Solved

Converting from PPTP to L2TP/IP Sec VPN

Posted on 2010-11-24
Last Modified: 2012-05-10
Hi all,

I'm transitioning over to a network admin role in my company, and have been asked to increase security on our existing Microsoft-based VPN, which currently is using PPTP with a certificate-based VPN. We would like to change to an L2TP/IPsec VPN based on everything we've read about its better security. From what I've been reading, this doesn't seem to be an easy task and I'm a little confused. My question is, does anyone have a step-by-step procedure that either entails converting an existing Microsoft VPN server to L2TP/IPsec or starting from scratch on a new server? In our current environment, we have a RAS server, which contains the internal/external IP address to connect into, and a CA (certificate authority) server that issues/manages the certificates.

If there isn't a step-by-step, I'm hoping for a little guidance on whether this task can be accomplished by converting the existing VPN method or starting from scratch in a live environment.

Thanks!
0
Question by:SGCAdmin
22 Comments
 
LVL 11

Expert Comment

by:diprajbasu
ID: 34207901
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34231366
Hi, thank you for the link. Unfortunately, when I go to pick up an advanced certificate request, I do not have the option to choose an IPSec certificate (see attachment). I didn't really think it was that easy. I am pretty sure I need to upgrade the server to allow for L2TP (IPSec) traffic and give it a preshared key. That is what I am looking for as far as step-by-step. Our current solution works, we just want more security by going this route. Please advise.

Thanks!
Advanced-Certificate-Request.jpg
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34231436
All L2TP/IPSec connections we work with use a pre-shared key, no certificate. AFAIK managing L2TP in conjunction with certificates works only with computer certificates, and it is a PITA management-wise.
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34231618
Yes, a preshared key would be fine, I just need some assistance setting up the RAS server to hand them out to the workstations. Currently, the RAS server is a PPTP VPN server.

Thanks again
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34233275
AFAIK you can only supply a single PSK (that is all I found) for all users. Maybe there is another IPSec policy setting for each user. For a start you should try with the PSK defined in your RRAS properties, Security, User-Defined IPSec Policy.
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34252950
Hi Qlemo,

I think that advice would be used when the server for PPTP is converted over to L2TP (IPSec); then I would think I would set up policies. Or perhaps I'm confused. I thought the technology of L2TP/IPsec VPNs had more to do with the connection itself, as I know there are certain ports I need our ISP to unblock for the IP address we are using that are dedicated to this kind of traffic. The best-case scenario I'm looking for is to take the existing server and convert it, but I am willing to set up another server if need be; I just need instructions on how to do this.

Thanks!
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 34253086
No, it is not only about ports. L2TP needs a certificate or preshared key, or both. After that, user authentication is to be performed as it is with PPTP. If you set up that general policy PSK, it is the one to use on all clients.
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34253273
So really, I just need to add specific policies to use either a cert or PSK on the same RAS server that is already set up using L2TP security? Do you know of a procedure that walks through that for the server end?

Thanks
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34253297
What is the issue? It looks that easy, so you should just try!
Allow for enough L2TP WAN adapters (default is 16, IIRC), set up the policy setting as told above, and that should be it. The policy setting will not allow for different PSKs, but that should not matter at the moment, at least for testing purposes.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34253563
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34372154
Thank You Digitap, that document did explain things a little better.

In the meantime....

Currently, our ISP is having problems unblocking UDP 500 and IP protocol 50, which are required for IPsec traffic, and this is at a standstill. I haven't been able to test because of the firewall issues, but it seems like this is a very complicated task to do using a RAS and policies. We may be looking at VPN routers that communicate using IPSec security, but for now, I'd like to leave this open in case some
0
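One way to tell, from the server's own firewall log, which part of the L2TP/IPsec traffic is not arriving (the situation described in the comment above). This is an added example, not code from the thread; the log lines are constructed to follow the column order of a Windows Firewall text log (an assumed layout, adjust FIELDS for yours), and UDP 4500 (NAT-T) is checked alongside the UDP 500 and protocol 50 the thread names because clients behind NAT need it.

```python
# Added example, not from the thread. The sample lines are constructed to follow
# the column order of a Windows Firewall text log (an assumed layout).
FIELDS = ["date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port", "dst_port"]

# Server-side view of L2TP/IPsec: the thread names UDP 500 (IKE) and IP protocol
# 50 (ESP); UDP 4500 (NAT-T) is needed as well when clients sit behind NAT.
REQUIRED = {
    "IKE (UDP 500)": ("UDP", 500),
    "NAT-T (UDP 4500)": ("UDP", 4500),
    "ESP (IP protocol 50)": ("50", None),  # ESP carries no ports
}

def parse_line(line):
    """Return one log record as a dict, or None for blank/comment/short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["dst_port"] = int(rec["dst_port"]) if rec["dst_port"].isdigit() else None
    return rec

def classify(rec):
    """Name the L2TP/IPsec component a record belongs to, or None."""
    for name, (proto, port) in REQUIRED.items():
        if rec["protocol"] == proto and (port is None or rec["dst_port"] == port):
            return name
    return None

def audit(lines, server_ip):
    """Collect the firewall actions (ALLOW/DROP) seen per component for server_ip."""
    seen = {name: set() for name in REQUIRED}
    for line in lines:
        rec = parse_line(line)
        component = classify(rec) if rec and rec["dst_ip"] == server_ip else None
        if component:
            seen[component].add(rec["action"])
    return seen

def blocked(seen):
    """Components never ALLOWed: empty set = never arrived (upstream), DROP = local rule."""
    return [name for name, actions in seen.items() if "ALLOW" not in actions]

# Constructed sample: IKE arrives, NAT-T is dropped by a local rule, ESP never
# shows up at all (the upstream block), and PPTP (TCP 1723) still works.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2010-11-24 09:00:01 ALLOW UDP 198.51.100.7 192.0.2.10 500 500
2010-11-24 09:00:01 DROP UDP 198.51.100.7 192.0.2.10 4500 4500
2010-11-24 09:00:03 ALLOW TCP 198.51.100.7 192.0.2.10 51000 1723
"""
```

An empty action set for a component means the packets never reached the server at all, which is what an ISP-side block looks like; a DROP means the server's own firewall is the culprit.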
 
LVL 68

Expert Comment

by:Qlemo
ID: 34372856
I have to agree - using IPSec-capable devices is a better idea. But remember that you will then need to install an IPSec client on each PC trying to get access (the exception is W7 and a device featuring IKEv2). Some devices come with a rebranded SafeNet SoftRemote client, but I recommend using the free ShrewSoft VPN Client (www.shrew.net), which works with many devices (configuration examples are provided in the Support Wiki).
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34372904
Yeah, I'm thinking that may save a ton of my time and will be easier to maintain.

Right now, I'm looking at SonicWall:

http://www.sonicwall.com/us/products/12033.html
0
 
LVL 33

Expert Comment

by:digitap
ID: 34372955
Looks like they eliminated their previous models that I've deployed, but I can say they are nice appliances.

Here's a SonicWall KB on the different deployment scenarios for their SSL-VPN appliance(s):

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7911
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34372961
There are a lot of opinions about SonicWalls. Some say it is the consumer part of enterprise class ;-).
Some say they are happy with it. I can neither recommend for nor against SonicWall. I use Juniper Netscreen for many reasons, but those may not apply here. But as a rule of thumb: the more features you will need later, the more expensive the device.
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34394972
I did take a look at the shrew website and received this message on the support tab:
"The Sonicwall products are not yet supported by the Shrew Soft VPN Client"

Is there anyone out there using SonicWall with Shrew? It might be helpful if we end up going with their VPN device.

Thanks!
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34395454
Forgot totally about that ... I'm listening to many threads here, and the Shrew support and dev mails, but never hit anybody who could get Shrew and SonicWall together.
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34396746
Well, I am making some progress here. I have been able to connect over L2TP using MS-CHAP v2 (username and password) and using a PSK. However, I cannot get this to work using a certificate. Any ideas?

Thanks!
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34408012
All I know about using certificates with L2TP is in my first post: "AFAIK managing L2TP in conjunction with certificates works only with computer certificates, and it is a PITA management-wise."
0
 
LVL 1

Author Comment

by:SGCAdmin
ID: 34482357
I believe I have this working finally through a RAS. I created another policy for L2TP and attached the constraints in the attachment below. However, I have to leave this policy as the 2nd in the order, because the certificates we are using will not work unless the existing PPTP policy stays in place. So I'm not 100 percent sure this is working perfectly, but when I look at the connection on the computer, it tells me the Authentication is using EAP with Encryption Type: IPsec: ESP 3DES and using WAN Miniport (L2TP). On top of that, I'm also using a PSK, perhaps a little more security :-)

So I believe I need both policies in there, but it's connecting great now. Let me know if you think this isn't working as an L2TP over IPSec connection.

Appreciate all the help to get to this point!
L2TP-Policy.jpg
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34483425
It should be OK that way. The connection status info fits 100% with L2TP/IPsec, so you can be sure you are using it.
0
 
LVL 1

Author Closing Comment

by:SGCAdmin
ID: 34499528
Using the PPTP policy for authentication and L2TP/IPSec to connect, this has been working great since being implemented this week. Thanks for the help!
0
