Windows: IPSec/L2TP Client
From ReceptiveIT
Windows 2000 and XP have built-in IPSec support, but configuring it directly is fairly complex. Luckily, the L2TP over IPSec mechanism provides a secure VPN that is easy to configure on the client PC.
Setting up
Import the x509 digital certificate
1. Click on Start, then select Run, then type mmc and click OK
2. Click on File, then select Add/Remove Snap-in
3. Click on Add
4. Select Certificates and click Add
5. Select Computer account and click Next
6. Select Local computer and click Finish. Click Close and then OK
7. Expand Certificates (Local Computer), then expand Personal
8. Right click on Certificates, then select All Tasks, then select Import
9. Click on Next
10. Click on Browse
11. Change the Files of type: drop-down to Personal Information Exchange (*.pfx;*.p12), select your digital certificate, then click Open
12. Click Next
13. Enter your certificate password in the Password field:
14. Leave Place all certificates in the following store selected, leave the Certificate store as Personal, and click Next
15. Click Finish
16. You should see a window that says The import was successful. Click OK
17. Click and hold the Certificate Authority certificate, located under Personal \ Certificates, and drag it to Trusted Root Certification Authorities \ Certificates
18. Click on File, then click on Exit. If you are prompted to save console settings, click on No
Add a L2TP VPN
1. Click on Start, then select Programs then Accessories
2. Select Communications then New Connection Wizard
3. In the New Connection Wizard, click Next
4. Select Connect to the Network at my workplace and click Next
5. Select Virtual Private Network connection and click Next
6. Enter Work VPN into the Company Name field and click Next
7. Enter the fully qualified hostname of the VPN concentrator into the Host name or IP address field and click Next
8. Click on the checkbox next to Add a shortcut to this connection to my desktop and click Finish
9. Click on Start, then select Connect To then Show all connections
10. Right click on Work VPN, then select Properties
11. Select Networking from the top tabs
12. Drop down Type of VPN, select L2TP IPSec VPN and click OK
13. Double click on the shortcut to Work VPN
14. Enter your username into the User name field, enter your password into the Password field. You can check Save this user name and password for convenience. Click Connect.
Troubleshooting
IPSec IKE Logging
To debug IKE on Windows, start regedit, move to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
and create a new key, "Oakley". Then, inside Oakley, create a new DWORD, "EnableLogging". Set this to 1. Windows will then log Oakley debug messages to \WINNT\Debug\Oakley.log. Now that's what I call obvious!
Windows Specific Notes
If the certificate you created and imported into Windows expires later than the CA certificate that issued it, Windows will not use the certificate. You may receive an error in the event log stating IKE failed to find valid machine certificate.
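To check for this condition before attempting a connection, the following added example (not part of the original page) builds the chain for each machine certificate that has a private key and flags any certificate whose expiry is later than an issuing CA's. It assumes PowerShell is available on the client and that the CA certificate has already been placed in Trusted Root Certification Authorities as described in the import steps.

```powershell
# Added example: find machine certificates that outlive their issuing CA.
# Assumes the CA certificate is already in Cert:\LocalMachine\Root.
$noCheck = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($cert in $machineCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # CRL lookups are skipped here; IKE's own CRL behaviour is governed by strongcrlcheck.
    $chain.ChainPolicy.RevocationMode = $noCheck

    if (-not $chain.Build($cert)) {
        # Typically the CA certificate is missing from the Trusted Root store.
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning ("{0}: chain does not build ({1})" -f $cert.Subject, $reasons)
        continue
    }

    # ChainElements[0] is the leaf itself; the remaining elements are issuing CAs.
    $issuers = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }
    $ok = $true
    foreach ($ca in $issuers) {
        if ($cert.NotAfter -gt $ca.NotAfter) {
            $ok = $false
            $msg = "{0} expires {1:u}, after its CA {2} expires ({3:u}); IKE will not use it"
            Write-Warning ($msg -f $cert.Subject, $cert.NotAfter, $ca.Subject, $ca.NotAfter)
        }
    }
    if ($ok) {
        Write-Output ("{0}: OK, expires {1:u} within CA validity" -f $cert.Subject, $cert.NotAfter)
    }
    $chain.Reset()
}
```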
Stop the IPSec service
net stop policyagent
Start the IPSec service
net start policyagent
Disable Internet Key Exchange (IKE) certificate revocation list (CRL) checking
By default, in Windows 2000 CRLs are not checked during IKE certificate authentication. In Windows XP and the Windows Server 2003 family, CRLs are checked during IKE certificate authentication, but a fully successful check is not required for the certificate to be accepted. In some cases, failures during CRL processing might cause IKE to not accept the certificate. Or, the delay required for CRL checking might delay IKE negotiation enough to cause the connection attempt to time out. To determine whether certificate authentication will be successful without CRL checking, you can disable IKE CRL checking. To do this, type the following at the command prompt:
netsh ipsec dynamic set config strongcrlcheck 0
Enabling the IKE tracing log in Windows 2000 and Windows XP
In Windows 2000 and Windows XP, you must enable IKE tracing by modifying the registry. For the changes to take effect, you must also stop and restart the IPSec service:
To enable the IKE tracing log in Windows XP and Windows 2000, do the following:
Set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging DWORD registry setting to a value of 1.
The Oakley key does not exist by default and must be created.
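The registry change above (also described under IPSec IKE Logging) and the service restart it requires can be scripted. The following is an added example, not part of the original page; it assumes PowerShell is available on the Windows 2000/XP client and is run from an administrative prompt.

```powershell
# Added example: create the Oakley key and EnableLogging DWORD, then restart the
# IPSec Policy Agent so the setting takes effect (the changes are not picked up
# while the service is running on Windows 2000/XP).
$oakley = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'

function Set-IkeTracing {
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Enabled)

    # The Oakley key does not exist by default; create it once.
    if (-not (Test-Path $oakley)) {
        New-Item -Path $oakley -Force | Out-Null
    }
    # -Force creates the value if it is missing and overwrites it otherwise.
    New-ItemProperty -Path $oakley -Name 'EnableLogging' -Value $Enabled `
        -PropertyType DWord -Force | Out-Null

    # Equivalent of "net stop policyagent" followed by "net start policyagent".
    Restart-Service -Name PolicyAgent -Force

    # Return the effective value so the caller can confirm the change.
    (Get-ItemProperty -Path $oakley -Name 'EnableLogging').EnableLogging
}

Set-IkeTracing -Enabled 1

# Debug output lands in Oakley.log under the Windows debug directory
# (%SystemRoot% is WINNT on Windows 2000); show the tail after a connection attempt.
$log = Join-Path $env:SystemRoot 'Debug\Oakley.log'
if (Test-Path $log) { Get-Content $log | Select-Object -Last 20 }
```

Run Set-IkeTracing -Enabled 0 and restart the service again to stop logging once the problem is diagnosed; on Windows Server 2003 use the netsh ikelogging command below instead.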
Enabling and disabling the IKE tracing log in the Windows Server 2003 family
In the Windows Server 2003 family, you can enable or disable the IKE tracing log dynamically while the IPSec service is running by doing the following:
To enable the IKE tracing log, type the following at the command prompt:
netsh ipsec dynamic set config ikelogging 1
This command creates the IKE tracing log file if it does not exist. If the file does exist, it appends logging information to the existing file.
To disable the IKE tracing log, type the following at the command prompt:
netsh ipsec dynamic set config ikelogging 0
View IPSec Status
Windows 2000
netdiag /test:ipsec /v /debug
Windows XP
ipseccmd show all
Windows 2003 Server
netsh ipsec dynamic show all