Configuring Gateway to Gateway L2TP/IPSec VPNs Part 1: Configuring the Infrastructure

Configuring a gateway to gateway VPN is easy using ISA Server. The reason why it’s so easy is that the Local and Remote VPN Wizards make the setup a virtual no-brainer. Well, it’s a no-brainer when you’re configuring PPTP VPN gateways. But if you’re in the market for a high security L2TP/IPSec gateway to gateway VPN, you probably have either been trying to avoid it like the plague or you are pulling your hair out trying to figure out how to make it work!

Indeed, the certificate infrastructure configuration is a major barrier to entry for those considering L2TP/IPSec VPNs. The reason for this is that’s its virtually impossible to get the straight dope on how to install the certificates! Even the highly acclaimed VPN book by Fortenberry fails to make it clear how to install machine certificates using the Web interface for machines that are not domain members. He focuses on using the Web interface to get a user certificate for PPP EAP/TLS authentication. Forget about this! We’ll handle EAP/TLS at another time. What we want to do right now is to get a L2TP/IPSec link configured and working.

Attention:
 

The real trick in making the certificate services infrastructure work is the ability to assign certificates to non-domain member computers. As you’ll see, assigning certificates to domain members is a snap. Its getting the non-domain members a certificate that can give you a headache.

In this lab we’ll put together a five computer VMware network that includes two VPN servers, a domain controller, a stand-alone root CA and a server on the remote network. In the first part of the article, we’ll get the infrastructure put together; install the servers, configure the certificate servers, and install certificates on the Local network. In the second part of the article we’ll install ISA Server, configure the gateway to gateway VPN, and install the certificates on the remote VPN server and remote file server.

Procedures in this lab include:

By the end of this two part lab, you’ll be the ISA/VPN L2TP/IPSec gateway to gateway Wizard!

The Lab Network

The graphic below shows the lab network:

Service and IP configuration settings on each machine:

CLIENTDC:

Services:

WINS

DNS

–Accepts dynamic updates

–Configured manually, not via Active Directory Wizard

Active Directory

Domain name: internal.net

[IMAGE PROVIDED with LAB on DVD]

IP Configuration:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : CLIENTDC

Primary DNS Suffix . . . . . . . : internal.net

DNS Suffix Search List. . . . . . : internal.net

Ethernet adapter Local Area Connection:

IP Address. . . . . . . . . . . . : 10.0.0.2

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.0.0.1

DNS Servers . . . . . . . . . . . : 10.0.0.2

Primary WINS Server . . . . . . . : 10.0.0.2

Installation Notes:

Install Windows 2000 Advanced Server into the VM. Use the default settings except add the WINS and DNS server services and configure the IP settings manually. Create the DNS zone, internal.net before running DCPROMO. Make sure you create both forward and reverse lookup zones (reverse lookup zone for network ID 10.0.0./24).

CERTSRV:

Services:

No additional network services on installation

IP Configuration:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : CERTSRV

Primary DNS Suffix . . . . . . . : internal.net

DNS Suffix Search List. . . . . . : internal.net

Ethernet adapter Local Area Connection:

IP Address. . . . . . . . . . . . : 10.0.0.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.0.0.1

DNS Servers . . . . . . . . . . . : 10.0.0.2

Primary WINS Server . . . . . . . : 10.0.0.2

Installation Notes:

Install Windows 2000 Advanced Server into the VM using the default settings except for the manual configuration of the IP settings. Join the machine to the internal.net domain.

INTERNAL VPN:

Services:

No additional network services on installation

IP Configuration:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : INTERNALVPN

Primary DNS Suffix . . . . . . . : internal.net

DNS Suffix Search List. . . . . . : internal.net

Ethernet adapter Local Area Connection (internal adapter):

IP Address. . . . . . . . . . . . : 10.0.0.1

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 10.0.0.2

Primary WINS Server . . . . . . . : 10.0.0.2

Ethernet adapter Local Area Connection 2 (external adapter):

IP Address. . . . . . . . . . . . : 192.168.1.125

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . :

Installation Notes:

This machine is dual homed. Use default settings during the Windows 2000 Advanced Server setup in the VM, except for the manual configuration of IP addressing and joining the domain.

EXTERNAL VPN:

Services:

No additional network services on installation

IP Configuration:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : EXTERNALVPN

Primary DNS Suffix . . . . . . . :

DNS Suffix Search List. . . . . . :

Ethernet adapter Local Area Connection (internal adapter):

IP Address. . . . . . . . . . . . : 172.16.0.1

Subnet Mask . . . . . . . . . . . : 255.240.0.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 172.16.0.2

Primary WINS Server . . . . . . . : 172.16.0.2

Ethernet adapter Local Area Connection 2 (external adapter):

IP Address. . . . . . . . . . . . : 192.168.1.126

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . :

Installation Notes:

This machine is dual homed. Use default settings during the Windows 2000 Advanced Server setup in the VM, except for the manual configuration of IP addressing and joining the domain.

