Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client

Transcription

1 Overview This guide is used as a supplement to the SuperStack 3 Firewall manual, and details how to configure the native Windows VPN client to work with the Firewall, via the Microsoft recommended Layer 2 Tunneling Protocol with IP Security or L2TP/IPSec. In order to support this capability, you will require SuperStack Firewall firmware v or later. This supports an integrated L2TP/IPSec server. Note that v also supports a mechanism to connect to the Internet using L2TP this is not covered in this document. IPSec, L2TP and PPTP Overview IPSec is the protocol used to secure IP traffic. IPSec supports a mode that can be used to tunnel IP traffic over a public network such as the Internet IPSec tunnel-mode. Alternatively, a tunneling protocol such as L2TP or PPTP can be used to achieve secure access to a Corporate LAN over the Internet. This tunneling protocol can optionally be secured itself using IPSec. IPSec tunnel-mode is used for site-to-site connections and can also be used for individual Internet users with VPN client software. L2TP and PPTP are only used for VPN clients in particular, native Windows VPN clients. SuperStack 3 Firewall firmware v6.3.3 supports L2TP termination only when secured by IPSec. (This is the default on Windows XP but on Windows 2000, the default configuration is to use L2TP without IPSec.) V6.3.3 firmware for the SuperStack 3 Firewall is also backward compatible with older firmware it continues to support the Safenet Soft-PK VPN client supplied with the Firewall. This VPN client is an IPSec tunnel-mode client; it does not use L2TP. SuperStack 3 Firewall can support both IPSec tunnel mode clients and L2TP/IPSec clients simultaneously. The standard Microsoft VPN client before Windows 2000 was PPTP. SuperStack 3 Firewall does not support a PPTP server. However Microsoft now also supplies a L2TP/IPSec VPN client for older versions of Windows (except Windows 95). Windows OS Compatibility Matrix VPN Client Technology Operating System IPSec Only L2TP / IPSec 3Com Recommended Deployment Windows 95 YES NO SafeNet Soft-PK VPN client using IPSec only Windows NT4 YES YES* Windows 98 / Me YES YES* SafeNet Soft-PK VPN client using IPSec only Windows 2000 YES YES Native L2TP/IPSec VPN client requires policy patch ** Window XP NO*** YES Native L2TP/IPSec VPN client * A L2TP/IPSec integrated VPN client for Windows NT4, 98 & Me is available from Microsoft website ** Windows 2000 requires a registry change in order to support shared secret IKE, 3Com has provided a utility to complete this task. L2TP and IPSec are separate components on Windows 2000 and need to be configured individually. The 3Com utility configures the IPSec component. *** The Safenet Soft-PK VPN client provided with the SuperStack 3 Firewall does not support Windows XP. Safenet ( provide a commercial version of this VPN client that supports Windows XP and is compatible with the SuperStack 3 Firewall. Certificates SuperStack 3 Firewall firmware v6.3.3 supports X.509 certificates but these are not supported for either IPSec tunnelmode or L2TP VPN clients they are only supported for site-to-site connections. If a VPN client requests a certificate or says that a certificate cannot be found, the Windows PC has not been properly configured to use the GroupVPN shared secret.

