
Layer Two Tunneling Protocol (L2TP) Clients

In This Section:

Introduction to L2TP Clients

Establishing a VPN between an IPsec / L2TP Client and a Gateway

Behavior of an L2TP Connection

Security Gateway Requirements for IPsec / L2TP

L2TP Global Configuration

Authentication of Users

User Certificate Purposes

Configuring Remote Access for Microsoft IPsec / L2TP Clients

Introduction to L2TP Clients

Some organizations prefer to use L2TP clients for remote access to internal networks, rather than the more feature-rich and secure Check Point clients. There are L2TP clients built into many operating systems.

Check Point Security Gateways can create VPNs with L2TP IPsec clients. This explanation focuses on the Microsoft IPsec / L2TP client.

You can access a private network through the Internet by using a virtual private network (VPN) connection with the Layer Two Tunneling Protocol (L2TP). L2TP is an industry-standard Internet tunneling protocol.

Creating a Remote Access environment for users with Microsoft IPsec / L2TP clients is based on the same principles as those used for setting up Check Point Remote Access Clients. Make sure that you understand how to configure Remote Access VPN before you begin to configure Remote Access for Microsoft IPsec / L2TP clients.

Establishing a VPN between an IPsec / L2TP Client and a Gateway

To allow the user at the Microsoft IPsec / L2TP client to access a network resource protected by a Security Gateway, a VPN tunnel is established between the Microsoft IPsec / L2TP client and the Security Gateway, as shown below.

  Item  Description
  1     Internal hosts
  2     Security Gateway
  3     Internet
  4     Remote IPsec Client

The process of the VPN establishment is transparent to the user, and works as follows:

  1. A user at an IPsec / L2TP client initiates a connection to a Security Gateway.
  2. The IPsec / L2TP client starts an IKE (Internet Key Exchange) negotiation with the peer Security Gateway. The identities of the remote client machine and the Security Gateway may be authenticated in one of these ways:
    • Through exchange of certificates
    • Through pre-shared keys

      Note - this option is less secure, since the pre-shared key is shared among all L2TP clients.

    Only an authenticated machine can establish a connection.

  3. Both peers exchange encryption keys, and the IKE negotiation ends.
  4. Encryption is now established between the client and the Security Gateway. All connections between the client and the Security Gateway are encrypted inside this VPN tunnel, using the IPsec standard.
  5. The Client starts a short L2TP negotiation, at the end of which the client can pass to the Security Gateway L2TP frames that are IPsec encrypted and encapsulated.
  6. The Security Gateway now authenticates the user at the Microsoft IPsec / L2TP client. This authentication is in addition to the client machine authentication in step 3. The user can be authenticated with one of these methods:
    • A Certificate
    • An MD5 challenge, whereby the user is asked to enter a username and a password (pre-shared secret)
    • A username and a password
  7. The Security Gateway allocates to the remote client an Office Mode IP address to make the client routable to the internal network. The address can be allocated from all of the Office Mode methods.
  8. The Microsoft IPsec / L2TP client connects to the Security Gateway, and can browse and connect to locations in the internal network.

Behavior of an L2TP Connection

When using an IPsec / L2TP client, it is not possible to connect to the organization and to the outside world at the same time.

This is because when the client is connected to the Security Gateway, all traffic that leaves the client is sent to the Security Gateway, and is encrypted, whether or not it is intended to reach the protected network behind the Security Gateway. The Security Gateway then drops all encrypted traffic that is not destined for the encryption domain of the Security Gateway.

Security Gateway Requirements for IPsec / L2TP

In order to use Microsoft IPsec / L2TP clients, the Security Gateway must be set up for remote access. The setup is very similar to that required for remote access using Check Point Remote Access Clients, and involves creating a Remote Access community that includes the Security Gateways and the user groups.

An additional requirement is to configure the Security Gateway to supply addresses to the clients by means of the Office Mode feature.

L2TP Global Configuration

Certain settings related to L2TP authentication can be configured globally for Security Gateways of version R71 and higher. These settings are configured in the Global Properties section of SmartConsole.

All L2TP clients can be configured to use a Pre-shared key for IKE in addition to the standard user authentication.

To use a Pre-shared key for IKE, go to Global Properties > Remote Access > VPN - Authentication and Encryption and select Support L2TP with Pre-Shared Key.

Note - The IKE Security Association created for L2TP cannot be used for regular IPsec traffic.

Authentication of Users

There are two methods used to authenticate an L2TP connection:

Authentication Methods

L2TP clients can use any of the following authentication schemes to establish a connection:

Using a username and password verifies that a user is who they claim to be. All users must be part of the Remote Access community and be configured for Office Mode.

Certificates

During the process of establishing the L2TP connection, two sets of authentication are performed. First, the client machine and the Security Gateway authenticate each other's identity using certificates. Then, the user at the client machine and the Security Gateway authenticate each other using either certificates or a pre-shared secret.

The Microsoft IPsec / L2TP client keeps separate certificates for IKE authentication of the client machine, and for user authentication.

On the Security Gateway, if certificates are used for user authentication, then the Security Gateway can use the same certificate or different certificates for user authentication and for the IKE authentication.

Certificates for both clients and users can be issued by the same CA or a different CA. The users and the client machines are defined separately as users in SmartConsole.

Certificates can be issued by:

User Certificate Purposes

It is possible to make sure that PKI certificates are used only for a defined purpose. A certificate can have one or more purposes, such as "client authentication", "server authentication", "IPsec" and "email signing". Purposes appear in the Extended Key Usage extension in the certificate.

The certificates used for IKE authentication do not need any purposes. For the user authentication, the Microsoft IPsec / L2TP client requires that

Most CAs (including the ICA) do not specify such purposes by default. This means that the CA that issues certificates for IPsec / L2TP clients must be configured to issue certificates with the appropriate purposes (in the Extended Key Usage extension).

It is possible to configure the ICA on the Security Management Server so that the certificates it issues will have these purposes. For OPSEC certified CAs, it is possible to configure the Security Management Server to create a certificate request that includes purposes (in the Extended Key Usage extension).

It is also possible to configure the Microsoft IPsec / L2TP clients so that they do not validate the Security Gateway certificate during the L2TP negotiation. This is not a security problem because the client has already verified the Security Gateway certificate during IKE negotiation.

Configuring Remote Access for Microsoft IPsec / L2TP Clients

Establishing a Remote Access VPN for Microsoft IPsec / L2TP clients requires configuration to be performed both on the Security Gateway and on the client machine. The configuration is the same as setting up Check Point Remote Access Clients, with a few additional steps.

High-level workflow to create a Remote Access deployment:

  1. Configure a Remote Access environment, including objects and authentication credentials (normally certificates) for the users.
  2. Configure support for Office Mode and L2TP on the Security Gateway.
  3. On the client machine, place the user certificate in the User Certificate Store, and the client machine certificate in the Machine Certificate Store.
  4. On the client machine, set up the Microsoft IPsec / L2TP client connection profile.

Configuring a Remote Access Environment

Configure the network to use VPN connections for Remote Access.

Defining the Client Machines and their Certificates

  1. Define a user that corresponds to each client machine, or one user for all machines, and generate a certificate for each client machine user. The steps are the same as those required to define users and their certificates.
  2. Add users that correspond to the client machines to a user group, and add the user group to the Remote Access VPN community.

Configuring Office Mode and L2TP Support

To configure L2TP support:

  1. Configure Office Mode.
  2. Click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  3. From the navigation tree, click VPN Clients > Remote Access.
  4. Click Support L2TP.
  5. Select the Authentication Method for the users:
    • To use certificates, choose Smart Card or other Certificates (encryption enabled).
    • To use a username and a shared secret (password), choose MD5-challenge.
  6. For Use this certificate, select the certificate that the Security Gateway presents in order to authenticate itself to users.
  7. Click OK and publish the changes.

Preparing the Client Machines

  1. In the Windows Services window of the client machine, make sure that the IPsec Policy Agent is running. It should preferably be set to Automatic.
  2. Make sure that no other IPsec Client is installed on the machine.

Placing the Client Certificate in the Machine Certificate Store

  1. Log in to the client machine with administrator permissions.
  2. Run the Microsoft Management Console: click Start > Run.
  3. Type MMC and press Enter.
  4. Select Console > Add/Remove Snap-In.
  5. In the Standalone tab, click Add.
  6. In the Add Standalone Snap-in window, select Certificates.
  7. In the Certificates snap-in window, select Computer account.
  8. In the Select Computer window select the computer (whether local or not) where the new certificates have been saved.
  9. Click Finish to complete the process and click Close to close the Add/Remove Snap-in window.
  10. The MMC Console window is displayed, where a new certificates branch has been added to the Console root.
  11. Right-click on the Personal entry of the Certificates branch and select All Tasks > Import. A Certificate Import Wizard is displayed.
  12. In the Certificate Import Wizard, browse to the location of the certificate.
  13. Enter the certificate file password.
  14. In the Certificate Store window make sure that the certificate store is selected automatically based on the certificate type.
  15. Select Finish to complete the Import operation.
  16. Go to the Certificate subdirectory (under Personal). There is one certificate with the user name and a second certificate with the management name.
  17. Select the management certificate and drag it to the Certificates list under the Trusted Root Certificate subdirectory.
  18. Exit from the MMC console. You do not have to save it. You can see the changes in Internet Explorer Properties.

Using the MMC, the certificate can be seen in the certificate store for the "Local Computer".

Placing the User Certificate in the User Certificate Store

  1. On the client machine, double-click on the user's certificate icon (the .p12 file) in the location where it is saved. A Certificate Import Wizard is displayed.
  2. Enter the password.
  3. In the Certificate Store window make sure that the certificate store is selected automatically based on the certificate type.
  4. Select Finish to complete the Import operation.

Using the MMC, the certificate can be seen in the certificate store for the "current user".

Setting up the Microsoft IPsec/L2TP Client Connection Profile

Once the Client machine's certificate and the user's certificate have been properly distributed, set up the L2TP connection profile. The instruction might be slightly different on different versions of Windows.

To configure the L2TP profile:

  1. On the client machine, go to the Network and Sharing Center.
  2. Select Set up a new connection or network > Connect to a workplace > Use my Internet connection (VPN).
  3. In Internet address, enter the IP address or the resolvable host name of the Security Gateway.
  4. In Destination name, enter a name for the new connection, for example, L2TP_connection.
  5. On Windows 7: Select Don't connect now; just set it up so I can connect later.
  6. Click Next.
  7. Click Create.
  8. Click Close.

To complete the L2TP connection configuration:

  1. In the Network and Sharing Center, click Change adapter settings.
  2. Right-click on the connection you created and select Properties.
  3. In the Security tab, under Type of VPN, select Layer 2 Tunneling Protocol with IPSEC (L2TP/IPSEC).
  4. Click Advanced settings, and in the L2TP tab:
    • If you configured the gateway to use MD5-Challenge, select Use preshared key for authentication and enter the preshared key.
    • If you configured the gateway to use Smart Card or another certificate, select Use certificate for authentication.
  5. Click OK.
  6. Under Authentication, select Use Extensible Authentication Protocol (EAP) or Allow these protocols.
    • If you select Use Extensible Authentication Protocol (EAP): Select MD5-challenge, or Smart Card or other Certificates, to match the authentication method chosen on the gateway.
    • If you select Allow these protocols: Select Unencrypted password (PAP).
  7. Click OK.

Configuring User Certificate Purposes

A CA that issues certificates for IPsec/L2TP clients must be configured to issue certificates with the appropriate purposes.

Alternatively, the Microsoft IPsec/L2TP Client can be set to not require the "Server Authentication" purpose on the Security Gateway certificate.

Configuring the CA to Issue Certificates (L2TP)

To configure the CA with the ICA Management Tool:

  1. Run the ICA Management Tool.
  2. Change the property IKE Certificate Extended Key Usage to the value 1, to issue Security Gateway certificates with the "server authentication" purpose.
  3. Change the property IKE Certificate Extended Key Usage to the value 2, to issue user certificates with the "client authentication" purpose.

    If you are using an OPSEC certified CA to issue certificates, use the GuiDBedit Tool (see sk13009) to change the value of the global property cert_req_ext_key_usage to 1. This causes the Security Management Server to request a certificate that has purposes (Extended Key Usage extension) in the certificate.

To configure the CA with SmartConsole:

  1. Click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click IPsec VPN.
  3. In the Repository of Certificates Available to the Gateway section, click Add.

    The Certificate Properties window opens.

  4. Configure the settings for the certificate and click OK.
  5. Select the certificate and click View.
  6. Make sure that the Extended Key Usage extension appears in the certificate.
  7. From the navigation tree, click VPN Clients > Remote Access.
  8. In the L2TP Support section, select the new certificate.
  9. Click OK and publish the changes.
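The purposes these two procedures configure (the "server authentication" purpose on the Security Gateway certificate and the "client authentication" purpose on user certificates, both carried in the Extended Key Usage extension) can be checked outside the GUI once a certificate has been exported. The following Python example is added here and is not Check Point or Microsoft code: it encodes and decodes the DER value of the Extended Key Usage extension (OID 2.5.29.37) with only the standard library, and reports which purpose an L2TP gateway or user certificate is missing. The id-kp OIDs are the standard ones from RFC 5280 and RFC 4945; the sample extension values are constructed inline, and the function names are the example's own.

```python
# Added example (not Check Point or Microsoft code): encode and decode the
# Extended Key Usage (EKU) extension value as DER, then check the purposes
# an L2TP deployment needs. Standard library only.

# Well-known id-kp OIDs (RFC 5280; ipsecIKE from RFC 4945).
EKU_OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "ipsecIKE": "1.3.6.1.5.5.7.3.17",
}


def _encode_length(n):
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return b"\x06" + _encode_length(len(out)) + bytes(out)


def encode_eku(dotted_oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (an OID each)."""
    body = b"".join(_encode_oid(o) for o in dotted_oids)
    return b"\x30" + _encode_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next position)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the dotted OIDs in an EKU value; None (extension absent) -> []."""
    if der is None:
        return []
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(raw))
    return oids


def has_purpose(der, purpose):
    return EKU_OIDS[purpose] in decode_eku(der)


def l2tp_purpose_problems(gateway_eku_der, user_eku_der):
    """Purposes missing for L2TP: the gateway certificate needs serverAuth,
    the user certificate needs clientAuth (either argument may be None)."""
    problems = []
    if not has_purpose(gateway_eku_der, "serverAuth"):
        problems.append("gateway certificate lacks serverAuth")
    if not has_purpose(user_eku_der, "clientAuth"):
        problems.append("user certificate lacks clientAuth")
    return problems


if __name__ == "__main__":
    # Constructed sample values carrying the purposes the procedure asks for.
    gateway_eku = encode_eku([EKU_OIDS["serverAuth"]])
    user_eku = encode_eku([EKU_OIDS["clientAuth"]])
    print("gateway EKU DER:", gateway_eku.hex())
    print("decoded:", decode_eku(gateway_eku))
    print("problems:", l2tp_purpose_problems(gateway_eku, user_eku) or "none")
```

To apply this to a real certificate, extract the raw value of the 2.5.29.37 extension from the DER certificate (any X.509 library exposes it) and pass it to `decode_eku`; a certificate without the extension, which is what most CAs issue by default, maps to `None` and fails both checks, which is exactly the situation the ICA settings above are meant to correct.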

To Configure the Microsoft IPsec/L2TP Clients so they do not Check for the "Server Authentication" Purpose

The following procedure tells the Microsoft IPsec/L2TP Client not to require the "Server Authentication" purpose on the Security Gateway certificate.

  1. In the client machine, right-click on the My Network Places icon on the desktop and select Properties.
  2. In the Network and Dial-up Connections window, double click the L2TP connection profile.
  3. Click Properties, and select the Security tab.
  4. Select Advanced (custom settings), and click Settings.
  5. In the Advanced Security Settings window, under Logon security, select Use Extensible Authentication Protocol (EAP), and click Properties.
  6. In the Smart Card or other Certificate Properties window, uncheck Validate server certificate, and click OK.

Note - During IKE authentication, the client validates all aspects of the Security Gateway certificate other than the "Server Authentication" purpose.

Making the L2TP Connection

  1. Click on Connect to make the L2TP connection.
  2. To view the IP address assigned to the connection, either view the Details tab in the connection Status window, or use the ipconfig /all command.

For More Information

The L2TP protocol is defined in RFC 2661. Encryption of L2TP using IPsec is described in RFC 3193. For information about the L2TP protocol and the Microsoft IPsec/L2TP client, see the Network and Dial Up Connections Help in Windows for your version.