Microsoft Internet Security and Acceleration ISA Server 2004 Unleashed. Author: Noel M. Published year: 2005. Pages: 104-105/216
Configuring a Point-to-Point Tunneling Protocol (PPTP) Site-to-Site VPN Between Two Remote Offices

A Point-to-Point Tunneling Protocol VPN connection is the most straightforward of the three to set up and configure: it does not require an existing public key infrastructure (PKI), nor the more involved configuration of IPSec Tunnel Mode. On the flip side, PPTP connections are the least secure of the three options. The following section details the steps involved in setting up a site-to-site VPN connection via PPTP. If using L2TP or IPSec Tunnel Mode instead, skip this section and proceed directly to the subsequent sections, "Configuring a Layer 2 Tunneling Protocol (L2TP) Site-to-Site VPN Connection Between Two ISA Servers in Remote Sites" or "Configuring ISA 2004 to Integrate with Third-Party VPN Tunnel Products."

Configuring the PPTP Remote Site Network Definition on the ISA Servers

The first step in setting up a PPTP site-to-site VPN connection is to configure the remote site network definition. To do this, perform the following steps:
NOTE Remember that the remote ISA Server is governed by the VPN client settings on the local ISA Server, and the local ISA Server is governed by the VPN client settings on the remote ISA Server.

Creating Network and Firewall Rules

After the site-to-site VPN settings have been enabled on both systems, the appropriate network and firewall rules must be set up to allow the connection to take place. For procedures on how to configure these rules, skip to the section of this chapter titled "Configuring Network and Firewall Rules Between ISA Site Networks." At this point, the PPTP tunnel is in place. If it later becomes necessary to change the tunnel protocol from PPTP to L2TP or IPSec Tunnel Mode, the remote site network definition on both ISA Servers has to be reconfigured; it is the network definition, not the firewall rule, that carries the tunnel protocol.
Configuring a Layer 2 Tunneling Protocol (L2TP) Site-to-Site VPN Connection Between Two ISA Servers in Remote Sites

The most secure of the three methods for a site-to-site VPN between two ISA Servers is an L2TP tunnel protected by IPSec (L2TP/IPSec). L2TP itself only carries the PPP session; the confidentiality and integrity of the tunnel come from IPSec ESP, which is why this option needs either a pre-shared key or machine certificates to authenticate the two ISA Servers to each other. Although slightly more complex, it is the preferred connection method when possible. The steps outlined in this section assume that a PPTP tunnel has not yet been created. If it has, the remote site network must be reconfigured.
NOTE ISA Server 2004 supports L2TP site-to-site connections only to other Windows-based VPN servers, such as another ISA Server 2004, Windows Server 2003 RRAS, or Windows 2000 RRAS. For third-party VPN devices, use IPSec Tunnel Mode as described in "Configuring ISA 2004 to Integrate with Third-Party VPN Tunnel Products."

Deciding Between Shared Key and PKI

There are two options for authenticating the IPSec security association that protects an L2TP tunnel, and one of them must be chosen before the remote site networks are defined. The options are outlined as follows:

Pre-shared key. The same secret string is typed into both ISA Servers. No PKI is needed, but the key has to be distributed out of band, and any party that learns it can authenticate to the peer.

PKI-based certificates. Each ISA Server holds a machine certificate issued by a CA that both servers trust, and the tunnel is authenticated with the certificate's private key. This is the stronger choice and the one the rest of this section sets up.
Each of these options is outlined in more detail in the following section of this chapter.

Configuring a PKI Infrastructure for PKI-Based Certificate Encryption

If choosing to authenticate the tunnel with certificates, a PKI must already be in place, or one can be set up and configured in the environment. Windows Server (2000/2003) itself has the built-in capability to act as a certificate authority (CA), through the creation of either a stand-alone CA or an Enterprise CA. For more information on each of these options, see Chapter 9. For this example, an Enterprise Root certificate authority is set up and enabled. This has the added advantage of enabling certificates to be issued automatically to domain members. To install the Enterprise CA and distribute certificates to the ISA Servers, follow the steps outlined in Chapter 9 in the section titled "Creating a Public Key Infrastructure (PKI) for L2TP with IPSec Support."

Requesting a Certificate for the ISA VPN Server

If the local ISA Server is a domain member in a domain with an Enterprise Certificate Authority installed, issuing a computer (machine) certificate to the server itself is relatively straightforward through the following procedure:
NOTE If using a pre-shared key or the PPTP protocol, this step is unnecessary because certificates will not be used.
If the ISA Server is not a domain member, it instead must receive the certificate through the web-based enrollment methods described in the section of Chapter 9 titled "Configuring the Enterprise Root CA." In either case, certificates issued by the same CA must be installed in the local computer (machine) certificate store on both ISA Servers, either through domain-based enrollment or through the web-based enrollment mechanisms.

Configuring the L2TP Remote Site Network Definition on the ISA Servers

The first step in setting up an L2TP site-to-site VPN connection is to configure the remote site network definition. To do this, perform the following steps:
After the L2TP remote site networks have been created on each server, network and firewall rules must be created to enable connectivity between the two networks. Skip to the section titled "Configuring Network and Firewall Rules Between ISA Site Networks" for more information on this.
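The requirement stated earlier, that both ISA Servers hold a machine certificate from the same CA, is easy to get wrong when one server enrolls through the domain and the other through the web pages, or when a certificate is imported without its private key. The following PowerShell check is added here as an example; it is not from the book and not part of ISA Server. It assumes PowerShell is installed on each ISA Server (it is not part of the Windows Server 2003 base install the book assumes) and that $ExpectedRootThumbprint, a placeholder value, is replaced with the thumbprint of the Enterprise Root CA certificate. Run it on both servers and compare the output: each must report at least one OK line, and the OK certificates on the two servers must chain to the same root.

```powershell
# Added example check (not from the book): confirm that the Local Computer
# store on this ISA Server holds a certificate usable for L2TP/IPSec that
# chains to the expected Enterprise Root CA.
# $ExpectedRootThumbprint is a placeholder assumption; replace it with the
# real thumbprint of the root CA certificate.
param(
    [string]$ExpectedRootThumbprint = "0000000000000000000000000000000000000000"
)

$now = Get-Date
$found = $false

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Build the chain so that the issuing CA and the root can be inspected
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $problems = @()
    # IPSec needs the private key on this machine, not just the public certificate
    if (-not $cert.HasPrivateKey) { $problems += "no private key" }
    if ($cert.NotAfter -lt $now)   { $problems += "expired $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now)  { $problems += "not yet valid until $($cert.NotBefore)" }
    # Both ISA Servers must end up at the same root CA
    if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
        $problems += "chains to '$($root.Subject)', not the expected CA"
    }
    # Any chain error (untrusted root, revoked, missing intermediate) disqualifies it
    if ($chain.ChainStatus.Count -gt 0) {
        $problems += ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
    }

    # List enhanced key usages for the operator to review against the CA template
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }
    if (-not $ekus) { $ekus = "(no EKU extension: any purpose)" }

    if ($problems.Count -eq 0) {
        Write-Host "OK   $($cert.Thumbprint) $($cert.Subject) issued by $($cert.Issuer); EKU: $($ekus -join ', ')"
        $found = $true
    } else {
        Write-Host "SKIP $($cert.Thumbprint) $($cert.Subject): $($problems -join '; ')"
    }
}

if (-not $found) {
    Write-Warning "No usable certificate from the expected CA in Cert:\LocalMachine\My; enroll one before defining the L2TP remote site network."
}
```

A certificate that shows up as SKIP with "no private key" is the usual symptom of importing a .cer file exported from the other server instead of enrolling on this one; a root mismatch between the two servers means one of them enrolled against a different CA and the IPSec negotiation will fail before any L2TP traffic flows.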