EXTERNALSRV:

Services:

All IIS Services

DNS

–Accepts dynamic updates

WINS

IP Configuration:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : EXTERNALSRV

Primary DNS Suffix . . . . . . . :

DNS Suffix Search List. . . . . . :

Ethernet adapter Local Area Connection:

IP Address. . . . . . . . . . . . : 172.16.0.2

Subnet Mask . . . . . . . . . . . : 255.240.0.0

Default Gateway . . . . . . . . . : 172.16.0.1

DNS Servers . . . . . . . . . . . : 172.16.0.2

Primary WINS Server . . . . . . . : 172.16.0.2

Installation Notes:

Install Windows 2000 Advanced Server into the VM using the default settings except for the manual configuration of the IP settings.

The order of installation should be (from first to last):

CLIENTDC

CERTSRV

INTERNALVPN

EXTERNALVPN

EXTERNALSRV

Installing Certificate Server on the Domain Controller

To test how to obtain a machine certificate from an Active Directory integrated Enterprise Root Certificate Server, we’ll install Certificate Server on our domain controller, ISACLIENTDC.

Perform the following steps to install Certificate Server on the domain controller:

1. Click Start, point to Settings and then click on Control Panel.
   
2. Open the Add/Remove Programs applet.
   
3. Click the Add/Remove Windows Components button on the left side of the Add/Remove Programs applet.

4. In the Windows Components Wizard dialog box, place a checkmark in the Certificate Services checkbox. You will get a warning dialog box telling you that you cannot rename the computer or remove or join a domain. Fine. Click Yes, then click Next.

5. If the machine is a Terminal Server (and it is in this lab), you’ll see the Terminal Services Setup dialog box. Select the Remote administration mode and click Next.

6. On the Certification Authority Type page, select the Enterprise root CA option. This option required Active Directory. This is correct option because we want to be able to use the Certificates MMC and/or autoenrollment to install a machine certificate on our ISA/VPN servers. Click Next.

7. On the CA Identifying Information page, fill in all the fields as seen in the figure below. In reality, the only field that’s required is the CA name field. The other’s are optional but it’s a good idea to fill them all in so that you can easily identify the source and purpose of the Certificate Server. Click Next.

8. On the Data Storage Location page, accept the defaults for where you want to put the Certificate database and Certificate Database Log. You have the option to Store configuration information in a shared folder, but this is not required unless you want other CAs in your organization to use this information. Click Next.

9. You will get a warning dialog box informing you that IIS must be stopped before proceeding. Click OK.

10. You will be asked for the Windows 2000 CD ROM. Put the Windows 2000 CD ROM into the drive and click OK.
    
11. When the Wizard is complete, click Finish.

The Certificate Server is now installed and can assign machine (computer) certificates. Now let’s see how to configure Group Policy to autoenroll machines that are members of the domain.

Configuring Autoenrollment using Group Policy

Perform the following steps to configure domain Group Policy to autoenroll domain members so that they automatically receive a machine certificate:

1. Click Start, point to Programs and point to Administrative Tools. Click on Active Directory Users and Computers.
   
2. In the Active Directory Users and Computers console, right click on your domain and click Properties.
   
3. On the domain Properties dialog box, click on the Group Policy tab.
   
4. On the Group Policy tab, click on the Default Domain Policy and click Edit.
   
5. Expand the Computer Configuration node, then expand the Windows Settings node, then expand the Security Settings node, and finally expand the Public Key Policies node.
   
6. Right click on the Automatic Certificate Request Settings node, point to New and click on Automatic Certificate Request.

7. The Welcome to the Automatic Certificate Request Setup Wizard begins. Click Next.

8. On the Certificate Template page, select the Computer certificate template and click Next.

9. On the Certificate Authority page, accept the default and click Next.

10. On the Completing the Automatic Certificate Request Setup page, click Finish.

After you complete the Wizard, the Certificate Server will automatically assign machine certificates to all machines in the domain. The machines will obtain a certificate during the next policy refresh, or when you restart the computer. If you don’t want to wait for the policy refresh or restart the computer, you can use the secedit utility to force a policy refresh. Just issue the following command at the command prompt:

secedit /refreshpolicy machine_policy /enforce

Confirming Installation of the Machine Certificate

You want to make sure that all the domain members have a machine certificate before you continue with configuring the VPN. Make sure that you’ve restarted the machine or used the secedit command, and then perform the following steps to view the certificate.

