Converting from PPTP to L2TP/IP Sec VPN

Hi all,

I'm transitioning over to a network admin role in my company, and have been asked to increase security on our existing Microsoft based VPN that currently is using a PPTP with certificate based VPN.  We would like to change to a L2TP/IP sec VPN based on everything we've read about that its better security.  From what I've been reading, this doesn't seem to be an easy task and I'm a little confused.  My question is, does anyone have a step by step procedure that either entails converting an existing Microsoft VPN server to L2TP/IP Sec or starting from scratch on a new server?  In our current environment, we have a RAS server, which contains the internal/external IP address to connect into and a CA (certificate authority) server that issues/manages the certificates.

If there isn't a step by step, I'm hoping for a little guidance on whether this task can be accomplished by converting the existing VPN method or starting from scratch in a live environment.

Thanks!
SGCAdminAsked:

SGCAdminAuthor Commented:
Hi, thank you for the link.  Unfortunately, when I go to pick up an advanced certificate request, I do not have the option to choose an IPSec certificate (see attachment). I didn't really think it was that easy.  I am pretty sure I need to upgrade the server to allow for L2TP (IPSec) traffic and give it a preshared key.  That is what I am looking for as far as step by step.  Our current solution works, we just want more security by going this route.  Please advise.

Thanks!
Advanced-Certificate-Request.jpg
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
All L2TP/IPSec connections we work with use a pre-shared key, no certificate. AFAIK managing L2TP in conjunction with certificates works only with computer certificates, and it is a PITA managementwise.

SGCAdminAuthor Commented:
Yes, a preshared key would be fine, I just need some assistance setting up the RAS server to hand them out to the workstation.  Currently, the RAS server is a PPTP VPN server.

Thanks again
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
AFAIK you can only supply a single PSK (that is all I found) for all users. Maybe there is another IPSec policy setting for each user. For a start you should try with the PSK defined in your RRAS properties, Security, User-Defined IPSec Policy.
SGCAdminAuthor Commented:
Hi Qlemo,

I think that advice would be used when the server for PPTP is converted over to L2TP (IPSec), then I would think I would set up policies.  Or perhaps I'm confused.  I thought the technology of L2TP IPsec VPNs had more to do with the connection itself, as I know there are certain ports I need our ISP to unblock for the IP address we are using that are dedicated to this kind of traffic.  Best case scenario that I'm looking for is to take the existing server and convert it, but I am willing to set up another server if need be, but I just need instructions on how to do this.

Thanks!
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
No, it is not only about ports. L2TP needs a certificate or preshared key, or both. After that, user authentication is to be performed as it is with PPTP. If you set up that general policy PSK, it is the one to use on all clients.
SGCAdminAuthor Commented:
So really, I just need to add specific policies to use either a cert or PSK on the same RAS server that is already setup using L2TP security?  Do you know of a procedure that walks through that for the server end?

Thanks
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
What is the issue? It looks that easy, so you should just try!
Allow for enough L2TP WAN adapters (default is 16, IIRC), set up the policy setting as told above, and that should be it. The policy setting will not allow for different PSKs, but that should not matter at the moment, at least for testing purposes.
digitapCommented:
SGCAdminAuthor Commented:
Thank you, Digitap, that document did explain things a little better.

In the meantime....

Currently, our ISP provider is having problems unblocking UDP 500 and IP protocol 50, which are required for IP Sec traffic, and this is at a standstill.  I haven't been able to test because of the firewall issues, but it seems like this is a very complicated task to do this using a RAS and policies.  We may be looking at VPN routers that communicate using IPSec security, but for now, I'd like to leave this open in case some
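The port requirement in the post above (UDP 500 for IKE, IP protocol 50 for ESP, plus UDP 4500 for NAT traversal whenever a client sits behind a NAT) can be expressed as host firewall rules on the RRAS server, which makes it easy to tell an ISP-side block from a host-side one. This is an added example, not from the thread; it assumes Windows Server 2012 or later (NetSecurity module) and an elevated session, and the rule names are arbitrary.

```powershell
# Added example (not from this thread). Assumes Windows Server 2012+ with the NetSecurity
# module, run in an elevated session on the RRAS host. Rule names are arbitrary.
# L2TP itself (UDP 1701) travels inside ESP, so it needs no separate perimeter rule.
$l2tpRules = @(
    @{ Name = 'RRAS L2TP/IPsec - IKE (UDP 500)';     Protocol = 'UDP'; LocalPort = 500   }
    @{ Name = 'RRAS L2TP/IPsec - NAT-T (UDP 4500)';  Protocol = 'UDP'; LocalPort = 4500  }
    @{ Name = 'RRAS L2TP/IPsec - ESP (protocol 50)'; Protocol = 50;    LocalPort = $null }
)

foreach ($rule in $l2tpRules) {
    if (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue) {
        Write-Host "exists:  $($rule.Name)"
        continue
    }
    $params = @{
        DisplayName = $rule.Name
        Direction   = 'Inbound'
        Action      = 'Allow'
        Protocol    = $rule.Protocol
        Profile     = 'Public', 'Private'   # the Internet-facing interface is normally in Public
    }
    if ($rule.LocalPort) { $params['LocalPort'] = $rule.LocalPort }   # ESP has no port
    New-NetFirewallRule @params | Out-Null
    Write-Host "created: $($rule.Name)"
}

# Read back what is actually in force, so a failed test can be blamed on the right hop.
Get-NetFirewallRule -DisplayName 'RRAS L2TP/IPsec*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
    }
} | Format-Table -AutoSize
```

The RRAS role usually installs predefined rules of its own when it is set up, so check `Get-NetFirewallRule` for those first rather than duplicating them.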
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
I have to agree - using IPSec-capable devices is a better idea. But remember that you will need to install an IPSec client on each PC trying to get access then (exception is W7 and a device featuring IKEv2). Some devices come with a rebranded SafeNet SoftRemote client, but I recommend to use the free ShrewSoft VPN Client (www.shrew.net), which works with many devices (configuration examples provided in the Support Wiki).
SGCAdminAuthor Commented:
Yeah, I'm thinking that may save a ton of my time and will be easier to maintain.

Right now, I'm looking at SonicWall:

http://www.sonicwall.com/us/products/12033.html
digitapCommented:
Looks like they eliminated their previous models that I've deployed, but I can say they are nice appliances.

Here's a SonicWall KB on the different deployment scenarios for their SSL-VPN appliance(s):

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7911
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
There are a lot of opinions about SonicWalls. Some say it is the consumer part of enterprise class ;-).
Some say they are happy with it. I can neither recommend pro nor against SonicWall. I use Juniper Netscreen for many reasons, but those may not apply here. But as rule of thumb: The more features you will need later, the more expensive the device.
SGCAdminAuthor Commented:
I did take a look at the shrew website and received this message on the support tab:
"The Sonicwall products are not yet supported by the Shrew Soft VPN Client"

Is there anyone out there using SonicWall with Shrew?  Might be helpful if we end up going with their VPN device.

Thanks!
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Forgot totally about that ... I'm listening to many threads here, and the Shrew support and dev mails, but never hit anybody who could get Shrew and SonicWall together.
SGCAdminAuthor Commented:
Well, I am making some progress here.  I have been able to connect over L2TP using MS-CHAP v2 (username and password) and using a PSK.  However, I cannot get this to work using a certificate.  Any ideas?

Thanks!
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
All I know about using certificates with L2TP is in my first post: "AFAIK managing L2TP in conjunction with certificates works only with computer certificates, and it is a PITA managementwise."
SGCAdminAuthor Commented:
I believe I have this working finally through a RAS.  I created another policy, for L2TP and attached the constraints in the attachment below.  However, I have to leave this policy as the 2nd in the order, because the certificates we are using will not work unless the existing PPTP policy stays in place.  So I'm not 100 percent sure this is working perfectly, but when I look at the connection on the computer, it tells me the Authentication is using EAP with Encryption Type:  IPsec: ESP 3DES and using WAN Miniport (L2TP).  On top of that, I'm also using a PSK, perhaps a little more security :-)

So I believe I need both policies in there, but it's connecting great now.  Let me know if you think this isn't working as an L2TP over IPSec connection.

Appreciate all the help to get to this point!
L2TP-Policy.jpg
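The client side of the setup reported above, as an added example that is not part of the thread: an L2TP/IPsec connection with a PSK, created from PowerShell, with the IPsec proposal raised from the ESP 3DES shown in the status to AES-256/SHA-256, and a check that the tunnel really is running inside an IPsec SA. It assumes Windows 8.1 / Server 2012 R2 or later (VpnClient and NetSecurity modules); the server name and connection name are placeholders.

```powershell
# Added example, not from this thread. Assumes the VpnClient and NetSecurity modules
# (Windows 8.1 / Server 2012 R2 or later) and an elevated session for the SA check.
# Placeholders: vpn.example.com and the connection name. The PSK is prompted for, not stored here.
$connName = 'Corp L2TP-IPsec'
$server   = 'vpn.example.com'
$psk      = Read-Host -Prompt 'L2TP pre-shared key'

if (-not (Get-VpnConnection -Name $connName -ErrorAction SilentlyContinue)) {
    $conn = @{
        Name                 = $connName
        ServerAddress        = $server
        TunnelType           = 'L2tp'
        L2tpPsk              = $psk
        AuthenticationMethod = 'MSChapv2'   # what the thread got working; EAP with certificates is stronger
        EncryptionLevel      = 'Required'   # never fall back to an unencrypted PPP session
        RememberCredential   = $false
        Force                = $true
    }
    Add-VpnConnection @conn
}

# Replace the default IPsec proposal (the thread's status showed ESP 3DES) with AES-256/SHA-256,
# DH group 14 for IKE and 2048-bit PFS. The RRAS side must offer the same suite or IKE will fail.
$ipsec = @{
    ConnectionName                   = $connName
    AuthenticationTransformConstants = 'SHA256128'
    CipherTransformConstants         = 'AES256'
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'
    PfsGroup                         = 'PFS2048'
    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @ipsec

# After dialling (rasdial "$connName" <user>), confirm the L2TP session is inside IPsec:
# a quick-mode SA whose remote endpoint is the VPN server must exist, and it lists the ESP
# cipher actually negotiated, which is the authoritative answer to "is this really L2TP/IPsec?".
Get-VpnConnection -Name $connName | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
Get-NetIPsecQuickModeSA | Format-List
```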
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
It should be ok that way. The connection status infos fit 100% to L2TP/IPsec, so you can be sure you are using it.
SGCAdminAuthor Commented:
Using the PPTP policy for authentication and L2TP IPSec to connect, this has been working great since it was implemented this week.  Thanks for the help!