
Layer Two Tunneling Protocol (L2TP) Clients

In This Section:

The Need for Supporting L2TP Clients

Introduction to L2TP Clients

Establishing a VPN between an IPsec / L2TP Client and a Gateway

Behavior of an L2TP Connection

Security Gateway Requirements for IPsec / L2TP

L2TP Global Configuration

Authentication of Users

User Certificate Purposes

Considerations for Choosing Microsoft IPsec / L2TP Clients

Configuring Remote Access for Microsoft IPsec / L2TP Clients

The Need for Supporting L2TP Clients

For some organizations there are clear benefits to using the Microsoft IPsec client for remote access to the internal network, rather than the more feature-rich and secure Check Point SecuRemote / Endpoint Security.

Reasons for using the Microsoft L2TP IPsec client include that it is an inherent part of all Windows operating systems, as well as Mac OS X and iOS, requires no additional client to be installed, and is free.

Introduction to L2TP Clients

Check Point Security Gateways can create VPNs with a number of third party IPsec clients. This explanation focuses on the Microsoft IPsec / L2TP client.

You can access a private network through the Internet by using a virtual private network (VPN) connection with the Layer Two Tunneling Protocol (L2TP). L2TP is an industry-standard Internet tunneling protocol.

Creating a Remote Access environment for users with Microsoft IPsec / L2TP clients is based on the same principles as those used for setting up Check Point Remote Access Clients. Make sure that you understand how to configure Remote Access VPN before you begin to configure Remote Access for Microsoft IPsec / L2TP clients.

Establishing a VPN between an IPsec / L2TP Client and a Gateway

To allow the user at the Microsoft IPsec / L2TP client to access a network resource protected by a Security Gateway, a VPN tunnel is established between the Microsoft IPsec / L2TP client and the Security Gateway, as shown below.

IPSec Client to Check Point Gateway Connection

The process of the VPN establishment is transparent to the user, and works as follows:

  1. A user at an IPsec / L2TP client initiates a connection to a Security Gateway.
  2. The IPsec / L2TP client starts an IKE (Internet Key Exchange) negotiation with the peer Security Gateway. The identities of the remote client machine and the Security Gateway may be authenticated in one of these ways:
    • Through exchange of certificates
    • Through pre-shared keys

      Note - this option is less secure, since the pre-shared key is shared among all L2TP clients.

    Only authenticated machines can establish a connection.

  3. Both peers exchange encryption keys, and the IKE negotiation ends.
  4. Encryption is now established between the client and the Security Gateway. All connections between the client and the Security Gateway are encrypted inside this VPN tunnel, using the IPsec standard.
  5. The Client starts a short L2TP negotiation, at the end of which the client can pass to the Security Gateway L2TP frames that are IPsec encrypted and encapsulated.
  6. The Security Gateway now authenticates the user at the Microsoft IPsec / L2TP client. This authentication is in addition to the client machine authentication performed during the IKE negotiation. This identification can happen via one of these methods:
    • A Certificate
    • An MD5 challenge, whereby the user is asked to enter a username and a password (pre-shared secret)
    • A username and a password
  7. The Security Gateway allocates an Office Mode IP address to the remote client, so that the client is routable in the internal network. The address can be allocated with any of the Office Mode methods.
  8. The Microsoft IPsec / L2TP client connects to the Security Gateway, and can browse and connect to locations in the internal network.

Behavior of an L2TP Connection

When using an IPsec / L2TP client, it is not possible to connect to the organization and to the outside world at the same time.

This is because when the client is connected to the Security Gateway, all traffic that leaves the client is sent to the Security Gateway, and is encrypted, whether or not it is intended to reach the protected network behind the Security Gateway. The Security Gateway then drops all encrypted traffic that is not destined for the encryption domain of the Security Gateway.

Security Gateway Requirements for IPsec / L2TP

In order to use Microsoft IPsec / L2TP clients, the Security Gateway must be set up for remote access. The setup is very similar to that required for remote access using Check Point Remote Access Clients, and involves creating a Remote Access community that includes the Security Gateways and the user groups.

An additional requirement is to configure the Security Gateway to supply addresses to the clients by means of the Office Mode feature.

L2TP Global Configuration

Certain settings related to L2TP authentication can be configured globally for Security Gateways of version R71 and higher. These settings are configured in the Global Properties section of SmartDashboard.

All L2TP clients can be configured to use a Pre-shared key for IKE in addition to the standard user authentication.

Note - The IKE Security Association created for L2TP cannot be used for regular IPsec traffic.

Authentication of Users

There are two methods used to authenticate an L2TP connection:

Authentication Methods

L2TP clients can use any of the following Authentication schemes to establish a connection:

Using a username and password verifies that a user is who they claim to be. All users must be part of the Remote Access community and be configured for Office Mode.

Certificates

During the process of establishing the L2TP connection, two sets of authentication are performed. First, the client machine and the Security Gateway authenticate each other's identity using certificates. Then, the user at the client machine and the Security Gateway authenticate each other using either certificates or a pre-shared secret.

The Microsoft IPsec / L2TP client keeps separate certificates for IKE authentication of the client machine, and for user authentication.

On the Security Gateway, if certificates are used for user authentication, then the Security Gateway can use the same certificate or different certificates for user authentication and for the IKE authentication.

Certificates for both clients and users can be issued by the same CA or a different CA. The users and the client machines are defined separately as users in SmartDashboard.

Certificates can be issued by:

Authenticating the Client Machine During IKE

The Microsoft IPsec / L2TP client machine needs a certificate to authenticate itself to the Security Gateway during IKE negotiation.

The computer account (referred to here as the machine account) must use PKI and must be in the Remote Access community. It is not affected by the authentication scheme in the Remote Access tab in the GUI. Whether to use the same certificate (and "machine" user) for all clients is a deployment choice. An internal CA certificate can be used for this user without any problem. It makes no difference whether the authentication tab is defined or not.

The user account is more important, because it is the basis for rule matching and logs. It can use either MD5-challenge (passwords) or certificates. If you choose MD5-challenge, the certificate selection in the Remote Access tab is irrelevant. As for the user definition, it makes no difference how, if at all, the authentication tab is defined. The password is always the shared secret defined in the encryption tab. Note that this behavior differs from that of SecureClient, where passwords in the authentication tab override shared secrets from the encryption tab.

The client machine administrator must install the certificate in the machine certificate store.

Authenticating the User

Connecting with Microsoft IPsec / L2TP clients requires that every user be authenticated. Users can be authenticated with:

The user certificate can be easily added to the user certificate store. If the user certificate is on a Smart Card, plugging it into the client machine will automatically place the certificate into the certificate store.

User Certificate Purposes

It is possible to make sure that PKI certificates are used only for a defined purpose. A certificate can have one or more purposes, such as "client authentication", "server authentication", "IPsec" and "email signing". Purposes appear in the Extended Key Usage extension in the certificate.

The certificates used for IKE authentication do not need any purposes. For the user authentication, the Microsoft IPsec / L2TP client requires that

Most CAs (including the ICA) do not specify such purposes by default. This means that the CA that issues certificates for IPsec / L2TP clients must be configured to issue certificates with the appropriate purposes (in the Extended Key Usage extension).

It is possible to configure the ICA on the Security Management Server so that the certificates it issues will have these purposes. For OPSEC certified CAs, it is possible to configure the Security Management Server to create a certificate request that includes purposes (in the Extended Key Usage extension).

It is also possible to configure the Microsoft IPsec / L2TP clients so that they do not validate the Security Gateway certificate during the L2TP negotiation. This is not a security problem because the client has already verified the Security Gateway certificate during IKE negotiation.
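The purposes described above are what a practitioner most often has to check when a Microsoft client refuses a certificate. The following PowerShell script is an added example, not part of the Check Point documentation: it reads the Extended Key Usage extension of the certificates in the Current User and Local Computer stores (the stores the MMC procedures on this page populate) and of an exported gateway certificate, and reports whether the "Client Authentication" and "Server Authentication" purposes are present. The OIDs are the standard PKIX values; the path `C:\certs\gateway.cer` is a placeholder.

```powershell
# Added example, not part of the Check Point documentation: inspect the Extended Key Usage
# extension of certificates in the local stores or in an exported .cer file, and report
# whether the purposes the Microsoft IPsec / L2TP client looks for are present.
# OIDs are the standard PKIX values; store paths are the ones the MMC steps on this page use.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # "Server Authentication" (expected on the gateway certificate)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # "Client Authentication" (expected on the user certificate)

function Get-CertificatePurposes {
    # Returns the EKU OIDs of a certificate, or nothing when the extension is absent.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return }
    $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
}

function Test-CertificatePurpose {
    # True only when the purpose is explicitly listed: as the page notes, a certificate issued
    # without any EKU (the default for most CAs, the ICA included) does not satisfy the client.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Oid
    )
    $purposes = @(Get-CertificatePurposes -Certificate $Certificate)
    return ($purposes -contains $Oid)
}

# User certificates live in the Current User store, machine certificates in the Local Computer store.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Write-Host "== $store =="
    Get-ChildItem $store | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $purposes = @(Get-CertificatePurposes -Certificate $_)
        $ekuText  = if ($purposes.Count) { $purposes -join ', ' } else { '(none)' }
        [pscustomobject]@{
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            EKU        = $ekuText
            ClientAuth = Test-CertificatePurpose -Certificate $_ -Oid $ClientAuthOid
        }
    } | Format-Table -AutoSize
}

# The gateway certificate is not in a local store; check an exported copy (placeholder path).
$gatewayCerFile = 'C:\certs\gateway.cer'
if (Test-Path $gatewayCerFile) {
    $gw = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($gatewayCerFile)
    $hasServerAuth = Test-CertificatePurpose -Certificate $gw -Oid $ServerAuthOid
    "Gateway certificate '{0}' has Server Authentication purpose: {1}" -f $gw.Subject, $hasServerAuth
}
```

A user certificate whose EKU column reads "(none)" or lacks ClientAuth = True is the case the next paragraphs address: either reissue it from a CA configured to add purposes, or, for the gateway side only, turn off server certificate validation in the client as described later on this page.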

Considerations for Choosing Microsoft IPsec / L2TP Clients

Check Point Endpoint Security VPN is much more than a personal firewall. It is a complete desktop security solution that allows the administrator to define a full desktop security policy for the client. IPsec / L2TP clients are more basic remote clients, and for some organizations may provide an adequate set of capabilities.

Configuring Remote Access for Microsoft IPsec / L2TP Clients

Establishing a Remote Access VPN for Microsoft IPsec / L2TP clients requires configuration to be performed both on the Security Gateway and on the client machine. The configuration is the same as setting up Check Point Remote Access Clients, with a few additional steps.

High-level workflow to create a Remote Access deployment:

  1. Configure a Remote Access environment, including objects and authentication credentials (normally certificates) for the users.
  2. Configure support for Office Mode and L2TP on the Security Gateway.
  3. On the client machine, place the user certificate in the User Certificate Store, and the client machine certificate in the Machine Certificate Store.
  4. On the client machine, set up the Microsoft IPsec / L2TP client connection profile.

Configuring a Remote Access Environment

Configure the network to use VPN connections for Remote Access.

Defining the Client Machines and their Certificates

  1. Define a user that corresponds to each client machine, or one user for all machines, and generate a certificate for each client machine user. The steps are the same as those required to define users and their certificates.
  2. Add users that correspond to the client machines to a user group, and add the user group to the Remote Access VPN community.

Configuring Office Mode and L2TP Support

  1. Configure Office Mode. For detailed instructions, see Configuring Office Mode.
  2. On the Security Gateway object, IPsec VPN > Remote Access page, check Support L2TP.
  3. Select the Authentication Method for the users:
    • To use certificates, choose Smart Card or other Certificates (encryption enabled).
    • To use a username and a shared secret (password), choose MD5-challenge.
  4. For Use this certificate, select the certificate that the Security Gateway presents in order to authenticate itself to users. This certificate is used if certificates are the chosen Authentication Method for users, in step 3.

Preparing the Client Machines

  1. In the Windows Services window of the client machine, make sure that the IPsec Policy Agent is running. It should preferably be set to Automatic.
  2. Make sure that no other IPsec Client is installed on the machine.

Placing the Client Certificate in the Machine Certificate Store

  1. Log in to the client machine with administrator permissions.
  2. Run the Microsoft Management Console: click Start > Run.
  3. Type MMC and press Enter.
  4. Select Console > Add/Remove Snap-In.
  5. In the Standalone tab, click Add.
  6. In the Add Standalone Snap-in window, select Certificates.
  7. In the Certificates snap-in window, select Computer account.
  8. In the Select Computer window select the computer (whether local or not) where the new certificates have been saved.
  9. Click Finish to complete the process and click Close to close the Add/Remove Snap-in window.
  10. The MMC Console window is displayed, where a new certificates branch has been added to the Console root.
  11. Right-click on the Personal entry of the Certificates branch and select All Tasks > Import. A Certificate Import Wizard is displayed.
  12. In the Certificate Import Wizard, browse to the location of the certificate.
  13. Enter the certificate file password.
  14. In the Certificate Store window make sure that the certificate store is selected automatically based on the certificate type.
  15. Select Finish to complete the Import operation.

Using the MMC, the certificate can be seen in the certificate store for the "Local Computer".

Placing the User Certificate in the User Certificate Store

  1. On the client machine, double-click on the user's certificate icon (the .p12 file) in the location where it is saved. A Certificate Import Wizard is displayed.
  2. Enter the password.
  3. In the Certificate Store window make sure that the certificate store is selected automatically based on the certificate type.
  4. Select Finish to complete the Import operation.

Using the MMC, the certificate can be seen in the certificate store for the "current user".
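The client preparation and the two certificate-store procedures above can also be scripted. The following PowerShell script is an added example, not part of the Check Point documentation: it checks the IPsec Policy Agent service (service name PolicyAgent), imports the machine certificate into the Local Computer store and the user certificate into the Current User store with the built-in Import-PfxCertificate cmdlet, and lists what was imported. The .p12 file paths are placeholders; the script assumes it runs from an elevated prompt in the session of the user who will dial the connection, since the Current User store belongs to that user.

```powershell
# Added example, not part of the Check Point documentation: the "Preparing the Client Machines"
# and certificate-store steps above, done from an elevated PowerShell prompt instead of MMC.
# File paths are placeholders; replace them with the locations of your own .p12 files.

# 1. The IPsec Policy Agent (service name PolicyAgent) must be running, preferably set to Automatic.
$agent = Get-Service -Name PolicyAgent
if ($agent.StartType -ne 'Automatic') { Set-Service -Name PolicyAgent -StartupType Automatic }
if ($agent.Status -ne 'Running')      { Start-Service -Name PolicyAgent }
Get-Service -Name PolicyAgent | Format-List Name, Status, StartType

# 2. Machine certificate -> Local Computer store (needs administrator rights).
$machinePfx  = 'C:\certs\client-machine.p12'   # placeholder path
$machinePwd  = Read-Host -Prompt 'Machine certificate password' -AsSecureString
$machineCert = Import-PfxCertificate -FilePath $machinePfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $machinePwd

# 3. User certificate -> Current User store of the user who will dial the connection.
$userPfx  = 'C:\certs\user.p12'                  # placeholder path
$userPwd  = Read-Host -Prompt 'User certificate password' -AsSecureString
$userCert = Import-PfxCertificate -FilePath $userPfx -CertStoreLocation 'Cert:\CurrentUser\My' -Password $userPwd

# Confirm both certificates landed where the page says they must be.
Write-Host '== Local Computer store (machine certificate) =='
Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $machineCert.Thumbprint } |
    Format-List Subject, Issuer, NotAfter, HasPrivateKey
Write-Host '== Current User store (user certificate) =='
Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object { $_.Thumbprint -eq $userCert.Thumbprint } |
    Format-List Subject, Issuer, NotAfter, HasPrivateKey
```

The passwords are read as secure strings rather than passed on the command line, so they do not end up in the PowerShell history. A certificate imported without HasPrivateKey = True cannot be used for IKE or for user authentication and indicates that the .p12 file did not contain the private key.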

Setting up the Microsoft IPsec/L2TP Client Connection Profile

Once the Client machine's certificate and the user's certificate have been properly distributed, set up the L2TP connection profile.

To configure the L2TP profile:

  1. In the client machine, right-click on the My Network Places icon on the desktop and select Properties.
  2. In the Network and Dial-up Connections window, select Make New Connection. The Network Connection Wizard is displayed.
  3. In the Network Connection Type window: On Windows 2000 machines select Connect to a private network through the Internet. On Windows XP machines select VPN or dial-up, and in the next window select VPN.
  4. In the Destination Address window, enter the IP address or the resolvable host name of the Security Gateway.
  5. In the Connection Availability window, make the new connection available For all users or Only for myself.
  6. In the closing window, provide a name for the new connection, for example, L2TP_connection.
  7. The Connect window for the new connection type is displayed.

To complete the L2TP connection configuration:

  1. In the Connect window, click Properties.
  2. In the Networking tab, select the L2TP server.
  3. In the Security tab, choose Advanced > Settings, and select Use extensible Authentication protocols or Allow these protocols.

    If you select Use extensible Authentication protocols: Choose either MD5-challenge, or Smart Card or other Certificates (encryption enabled). Make the same choice as made on the Security Gateway.

    If you select Allow these protocols: Choose Unencrypted password (PAP).

  4. Click OK to save the configured settings and to return to the Connect window.
  5. In the Connect window, enter the user name and password or select a certificate.
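The connection profile built by the wizard above can be created from PowerShell on Windows 8 and later with the built-in VpnClient cmdlets. The following script is an added example, not part of the Check Point documentation: it creates an L2TP/IPsec profile that uses the machine certificate for IKE (no pre-shared key) and the "Allow these protocols" > "Unencrypted password (PAP)" choice for the user, dials it with rasdial, and shows the assigned Office Mode address, which also covers the "Making the L2TP Connection" steps later on this page. The gateway address and user name are placeholders; "L2TP_connection" is the sample name used on this page. The EAP choices (MD5-challenge, Smart Card or other Certificates) are, to my understanding, set with -AuthenticationMethod Eap together with an -EapConfigXmlStream, and are not shown here.

```powershell
# Added example, not part of the Check Point documentation: create the L2TP/IPsec connection
# profile with the VpnClient cmdlets (Windows 8 and later) instead of the Network Connection
# Wizard, then dial it and show the Office Mode address.
# Gateway address, user name and connection name are placeholders.

$ConnectionName = 'L2TP_connection'
$GatewayAddress = 'vpn.example.com'   # placeholder: IP address or resolvable host name of the Security Gateway
$UserName       = 'alice'             # placeholder

# -AuthenticationMethod Pap matches "Allow these protocols" > "Unencrypted password (PAP)" on the
# client and MD5-challenge on the gateway; the password is only ever carried inside the IPsec tunnel.
# No -L2tpPsk is given, so IKE authenticates the machine with the certificate in Cert:\LocalMachine\My
# rather than the pre-shared key the page describes as less secure.
# -AllUserConnection corresponds to "For all users" in the wizard; omit it for "Only for myself".
# -SplitTunneling is left off, which is the behaviour the page describes (all traffic to the gateway).
Add-VpnConnection -Name $ConnectionName -ServerAddress $GatewayAddress `
    -TunnelType L2tp -AuthenticationMethod Pap -AllUserConnection

# Verify the stored profile.
Get-VpnConnection -Name $ConnectionName -AllUserConnection |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling

# Dial: "*" makes rasdial prompt for the password instead of taking it on the command line.
rasdial $ConnectionName $UserName *

# The Office Mode address assigned to the connection (the equivalent of "ipconfig /all").
Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength

# Disconnect when done.
rasdial $ConnectionName /disconnect
```

Because the machine certificate is used for IKE, the script only works after the certificate has been placed in the Local Computer store as described above; with no usable machine certificate and no -L2tpPsk, the IKE negotiation fails before the user is ever asked for a password.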

Configuring User Certificate Purposes

A CA that issues certificates for IPsec/L2TP clients must be configured to issue certificates with the appropriate purposes.

Alternatively, the Microsoft IPsec/L2TP Client can be set to not require the "Server Authentication" purpose on the Security Gateway certificate.

To configure the CA to Issue Certificates with Purposes

  1. If using the ICA, run the ICA Management Tool.
    • Change the IKE Certificate Extended Key Usage property to the value 1, to issue Security Gateway certificates with the "server authentication" purpose.
    • Change the IKE Certificate Extended Key Usage property to the value 2, to issue user certificates with the "client authentication" purpose.

      If using an OPSEC certified CA to issue certificates, use the dbedit command line (see sk13301) or the GuiDBedit Tool (see sk13009) to change the value of the global property cert_req_ext_key_usage to 1. This causes the Security Management Server to request a certificate that has purposes (Extended Key Usage extension) in the certificate.

  2. Using SmartDashboard, issue a new certificate for the Security Gateway. (In the VPN page, in the Certificate List section, click Add. A new Certificate Properties window opens.) Look at the certificate properties and check that the Extended Key Usage extension appears in the certificate.
  3. In the Remote Access page of the Security Gateway object, in the L2TP Support section, select the new certificate.

To Configure the Microsoft IPsec/L2TP Clients so they do not Check for the "Server Authentication" Purpose

The following procedure tells the Microsoft IPsec/L2TP Client not to require the "Server Authentication" purpose on the Security Gateway certificate.

  1. In the client machine, right-click on the My Network Places icon on the desktop and select Properties.
  2. In the Network and Dial-up Connections window, double click the L2TP connection profile.
  3. Click Properties, and select the Security tab.
  4. Select Advanced (custom settings), and click Settings.
  5. In the Advanced Security Settings window, under Logon security, select Use Extensible Authentication Protocol (EAP), and click Properties.
  6. In the Smart Card or other Certificate Properties window, uncheck Validate server certificate, and click OK.

Note - The client validates all aspects of the Security Gateway certificate, during IKE authentication, other than the "Server Authentication" purpose.

Making the L2TP Connection

  1. Click on Connect to make the L2TP connection.
  2. To view the IP address assigned to the connection, either view the Details tab in the connection Status window, or use the ipconfig /all command.

For More Information

The L2TP protocol is defined in RFC 2661. Encryption of L2TP using IPsec is described in RFC 3193. For information about the L2TP protocol and the Microsoft IPsec/L2TP client, see the Network and Dial Up Connections Help in Windows for your version.