I would suggest you start by reading the following:

A nice overview of the technology and concepts:
http://www.microsoft.com/technet/community/columns/cableguy/cg0801.mspx

Probably what you really want: How To Install and Configure a Virtual Private Network Server in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;308208

To hopefully answer your question with regards to L2TP, IPSEC, and policies:
http://support.microsoft.com/default.aspx?scid=kb;en-us;248750

A Q&A that provides some interesting information and links; search for L2TP:
http://www.microsoft.com/technet/community/chats/trans/windowsnet/win0608.mspx

Some useful pointers:
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_VPN_us06.htm

Basic troubleshooting around L2TP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;259335

To answer your questions below: MS-CHAPv2 is used during the authentication of user credentials. It has nothing "specifically" to do with L2TP.

Your VPN concentrator, once connected to by the client, will probably allow any traffic to flow between the client and a device on the "other side" of the VPN, even if that traffic is encrypted with IPSEC. The question you need to ask is what is happening between the client and the VPN concentrator. The answer is probably one of the following: PPTP, L2F, or L2TP. L2TP is an industry standard created in cooperation between Microsoft and Cisco.

Hope this helps...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, November 24, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

In the RRAS MMC there is nothing to set cert or Kerberos auth. There is an authentication tab which allows you to use MS-CHAP v2 or just CHAP, etc., in the remote access policy.

Also, a question: in the RRAS MMC, are you just setting L2TP properties or L2TP/IPsec properties? Or do you just set the L2TP properties in the RRAS MMC and the IPsec properties in the local policy on the server (or a GPO on the server's OU)?

Finally, I've used the Cisco VPN concentrator 3000 and it seems to allow pure IPsec from client to NAS. Is using L2TP for tunneling between client and VPN endpoint just an MS feature?

Sorry for harping on this, but MS has made it a little confusing to my small mind.

Thanks

-----Original Message-----
From: Bernard, Aric [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 1:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

L2TP, or Layer 2 Tunneling Protocol, is a protocol designed to create a VPN tunnel between a client and a VPN endpoint or between 2 VPN endpoints. It includes mutual authentication of the caller and the VPN host, which differs from PPTP. In addition, user credentials, in addition to the machine credentials, are typically required to ensure that not only is the machine known but the user is authorized to make the connection.

IPSec is coupled with L2TP to encrypt the communication between the caller and the VPN host. However, the VPN host decrypts the communications when received and transmits them on the other side (corporate LAN?) as an unencrypted communication stream (typically).

L2TP is not used between two systems on a LAN or private WAN in normal situations. Instead, if it is mandatory that communications between two systems on a corporate WAN/LAN are encrypted, pure IPSEC is used to encrypt these communications. Since both nodes are on the corporate network they both have access to trusted KDCs (assuming AD) and therefore Kerberos is a viable solution for IPSec.

In the GPO you are specifying just properties surrounding pure IPSEC. In the RRAS administrative MMC you configure L2TP without regard to the policy specified in the GPO.

Hope this helps....

Aric Bernard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, November 24, 2004 9:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

So, you can use pure IPsec machine to machine but only L2TP/IPsec machine to RRAS server? And where is it that you can specify just IPsec and NOT L2TP? Can you elaborate?

Thanks

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

So like client to domain controller during logon?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, November 24, 2004 12:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

Unfortunately this is not applicable to an L2TP connection; however, it works like a charm for basic machine to machine IPSEC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, November 24, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

In secpol.msc under "IP security policies on local machine", open up one of the pre-built policies and go to authentication. You have a choice of pre-shared key, cert and Kerberos. Kerberos is checked off as the default.

Thanks

-----Original Message-----
From: Bernard, Aric [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

Can you clarify as to where you are seeing Kerberos as an option for L2TP/IPSEC?

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, November 24, 2004 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

Then why oh why is Kerberos an option?

Thanks

-----Original Message-----
From: Bernard, Aric [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hate to beg..

Tom,

I do not think you can use L2TP/IPSEC without a certificate.

Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, November 24, 2004 8:28 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Hate to beg..

I don't want to beat a dead horse, but can someone point me to a doc or resource on configuring a Win2k RRAS VPN server for L2TP/IPsec with WinXP clients using Kerberos and NOT pre-shared keys or certs? I have edited IPsec GPOs on both client and RRAS server and still I get a "need cert" error.

Please help.

Thanks.

I know I've been sending a lot of emails to the list on this but I really would like to get it going. I have 10 WinXP domain members (user and machine) that need to connect over a DSL link through the Internet to us for Exchange email, auth, and term services. I wanted to implement an RRAS IPsec solution so I wouldn't have to push out VPN clients. This dept of users does not have the money to buy a dedicated server for end-to-end RRAS, so I think this solution works best. However, right now it's a chicken-and-egg thing, so I can't push out a cert and would rather use IPsec instead of PPTP.
Thanks again

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
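An added example, not part of the list thread above: the top reply says the real question is what runs between the client and the VPN concentrator (PPTP, L2F or L2TP), and Tom's "need cert" error is an IKE negotiation that never produces a security association. This small Python classifier answers that question from flow records using the standard ports and IP protocol numbers for PPTP, IKE, ESP and L2TP; the flow records and addresses are constructed for illustration, not captured traffic.

```python
from collections import defaultdict

GRE, ESP = 47, 50  # IP protocol numbers for GRE (PPTP data) and ESP (IPsec)

def signal_for(flow):
    """Map one flow record to the VPN building block it reveals, or None."""
    proto, dport = flow["proto"], flow.get("dport")
    if proto == "tcp" and dport == 1723:
        return "pptp_control"   # PPTP control channel
    if proto == GRE:
        return "gre"            # PPTP data (MPPE-encrypted PPP)
    if proto == "udp" and dport == 500:
        return "ike"            # IPsec key negotiation (NAT-T on UDP 4500 not modelled)
    if proto == ESP:
        return "esp"            # IPsec security association carrying data
    if proto == "udp" and dport == 1701:
        return "l2tp_clear"     # L2TP visible on the wire: no IPsec around it
    return None

def classify_pair(flows):
    """Verdict for all flows between one client and one VPN host."""
    seen = {s for s in map(signal_for, flows) if s}
    if "l2tp_clear" in seen:
        return "L2TP without IPsec: tunnel contents are not encrypted"
    if {"pptp_control", "gre"} <= seen:
        return "PPTP"
    if {"ike", "esp"} <= seen:
        return "IPsec ESP up: L2TP/IPsec or pure IPsec (inner protocol is hidden)"
    if "ike" in seen:
        return "IKE only, no ESP: the SA never came up (check the authentication method)"
    return "no VPN signal"

def classify(flows):
    """Group flow records by (client, host) and classify each pair."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    return {pair: classify_pair(fl) for pair, fl in by_pair.items()}

# Constructed sample flow records (not captured traffic); VPN host is 203.0.113.10.
SAMPLE = [
    {"src": "10.1.1.5", "dst": "203.0.113.10", "proto": "udp", "dport": 500},
    {"src": "10.1.1.5", "dst": "203.0.113.10", "proto": ESP},
    {"src": "10.1.1.6", "dst": "203.0.113.10", "proto": "udp", "dport": 500},
    {"src": "10.1.1.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 1723},
    {"src": "10.1.1.7", "dst": "203.0.113.10", "proto": GRE},
    {"src": "10.1.1.8", "dst": "203.0.113.10", "proto": "udp", "dport": 1701},
]

if __name__ == "__main__":
    for pair, verdict in classify(SAMPLE).items():
        print(pair, "->", verdict)
```

Because L2TP rides inside ESP, a capture cannot tell L2TP/IPsec from pure IPsec without decrypting; what it can show is whether IPsec came up at all, which is the distinction the thread turns on.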
