Creating L2TP over IPSec VPNs between the OfficeConnect Cable/DSL Secure Gateway and the Microsoft VPN Client

1.0 Introduction

The OfficeConnect Cable/DSL Secure Gateway supports IPSec, PPTP and L2TP over IPSec for VPN connections. IPSec can be used for Gateway-to-Gateway (i.e. network-to-network) connections and remote user connections (i.e. single PC-to-network). PPTP and L2TP over IPSec are used for remote user connections only.

This document describes in detail the steps needed to configure VPNs between an OfficeConnect Cable/DSL Secure Gateway and an L2TP/IPSec VPN Client.

The supported Microsoft Operating Systems are:

  Windows NT4*
  Windows 98/Me*
  Windows 2000**
  Windows XP

* An L2TP over IPSec integrated VPN client for Windows NT4, 98 & Me is available from Microsoft at www.microsoft.com/vpn

** Requires changes to the Windows registry. Please follow the instructions on the Microsoft website, Microsoft Knowledge Base Article - 240262, http://support.microsoft.com/default.aspx?scid=kb;en-us;240262 and then refer back to this document.

IMPORTANT
The OfficeConnect Cable/DSL Secure Gateway does not support L2TP over IPSec tunnels initiated from behind a NAT device. If this is required, use either PPTP or IPSec as the VPN protocol.

Please select the section required:

  Configuring the OfficeConnect Secure Gateway for a remote L2TP over IPSec connection
  Configuring the L2TP VPN client on Windows XP
  Configuring the L2TP VPN client on Windows NT4
  Configuring the L2TP VPN client on Windows 98/Me
  Configuring the L2TP VPN client on Windows 2000

2.0 Connecting to the OfficeConnect Cable/DSL Secure Gateway using a L2TP over IPSec Client

[Figure 1: PC running VPN client software and an OfficeConnect Secure Gateway connecting via the Internet. Diagram labels: WAN IP - 60.0.32.15; Network 192.168.1.0; Secure Gateway; Internet; Cable or DSL modem; PC running VPN client software.]

2.1 Configuring the OfficeConnect Cable/DSL Secure Gateway

[Figure 2: L2TP over IPSec Connections on the OfficeConnect Cable/DSL Secure Gateway]

1. Select the L2TP over IPSec Server tick box. The screen will change to reflect this selection.
2. If the Gateway ID has not already been specified, enter a Gateway ID such as the WAN IP address of the gateway.
3. If required, enter the domain that the remote client will authenticate with.
4. Enter the IPSec Shared Key that will be used for all L2TP over IPSec client authentication.
5. Encryption Level - Check the level of encryption required. If both DES and 3DES are selected then the OfficeConnect Secure Gateway will accept either level.
6. Enter the First Remote IP Address and the Last Remote IP Address. This will be the range of IP addresses that remote PPTP & L2TP over IPSec users will be given when they connect.
   Note: Ensure that the IP addresses entered here do not overlap with the LAN DHCP address range!
7. Click on the Apply button on the right of the screen.
8. Click on the VPN Connections tab at the top of the page.
9. Click on the New button on the right of the screen. A pop-up window will appear.

[Figure 3: Configuring a VPN client connection on the OfficeConnect Cable/DSL Secure Gateway]

10. User Name - Enter the user name of the remote user that will be connecting.
11. Description - Add a description that will make the connection easily identifiable.
12. Connection Type - Click on the Remote User Access radio button.
13. Tunnel Type - Select L2TP over IPSec from the pull down menu.
14. Password - Enter the password that the remote user will use to authenticate the connection.
15. Click on the Add button on the right of the screen.

The OfficeConnect Cable/DSL Secure Gateway is now ready to accept a connection from a remote L2TP over IPSec VPN client. Make a note of all information used in the configuration, as it will be required to configure the VPN client.
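
The checks called out in section 2.1 and in the IMPORTANT note of the introduction can be run as a pre-flight audit before the values are typed into the gateway. This is an added example, not 3Com's code: the plan dictionary, its field names, the DHCP range and the client addresses are constructed for illustration, and treating an RFC 1918 client address as "behind NAT" is an assumption of the example.

```python
import ipaddress

# RFC 1918 private ranges; a client using one reaches the Internet through NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ip_range(first, last):
    """Parse an inclusive IPv4 range and reject a reversed one."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi

def audit_l2tp_plan(plan):
    """Return findings for a planned L2TP over IPSec server configuration.

    `plan` is a hypothetical dict mirroring the fields on the gateway's
    L2TP over IPSec screen; the gateway itself does not read this format.
    """
    findings = []
    pool = ip_range(plan["first_remote_ip"], plan["last_remote_ip"])
    dhcp = ip_range(plan["dhcp_first"], plan["dhcp_last"])
    # Two inclusive ranges overlap when each one starts before the other ends.
    if pool[0] <= dhcp[1] and dhcp[0] <= pool[1]:
        lo, hi = max(pool[0], dhcp[0]), min(pool[1], dhcp[1])
        findings.append(f"remote pool overlaps LAN DHCP range at {lo}-{hi}")
    # With both boxes ticked the gateway accepts either level, DES included.
    if {"DES", "3DES"} <= set(plan["encryption"]):
        findings.append("DES and 3DES both selected: DES will be accepted")
    # Tunnels initiated from behind NAT are unsupported for L2TP over IPSec.
    for user, addr in sorted(plan["clients"].items()):
        if any(ipaddress.ip_address(addr) in net for net in RFC1918):
            findings.append(f"{user} at {addr} is behind NAT: use PPTP or IPSec")
    return findings

# Constructed sample values; only the 192.168.1.0 network is from Figure 1.
DRAFT_PLAN = {
    "first_remote_ip": "192.168.1.40", "last_remote_ip": "192.168.1.60",
    "dhcp_first": "192.168.1.2", "dhcp_last": "192.168.1.50",
    "encryption": ["DES", "3DES"],
    "clients": {"alice": "10.0.0.5", "bob": "203.0.113.7"},
}
FIXED_PLAN = dict(DRAFT_PLAN, first_remote_ip="192.168.1.100",
                  last_remote_ip="192.168.1.120", encryption=["3DES"],
                  clients={"bob": "203.0.113.7"})

if __name__ == "__main__":
    for finding in audit_l2tp_plan(DRAFT_PLAN):
        print("FINDING:", finding)
    print("fixed plan findings:", audit_l2tp_plan(FIXED_PLAN))
```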

2.2 Configuring the VPN Client

Windows XP

3Com recommends using the Windows XP native L2TP over IPSec VPN client. The following describes how to configure this.

Step 1 - New Connection Wizard
From the Windows Start button, select Settings>Network Connections>New Connection Wizard.

Step 2 - New Connection Wizard
Click Next and select Connect to the network at my workplace.

Step 3 - New Connection Wizard
Click Next and select Virtual Private Network connection.

Step 4 - New Connection Wizard
Click Next and enter a name for the VPN connection.

Step 5 - New Connection Wizard
Click Next and choose an initial connection to dial if required.

Step 6 - New Connection Wizard
Click Next and enter the public (WAN) IP address of the OfficeConnect Secure Gateway.

Step 7 - New Connection Wizard
Click Next, then Finish.

Step 1 - Dial up Configuration
Select Properties on the Dial-Up connection prompt.

Step 2 - Dial up Configuration
Select the Security tab.

Step 3 - Dial up Configuration
Click IPSec settings and tick Use pre-shared key for authentication. Enter the OfficeConnect Secure Gateway L2TP IPSec Shared Key as the shared secret. Click OK.

Step 4 - Dial up Configuration
Select the Networking tab and change the Type of VPN to L2TP IPSec VPN. Click OK.

Step 5 - Options
Select the Options tab and check the Include Windows logon domain checkbox.

Step 6 - Connect
The Domain field is now visible. Enter the Domain specified in the OfficeConnect Secure Gateway L2TP Configuration.

Establishing a Connection

From the Windows Start button, select Settings>Network Connections and choose the connection that was configured to access the OfficeConnect Secure Gateway. Enter the Username and password and press Connect.

If selecting the connection does not present the username and password dialogue, click the connection with the right button and select Properties. Under the Options tab, tick the Prompt for name and password checkbox.

Windows NT4

Microsoft provides a freely available L2TP over IPSec VPN client for pre-Windows 2000 operating systems (not Windows 95). The installation file msl2tp.exe is available from the Microsoft web site http://www.microsoft.com/vpn.

In addition to the above Microsoft VPN client, Windows NT4 requires Service Pack 6A, which can be found at: http://www.microsoft.com/ntserver/nts/downloads/recommended/sp6/allsp6.asp

If the Point to Point Tunneling Protocol is not already installed, you will need to install it by using the following procedure:

Step 1
From Control Panel, open the Network folder.

Step 2 - Network Configuration
Select the Protocols tab. If the Network Protocols list does not include the Point to Point Tunneling Protocol, click Add. Otherwise Cancel the dialog and proceed to installation of the VPN client.

Step 3 - Select Network Protocol
Select the Point to Point Tunneling Protocol and click OK.

Step 4 - PPTP Configuration
Set the Number of Virtual Private Networks to 1.

Step 5 - Remote Access Setup
Add the RASPPTPM device if not already present. Click Continue and then close all the dialogs. Windows will need to restart.

Installation of the VPN Client

Step 1
Ensure your operating system is upgraded with the latest patches (see above).

Step 2
Download and install the Microsoft L2TP over IPSec VPN client msl2tp.exe (a reboot is required).

Step 3
From the Windows Start button select: Programs>Microsoft IPSec VPN>Microsoft IPSec VPN Configuration.

Step 4
Select Use a pre-shared key for IPSec authentication, and enter the OfficeConnect Secure Gateway L2TP over IPSec shared secret as the key (see below). Click OK.

Step 5
The IPSec configuration is now complete. You now need to create a new VPN connection in the Windows Dial-up networking Connection Wizard.

After installing the VPN client you will need to reboot the PC. After this, you will first need to reconfigure Remote Access.

Step 1
From Control Panel, open the Network folder.

Step 2 - Network Configuration
Select the Protocols tab. Select Point to Point Tunneling Protocol and click Properties.

Step 3 - Select Network Protocol
Change the Number of Virtual Private Networks to 2.

Step 4 - Remote Access Setup
Add the RASL2TPM device. Click Continue and then close all the dialogs. Windows will need to restart.

OfficeConnect Cable/DSL Secure Gateway VPN Set-Up Guide

Windows NT4 Dialup

Step 1
From My Computer, open Dial-Up Networking.

Step 2 - New Phonebook Entry
Create a new phonebook entry. Provide the entry with a name.

Step 3 - Configure Phonebook Entry
Click Next and leave all the check boxes unchecked.

Step 4 - Select Modem
Click Next and select the RASL2TPM modem.

Step 5 - Phone Number
Click Next. For the phone number, enter the public (WAN) IP address of the OfficeConnect Secure Gateway.

(The following steps may or may not appear during your setup.)

Step 6 - IP Address
Click Next. Leave your IP address as 0.0.0.0. The OfficeConnect Secure Gateway will provide this.

Step 7 - DNS Server
Click Next. You must manually configure the DNS server with the correct IP address otherwise the NT4 VPN client will not connect. Also configure a WINS server if required. Obtain the DNS and WINS information from the OfficeConnect Secure Gateway administrator. Click Next and Finish.

Step 8 - DNS Server
Select More and Edit Entry and modem properties.

Step 9 - DNS Server
Select the Server tab and ensure that the settings are as below. Click TCP/IP Settings.

Step 10 - TCP/IP Settings
Check the DNS (and WINS if required) are manually configured. If you wish to access Internet sites directly (not via the VPN connection), untick Use default gateway on remote network. However, you will need to leave this ticked if your VPN connection is to a site with multiple IP subnets. Click OK and OK again.

Step 11 - Connect
Enter the Username, password and Domain as specified in the VPN configuration in the OfficeConnect Secure Gateway and click on the OK button.

Establishing a Connection

From My Computer, select Dial-Up Networking and choose the phonebook entry that was configured to access the OfficeConnect Secure Gateway. Click Dial, enter the username and password (and domain if required) and then click OK.

Windows 98/Me

Microsoft provides a freely available L2TP over IPSec VPN client for pre-Windows 2000 operating systems (not Windows 95). The installation file msl2tp.exe is available from the Microsoft web site http://www.microsoft.com/vpn. However, if you wish to use the Microsoft VPN client, the following instructions will help you configure this.

In addition to the above Microsoft VPN client, Windows 98 requires the latest version of dialup networking to be installed for Windows 98 / 98SE, which can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;q285189&

It also requires the latest version of Internet Explorer to be installed (although this does not need to be used as the default browser).

Installation of the VPN Client

Step 1
Ensure your operating system is upgraded with the latest patches (see above).

Step 2
Download and install the Microsoft L2TP over IPSec VPN client msl2tp.exe (a reboot is required).

Step 3
From the Windows Start button select: Programs>Microsoft IPSec VPN>Microsoft IPSec VPN Configuration.

Step 4
Select Use a pre-shared key for IPSec authentication, and enter the OfficeConnect Secure Gateway L2TP over IPSec shared secret as the key (see below). Click OK.

Step 5
The IPSec configuration is now complete. You now need to create a new VPN connection in the Windows Dial-up networking Connection Wizard.

Windows 98, Me, Dial-up Networking Connection Wizard

Step 1
From My Computer, open Dial-Up Networking.

Step 2
Double click Make New Connection.

Step 3 - New Connection Wizard
Enter a name for the connection and set the device to be the Microsoft L2TP/IPSec VPN adapter.

Step 4 - New Connection Wizard
Click Next and enter the public (WAN) IP address of the OfficeConnect Secure Gateway as the VPN server.

Step 5 - New Connection Wizard
Click Finish to complete the wizard.

Step 6 - Dial-up Configuration
From My Computer, open up Dial-Up Networking. Select the new L2TP connection with the right mouse button and select Properties. On the Server Types tab, uncheck the NetBEUI and IPX/SPX Compatible tick boxes.

Step 7 - If a domain is being used, edit Client for Microsoft Networks
Right click on Network Neighbourhood. Then highlight Client For Microsoft Networks and click on the Properties button.

Step 8 - Configure domain name
Check the Log on to Windows NT domain checkbox and type the domain name entered in the OfficeConnect Secure Gateway in the Windows NT domain field.

Establishing a Connection

From My Computer, open up Dial-up Networking. Open the connection that you've just created to access the OfficeConnect Secure Gateway, enter the username and password and press Connect.

Windows 2000

The L2TP VPN client is a pre-installed component of the Windows 2000 operating system. However, configuring its use with a shared secret and defining the IPSec policies to allow L2TP over IPSec is required. Please follow the instructions on the Microsoft website, Microsoft Knowledge Base Article - 240262, http://support.microsoft.com/default.aspx?scid=kb;en-us;240262 and then refer back to this document.

Step 1 - New Connection Wizard
From the Windows Start button, select Settings>Network and Dialup Connections>Make New Connection.

Step 2 - New Connection Wizard
Click Next and select Connect to a private network through the Internet.

Step 3 - New Connection Wizard
Click Next and choose an initial connection to dial if required.

Step 4 - New Connection Wizard
Click Next and enter the public (WAN) IP address of the Gateway.

Step 5 - New Connection Wizard
Click Next and choose the connection availability.

Step 6 - New Connection Wizard
Click Next and enable Internet Connection Sharing if required. For security reasons 3Com recommends this be left disabled.

Step 7 - New Connection Wizard
Click Next, enter a name for the VPN connection, then click Finish.

Step 1 - Dial up Configuration
From the Windows Start button, select Settings>Network and Dial-up Connections and choose the connection that was configured to access the Gateway. Select Properties.

Step 2 - Dial up Configuration
Select the Networking tab and change the Type of VPN server to Layer-2 Tunneling Protocol (L2TP). Then click OK.

Establishing a Connection

From the Windows Start button, select Settings>Network and Dial-up Connections and choose the connection that was configured to access the OfficeConnect Secure Gateway. Enter the Username and password and press Connect.