Re: L2TP setup.
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Wed, 11 Apr 2007 06:59:15 GMT
Hello Adrian,
Thank you for the kind update.
You are right, as I know, the L2TP/IPSec VPN does not need to use GRE47.
However, we have to open the following ports:
UDP 500
UDP 4500
UDP 1701
And we have to forward these ports from router to SBS.
Meanwhile, I'd like to show you a document about how to configure ISA 2004 as
an L2TP/IPSec VPN server:
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/isa2004se_vpnkit-rev%201%2004.doc
Note: Please perform the steps in "Issue Certificates to the ISA Server
2004 Firewall and VPN Clients" and "Test a L2TP/IPSec VPN Connection" nodes
in Chapter 4
I hope everything is going well.
Please do not hesitate to let me know if there's anything else I can do for
you.
Thank you and have a nice day,
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Date: Tue, 10 Apr 2007 20:05:28 +0100
| From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
| User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
| MIME-Version: 1.0
| Subject: Re: L2TP setup.
| References: <u$40X0ueHHA.3956@xxxxxxxxxxxxxxxxxxxx> <9ZWaeL1eHHA.5016@xxxxxxxxxxxxxxxxxxxxxx>
| In-Reply-To: <9ZWaeL1eHHA.5016@xxxxxxxxxxxxxxxxxxxxxx>
| Content-Type: text/plain; charset=ISO-8859-1
| Content-Transfer-Encoding: 7bit
| X-Antivirus: avast! (VPS 000732-0, 10/04/2007), Outbound message
| X-Antivirus-Status: Clean
| Message-ID: <uvJb0M6eHHA.4064@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: 213-162-121-253.adrian080.adsl.metronet.co.uk 213.162.121.253
| Lines: 1
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:28980
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hi Terence,
|
| Yes, PPTP would be my first choice, but this specific user's router/ISP
| doesn't seem to allow GRE47, and can't connect.
|
| Therefore I need to try something else. I do know that a UDP-encapsulated
| IPSEC tunnel previously worked for this user for another company, so I'm
| hoping that L2TP/IPSEC would work too.
|
| Adrian.
|
| Terence Liu [MSFT] wrote:
| > Hello Adrian,
| >
| > Thank you for posting here.
| >
| > According to your description, I understand that you cannot set up
| > L2TP/IPSec VPN connection. If I have misunderstood the problem, please
| > don't hesitate to let me know.
| >
| > Based on my research, L2TP/IPSec VPN configuration is complex; an L2TP/IPSec
| > VPN connection needs a certificate installed on server and clients, or a
| > preshared key configured on server and client. However, the PPTP VPN only
| > needs a correct username and password for the client; it is easy to use.
| > Meanwhile, the PPTP is also safe for data encryption.
| >
| > I suggest we try the following steps to setup PPTP VPN:
| >
| > 1: Run CEICW
| > You have to rerun the CEICW to make sure your SBS 2003 server has the
| > right network configuration. Go through the following KB and rerun CEICW
| > carefully.
| >
| > How to configure Internet access in Windows Small Business Server 2003
| > http://support.microsoft.com/kb/825763/en-us
| >
| > 2: Run Remote Access wizard on SBS
| >
| > a) On the Small Business Server 2003-based server, click To Do List in the
| > left pane of the Server Management console.
| >
| > b) Under Network Tasks, click Configure Remote Access.
| >
| > c) Click Next, click Enable Remote Access, click to select the VPN Access
| > check box, and then click Next.
| >
| > d) Type the fully qualified public domain name (FQDN) of your server, click
| > Next, and then click Finish.
| >
| > e) When the wizard is completed, click Close.
| >
| > 3: Go to the client and establish the VPN connection to the SBS Server; you
| > can refer to this KB article for more information:
| >
| > How to configure a connection to a virtual private network (VPN) in Windows
| > XP
| > http://support.microsoft.com/default.aspx?scid=KB;EN-US;314076
| >
| > If you want to set up L2TP/IPSec VPN connection, I suggest you try the
| > following steps:
| >
| > Method 1: install certificate for L2TP/IPSec VPN connection
| >
| > i. Create a new VPN and choose L2TP
| > ii. Obtain a new machine certificate and install it
| > iii. Configure RRAS so it will use L2TP/IPSEC
| > iv. Make an L2TP connection to the server
| > v. Run IPSECMON to see if the data is encrypted.
| >
| > Create a new VPN connection to the IP of the RRAS server, specifically
| > choosing L2TP.
| > Manually configure RRAS for VPN, instead of choosing RRAS VPN server. Or
| > add a filter for port 80 so that the client can browse over port 80 for
| > the cert. (Make sure you enable dial-in access for specified user accounts.)
| >
| > Browse to <http://certserver/certsrv> and create a certificate.
| >
| > For RRAS VPN Server
| > Request A Certificate
| > Advanced Request
| > Submit a Certificate request to this CA using a form
| > Fill out the form
| > Intended Purpose - Server Authentication Certificate
| > Check Use Local Machine Store - DO NOT FORGET THIS PART!
| > Then click Submit
| >
| > For L2TP Client
| > Request A Certificate
| > Advanced Request
| > Submit a Certificate request to this CA using a form
| > Fill out the form
| > Intended Purpose - Client Authentication Certificate
| > Check Use Local Machine Store - DO NOT FORGET THIS PART!
| > Then click Submit
| >
| > Issue both certificates from the Certification Authority MMC Snap In
| >
| > From the RRAS VPN Server, browse to <http://certserver/certsrv> and check on
| > Pending Certificate.
| > Highlight the certificate and click Next. Then click Install this
| > Certificate. Close the browser.
| >
| > From the client, browse to <http://certserver/certsrv> and check on Pending
| > Certificate.
| > Highlight the certificate and click Next. Then click Install this
| > Certificate. Close the browser.
| >
| > Launch the Connection created for the VPN Server.
| >
| > Once connected, open the RRAS MMC, go to Ports and view the active L2TP
| > connection.
| >
| > Once connected from the RRAS Server, run ipsecmon to view the IPSec
| > connection.
| > You should see a policy name of L2TP Rule. This shows the negotiated IPSEC
| > connection.
| >
| > For more information you can enable Oakley logging.
| >
| > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
| >
| > Add a REG_DWORD value named EnableLogging with a value of 1 to this key. The
| > Oakley.log file is created in the %SystemRoot%\debug folder.
| >
| > NOTE: A value of 0 for EnableLogging disables logging.
| >
| > A reboot is required, and this would need to be enabled on Client and
| > Server.
| >
| > Method 2: install preshared key for L2TP/IPSec VPN connection
| >
| > This article describes how to configure the preshared key to be used with a
| > demand dial interface:
| > 1. On the initiating Routing and Remote Access server, start the Routing
| > and Remote Access snap-in.
| > 2. Click to expand the Routing and Remote Access server that you want to
| > configure.
| > 3. Click Network Interface.
| > 4. Right-click the demand dial interface that you want to configure to use
| > a preshared key, and then click Properties.
| > 5. Click the Security tab, and then click IPSec Settings.
| >
| > NOTE: If this interface is not a virtual private network (VPN) interface
| > and it is not an L2TP interface, the IPSec Settings button is not
| > displayed.
| > 6. Click to select the Use preshared key for authentication check box.
| > 7. Enter the preshared key that matches the one that is configured on the
| > destination Routing and Remote Access server, and then click OK.
| > After you have configured the initiating server, follow these steps on the
| > destination server:
| > 1. Start the Routing and Remote Access snap-in.
| > 2. Click to expand the Routing and Remote Access server that you want to
| > configure.
| > 3. Right-click the destination Routing and Remote Access server and click
| > Properties.
| > 4. Click the Security tab, and then click to select the Allow custom IPSec
| > policy for L2TP connection check box.
| > 5. Enter the preshared key that matches the one that you configured on the
| > initiating Routing and Remote Access server.
| >
| > Hope these steps will give you some help.
| >
| > Thanks and have a nice day!
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Date: Mon, 09 Apr 2007 22:21:50 +0100
| > | From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
| > | User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
| > | MIME-Version: 1.0
| > | Subject: L2TP setup.
| > | Content-Type: text/plain; charset=ISO-8859-1
| > | Content-Transfer-Encoding: 7bit
| > | X-Antivirus: avast! (VPS 000731-1, 08/04/2007), Outbound message
| > | X-Antivirus-Status: Clean
| > | Message-ID: <u$40X0ueHHA.3956@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | NNTP-Posting-Host: 213-162-121-253.adrian080.adsl.metronet.co.uk 213.162.121.253
| > | Lines: 1
| > | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
| > | Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:28722
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | I'm trying to set up L2TP as an option for my SBS server.
| > |
| > | I've run the RAS setup wizard, and there are 20 L2TP ports in the pool.
| > |
| > | I've forwarded u1701 to the SBS server, and ethereal confirms L2TP
| > | Control Message (SCCRQs) are being received.
| > |
| > | However, there's no reply from the server to the client (at all).
| > |
| > |
| > |
| >
|
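An added example, not code from the thread, from Microsoft or from any of the posters: a small Python triage tool for the symptom Adrian reported (Ethereal sees L2TP SCCRQ control messages arriving on UDP 1701, the server never answers). It parses an L2TPv2 control message per RFC 2661 to confirm what was received, and checks whether all three flows Terence lists (UDP 500, 4500 and 1701) reached the server. The SCCRQ bytes and the observed-flow list are constructed inline, not captured; the verdict that plaintext L2TP with no IKE traffic means IPsec was never negotiated, so an L2TP/IPSec server will not reply, is my reading of the symptom, not a statement from the thread.

```python
"""Classify a UDP/1701 payload as an L2TP control message and check whether the
UDP flows an L2TP/IPsec VPN needs were seen at the server.  Added example; the
sample packet and flow list are constructed, not taken from a real capture."""
import struct

# RFC 2661 control message types carried in the Message Type AVP (attribute 0)
L2TP_MESSAGE_TYPES = {
    1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN",
    14: "CDN", 15: "WEN", 16: "SLI",
}
# The three UDP ports the thread says must be opened and forwarded to the server
REQUIRED_UDP_PORTS = {500: "IKE", 4500: "IPsec NAT-T", 1701: "L2TP"}


def parse_l2tp_control(payload):
    """Parse an L2TPv2 control message header and its AVPs (RFC 2661 3.1, 4.1)."""
    flags, = struct.unpack_from("!H", payload, 0)
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    if not flags & 0x8000:                       # T bit clear: data, not control
        raise ValueError("data message, not a control message")
    pos, length = 2, None
    if flags & 0x4000:                           # L bit: Length field present
        length, = struct.unpack_from("!H", payload, pos); pos += 2
    tunnel_id, session_id = struct.unpack_from("!HH", payload, pos); pos += 4
    ns = nr = None
    if flags & 0x0800:                           # S bit: Ns/Nr present
        ns, nr = struct.unpack_from("!HH", payload, pos); pos += 4
    if flags & 0x0200:                           # O bit: offset size + padding
        off, = struct.unpack_from("!H", payload, pos); pos += 2 + off
    end = length if length is not None else len(payload)
    avps = {}
    while pos < end:                             # walk the AVP list
        avp_flags, vendor, attr = struct.unpack_from("!HHH", payload, pos)
        avp_len = avp_flags & 0x03FF             # low 10 bits: total AVP length
        if avp_len < 6:
            raise ValueError("malformed AVP length")
        if vendor == 0:                          # IETF-defined attribute
            avps[attr] = payload[pos + 6:pos + avp_len]
        pos += avp_len
    msg_type = struct.unpack("!H", avps[0])[0] if 0 in avps else None
    return {
        "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr,
        "message_type": L2TP_MESSAGE_TYPES.get(msg_type, "unknown(%s)" % msg_type),
        "host_name": avps.get(7, b"").decode("ascii", "replace"),
    }


def build_avp(attr, value, mandatory=True):
    """Encode one IETF AVP: flags/length, vendor 0, attribute type, value."""
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value


def build_sccrq(host_name=b"client", assigned_tunnel=1):
    """Constructed SCCRQ, the tunnel-open request seen on UDP 1701 in the thread."""
    avps = (build_avp(0, struct.pack("!H", 1))            # Message Type = SCCRQ
            + build_avp(2, b"\x01\x00")                    # Protocol Version 1.0
            + build_avp(3, struct.pack("!I", 3))           # Framing Capabilities
            + build_avp(7, host_name)                      # Host Name
            + build_avp(9, struct.pack("!H", assigned_tunnel)))  # Assigned Tunnel ID
    flags = 0x8000 | 0x4000 | 0x0800 | 0x0002              # T, L, S bits, version 2
    header_len = 12                                        # flags,len,tid,sid,ns,nr
    return struct.pack("!HHHHHH", flags, header_len + len(avps), 0, 0, 0, 0) + avps


def triage_flows(observed):
    """observed: (protocol, dst_port) pairs from a capture taken at the server.
    Reports which required flows are missing and interprets the thread's case."""
    udp_ports = {port for proto, port in observed if proto == "udp"}
    missing = {p: n for p, n in REQUIRED_UDP_PORTS.items() if p not in udp_ports}
    if 1701 in udp_ports and not ({500, 4500} & udp_ports):
        verdict = ("plaintext L2TP arrived with no IKE traffic: IPsec was never "
                   "negotiated, so an L2TP/IPsec server will not answer the SCCRQ")
    elif missing:
        verdict = "missing: " + ", ".join("UDP %d (%s)" % (p, n) for p, n in missing.items())
    else:
        verdict = "all three UDP flows reached the server"
    return {"missing_ports": sorted(missing), "verdict": verdict}


if __name__ == "__main__":
    # Constructed scenario matching the first post: only UDP 1701 reaches the server
    print(parse_l2tp_control(build_sccrq()))
    print(triage_flows([("udp", 1701), ("udp", 1701)]))
```

To use it on a real capture, feed the UDP payload bytes of a UDP/1701 packet to parse_l2tp_control and the (protocol, destination port) pairs seen at the server to triage_flows. A client that never opens UDP 500 is the case to investigate on the router/ISP side; once IKE and NAT-T appear, the L2TP traffic rides inside the IPsec tunnel and the bare SCCRQ on UDP 1701 no longer shows up in the clear.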