noabody
This isn't really a question but if someone has a better way to
accomplish this then please reply. Essentially I wanted to set up an
L2TP VPN server using Windows 2000. With zero background in running a
CA and issuing certificates I had some trouble. I used Windows 2000
Server with one NIC connected to a Linksys router for the LAN. The WAN
side port of the Linksys connects to a DSL modem. The 2000 server is
running in Workgroup mode since its only purpose is to serve VPN
connections. It is also a Standalone Root certificate authority.
Here's how I got my IPSec certificate for L2TP. The better part of
this dialog is derived from Microsoft Knowledge Base article Q253498.
While logged onto the server as an administrator, open up Internet
Explorer and type http://127.0.0.1/certsrv into the address bar. Click
Request a certificate, then Advanced request, then Submit a certificate
request to this CA using a form. Type a name for the certificate then,
under Intended Purpose, select IPSec Certificate. Set the Key Size to
1024, and check the boxes next to Mark keys as exportable and Use local
machine store.
You should get a certificate pending screen. Open up Start Menu ->
Programs -> Administrative Tools -> Certification Authority, click on
Pending Requests, and issue the certificate you just requested. Back
at Internet Explorer click on Home in the upper right corner or re-open
the url noted earlier. Click Check on a pending certificate, find and
install the certificate.
Still on the server type mmc in the run box or at a dos prompt. Click
File -> Add/Remove snap-in, then Add and select Certificates. Add
again, select Computer Account and Local Computer. Close and ok.
Expand Certificates (Local Computer) -> Personal -> Certificates.
Right click on your certificate, highlight All Tasks, then Export.
Click Next, then check Yes, export Private Key. On the next dialog
check Include all certificates in the certification path if possible.
Provide a password for the key, on the next screen choose where to save
the file and save it.
At this point we have completed the Windows 2000 Server portion.
Transport the exported key file to a Windows XP machine. While logged
on as an administrator open up the mmc for certificates as noted above.
Expand Certificates (Local Computer) -> Personal. Highlight Personal,
right click and highlight All Tasks, then Import. Locate the key file,
on the next screen type in the password for the key. On the next
screen select Automatically select the certificate store based on the
type of certificate and continue. After you've finished importing the
key right click in the right hand pane of the Certificates manager and
Refresh. You should now see a certificates folder that contains the
imported certificate.
At this point we have issued out an IPSec certificate which is stored
in the local machine account of both the Windows 2000 Server and the
Windows XP client. By doing it in this way we are certain the
certificates match.
After following this procedure I was able to establish an L2TP VPN
connection from the XP Client to the 2000 server while on the same LAN.
Keep in mind that an outside internet connection will only work if the
server is not going through a NAT device. Most NAT devices do not
properly handle protocol 50 (ESP) and will corrupt the L2TP IPSec
header as it translates from WAN IP to LAN IP.
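The export and import steps above are done in the Certificates snap-in wizard. As an added example (not part of the original post, and not something the Windows 2000/XP hosts described could run, since they predate PowerShell), the same steps on a current Windows machine with the PKI module (Export-PfxCertificate / Import-PfxCertificate, Windows 8 / Server 2012 or later), plus the checks a practitioner would want before trusting the copy: the certificate actually carries the IKE intermediate EKU that "IPSec Certificate" issues, it has a private key, it chains to a trusted root, and the thumbprint on the client matches the one exported on the server. The file path, the password prompt and the function names are assumptions.

```powershell
# Added example, not the poster's procedure. Assumes the PKI module.
# OID 1.3.6.1.5.5.8.2.2 is the "IP security IKE intermediate" EKU that the
# Web enrollment "IPSec Certificate" purpose places in the certificate.
$IkeIntermediateEku = '1.3.6.1.5.5.8.2.2'

function Test-IpsecCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # IKE will reject the certificate if the peer cannot build a chain to a
    # trusted root, so verify that locally before moving anything around.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Lab with a standalone root CA and no reachable CRL: skip revocation here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain does not build for $($Cert.Thumbprint): $why"
    }
}

# --- Server side: equivalent of "All Tasks -> Export" with the private key and
# the full certification path. Returns the thumbprint to carry to the client.
function Export-IpsecMachineCert {
    param(
        [string]$PfxPath,                 # placeholder, e.g. C:\temp\ipsec-l2tp.pfx
        [System.Security.SecureString]$Password
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $IkeIntermediateEku)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw 'No machine certificate with the IKE intermediate EKU and a private key was found.'
    }
    Test-IpsecCertChain -Cert $cert
    # BuildChain corresponds to "Include all certificates in the certification path".
    # If this fails with an "not exportable" error, the request was made without
    # "Mark keys as exportable" and a new certificate has to be requested.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
    Write-Host "Exported $($cert.Subject) -> $PfxPath"
    return $cert.Thumbprint
}

# --- Client side: equivalent of "All Tasks -> Import" into the machine store,
# then confirm the copy is the same key pair the server exported.
function Import-IpsecMachineCert {
    param(
        [string]$PfxPath,
        [System.Security.SecureString]$Password,
        [string]$ExpectedThumbprint       # value returned by Export-IpsecMachineCert
    )
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    if ($imported.Thumbprint -ne $ExpectedThumbprint) {
        throw "Imported $($imported.Thumbprint), expected $ExpectedThumbprint; wrong file or a different certificate."
    }
    if (-not $imported.HasPrivateKey) {
        throw 'Imported certificate has no private key; re-export with "Yes, export Private Key".'
    }
    # If this throws, the issuing root is not in Cert:\LocalMachine\Root on the
    # client; the wizard's "automatically select the store" step places it there,
    # so copy the root CA certificate into that store by hand when scripting.
    Test-IpsecCertChain -Cert $imported
    Write-Host "Client holds $($imported.Thumbprint) with private key; issuer: $($imported.Issuer)"
    return $imported
}

# Usage (placeholders): on the server, then on the client after copying the file.
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   $tp = Export-IpsecMachineCert -PfxPath 'C:\temp\ipsec-l2tp.pfx' -Password $pw
#   Import-IpsecMachineCert -PfxPath 'C:\temp\ipsec-l2tp.pfx' -Password $pw -ExpectedThumbprint $tp
```

The thumbprint comparison is the scripted form of the post's "we are certain the certificates match": it proves the client holds the very key pair the server enrolled, not merely a certificate from the same CA, and the chain check on each side catches the common failure where the standalone root's certificate was never placed in the client's Trusted Root store.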