1. Click Start and click the Run command.
   
2. In the Run dialog box, type mmc in the Open text box and click OK.
   
3. Click the Console menu and then click the Add/Remove Snap-in command.
   
4. In the Add/Remove Snap-in dialog box, click the Add button.
   
5. In the Add Stand-alone Snap-in dialog box, select Certificates and click Add.

6. On the This snap-in will always manage certificates for page box, select the Computer account option and click Next.

7. In the Select the computer you want this Snap-in to manage page, select the Local computer option and click Finish.

8. Click Close in the Add Standalone Snap-in dialog box.
   
9. Click OK in the Add/Remove Snap-in dialog box.
   
10. In the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on the Certificates node. Double click on the certificate in the right pane to view the certificate (this is a certificate that was assigned to the CERTSRV computer). Close the Certificate dialog box to return to the Certificates mmc.

Using the MMC Console to Request a Certificate

Since we’re in the Certificates mmc right now, let’s see how you can request a certificate from an Enterprise Root CA using the mmc. You can use this method if you don’t want to, or can’t, use the autoenrollment Group Policy. Be aware that the machine making the request must be a member of the same domain as the Enterprise Root Certificate Server. You cannot use this method if the requesting machine is not in the same domain.

1. In the Certificates mmc console, right click on the certificate that was obtained via autoenrollment and click Delete.
   
2. You will see a dialog box warning you that you will not be able to decrypt data using this certificate (if you remove it). Click Yes.

3. The certificate should now be removed. Right click on the Certificates node in the left pane of the console, point to All Tasks and click on Request New Certificate.

4. The Welcome to the Certificate Request Wizard page appears. Click Next.
   
5. On the Certificate Template page, select the Computer certificate (should be the only one you see) and click Next.
   
6. On the Certificate Friendly Name and Description page, you can type something like machine cert for the Friendly name and click Next.

7. Review the settings on the Completing the Certificate Request Wizard page and click Finish. Click OK in the dialog box that informs you that the request was successful.
   
8. Close the Certificates mmc. In the dialog box that if you want to save the console settings, click Yes.
   
9. Save the console on the desktop with the name Certificates.

Installing a Stand-alone Root CA

In this section we’ll install a standalone root CA on the CERTSRV computer. The reason for the standalone root CA is that we need to install a certificate on the remote ISA/VPN server. We might also want a certificate so that the remote file server can use IPSec through the L2TP/IPSec tunnel (VPN IPSec pass-through). We will need to use the Web interface to obtain a certificate for the remote ISA/VPN server because the remote ISA/VPN server is not a member of the domain. The remote ISA/VPN server in this lab is configured as a standalone server that is a member of a workgroup.

Note that it is not required that the remote ISA/VPN server be a standalone server that is a member of a workgroup and obtain a machine certificate later. We could easily make the remote ISA/VPN server a member of the same domain as our domain controller (CLIENTDC). However, we would have to install the remote ISA/VPN server when it was connected to the local network. Then we would make the machine a member of the domain. After making the machine a member of the domain, we could take advantage of autoenrollment, or use the Certificates mmc. Then we leave the machine as a member of the same domain, or remove the machine from the domain and move it to the remote site. The certificate will see be in place even if the machine is removed from the domain.

On the CERTSRV machine, perform the following steps to install the standalone root CA Certificate Server:

1. Click Start, point to Settings and then click on Control Panel.
   
2. Open the Add/Remove Programs applet.
   
3. Click the Add/Remove Windows Components button on the left side of the Add/Remove Programs applet.
   
4. In the Windows Components Wizard dialog box, place a checkmark in the Certificate Services checkbox. You will get a warning dialog box telling you that you cannot rename the computer or remove or join a domain. Fine. Click Yes, then click Next.
   
5. If the machine is a Terminal Server (and it is in this lab), you’ll see the Terminal Services Setup dialog box. Select the Remote administration mode and click Next.
   
6. On the Certification Authority Type page, select the Stand-alone root CA option. This type of CA does not require Active Directory. Click Next.

7. Enter the identifying information on the CA Identifying Information page. The only required field is the CA name, but you should include the rest of the information to make it easier to figure out what the CA is for. Click Next.

8. On the Data Storage Location accept the defaults in this lab. You do not need to create a shared folder for storage configuration (I do this out of habit, but it is not required for this lab). Click Next. Click OK in the dialog box that informs you that IIS must be stopped.

9. Insert the CD ROM into the drive when asked. Click Finish when the installation is complete. Close Close to close the Add/Remove Programs dialog box.

