
9. Select Integrated mode and click Continue on the ISA Server mode page.
   
10. Click OK on the “I’m going to stop IIS” page.
    
11. Click Set and then click OK on the cache size and location page.
    
12. Click the Construct button on the LAT configuration page.
    
13. Configure the LAT to use the addresses ranges as determined by the routing table. Uncheck the Add the following private ranges checkbox. Place a checkmark in the Add address ranges based on the Windows 2000 Routing table checkbox. Select the internal adapter for each machine, as seen in the figures below. Click OK.

INTERNALVPN

EXTERNALVPN

14. Click OK on the Setup Message dialog box informing you that the LAT was constructed.
    
15. Click OK on the LAT construction page.
    
16. Click OK in the Launch ISA Management Tool dialog box.
    
17. Click OK to confirm that ISA Server was setup successfully.
    
18. The ISA Management console opens. Quick! Change the view to Advanced so that you can actually get some work done
    
19. Restart both of the servers.

Running the Local and Remote VPN Wizards

One of the greatest features of ISA Server is the VPN Wizard. In fact, there are three VPN Wizards. They allow you to automatically enable:

The VPN Wizards make otherwise complex configurations done in the RRAS console easy. All you need to do is go through the steps presented by the Wizard, answer the questions right, and you’re good to go. If you have a complex VPN network, such as mesh or hub VPN network configuration, no problem! Just run the Wizard again and it’ll work.

NOTE: WHAT DOES LOCAL AND REMOTE MEAN?

The Local and Remote terminology isn’t immediately obvious. The LOCAL VPN is the server that receives calls from REMOTE VPN servers. The default setting in the Wizard is to allow remote VPN Servers to initiate a demand-dial link to the LOCAL VPN server, but not the other way around. However, you do have the option to allow both the LOCAL and REMOTE VPN servers to initiate demand-dial links to each other. In most corporate networks this isn’t required because there aren’t too many business critical app’s or files located at the remote sites. However, in this lab we’ll go over how to create the bidirectional demand-dial interface just so you know how the configuration works.

Let’s get our hands dirty with the LOCAL and REMOTE VPN Wizards.

Let’s start with the LOCAL VPN Wizard by performing the following on the INTERNALVPN computer:

1. Open the ISA Management console
   
2. Expand your server name and right click on the Network Configuration node. Click the Set Up Local ISA VPN Server.

3. Click Next on the Welcome to the Local ISA Server VPN Configuration Wizard page.
   
4. Click Yes to allow the Wizard to start RRAS.

5. Enter names for the local and remote networks as seen in the figure below. Click Next.

6. You will receive an error message informing you that the name is too long. Note the error dialog box does not tell you how long your name came be! There is no documentation of the error anywhere but in my book . Click OK.
   
7. Rename the local and remote networks as seen in the figure below. The short name for the local network should be INTVPN and the short name for the external network should be EXTVPN. Click Next.

8. On the ISA Virtual Private Network (VPN) Protocol page, select the Use L2TP/IPSec, if available. Otherwise, use PPTP option and click Next.

9. On the Two-way Communication page, put a checkmark in the Both the local and remote ISA VPN computers can initiate communication checkbox and fill in the text boxes as seen in the figure below. In the Type the fully qualified domain name or IP address of the remote VPN computer text box, type 192.168.1.126. In the Type the remote VPN computer name or the remote domain name: text box type EXTERNALVPN. Click Next.

10. On the Remote Virtual Private Network (VPN) Network page, click the Add button. Enter the IP addresses as seen in the figure below. In the From text box type 172.16.0.0 and in the To text box type 172.31.255.255. These are the IP addresses that you want to fire off the demand-dial VPN connection the Wizard will create. Click OK. Then click Next.

11. On the Local Virtual Private Network (VPN) Network page, make sure that the external IP address is select in the drop-down list box. (this should appear by default) Confirm that the IP addresses ranges for the local network are included in the list of IP addresses. Click Next.

12. On the ISA VPN Computer Configuration File page, enter a name for the file that contains the configuration information you’ll take to the remote computer. Enter a password and confirm the password. Make sure you do *not* forget the password! Click Next.

13. On the Completing the ISA VPN Setup Wizard page, click the Details button. You will see that the following information has been added:

ISA Server Virtual Private Network (VPN) connection identification:

INTVPN_EXTVPN will be created on this router.

EXTVPN_INTVPN will be written to file.

VPN protocol type:

Use L2TP over IPSec, if available. Otherwise, use PPTP.

Destination address of the remote ISA Server computer:

192.168.1.126

Dial-out credentials used to connect to remote computer running ISA Server:

User account: EXTVPN_INTVPN.