2 Safenet L2TP Adapter The Safenet VPN client includes a L2TP adapter component. This L2TP/IPSec client can be used with the SuperStack 3 Firewall instead of the Microsoft L2TP clients. However, if the XAUTH feature (user authentication) is enabled on the GroupVPN SA, these clients will authenticate users twice once for XAUTH and once for L2TP. This document does not describe how to configure and use the Safenet IPSec tunnel-mode or Safenet L2TP/IPSec client. NAT-traversal Support SuperStack 3 Firewall v6.3.3 supports NAT-traversal but this feature only works when used with a VPN client that also supports NAT-traversal. Windows 2000 and XP IPSec do not currently support NAT-traversal, i.e. a device performing NAT cannot be used between the Windows PC and its Internet connection or between the SuperStack 3 Firewall and its Internet connection when using these VPN clients. The Microsoft integrated L2TP/IPSec client for Win9x/NT4 and the Safenet VPN client do support NAT-traversal. Firewall Configuration Network Configuration The SuperStack 3 Firewall can either be configured in Standard or NAT enabled network addressing mode with a static public (WAN) IP address to allow VPN termination. Note that in Standard mode, L2TP clients that have terminated on the SuperStack 3 Firewall will not be able to access the Internet via the VPN tunnel. VPN Configuration Select the VPN button on the SuperStack 3 Firewall web interface to configure VPN and L2TP. The GroupVPN security association configuration used for IPSec tunnel-mode clients is also for L2TP users. The GroupVPN SA must be enabled for L2TP. (By default, it is disabled.) The L2TP server itself must also be enabled on the L2TP tab. (By default it is disabled.) The following GroupVPN configurations are recommended for the SuperStack 3 Firewall when using Windows L2TP/IPSec clients: Firewall Encryption Level Phase 1 DH Group Phase 1 Encryption / Authentication Phase 2 Encryption / Authentication 56-bit 1 DES-SHA1 DES-SHA1 168-bit 2 3DES-SHA1 3DES-SHA1 User Authentication User authentication is optional for IPSec tunnel-mode VPN clients (such as the Safenet Soft-PK client). Selecting the XAUTH feature on the GroupVPN SA Advanced Settings enables user authentication VPN clients must supply a valid username and password before they can connect to the SuperStack 3 Firewall. These username and passwords are configured on the Firewall or a RADIUS server. VPN user authentication is disabled by default.

3 When using the Microsoft L2TP/IPSec client on Windows NT4, 98 and Me, the GroupVPN XAUTH feature must be disabled on the SuperStack 3 Firewall otherwise the client will fail to connect. For Windows 2000 and XP, you can enable the Firewall GroupVPN XAUTH without these clients being prompted for IPSec tunnel-mode authentication they will only be prompted for L2TP authentication. This allows you to enforce user authentication for all clients; use L2TP/IPSec for Windows 2000 and XP; use Safenet Soft-PK for other versions of Windows with GroupVPN XAUTH enabled. User authentication is not optional for L2TP and must be configured on the Firewall by selecting the Policy button and the User Privileges tab. L2TP users supply a username and password within the VPN client to allow them to connect to the SuperStack 3 Firewall. These username/passwords must be configured for each user either locally on the Firewall or by selecting Use RADIUS to use a RADIUS server. If there are more than 100 users, RADIUS must be used. RADIUS is configured on the Firewall using the RADIUS tab the v6.3.3 firmware provides a RADIUS test button to confirm successful configuration. Firewall L2TP Users On the Firewall web interface, click the Policy button and then the User Privileges tab. For each L2TP user configured on the Firewall, provide the username, password and then click the Access from L2TP VPN Client checkbox before selecting the Update User button. For IPSec tunnel-mode clients, select the Access from VPN Client with XAUTH checkbox. (A user can have both checkboxes enabled.) RADIUS L2TP Users When using RADIUS, select the Access from L2TP VPN Client checkbox on the RADIUS tab under Privileges for all Users. The Firewall will authenticate all L2TP clients with the configured RADIUS server. If authentication is successful, the Firewall will grant access to the LAN. It is also possible to configure the RADIUS server to indicate which particular users are allowed and not allowed L2TP access a separate document, the Funk Dictionary file, on the 3Com support web site details this procedure for the Funk Steel-belted RADIUS server. To integrate the SuperStack 3 Firewall with Microsoft Active Directory for user authentication, enable and configure the Windows Internet Authentication Service (IAS) this is the Windows RADIUS server. Refer to the Windows documentation for configuration of IAS. The Firewall must be configured with the IP address and shared secret of the Windows IAS server. IP Address Configuration As well as username/password configuration, L2TP users must also be provided with an internal LAN IP address, which they obtain when they connect to the SuperStack 3 Firewall. Configure the L2TP Local IP Pool Settings with an appropriately sized IP address pool for the number of L2TP users. The pool of IP addresses is typically a subset of the Firewall s LAN IP subnet but it can be any set of unused IP addresses. Alternatively, if RADIUS is being used, you can select IP Address provided by RADIUS server and configure the RADIUS server to provide IP addresses for L2TP clients.

