Originally, the Microsoft Windows client software was developed for Remote Access Server (RAS) environments. Normally, you think of a remote access VPN as a solution that protects traffic from the user desktop to the VPN gateway at the corporate site, but Microsoft added flexibility into the design with PPTP and L2TP/IPsec to allow an intermediate device, typically an RAS, to perform this process on behalf of the client. In this situation, the client would dial into the RAS with a clear-text PPP connection, authenticate via PPP, and then request the RAS to set up a PPTP or L2TP/IPsec encrypted connection to the corporate RAS. Using this process offloads the protection process to the RAS instead of to an underpowered user PC.
Today, of course, most PCs and laptops should have no problem handling the processing required to protect traffic for a VPN. Therefore, in today's networks, most PPTP or L2TP/IPsec sessions start with the remote access user and terminate at the remote corporate office VPN gateway (see Chapter 4, "PPTP and L2TP," for more information on the connection and operation process of these protocols).
Understanding Features of the Windows Client
The current Windows client supports L2TP over IPsec (L2TP/IPsec) for VPN sessions, but also supports PPTP. With the L2TP/IPsec client, you can use either pre-shared keys or digital certificates for authentication. If you recall from Chapter 4, both protocols rely on PPP to perform authentication, provide protection services, and transport data.
Because of the encryption strength of 3DES, it is recommended to use L2TP/IPsec rather than either L2TP or PPTP with MPPE's encryption. Whereas 3DES supports 168-bit encryption, the highest that MPPE supports is RC-4's 128-bit encryption; and where MPPE provides only data confidentiality (encryption), IPsec provides data confidentiality, data origin authentication (using a hashing function), data integrity (using a hashing function), and anti-replay protection. Another concern with PPTP is that of security issues surrounding the use of MSCHAPv1 and v2 for authentication. Therefore, this chapter will focus on the use of L2TP over IPsec.
Cisco VPN Client versus Microsoft's L2TP/IPsec Client
Both clients support IPsec; however, that only means they follow the first three steps in ISAKMP/IKE Phase 1 (negotiate the IKE parameters, use DH, and perform device authentication with either pre-shared keys or certificates) and ISAKMP/IKE Phase 2. As I pointed out in Chapter 7, "Concentrator Remote Access Connections with IPsec," Cisco has added some additional functionality to ISAKMP/IKE Phase 1 that is not part of the IPsec standards. For example, Cisco supports the following for their software and hardware clients: split tunneling (supported only in XP by the L2TP/IPsec client) and split DNS, client type and version limiting, backup server lists, IPsec over TCP, client and network extension modes, reverse route injection, load balancing, and firewall policies, to name a few. When using a Microsoft L2TP/IPsec client, you don't have access to these features when terminating the client on a Cisco VPN gateway. In other words, using Cisco VPN products for both the gateway and client devices gives you much more centralized control over policies on the gateway device. Another disadvantage of Microsoft's client is that two levels of encryption are applied to the data (IPsec and MPPE), adding overhead.
However, this is not to say that you should never use Microsoft's client. It does have some advantages related to the use of L2TP over IPsec. For example, because PPP is used, you can run multiple protocols across the connection, such as IP and IPX (Cisco VPN 3000 concentrators, though, only support IP). Plus, the client comes pre-installed on Windows 2000 and higher computers, so no extra software needs to be installed. You can even create a special installation package that installs all IPsec policies and VPN connection profiles. And before the release of Cisco VPN Client 4.6, upgrading the Cisco software client was not very easy.
Verifying that the Windows Client is Operational
With Windows 2000 and later, the Windows VPN client should be installed automatically when you install the operating system. However, if you have installed another VPN client product, the Microsoft VPN client might be deactivated (starting with the Cisco VPN Client 3.6 software, the Cisco and Microsoft clients can coexist with each other). To determine if the Microsoft VPN client is running, perform the following:
Go to Start > (Programs) > Administrative Tools > Component Services.
Double-click Services (Local) under the Tree tab.
Find the IPsec Policy Agent and make sure that it is set to "Automatic" (in XP, it's called IPSEC Services); if not, right-click it and select Properties. Set the Startup Type to Automatic. See Figure 13-1 for an example of this screen.
Figure 13-1. Windows Component Services Window
If it's not started, start it up by right-clicking IPsec Policy Agent and selecting Start.
By setting the service to automatic, every time you reboot your computer, the L2TP/IPsec client will be operational.
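The same check can be scripted. The following is an added example, not from the book or from Microsoft: it assumes a current Windows version with PowerShell (the Windows 2000/XP systems the chapter describes have no PowerShell, so the manual Component Services steps above remain the reference there) and relies on the fact that the "IPsec Policy Agent" / "IPSEC Services" display name corresponds to the service short name PolicyAgent. It reports the service's state and start mode, sets the startup type to Automatic when needed, and starts the service if it is stopped.

```powershell
# Added example (not from the book): verify the IPsec Policy Agent service
# is set to Automatic and is running, mirroring the manual steps above.
# Assumption: the service short name behind the "IPsec Policy Agent" /
# "IPSEC Services" display name is PolicyAgent. Run from an elevated prompt.
$svcName = 'PolicyAgent'

$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$svcName' not found; the L2TP/IPsec client may not be installed."
    return
}

# Win32_Service exposes the start mode as Boot/System/Auto/Manual/Disabled.
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'").StartMode
Write-Host ("{0}: status={1}, start mode={2}" -f $svc.DisplayName, $svc.Status, $startMode)

# Make sure the client comes up on every reboot.
if ($startMode -ne 'Auto') {
    Set-Service -Name $svcName -StartupType Automatic
    Write-Host "Startup type changed to Automatic."
}

# Start it now so the L2TP/IPsec client is usable without a reboot.
if ($svc.Status -ne 'Running') {
    Start-Service -Name $svcName
    Write-Host "Service started."
}
```

If the script reports that the service is missing or disabled after a third-party VPN client install, that matches the behaviour described for Cisco VPN Client 3.5 and earlier, which disables the Microsoft L2TP/IPsec client.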
If you need to use both a Cisco VPN Client and Microsoft's L2TP/IPsec remote access products, you'll minimally need to use the Cisco 3.6 client version, which allows more than one VPN client to be used on the same platform. After installing the Cisco client, follow the guidelines in this section to verify that the L2TP/IPsec client is still active. In 3.5 and earlier versions of the Cisco client, the Cisco installation software automatically disables the Microsoft L2TP/IPsec client.
If you don't have the L2TP/IPsec client installed, go to http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/l2tpclientfaq.asp.
There you'll find the installation file (msl2tp.exe), release notes, and an administrator guide available for download; Windows versions earlier than 2000 require this file. Plus, with some Windows platforms, such as 2000, the L2TP over IPsec functionality in the client did not support NAT-T, which can create connectivity issues in environments using address translation; however, Microsoft has issued a patch to their VPN client that adds this functionality. Use the Windows Update utility on Microsoft's site to add this feature to your client.
Once you install this update, you'll need to reboot your computer. You must also have Version 1.4 of the Microsoft Dial-Up Networking software installed on your computer, which is required if you have Windows 95 (http://www.microsoft.com/downloads/release.asp?ReleaseID=29411&area=search&ordinal=1). You might need to install other service packs or updates as required by the operating system. For example, with Windows NT, you need Service Pack 6. Downloading the above-mentioned release notes will assist you with this process.
Because of the complexities in getting the right software loaded on the PC, you might want to put all of these on an internal web server or on a CD-ROM and have the user install the software from one of these locations.