Originally, the Microsoft Windows client software was developed for Remote Access Server (RAS) environments. Normally, you think of a remote access VPN as a solution that protects traffic from the user desktop to the VPN gateway at the corporate site, but Microsoft added flexibility into the design with PPTP and L2TP/IPsec to allow an intermediate device, typically an RAS, to perform this process on behalf of the client. In this situation, the client would dial into the RAS with a clear-text PPP connection, authenticate via PPP, and then request the RAS to set up a PPTP or L2TP/IPsec encrypted connection to the corporate RAS. Using this process offloads the protection process to the RAS instead of to an underpowered user PC.
Today, of course, most PCs and laptops should have no problem handling the processing required to protect traffic for a VPN. Therefore, in today's networks, most PPTP or L2TP/ IPsec sessions start with the remote access user and terminate at the remote corporate office VPN gateway (see Chapter 4, "PPTP and L2TP," for more information on the connection and operation process of these protocols).
Understanding Features of the Windows Client
The current Windows client supports L2TP over IPsec (L2TP/IPsec) for VPN sessions, but also supports PPTP. With the L2TP/IPsec client, you can use either pre-shared keys or digital certificates for authentication. If you recall from Chapter 4, both protocols rely on PPP to perform authentication, provide protection services, and transport data.
Because of the encryption strength of 3DES, it is recommended to use L2TP/IPsec rather than either L2TP or PPTP with MPPE's encryption. Whereas 3DES supports 168-bit encryption, the highest that MPPE supports is RC-4's 128-bit encryption; and where MPPE provides only data confidentiality (encryption), IPsec provides data confidentiality, data origin authentication (using a hashing function), data integrity (using a hashing function), and anti-replay protection. Another concern with PPTP is that of security issues surrounding the use of MSCHAPv1 and v2 for authentication. Therefore, this chapter will focus on the use of L2TP over IPsec.
Verifying that the Windows Client is Operational
With Windows 2000 and later, the Windows VPN client should be installed automatically when you install the operating system. However, if you have installed another VPN client product, the Microsoft VPN client might be deactivated (Starting with Cisco VPN 3.6 client software, Cisco and Microsoft's clients can co-exist with each other). To determine if the Microsoft VPN client is running, perform the following:
1. |
Go to Start > (Programs) > Administrative Tools > Component Services. |
2. |
Double-click Services (Local) under the Tree tab. |
3. |
Find the IPsec Policy Agent and make sure that it is set to "Automatic" (in XP, it's called IPSEC Services); if not, right-click it and select Properties. Set the Startup Type to Automatic. See Figure 13-1 for an example of this screen. Figure 13-1. Windows Component Services Window |
4. |
If it's not started, start it up by right-clicking IPsec Policy Agent and selecting Start. |
By setting the service to automatic, every time you reboot your computer, the L2TP/IPsec client will be operational.
Tip
If you need to use both a Cisco VPN Client and Microsoft's L2TP/IPsec remote access products, you'll minimally need to use the Cisco 3.6 client version, which allows more than one VPN client to be used on the same platform. After installing the Cisco client, follow the guidelines in this section to verify that the L2TP/IPsec client is still active. In 3.5 and earlier versions of the Cisco client, the Cisco installation software automatically disables the Microsoft L2TP/IPsec client.
If you don't have the L2TP/IPsec client installed, go to http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/l2tpclientfaq.asp.
You'll find the installation file (msl2tp.exe), and release notes and an administrator guide that you can download; Windows versions earlier than 2000 require the download of this file. Plus, with some Windows platforms, such as 2000, the L2TP over IPsec functionality in the client did not support NAT-T, which can create connectivity issues in environments using address translation; however, Microsoft has issued a patch to their VPN client that adds this functionality. Use the Windows Update utility on Microsoft's site to add this feature to your client.
Once you install this update, you'll need to reboot your computer. You must also have Version 1.4 of the Microsoft Dial-Up Networking software installed on your computer, which is required if you have Windows 95 (http://www.microsoft.com/downloads/release.asp?ReleaseID=29411&area=search&ordinal=1). You might need to install other service packs or updates as required by the operating system. For example, with Windows NT, you need Service Pack 6. Downloading the above-mentioned release notes will assist you with this process.
Tip
Because of the complexities in getting the right software loaded on the PC, you might want to put all of these on an internal web server or on a CD-ROM and have the user install the software from one of these locations.
Part I: VPNs
Overview of VPNs
VPN Technologies
IPsec
PPTP and L2TP
SSL VPNs
Part II: Concentrators
Concentrator Product Information
Concentrator Remote Access Connections with IPsec
Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN
Concentrator Site-to-Site Connections
Concentrator Management
Verifying and Troubleshooting Concentrator Connections
Part III: Clients
Cisco VPN Software Client
Windows Software Client
3002 Hardware Client
Part IV: IOS Routers
Router Product Information
Router ISAKMP/IKE Phase 1 Connectivity
Router Site-to-Site Connections
Router Remote Access Connections
Troubleshooting Router Connections
Part V: PIX Firewalls
PIX and ASA Product Information
PIX and ASA Site-to-Site Connections
PIX and ASA Remote Access Connections
Troubleshooting PIX and ASA Connections
Part VI: Case Study
Case Study
Index