4 Debugging L2TP/IPSec server To help debug problems with L2TP/IPSec, enable the Network Debug category in the Log Settings on the Firewall. The following provides the log output from a successful L2TP/IPSec connection with comments: RECEIVED<<< ISAKMP OAK MM (MsgID: 0x0) (SA, VID) Firewall receives VPN client request. If this log entry is missing, check that the client is configured with the WAN IP address of the Firewall. Alternatively the Internet router may be blocking the IKE protocol that is used to negotiate IPSec keys. IKE uses UDP port 500. IKE Responder: Begin Main Mode Phase 1 SENDING>>>> ISAKMP OAK MM (MsgID: 0x0) (SA) RECEIVED<<< ISAKMP OAK MM (MsgID: 0x0) (KE, NON) NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal Some VPN clients such as Windows XP do not support NAT traversal the ability to work through NAT devices. This warning can be ignored if there are no NAT devices between the VPN client and SuperStack 3 Firewall. SENDING>>>> ISAKMP OAK MM (MsgID: 0x0) (KE, NON, VID, VID, VID) RECEIVED<<< ISAKMP OAK MM (MsgID: 0x0) *(ID, HASH) IKE Responder: Main Mode Phase 1 Done SENDING>>>> ISAKMP OAK MM (MsgID: 0x0) *(ID, HASH) IKE Responder: Begin Phase 2 RECEIVED<<< ISAKMP OAK QM (MsgID: 0x1A14E711) *(HASH, SA, NON, ID, ID) IKE Responder: Accepting IPSec proposal SENDING>>>> ISAKMP OAK QM (MsgID: 0x11E7141A) *(HASH, SA, NON, ID, ID) Loading IPSec SA (Message ID = 0x1a14e711, Local SPI = 0xe98d3fed, Remote SPI = 0xdf1a63f7) RECEIVED<<< ISAKMP OAK QM (MsgID: 0x1A14E711) *(HASH) IKE negotiation complete. Adding IPSec SA. Phase 2 Done IKE has completed successfully. Start of L2TP negotiation over IPSec. If the following logging does not appear, the Internet router may block IPSec traffic. IPSec traffic normally uses IP protocol number 50 (ESP). (Note: not UDP port number.) lifeseconds=3600 remote range: ( ) - L2TP Server : L2TP Tunnel Established. - Source: , Destination: , LocalTunnelID=0xe0c5, RemoteTunnelId=0x2, RemoteHostName=test-laptop.3com.com L2TP Server : L2TP Session Established. - Source: , Destination: , LocalSessionID=0xd9cf, RemoteSessionId=0x1 L2TP Server: Local Authentication Success. - Source: , Destination: , Host Name :test-laptop.3com.com, User Name :test, Auth Algorithm :MD5 CHAP - L2TP has completed successfully. You should be able to ping the Firewall s LAN IP address and access the LAN. If this fails, check the L2TP configuration page on the Firewall for a valid IP address pool or check the configuration on the RADIUS server, if used. The following log entries indicate common problems: SENDING>>>> ISAKMP OAK INFO (MsgID: 0x4F68AE7F) *(HASH, NOTIFY:PAYLOAD_MALFORMED) The shared secret did not match. L2TP Server: Local Authentication Failure The L2TP username or password was invalid.

5 Windows XP VPN Client Configuration Guide 3Com recommends using the Windows XP native L2TP/IPSec VPN client. The following describes how to configure this. Step 1 New Connection Wizard From the Windows Start button, select Settings>Network Connections>New Connection Wizard Step 2 New Connection Wizard Click Next and select Connect to the network at my workplace Step 3 New Connection Wizard Click Next and select Virtual Private Network connection Step 4 New Connection Wizard Click Next and enter a name for the VPN connection:

6 Step 5 New Connection Wizard Click Next and choose an initial connection to dial if required: Step 6 New Connection Wizard Click Next and enter the public (WAN) IP address of the Firewall: Step 7 New Connection Wizard Click Next, then Finish. Step 1 Dial up Configuration Select Properties on the Dial-Up connection prompt Step 2 Dial up Configuration Select the Security tab

