Configuring a gateway to gateway VPN is easy using ISA Server. The reason why it’s so easy is that the Local and Remote VPN Wizards make the setup a virtual no-brainer. Well, it’s a no-brainer when you’re configuring PPTP VPN gateways. But if you’re in the market for a high security L2TP/IPSec gateway to gateway VPN, you probably have either been trying to avoid it like the plague or you are pulling your hair out trying to figure out how to make it work! Indeed, the certificate infrastructure configuration is a major barrier to entry for those considering L2TP/IPSec VPNs. The reason for this is that it’s virtually impossible to get the straight dope on how to install the certificates! Even the highly acclaimed VPN book by Fortenberry fails to make it clear how to install machine certificates using the Web interface for machines that are not domain members. He focuses on using the Web interface to get a user certificate for PPP EAP/TLS authentication. Forget about this! We’ll handle EAP/TLS at another time. What we want to do right now is to get a L2TP/IPSec link configured and working.
The real trick in making the certificate services infrastructure work is the ability to assign certificates to non-domain member computers. As you’ll see, assigning certificates to domain members is a snap. It’s getting the non-domain members a certificate that can give you a headache. In this lab we’ll put together a five computer VMware network that includes two VPN servers, a domain controller, a stand-alone root CA and a server on the remote network. In the first part of the article, we’ll get the infrastructure put together: install the servers, configure the certificate servers, and install certificates on the Local network. In the second part of the article we’ll install ISA Server, configure the gateway to gateway VPN, and install the certificates on the remote VPN server and remote file server.

Procedures in this lab include:

By the end of this two part lab, you’ll be the ISA/VPN L2TP/IPSec gateway to gateway Wizard!

The Lab Network

The graphic below shows the lab network: [IMAGE PROVIDED with LAB on DVD]

Service and IP configuration settings on each machine:

CLIENTDC:

Services:
WINS
DNS – Accepts dynamic updates – Configured manually, not via Active Directory Wizard
Active Directory – Domain name: internal.net

IP Configuration:

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : CLIENTDC
Primary DNS Suffix . . . . . . . : internal.net
DNS Suffix Search List. . . . . . : internal.net
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 10.0.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.2
Primary WINS Server . . . . . . . : 10.0.0.2

Installation Notes: Install Windows 2000 Advanced Server into the VM. Use the default settings except add the WINS and DNS server services and configure the IP settings manually. Create the DNS zone internal.net before running DCPROMO. Make sure you create both forward and reverse lookup zones (reverse lookup zone for network ID 10.0.0.0/24).
CERTSRV:

Services: No additional network services on installation

IP Configuration:

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : CERTSRV
Primary DNS Suffix . . . . . . . : internal.net
DNS Suffix Search List. . . . . . : internal.net
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 10.0.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.2
Primary WINS Server . . . . . . . : 10.0.0.2

Installation Notes: Install Windows 2000 Advanced Server into the VM using the default settings except for the manual configuration of the IP settings. Join the machine to the internal.net domain.
INTERNALVPN:

Services: No additional network services on installation

IP Configuration:

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : INTERNALVPN
Primary DNS Suffix . . . . . . . : internal.net
DNS Suffix Search List. . . . . . : internal.net
Ethernet adapter Local Area Connection (internal adapter):
IP Address. . . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.0.2
Primary WINS Server . . . . . . . : 10.0.0.2
Ethernet adapter Local Area Connection 2 (external adapter):
IP Address. . . . . . . . . . . . : 192.168.1.125
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

Installation Notes: This machine is dual homed. Use default settings during the Windows 2000 Advanced Server setup in the VM, except for the manual configuration of IP addressing and joining the domain.
EXTERNALVPN:

Services: No additional network services on installation

IP Configuration:

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : EXTERNALVPN
Primary DNS Suffix . . . . . . . :
DNS Suffix Search List. . . . . . :
Ethernet adapter Local Area Connection (internal adapter):
IP Address. . . . . . . . . . . . : 172.16.0.1
Subnet Mask . . . . . . . . . . . : 255.240.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 172.16.0.2
Primary WINS Server . . . . . . . : 172.16.0.2
Ethernet adapter Local Area Connection 2 (external adapter):
IP Address. . . . . . . . . . . . : 192.168.1.126
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

Installation Notes: This machine is dual homed. Use default settings during the Windows 2000 Advanced Server setup in the VM, except for the manual configuration of IP addressing and joining the domain.
EXTERNALSRV:

Services:
All IIS Services
DNS – Accepts dynamic updates
WINS

IP Configuration:

Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : EXTERNALSRV
Primary DNS Suffix . . . . . . . :
DNS Suffix Search List. . . . . . :
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 172.16.0.2
Subnet Mask . . . . . . . . . . . : 255.240.0.0
Default Gateway . . . . . . . . . : 172.16.0.1
DNS Servers . . . . . . . . . . . : 172.16.0.2
Primary WINS Server . . . . . . . : 172.16.0.2

Installation Notes: Install Windows 2000 Advanced Server into the VM using the default settings except for the manual configuration of the IP settings.
The order of installation should be (from first to last): CLIENTDC, CERTSRV, INTERNALVPN, EXTERNALVPN, EXTERNALSRV.
Installing Certificate Server on the Domain Controller

To test how to obtain a machine certificate from an Active Directory integrated Enterprise Root Certificate Server, we’ll install Certificate Server on our domain controller, ISACLIENTDC. Perform the following steps to install Certificate Server on the domain controller:
The Certificate Server is now installed and can assign machine (computer) certificates. Now let’s see how to configure Group Policy to autoenroll machines that are members of the domain.

Configuring Autoenrollment using Group Policy

Perform the following steps to configure domain Group Policy to autoenroll domain members so that they automatically receive a machine certificate:
After you complete the Wizard, the Certificate Server will automatically assign machine certificates to all machines in the domain. The machines will obtain a certificate during the next policy refresh, or when you restart the computer. If you don’t want to wait for the policy refresh or restart the computer, you can use the secedit utility to force a policy refresh. Just issue the following command at the command prompt:

secedit /refreshpolicy machine_policy /enforce

Confirming Installation of the Machine Certificate

You want to make sure that all the domain members have a machine certificate before you continue with configuring the VPN. Make sure that you’ve restarted the machine or used the secedit command, and then perform the following steps to view the certificate.
Using the MMC Console to Request a Certificate

Since we’re in the Certificates mmc right now, let’s see how you can request a certificate from an Enterprise Root CA using the mmc. You can use this method if you don’t want to, or can’t, use the autoenrollment Group Policy. Be aware that the machine making the request must be a member of the same domain as the Enterprise Root Certificate Server. You cannot use this method if the requesting machine is not in the same domain.
Installing a Stand-alone Root CA

In this section we’ll install a standalone root CA on the CERTSRV computer. The reason for the standalone root CA is that we need to install a certificate on the remote ISA/VPN server. We might also want a certificate so that the remote file server can use IPSec through the L2TP/IPSec tunnel (VPN IPSec pass-through). We will need to use the Web interface to obtain a certificate for the remote ISA/VPN server because the remote ISA/VPN server is not a member of the domain. The remote ISA/VPN server in this lab is configured as a standalone server that is a member of a workgroup. Note that it is not required that the remote ISA/VPN server be a standalone server that is a member of a workgroup and obtain a machine certificate later. We could easily make the remote ISA/VPN server a member of the same domain as our domain controller (CLIENTDC). However, we would have to install the remote ISA/VPN server while it was connected to the local network. Then we would make the machine a member of the domain. After making the machine a member of the domain, we could take advantage of autoenrollment, or use the Certificates mmc. Then we either leave the machine as a member of the same domain, or remove the machine from the domain and move it to the remote site. The certificate will still be in place even if the machine is removed from the domain. On the CERTSRV machine, perform the following steps to install the standalone root CA Certificate Server:
Obtaining a Certificate from the Standalone Root using the Web Interface

The INTERNALVPN, EXTERNALVPN and EXTERNALSRV computers are all going to need a certificate from the standalone root CA. We won’t be able to obtain a certificate for the EXTERNALVPN and EXTERNALSRV computers until we have the gateway to gateway VPN configured. But we can install the certificate on the INTERNALVPN computer now.
NOTE: When testing these configurations, I had a hell of a time getting things to work when I set the strong private key protection option. I don’t know why this is the case, because it certainly sounds like a good thing. If any of you know what the deal is with this setting, send me a note at [email protected]. Also, I only tested with 512 bit key sizes. I assume that it would work as well (with perhaps a performance hit) with 1024 bit key size. If you configure with 1024 bit key sizes and it works, let me know about that too!
Notes on Certificate Installation

Do you need both a client and server certificate? We’ll test later to see if only the client certificate is required, only the server certificate is required, or if both are required. Since both routers are acting in the role of client and server, you would figure that you need both the client and server certificates. However, here’s a snippet from a Microsoft Whitepaper on configuring gateway to gateway VPNs:

“For a third-party CA, see the documentation for the CA software for instructions about how to create a certificate with the Server Authentication certificate purpose (OID “1.3.6.1.5.5.7.3.1”) and export it so that it can be imported using the Certificate Manager snap-in by an administrator on the answering router. Additionally, the root CA certificate, the certificate of the issuing CA, and the certificates of any intermediate CAs must be exported and imported on the calling router.”

The white paper didn’t give any specific advice regarding the type of certificate that needed to be installed on the Windows 2000 VPN gateway. But if I’m reading this correctly, it seems to say that a certificate with OID 1.3.6.1.5.5.7.3.1 should be all we need. If this is true, then we only need a server certificate and not the client certificate. Again, we never want to believe what we read, so we’ll test these theories out in the second part of this article. I will tell you that this is definitely the case when you configure the VPN server to act as a VPN server only (and it is not configured as a VPN gateway). All you need with this setup is a server certificate on the VPN server and a client certificate on the VPN client. Both these certificate types can be obtained via the Web interface from a stand-alone root certificate server.
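Before testing which certificate purpose the gateways need, it helps to see exactly what is sitting in each gateway’s machine store. The following PowerShell script is an added example, not part of the original article or of ISA Server; it is the scripted equivalent of browsing the Certificates mmc on a modern Windows host. It lists every certificate in the local computer’s Personal store, reports whether it carries the Server Authentication (1.3.6.1.5.5.7.3.1) or Client Authentication (1.3.6.1.5.5.7.3.2) purpose, whether the private key is present, and whether the certificate chains to a root the machine trusts. The function name Get-VpnMachineCert is my own choice.

```powershell
# Added example: inventory machine certificates relevant to L2TP/IPSec.
# Run in an elevated PowerShell on the VPN gateway (LocalMachine store).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ekuExt) { return @() }   # no EKU extension: valid for any purpose
    return @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-VpnMachineCert {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $oids = Get-EkuOids -Cert $cert
        $anyPurpose = ($oids.Count -eq 0)

        # Build the chain without revocation checking: a lab standalone root
        # may not publish a CRL that the gateway can reach, and a spurious
        # revocation failure would hide whether the trust chain itself is intact.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $chainNote = if ($chainOk) { 'OK' } else {
            ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }

        [PSCustomObject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Expires       = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $anyPurpose -or ($oids -contains $ServerAuthOid)
            ClientAuth    = $anyPurpose -or ($oids -contains $ClientAuthOid)
            Chain         = $chainNote
        }
    }
}

Get-VpnMachineCert | Format-Table -AutoSize
```

A certificate that shows HasPrivateKey = False or a Chain value other than OK will not be usable for IKE authentication, whichever purpose it carries; the root CA’s certificate must be in the Trusted Root Certification Authorities store of the local computer, not of the logged-on user.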
In the second part of this article, we’ll install ISA Server, configure the gateway-to-gateway VPN using the Local and Remote VPN Wizards, tweak the VPN settings in the RRAS console, establish a PPTP connection between the networks so we can get the certificates installed on the remote computers, and then test the L2TP/IPSec gateway-to-gateway VPN. See ya next week! -Tom.