Domain name: EXTERNALVPN.

Remote Network IP addresses range:

172.16.0.0 – 172.31.255.255.

Remote ISA computer configuration:

IP address of this machine: 192.168.1.125.

Local Network IP addresses range:

10.0.0.0 – 10.0.0.255.

10.255.255.255 – 10.255.255.255.

The configuration file created for the remote ISA Servercomputer:

a:\localremote.vpc

Dial-in credentials created:

The user account INTVPN_EXTVPN was created on this computer, with the password set to never expire.

Note:

A strong password was generated for the user account.

Changes made to the password will need to be applied to the dial-on-demand credentials of the remote computer.

14. Click Back, then click Finish.
    
15. Restart each of the computers (you don’t have to do this, but after all my years with Windows, I’m superstitious)

You are now in possession of the coveted .vpc file that you can use to configure the remote office VPN server. Let’s take that floppy disk out and visit the remote ISA/VPN Server EXTERNALVPN and run the remote VPN Wizard.

Perform the following steps at the EXTERNALVPN computer.

1. Open the ISA Management console.
   
2. Expand your server name and right click on the Network Configuration node. Click the Set Up Remote ISA VPN Server.

3. Click Next on the Welcome to the Remote ISA Server VPN Configuration Wizard page.
   
4. Click Yes to start the Routing and Remote Access Services.

5. On the ISA VPN Computer Configuration File page, type in the path and name of the file, or use the Browse button. Type in the Password you assigned to the file. Click Next.

6. Click the Details button. You will see that the following changes have been made to the computer.

Configuration read from file:

ISA Server Virtual Private Network (VPN) connection identification:

EXTVPN_INTVPN will be created on this router.

Destination address of the remote ISA Server computer:

192.168.1.125

Dial-in credentials created:

The user account INTVPN_EXTVPN was created on this computer, with the password set to never expire.

Note:

A strong password was generated for the user account.

Changes made to the password will need to be applied to the dial-on-demand credentials of the remote computer.

Dial-out credentials used to connect to remote computer running ISA Server:

User account: INTVPN_EXTVPN.

Domain name: INTERNALVPN.

VPN protocol type:

Use L2TP over IPSec, if available. Otherwise, use PPTP.

Remote network accessible subnets:

IP: 10.0.0.0, Mask: 255.255.255.0, Metric: 1

IP: 10.255.255.255, Mask: 255.255.255.255, Metric: 1

7. Click Back and then click Finish.

There’s one more thing we need to do. The Wizard automatically configures the VPN demand-dial interface. But the Wizard makes a mighty powerful assumption. That assumption is that we have a DHCP server on each network that can hand out IP addresses for the calling VPN gateway. Maybe we do, maybe we don’t. In this lab, we don’t. So we need to tweak the VPN configuration to use a static pool of IP addresses rather than DHCP.

NOTE: LAT CONFIGURATION AND FIREWALL CLIENTS

If you are going to use Firewall clients on your network you will need to configure the LAT to include the IP address ranges on all networks that are connected via the VPN interface. The reason for this is that the Firewall Client software will evaluate the request against the LAT to determine if the requests should be sent to the Firewall service or the default gateway. If the destination is on the LAT, the packet will be sent to the default gateway configured on the Firewall client computer. This means that if you are going to connect networks via a gateway to gateway VPN solution, you must configure all machines with a gateway address that routes packets for the remote VPN network through the internal interface of the ISA Server. If you have interposed routers, make sure they are programmed to support your gateway to gateway VPN configuration.

Perform the following steps on both EXTERNALVPN and INTERNALVPN:

1. Open the Routing and Remote Access console from the Administrative Tools menu.
   
2. Right click on your server name and click Properties.
   
3. Click on the IP tab. Select the Static Address Pool option and click the Add button.
   
4. Make the entries on the INTERNALVPN and EXTERNALVPN computers as seen in the figures below. You want to put in ranges that are valid on the internal directly connected network.

INTERNALVPN

EXTERNALVPN

5. Make sure the Adapter setting is configured to use the Local Area Connection for name servers. Click Apply and then click OK.

OK! We’re all set up now to fire up the PPTP VPN link.

Establish the PPTP VPN Link and Obtain Certificates

The configuration is now set up to support PPTP VPN connections. We won’t be able to configure an L2TP/IPSec VPN link until we obtain certificates for the EXTERNALVPN machine.

Perform the following at the CLIENTDC machine.