7 Step 3 Dial up Configuration Click IPSec settings and tick the Use pre-shared key for authentication Enter the Firewall GroupVPN shared secret. Click OK. Step 4 Dial up Configuration Select the Networking Tab and change the Type of VPN to L2TP IPSec VPN. Click OK. Establishing a Connection From the Windows Start button, select Settings>Network Connections and choose the connection that was configured to access the SuperStack 3 Firewall. Enter the Username and password and press Connect. If selecting the connection does not present the username and password dialogue, click the connection with the right button and select Properties. Under the Options tab, tick the Prompt for name and password checkbox.

8 Windows 98, Me & NT4 VPN Client Microsoft has provided a freely available L2TP/IPSec VPN client for pre-windows 2000 operating systems (not Windows 95). The installation file msl2tp.exe is available from the Microsoft web site This client requires XAUTH to be disabled on the SuperStack 3 Firewall, configured under GroupVPN advanced features. Note that this implies that a user with Safenet Soft-PK VPN client can connect to the SuperStack 3 Firewall with no user authentication. To force user authentication for all users, enable XAUTH on the SuperStack 3 Firewall and use Safenet Soft- PK VPN client for Windows 98, Me and NT users. This is the 3Com recommended configuration. However, if you wish to use the Microsoft VPN client, the following instructions will help you configure this. Windows 98 / 98SE In addition to the above Microsoft VPN client, Windows 98 requires the latest version of dial-up networking to be installed for Windows 98 / 98SE which can be found at It also requires the latest version of Internet Explorer to be installed (although this does not need to be used as the default browser). Windows NT4 In addition to the above Microsoft VPN client, Windows NT4 requires Service Pack 6A, which can be found at: For NT4 only, you will need to install the Point to Point Tunneling Protocol by using the following procedure if it is not already installed: Step 1 From Control Panel, Open the network folder Step 2 Network Configuration Select the Protocols tab. If the Network Protocols list does not include the Point to Point Tunneling Protocol, click Add. Otherwise Cancel the dialog and proceed to installation of the VPN client. Step 3 Select Network Protocol Select the Point to Point Tunneling Protocol and click OK.

9 Step 4 PPTP Configuration Set the Number of Virtual Private Networks to 1. Click OK. Step 5 Remote Access Setup Add the RASPPTPM device if not already present. Click Continue and then close all the dialogs. Windows will need to restart. Installation of the VPN Client (Windows 98, Me and NT4) Step 1 Ensure your operating system is upgraded with the latest patches (see above) Step 2 Download and install the Microsoft L2TP/IPSec VPN client msl2tp.exe (a reboot is required) Step 3 From the Windows Start button select: Programs>Microsoft IPSec VPN>Microsoft IPSec VPN Configuration Step 4 Select Use a pre-shared key for IPSec authentication, and enter the GroupVPN Firewall shared secret, as the key (see below). Click OK. Step 5 The IPSec configuration is now complete, you now need to create a new VPN connection in the Windows Dial-up networking Connection Wizard

10 Windows 98, Me, Dial-up Networking Connection Wizard Step 1 From My Computer, Open Dial-Up Networking Step 2 Double click Make New Connection Step 3 New Connection Wizard Enter a name for the connection and set the device to be the Microsoft L2TP/IPSec VPN adapter Step 4 New Connection Wizard Click Next and enter the public (WAN) IP address of the SuperStack 3 Firewall as the VPN server Step 5 New Connection Wizard Click Finish to complete the wizard Step 6 Dial-up Configuration From My Computer, open up Dial-Up Networking. Select the new L2TP connection with the right mouse button and select Properties, On the Server Types tab, uncheck the NetBEUI and IPX/SPX Compatible tick boxes. Establishing a Connection From My Computer, open up Dial-up Networking. Open the connection that you ve just created to access the SuperStack 3 Firewall, enter the username and password and press Connect.

