The most secure method of setting up VPN access is to combine user authentication, such as entering a username and password, with machine authentication, which verifies that the computer the user is connecting from is a trusted resource. The advantage of this approach is that even if a user's password is stolen, access is not automatically granted. The Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec) is the supported method within ISA Server for accomplishing this level of security.
Unfortunately, however, unlike PPTP VPN connections, L2TP VPN tunnels cannot reliably traverse NAT. For example, if the ISA Server sits on the inside of a packet-filter firewall, such as a PIX firewall, and that firewall applies NAT to the ISA Server's address, the L2TP tunnel will fail to be established, because L2TP relies on an accurate negotiation between two known addresses.
Recent work has moved toward a model known as NAT-T (NAT traversal), which enables this type of access to occur, but the implementation is currently in its infancy, and all routers between source and destination must support it. In the meantime, if a NAT relationship exists between ISA and the clients it supports, PPTP is the only reliable way to create VPN connections.
If the ISA Server holds a public IP address (or if all devices properly support NAT traversal), then L2TP VPN connections can be established. The following process can be used to enable L2TP/IPSec VPN support on the ISA VPN server:
Configuring an IPSec Pre-Shared Key
Essentially, two options can be used to encrypt the L2TP VPN session. The first option is to use a pre-shared key, which is a manually configured alphanumeric password that is entered on the server and on all the VPN clients. This does produce an encrypted L2TP/IPSec VPN tunnel, but the approach is not considered secure, because someone could theoretically uncover the key through social engineering, and once the key is compromised it must be manually reset on every client. The more secure approach is to deploy a PKI (public key infrastructure), which can take more time to set up but is inherently more secure.
For the purposes of testing an L2TP connection, or to deploy a limited L2TP infrastructure using a pre-shared key, use the following procedure:
Configuring a Windows XP Professional Client for an L2TP VPN Connection
The following process can be used to configure a remote Windows XP workstation for standard L2TP communication. For automatic provisioning of this VPN connection, see the section later in this chapter that details the use of the Connection Management Administration Kit (CMAK) to create automatic VPN connections.
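As an added example that is not part of this chapter, the following creates the two kinds of L2TP/IPSec client profile described under the pre-shared key section (IPSec keyed by a shared secret versus IPSec keyed by a machine certificate, each with MS-CHAP v2 user authentication on top) and then audits which profiles still depend on a shared key. It assumes a modern Windows client, since the Add-VpnConnection and Get-VpnConnection cmdlets ship with Windows 8/Server 2012 and later rather than with Windows XP; the server address, connection names and the key value are placeholders.

```powershell
# Added example, not from the book. Assumes the Windows VPN client cmdlets
# (Windows 8 / Server 2012 or later). All names and addresses are placeholders.
$Server = 'vpn.example.com'   # placeholder: public address of the ISA VPN server

# Option 1: pre-shared key for the IPsec layer (testing or limited deployments).
# Every client carries the same secret, so a leak means re-keying all of them.
Add-VpnConnection -Name 'ISA-L2TP-PSK' -ServerAddress $Server `
    -TunnelType L2tp -L2tpPsk 'PLACEHOLDER-SHARED-SECRET' `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Option 2: machine certificate for the IPsec layer (no -L2tpPsk), user
# credentials for the PPP layer. This is the user + machine authentication
# combination the chapter recommends; it assumes the client already holds a
# machine certificate issued by the PKI that the VPN server trusts.
Add-VpnConnection -Name 'ISA-L2TP-Cert' -ServerAddress $Server `
    -TunnelType L2tp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Audit helper: list every L2TP profile on this machine with its IPsec
# authentication mode so PSK profiles can be found and migrated to certificates.
function Get-L2tpProfileAudit {
    Get-VpnConnection |
        Where-Object { $_.TunnelType -eq 'L2tp' } |
        Select-Object Name, ServerAddress, L2tpIPsecAuth, AuthenticationMethod, EncryptionLevel
}

Get-L2tpProfileAudit |
    Where-Object { $_.L2tpIPsecAuth -eq 'Psk' } |
    ForEach-Object {
        Write-Warning "Profile '$($_.Name)' keys IPsec with a pre-shared key; migrate it to a machine certificate."
    }
```

Run the audit with `Get-L2tpProfileAudit` on its own to see all L2TP profiles, including the certificate-based ones, in one table.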