Obtaining a Certificate from the Standalone Root using the Web Interface

The INTERNALVPN, EXTERNALVPN and EXTERNALSRV computers are all going to need a certificate from the standalone root CA. We won’t be able to obtain a certificate for the EXTERNALVPN and EXTERNALSRV computers until we have the gateway to gateway VPN configured. But we can install the certificate on the INTERNALVPN computer now.

1. On the INTERNALVPN machine, open up the browser.
   
2. On the Welcome to the Internet Connection Wizard page, select the last option as seen in the figure.

3. On the Setting up your Internet connection page, select the I connect through a local area network (LAN) option and click Next.

4. On the Local area network Internet configuration page, remove the checkmark from the Automatic discovery checkbox. Click Next.

5. On the Set UP Your Internet Mail Account page, select No and click Next.
   
6. On the Completing the Internet Connection Wizard page, click Finish.
   
7. In the Address bar of Internet Explorer type http://certsrv/certsrv and press [ENTER].
   
8. On the Welcome page, select the Request a certificate option and click Next.

9. On the Advanced Request page, select the Advanced request option and click Next.

10. On the Advanced Certificate Requests page, select the Submit a certificate request to this CA using a form and click Next.

11. On the Advanced Certificate Request page, fill in the identifying information as seen in the figure. For the Intended Purpose select the Client Authentication Certificate option. Set the Key Size to 512, select the Mark keys as exportable and Use local machine store options. Click Submit. Click OK in the Creating a new RSA exchange key! dialog box.

NOTE:

When testing these configurations, I had a hell of time getting things to work when I set the strong private key protection option. I don’t know why this is the case, because it certainly sounds like a good thing J . If any of you know what the deal is with this setting, send me a note at [email protected]. Also, I only tested with 512 bit key sizes. I assume that it would work as well (with perhaps a performance hit) with 1024 bit key size. If you configure with 1024 bit key sizes and it works, let me know about that too!

12. The Certificate Pending page informs you that your request must be approved. Click the Home link in the upper right side of the page.
    
13. Go to the CERTSRV machine. Click Start, point to Programs and then point to Administrative Tools. Click on the Certificate Authority entry.
    
14. In the Certificate Authority console, click on the Pending Requests node in the left pane of the console. Right click on the certificate request in the right pane of the console and point to All Tasks. Click on Issue.

15. Return to the browser on the INTERNALVPN machine. On the Welcome page, select the Check on a pending certificate option and click Next.
    
16. On the Check On A Pending Certificate Request page, select the certificate and click Next.

17. On the Certificate Issued page, click on the Install this certificate link.

18. After receiving the Certificate Installed page, close the browser.

19. Now, repeat steps 7 through 18, but this time obtain a Server Certificate instead of the client certificate.
    
20. After you have obtained both the client and server certificate, open the Certificates console and confirm that both certificates were installed in the Local Computer certificate store.

Notes on Certificate Installation

Do you need both a client and server certificate? We’ll test later to see if only the client certificate is required, only the server certificate is required, or if both are required. Since both routers are acting in the role of client and server, you would figure that you need both the client and server certificates. However, here’s a snippet from a Microsoft Whitepaper on configuring gateway to gateway VPNs:

“For a third-party CA, see the documentation for the CA software for instructions about how to create a certificate with the Server Authentication certificate purpose (OID “1.3.6.1.5.5.7.3.1”) and export it so that it can be imported using the Certificate Manager snap-in by an administrator on the answering router. Additionally, the root CA certificate, the certificate of the issuing CA, and the certificates of any intermediate CAs must be exported and imported on the calling router.”

The white paper didn’t give any specific advice regarding the type of certificate that needed to be installed on the Windows 2000 VPN gateway. But if I’m reading this correctly, it seems to say that a certificate with OID 1.3.6.1.5.5.7.3.1 should be all we need. If this is true, then we only need a server certificate and not the client certificate. Again, we never want to believe what we read, so we’ll test these theories out in the second part of this article.

I will tell you that is definitely the case when you configure the VPN server to act as a VPN server only (and is not configured as a VPN gateway). All you need with this setup is a server certificate on the VPN server and a client certificate on the VPN client. Both these certificate types can be obtained via the Web interface from a stand-alone root certificate server.

In the second part of this article, we’ll install ISA Server, configure the gateway-to-gateway VPN using the Local and Remote VPN Wizards, tweak the VPN settings in the RRAS console, establish a PPTP connection between the networks so we can get the certificates installed on the remote computers, and then test the L2TP/IPSec gateway-to-gateway VPN. See ya next week! -Tom.