11 Windows NT4 Configuration After installing the VPN client on NT4 you will need to reboot the PC. After this, you will first need to reconfigure Remote Access. Step 1 From Control Panel, Open the network folder Step 2 Network Configuration Select the Protocols tab. Select Point to Point Tunneling Protocol and click Properties. Step 3 Select Network Protocol Change the Number of Virtual Private Networks to 2. Step 4 Remote Access Setup Add the RASL2TPM device. Click Continue and then close all the dialogs. Windows will need to restart.

12 Windows NT4 Dialup Step 1 From My Computer, Open Dial-Up Networking. Step 2 New Phonebook Entry Create a new phonebook entry. Provide the entry with a name. Step 3 Configure Phonebook Entry Click Next and select the check boxes below. Step 4 Select Modem Click Next and select the RASL2TPM modem. Step 5 Phone Number Click Next. For the phone number, enter the public (WAN) IP address of the SuperStack 3 Firewall.

13 Step 6 IP Address Click Next. Leave your IP address as SuperStack 3 Firewall will provide this. Step 7 DNS Server Click Next. You must manually configure the DNS server with the correct IP address otherwise the NT4 VPN client will not connect. Also configure a WINS server if required. Obtain the DNS and WINS information from the SuperStack 3 Firewall administrator. Click Next and Finish. Step 8 DNS Server Select More and Edit Entry and modem properties. Step 9 DNS Server Select the Server tab and ensure that the settings are as below. Click TCP/IP Settings. Step 10 TCP/IP Settings Check the DNS (and WINS if required) are manually configured. If you wish to access Internet sites directly (not via the VPN connection), untick Use default gateway on remote network. However, you will need to leave this ticked if your VPN connection is to a site with multiple IP subnets. Click OK and OK again.

14 Establishing a Connection From My Computer, select Dial-Up Networking and choose the phonebook entry that was configured to access the SuperStack 3 Firewall. Click Dial, enter the username and password and then click OK. Windows 2000 The L2TP VPN client is a pre-installed component of the Windows 2000 operating system. However configuring its use with a shared secret and defining the IPSec policies to allow L2TP over IPSec can be quite complex. 3Com has provided a utility in order to simplify this configuration, and only supports this deployment when configured using this utility. The 3Com Windows 2000 L2TP/IPSec VPN client configuration utility 3c2kl2tp.hta is freely available and can be downloaded from Step 1 Step 2 Run the 3Com Windows 2000 L2TP/IPSec configuration utility 3c2kl2tp.hta and click Download IPSec tool from Microsoft Click Open and follow the instructions on installing the ipsecpol.exe utility to its default installation directory. Step 3 Step 4 Click Enter Shared Secret and configure IPSec Enter the SuperStack 3 Firewall GroupVPN shared secret and click OK Step 5 You must now REBOOT your PC The IPSec configuration is now complete, you now need to create a new VPN connection in the Windows Dial-up Networking Connection Wizard Note You can use the 3Com 3c2kl2tp.hta utility at any time in order to change the shared secret or remove the IPSec policy configuration. You may not need to reboot your PC for a new shared secret to take affect, but it is recommended that you always do so.

15 Windows 2000 Dial-up Networking Connection Wizard Step 1 New Connection Wizard From the Windows Start button, select Settings>Network and Dialup Connections>Make New Connection Step 2 New Connection Wizard Click Next and select Connect to a private network through the Internet Step 3 New Connection Wizard Click Next and choose an initial connection to dial if required Step 4 New Connection Wizard Click Next and enter the public (WAN) IP address of the Firewall Step 5 New Connection Wizard Click Next and choose the connection availability Step 6 New Connection Wizard Click Next and enable Internet Connection Sharing if required, for security reasons 3Com recommends this be left disabled

16 Step 7 New Connection Wizard Click Next, enter a name for the VPN connection, then click Finish Step 1 Dial up Configuration From the Windows Start button, select Settings>Network and Dial-up Connections and choose the connection that was configured to access the Firewall. Select Properties Step 2 Dial up Configuration Select the Networking tab and change the Type of VPN server to Layer-2 Tunneling Protocol (L2TP) The click OK Establishing a Connection From the Windows Start button, select Settings>Network and Dial-up Connections and choose the connection that was configured to access the SuperStack 3 Firewall. Enter the Username and password and press Connect.