The most secure encryption method for setting up a site-to-site VPN connection involves creating an L2TP encrypted tunnel. This option, although slightly more complex, is the preferred connection method when possible. The steps outlined in this section assume that a PPTP tunnel has not yet been created. If it has, it must be reconfigured.
L2TP VPN connections are supported only between Windows-based VPN servers, such as ISA Server 2004, Windows Server 2003 RRAS, or Windows 2000 RRAS.
Deciding Between Shared Key and PKI
There are two different options to be considered when establishing L2TP VPN tunnels. The options are outlined as follows:
Certificates-based Encryption The most secure method of encryption involves the use of X.509 certificates within a public key infrastructure (PKI) environment. Using certificates-based encryption allows for both machine-level and user-level controls that are used to encrypt the connection, so that a nearly unbreakable tunnel is established.
Shared Key An alternative to PKI-based encryption involves the use of a shared key, which is a static line of text that is entered in both servers and that allows for the VPN connection to be encrypted. Because it does not change, this form of encryption is subject to brute-force attack techniques and should be avoided when possible.
Each of these options is outlined in more detail in the following section of this chapter.
Configuring a PKI Infrastructure for PKI-Based Certificate Encryption
If choosing to use a PKI certificates-based infrastructure, there must be one in place already, or one can be set up and configured in an environment. Windows Server (2000/2003) itself has the built-in capabilities to allow for a PKI-based certificate authority (CA) to be set up in an environment through the creation of either a stand-alone CA or an Enterprise CA. For more information on each of these options, see Chapter 9.
For this example, an Enterprise Root certificate authority is set up and enabled. This has the added advantage of enabling certificates to be configured automatically on domain members. To install the Enterprise CA and distribute certificates to the ISA Servers, follow the steps outlined in Chapter 9 in the section titled "Creating a Public Key Infrastructure (PKI) for L2TP with IPSec Support."
Requesting a Certificate for the ISA VPN Server
If the local ISA Server is a domain member in a domain with an Enterprise Certificate Authority installed, issuing a certificate to the server itself is relatively straightforward through the following procedure:
If using a pre-shared key or the PPTP protocol, this step is unnecessary because certificates will not be used.
Click Start, Run, type in mmc, and click OK.
Click File, Add/Remove Snap-in.
Click the Add button.
Select Certificates and click Add.
Select Computer Account and click Next.
Select Local Computer and click Finish, Close, and OK.
Expand the Certificates MMC console to display Console Root, Certificates (Local Computer), and Personal.
Right-click on Personal and choose All Tasks, Request New Certificate.
Click Next at the welcome wizard.
Select Computer from Certificate Types and click the Advanced check box. Click Next to continue.
Leave the default at Microsoft RSA SChannel Cryptographic Provider and click Next to continue.
Select the local Enterprise Certificate Authority, such as the one shown in Figure 10.9, and click Next to continue.
Figure 10.9. Creating a certificate request for the ISA server.
Remember that this option is available only if the ISA Server is a domain member in an AD domain that currently has an Enterprise CA installed in it.
Enter a friendly name for the certificate, such as ISA Computer Certificate, and click Next to continue.
If the ISA Server is not a domain member, it instead must receive the certificate through the web-based enrollment methods described in the section of Chapter 9 titled "Configuring the Enterprise Root CA."
In either case, certificates from the same CA must be installed on both ISA Servers in each location, either through domain-based enrollment or through the web-based enrollment mechanisms.
Configuring the L2TP Remote Site Network Definition on the ISA Servers
The first step in setting up an L2TP site-to-site VPN connection is to configure the remote site network definition. To do this, perform the following steps:
Open the ISA Server Management console.
Select the Virtual Private Networks (VPN) node from the console tree.
Select the Remote Sites tab from the Details pane.
Select Add Remote Site Network from the Tasks pane.
Enter the name of the connection in the Network Name field; for example, enter Toronto and click Next.
Select Layer Two Tunneling Protocol (L2TP) over IPSec and then click Next.
Click OK when prompted about needing to create a remote user account.
Enter the IP address of the remote ISA server (for example 192.168.10.253), then click Next.
Check the box labeled Local Site Can Initiate Connections to Remote Site Using These Credentials.
Enter the username, domain name, and password of the local user account in the remote site and click Next.
At the subsequent dialog box, shown in Figure 10.10, a pre-shared key can be entered. If a PKI certificates-based model is chosen, this step can be skipped; otherwise, create a new pre-shared key (any alphanumeric pattern), enter it (the same key is entered on the remote server as well), and click Next.
Figure 10.10. Entering an L2TP pre-shared key.
Add the network ranges of the remote network. For example, use 10.10.20.0 as the starting address and 10.10.20.255 as the ending address.
Click Finish, Apply, and OK to save the changes.
Repeat the procedure on the remote site server.
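The pre-shared key entered in the dialog above is static, and the earlier section notes that this makes the shared-key option subject to brute-force attack. The following Python script is an added example, not part of this chapter or of ISA Server, that generates a key from the operating system's cryptographic random source, sizes the keyspace a brute-force attacker would have to cover, and flags obviously weak candidates (short keys, repeated patterns, low character diversity) before they are typed into both servers. The alphanumeric alphabet and the 128-bit minimum are assumptions chosen for the example; the guess rate used for the time estimate is a constructed figure, not a measurement.

```python
import math
import secrets
import string

# Alphabet matching the chapter's "any alphanumeric pattern" guidance
# (assumption: letters and digits only, so the estimate is conservative).
ALPHANUMERIC = string.ascii_letters + string.digits

SECONDS_PER_YEAR = 365.25 * 86400


def psk_entropy_bits(key: str, alphabet: str = ALPHANUMERIC) -> float:
    """Size of the brute-force keyspace in bits: log2(|alphabet| ** len(key))."""
    if not key:
        raise ValueError("empty key")
    if any(c not in alphabet for c in key):
        raise ValueError("key contains characters outside the alphabet")
    return len(key) * math.log2(len(alphabet))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every key at the given (constructed) guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_psk(length: int = 32, alphabet: str = ALPHANUMERIC) -> str:
    """Build a key from the OS CSPRNG (secrets), never from random.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _is_repeated_pattern(key: str) -> bool:
    """True if the key is a short block repeated, e.g. 'abcabcabc'."""
    n = len(key)
    for block in range(1, n // 2 + 1):
        if n % block == 0 and key[:block] * (n // block) == key:
            return True
    return False


def psk_weaknesses(key: str, min_bits: float = 128.0) -> list:
    """Return reasons a candidate key would be cheap to brute force ([] if none)."""
    problems = []
    bits = psk_entropy_bits(key)
    if bits < min_bits:
        problems.append(f"keyspace is only {bits:.0f} bits (minimum {min_bits:.0f})")
    if _is_repeated_pattern(key):
        problems.append("key is a repeated pattern")
    # Expect at least a handful of distinct characters; very low diversity
    # means the effective alphabet is far smaller than the nominal one.
    if len(set(key)) < max(4, len(key) // 4):
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    candidate = "toronto2004"  # constructed weak example
    print(candidate, "->", psk_weaknesses(candidate))
    fresh = generate_psk()
    bits = psk_entropy_bits(fresh)
    print(fresh, "->", psk_weaknesses(fresh))
    # 1e12 guesses/second is a constructed figure for illustration only.
    print(f"{bits:.0f} bits; {years_to_exhaust(bits, 1e12):.3g} years to exhaust")
```

Run the script before filling in the pre-shared key field on the first server, then paste the generated value into the same field on the remote server. The checks only bound the brute-force effort; they do not make a shared key as strong as certificate-based authentication, which remains the preferred option as the chapter states.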
After the L2TP remote site networks have been created on each server, network and firewall rules must be created to enable connectivity between the two networks. Skip to the section titled "Configuring Network and Firewall Rules Between ISA Site Networks" for more information on this.