1. Open a command prompt window.
   
2. At the command prompt type ping -t 172.16.0.2 and press [ENTER]
   
3. The connection will take a few moments to connect, but then you should see a response.

4. Press CTRL-C to stop the pinging.

Now that we have the PPTP VPN link up, we can obtain certificates for the EXTERNALVPN and EXTERNALSVR machines. The procedures are the same as those we preformed in part 1 of this article.

Perform the following on both the EXTERNALVPN and EXTERNALSVR machines.

1. Open the browser and configure it to use a LAN connection like we did in the first part of this article.
   
2. In the address bar of Internet Explorer, type http://10.0.0.3/certsrv and click Go.

NOTE: Name Resolution

Once you have your DNS infrastructure in place and configured, you will not need to use IP addresses to connect to machines on a remote network. In this lab, we have not configured the DNS server on the INTERNALSRV machine to resolve names on the remote network. If we had configured the DNS, we could use the remote machine’s host name rather than using its IP address.

3. On the Welcome page, select Request a certificate and click Next.
   
4. On the Request Type page, select Advanced request and click Next.
   
5. On the Advanced Certificate Requests page, select the Submit a certificate request to this CA using a form and click Next.
   
6. Create the certificates requests on both machines on the remote network. The following screen shots show you how to enter the information. This is the same procedure we went through in part one of this article.

EXTERNALVPN – top half

EXTERNALVPN – middle half

EXTERNALSRV – top half

EXTERNALSRV – middle half

7. Go to the CERTSRV machine and approve the certificate requests like you did in the first part of this article.
   
8. Retrieve the certificates using the browser on the EXTERNALVPN and EXTERNALSRV computers like we did in the first part of this article.

Now everyone has a certificate. Restart both of the VPN servers. (not required)

Establish a L2TP/IPSec Link

We want to force L2TP/IPSec through the gateways. There’s no need to support PPTP, since we don’t need VPN clients to call through the VPN gateway interfaces. You can still configure the ISA/VPN servers to accept PPTP connections from VPN client callers if you wish.

Perform the following steps to force L2TP/IPSec through the VPN gateway interfaces. Do this on both the INTERNALVPN and EXTERNALVPN computers:

1. Open the Routing and Remote Access console from the Administrative Tools menu.
   
2. Expand your server name and click on the Routing Interfaces node.
   
3. Right click on the VPN demand-dial interface and click Properties.

4. In the demand-dial interface’s Properties dialog box, click on the Networking tab. Click the down-arrow for the Type of VPN server I am calling list box and select the Layer-2 Tunneling Protocol (L2TP) entry. Click OK.
   
5. After you configure both demand-dial interfaces to use L2TP/IPSec, go back to the CLIENTDC computer and reissue the ping request you did earlier. After you get ping responses, go to one of the RRAS consoles and click on the PORTS node. You’ll see that your L2TP/IPSec connection was successful!

Notes on Certificate Requirements

Certificates are required to make this whole L2TP/IPSec thing work. The question I posed in the first part of this article was what type of certificates were required. I was going to walk you through the process of testing various certificate types, but the article is getting a little long, so I decided to nix that subject. As you see from what we’ve done so far, having a server certificate on each VPN server (and any other server) seems to do the trick.

However, what I can’t tell you at this time is if this is the way you’re “supposed” to do this. Right now I’m sort of a certificates dope, but I’m working on it. Give me another month and I’ll have some definitive answers for you! I’ll make updates to this article, and probably write another one based on what I’ve learned about Microsoft certificates and PKI in general next month.

If you have some insight into this subject, I’d be glad to learn from you! Help me and other ISAserver.org members by writing to me at [email protected] and help me learn “which end eats” .

Notes on VPNs and the Default L2TP/IPSec Policy

This setup using the Wizards and Windows 2000/ISA Server on each end is easy. However, if you need to create gateway to gateway VPN setups with 3^rd party products, you might run into some challenges. Even though the protocols are open standards, implementations vary. Most often the sticking point is a difference in IPSec policies between the ISA/VPN server and the black box you’re connecting to.

Windows 2000 RRAS assigns a default IPSec policy to L2TP/IPSec connections. You cannot see this policy in the Local Security Policies or IPSec consoles. You may be able to have more success if you change the default L2TP IPSec policy to one that matches the one used in your black box. Stay tuned for a future article on this subject!

Conclusion

Configuring a L2TP/IPSec gateway to gateway VPN solution is easy using Windows 2000/ISA Server. The Wizards do most of the heavy lifting. However, you won’t be able to get it to work unless all the parties involved in creating the link have the appropriate certificates. In this article we went over the procedure required to make the gateway to gateway L2TP/IPSec configuration work.