RE: L2TP setup.
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Tue, 10 Apr 2007 08:03:08 GMT
Hello Adrian,
Thank you for posting here.
According to your description, I understand that you cannot set up an
L2TP/IPSec VPN connection. If I have misunderstood the problem, please
don't hesitate to let me know.
Based on my research, L2TP/IPSec VPN configuration is complex: an L2TP/IPSec
VPN connection needs a certificate installed on the server and clients, or
a preshared key configured on the server and client. However, a PPTP VPN only
needs a correct username and password for the client, so it is easy to use.
Meanwhile, PPTP is also safe for data encryption.
I suggest we try the following steps to set up a PPTP VPN:
1: Run CEICW
You have to rerun the CEICW to make sure your SBS 2003 server has the right
network configuration. Go through the following KB and then rerun the CEICW
carefully.
How to configure Internet access in Windows Small Business Server 2003
http://support.microsoft.com/kb/825763/en-us
2: Run Remote Access wizard on SBS
a) On the Small Business Server 2003-based server, click To Do List in the
left pane of the Server Management console.
b) Under Network Tasks, click Configure Remote Access.
c) Click Next, click Enable Remote Access, click to select the VPN Access
check box, and then click Next.
d) Type the fully qualified public domain name (FQDN) of your server, click
Next, and then click Finish.
e) When the wizard is completed, click Close.
3: Go to the client and establish the VPN connection to the SBS server; you
can refer to this KB article for more information:
How to configure a connection to a virtual private network (VPN) in Windows XP
http://support.microsoft.com/default.aspx?scid=KB;EN-US;314076
If you want to set up an L2TP/IPSec VPN connection, I suggest you try the
following steps:
Method 1: install a certificate for the L2TP/IPSec VPN connection
i. Create a new VPN and choose L2TP
ii. Obtain a new machine certificate and install it
iii. Configure RRAS so it will use L2TP/IPSEC
iv. Make an L2TP connection to the server
v. Run IPSECMON to see if the data is encrypted.
Create a new VPN connection to the IP of the RRAS server, specifically choosing
L2TP.
Manually configure RRAS for VPN, instead of choosing RRAS VPN server. Or add a
filter for port 80 so that the client can browse over port 80 for the cert.
(Make sure you enable dial-in access for the specified user accounts.)
Browse to <http://certserver/certsrv> and create a certificate.
For RRAS VPN Server
Request A Certificate
Advanced Request
Submit a Certificate request to this CA using a form
Fill out the form
Intended Purpose - Server Authentication Certificate
Check Use Local Machine Store - DO NOT FORGET THIS PART!
Then click Submit
For L2TP Client
Request A Certificate
Advanced Request
Submit a Certificate request to this CA using a form
Fill out the form
Intended Purpose - Client Authentication Certificate
Check Use Local Machine Store - DO NOT FORGET THIS PART!
Then click Submit
Issue both certificates from the Certification Authority MMC Snap In
From the RRAS VPN server, browse to <http://certserver/certsrv> and check on
Pending Certificate.
Highlight the certificate and click Next. Then click Install this Certificate.
Close the browser.
From the client, browse to <http://certserver/certsrv> and check on Pending
Certificate.
Highlight the certificate and click Next. Then click Install this Certificate.
Close the browser.
Launch the Connection created for the VPN Server.
Once connected, open the RRAS MMC, go to Ports and view the active L2TP
connection.
Once connected, run ipsecmon from the RRAS server to view the IPSec
connection.
You should see a policy name of L2TP Rule. This shows the negotiated IPSEC
connection.
For more information you can enable Oakley logging.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named EnableLogging with a value of 1 to this key. The
Oakley.log file is created in the %SystemRoot%\debug folder.
NOTE: A value of 0 for EnableLogging disables logging.
A reboot is required, and this would need to be enabled on the client and
the server.
Method 2: install a preshared key for the L2TP/IPSec VPN connection
This article describes how to configure the preshared key to be used with a
demand-dial interface:
1. On the initiating Routing and Remote Access server, start the Routing
and Remote Access snap-in.
2. Click to expand the Routing and Remote Access server that you want to
configure.
3. Click Network Interface.
4. Right-click the demand-dial interface that you want to configure to use
a preshared key, and then click Properties.
5. Click the Security tab, and then click IPSec Settings.
NOTE: If this interface is not a virtual private network (VPN) interface
and it is not an L2TP interface, the IPSec Settings button is not
displayed.
6. Click to select the Use preshared key for authentication check box.
7. Enter the preshared key that matches the one that is configured on the
destination Routing and Remote Access server, and then click OK.
After you have configured the initiating server, follow these steps on the
destination server:
1. Start the Routing and Remote Access snap-in.
2. Click to expand the Routing and Remote Access server that you want to
configure.
3. Right-click the destination Routing and Remote Access server and click
Properties.
4. Click the Security tab, and then click to select the Allow custom IPSec
policy for L2TP connection check box.
5. Enter the preshared key that matches the one that you configured on the
initiating Routing and Remote Access server.
I hope these steps will be of some help.
Thanks and have a nice day!
Best regards,
Terence Liu (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Date: Mon, 09 Apr 2007 22:21:50 +0100
| From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
| Subject: L2TP setup.
| Message-ID: <u$40X0ueHHA.3956@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
|
| I'm trying to set up L2TP as an option for my SBS server.
|
| I've run the RAS setup wizard, and there are 20 L2TP ports in the pool.
|
| I've forwarded u1701 to the SBS server, and ethereal confirms L2TP
| Control Messages (SCCRQs) are being received.
|
| However, there's no reply from the server to the client (at all).
|
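The original question reports SCCRQ control messages arriving on UDP 1701 with no reply. As an added example that is not part of this thread, the following Python decoder (RFC 2661 header and AVPs) checks what a captured UDP/1701 payload actually is: a readable control message means the packet was not carried inside IPsec, which is the protection the certificate or preshared-key steps in the reply are meant to establish. The SCCRQ bytes and the host name "client" are constructed.

```python
import struct

# RFC 2661 control message types (value of the Message Type AVP, attribute 0).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
AVP_NAMES = {0: "Message Type", 2: "Protocol Version", 3: "Framing Capabilities",
             7: "Host Name", 9: "Assigned Tunnel ID", 10: "Receive Window Size"}

def parse_l2tp(payload):
    """Decode an L2TPv2 header and, for control messages, its AVPs."""
    if len(payload) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack("!H", payload[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not L2TP version 2")
    msg = {"control": bool(flags & 0x8000), "avps": {}}
    pos = 2
    if flags & 0x4000:                               # L bit: Length field present
        msg["length"] = struct.unpack("!H", payload[pos:pos + 2])[0]; pos += 2
    msg["tunnel_id"], msg["session_id"] = struct.unpack("!HH", payload[pos:pos + 4]); pos += 4
    if flags & 0x0800:                               # S bit: Ns/Nr present
        msg["ns"], msg["nr"] = struct.unpack("!HH", payload[pos:pos + 4]); pos += 4
    if flags & 0x0200:                               # O bit: Offset Size + padding
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    end = msg.get("length", len(payload))
    while msg["control"] and pos + 6 <= end:
        hdr, vendor, attr = struct.unpack("!HHH", payload[pos:pos + 6])
        avp_len = hdr & 0x03FF                       # low 10 bits: total AVP length
        if avp_len < 6 or pos + avp_len > end:
            raise ValueError("malformed AVP at offset %d" % pos)
        if vendor == 0:                              # IETF AVPs only; H bit values kept raw
            msg["avps"][AVP_NAMES.get(attr, attr)] = payload[pos + 6:pos + avp_len]
        pos += avp_len
    mtype = msg["avps"].get("Message Type")
    if mtype is not None:
        msg["message_type"] = MESSAGE_TYPES.get(struct.unpack("!H", mtype)[0], "unknown")
    return msg

def describe(payload):
    """One-line verdict for a UDP/1701 payload taken from a capture."""
    msg = parse_l2tp(payload)
    if not msg["control"]:
        return "L2TP data message, tunnel %d session %d" % (msg["tunnel_id"], msg["session_id"])
    host = msg["avps"].get("Host Name", b"?").decode("ascii", "replace")
    return "plaintext L2TP %s from host %s (not inside IPsec)" % (msg.get("message_type"), host)

# Constructed SCCRQ (58 bytes) as a client named "client" would send it on UDP 1701.
SAMPLE_SCCRQ = (struct.pack("!HHHHHH", 0xC802, 58, 0, 0, 0, 0)      # T L S set, ver 2
                + struct.pack("!HHHH", 0x8008, 0, 0, 1)              # Message Type = SCCRQ
                + struct.pack("!HHHH", 0x8008, 0, 2, 0x0100)         # Protocol Version 1.0
                + struct.pack("!HHH", 0x800C, 0, 7) + b"client"      # Host Name
                + struct.pack("!HHHI", 0x800A, 0, 3, 1)              # Framing Capabilities
                + struct.pack("!HHHH", 0x8008, 0, 9, 1))             # Assigned Tunnel ID
```

Running `describe(SAMPLE_SCCRQ)` yields "plaintext L2TP SCCRQ from host client (not inside IPsec)"; a payload that is ESP-protected will not decode as L2TP at all.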