L2TP/IPsec with Active Directory using LDAP (11.x)

jein
Posts: 53
Joined: 30 Oct 2008, 09:16
Location: Clavister HQ

Post by jein » 19 Jan 2010, 11:35

This How-to applies to:
  • Clavister cOS Core 11.x
  • Windows 10
  • Windows Server 2012 R2
Topics covered in this document
  • Preparing configuration objects
  • User Settings
  • IPsec Tunnel
  • L2TP Tunnel
  • User Authentication Rule
  • IP Policies
  • Windows 10 VPN Client - New VPN connection

Problem:
I want to use LDAP (Active Directory) as authentication source for my L2TP/IPsec connection.

Solution:
There are two ways that an Active Directory can be used with L2TP/IPsec. If default settings are used in the Windows L2TP Client, a slight modification has to be made in the AD. Instead of logging in with the username and password found in the AD, a different password attribute has to be used (see cOS Core AdminGuide for explanation). This how-to uses the Description field as an example.

NOTE: If you do not want to use the description field as this How-To describes, it is recommended that you read through this FAQ that is related to a PAP (unencrypted password) only restriction when using LDAP towards MS AD.
NOTE: This post is not updated.
viewtopic.php?f=18&t=5144


Preparing configuration objects

First of all we need to create all needed objects.

Objects > Address Book
The first thing to do is to add all objects needed by the L2TP tunnel. The Network, the IP range the clients will use and the "interface IP" of the tunnel.
When this is done, you should have three new objects in the address book. It should look something like this:
IPsec_L2TP_Addresses.png
Proposal Lists
Algorithms.png
Create two proposal lists, one for IKE and one for IPsec. Select SHA1 and AES as algorithms. This is to match the incoming proposals sent from Windows. This is done under Objects -> VPN Objects -> IKE/IPsec Algorithms.
NOTE: The proposals sent to the Clavister vary depending on the operating system that connects. For example, Android and iOS propose more secure algorithms, such as SHA256. We recommend using the more secure algorithms when connecting to IPsec from these operating systems.


Preparing the Pre-Shared Key
To be able to authenticate the IPsec tunnel that will be used for the L2TP tunnel, a pre-shared key needs to be defined. This is done under Objects -> Key Ring -> Pre-Shared Keys.
IPsec-Psk.png
In this How-to a pre-shared key named IPsec_psk will be used.


Adding the LDAP Server
This is done under Policies -> User Authentication -> User Directories -> LDAP
LDAP Settings.png
NOTE: The IP and Database Settings are just examples. We should use the corresponding IP and Database Settings in a live environment.


Adding Users to the LDAP Server
You can create users by pressing the "Create User in the Current Directory" icon on your Windows Server.
Adding User LDAP.png
In this scenario we will create a user named "testuser"
Testuser.png
User Settings
This is found on our Win2012R2 Server in the Active Directory Users and Computers server tools.
Description.png
Configuring the IPsec Tunnel
Now it's time to set up the IPsec tunnel. This is done in the IPsec section located in the Network tab of the Security Gateway.

General
IPsec_General.png
Name
First of all, a name is needed for the VPN connection.
In this example, the name IPsec_L2TP is being used.

IKE Version
Here we select IKEv1.

Encapsulation mode
As we're setting up an L2TP tunnel, this should be set to Transport Mode.


Authentication
IPsec_Authentication.png
Authentication Method
Here we choose Pre-shared Key.

Pre-shared Key
Here we select our previously created PSK, IPsec_psk.

IKE (Phase-1)
IPsec_IKE_Phase.png
Diffie-Hellman group
Here we select DH-Group 14 (2048-bit) since that is the most secure proposal group sent by Windows.

Algorithms
Here we select the IKE algorithm that we created earlier.
We leave the life-time at its default value.

Mode
We choose Main mode and not Aggressive mode since we want the connection establishment to be encrypted.

Outgoing Routing Table
We select the routing table main.

Local Endpoint
Here we select our Wan_ip.
NOTE: Remember this interface IP is simply an example. In this scenario we're assuming that our connection attempts are from the outside; you should of course use the interface and IP corresponding to your network.

Incoming Interface Filter
This is an optional setting used with virtual routing scenarios, so we will use the standard any.

Miscellaneous
Here we leave all settings to their default value.


IPsec (Phase-2)
IPsec_IPsec_Phase.png
PFS (Perfect Forward Secrecy)
We leave the default values.

Algorithms
Select the IPsec algorithm we created earlier and leave the life-time settings at their default.

Setup SA Per
Select Network.


Advanced
Static Route.png
Routing
In the routing section under advanced make sure that you have Add Route Statically Disabled.
NOTE: We're setting this setting to disabled since the L2TP Server will take care of the routing.


Setting up the L2TP Server
Now it's time to set up the L2TP Server. This is done in the PPTP/L2TP Servers section located in the Network folder of the Security Gateway.
L2TP_General.png
General

Name
First of all, a name is needed for the L2TP interface. This virtual interface will be used later in the policies and user authentication rules sections.
In this example, the name L2TP is being used.

Inner IP Address
This IP should be a part of the network which the clients are assigned IP addresses from, in this case it should be IPsec_ip (192.168.99.1).

Tunnel Protocol
As we are setting up an L2TP server, L2TP is selected as Tunnel Protocol.

Outer Interface Filter
This is the interface that the L2TP server will accept connections on. As IPsec is used when running L2TP from Windows 10, the interface should be the IPsec tunnel created earlier, IPsec_L2TP.

Server IP
This is the IP that the L2TP server is accepting connections on. It should be the same as the IPsec tunnel endpoint, i.e. Wan_ip.


PPP Parameters
L2TP_PPP_Parameters.png
Use Authentication Rule
Should be enabled, and a rule needs to be configured (as described further down under "Setting up the User Authentication Rules").

Microsoft Point-to-Point Encryption
Select the encryption strength the server should allow.
NOTE: The recommendation is to ONLY have None checked. Disable the 40/56/128 bit encryption.
We already have IPsec encryption, there is no need to encrypt once more, and MPPE is not hardware accelerated, meaning that throughput and CPU usage will suffer. IPsec is hardware accelerated on certain models which gives vastly improved performance.

IP Pool
Specify the addresses that are to be assigned to the clients. In this case, use the pool created earlier, IPsec_range. You can also specify up to two DNS and WINS servers. In this scenario we select Google's DNS Server (8.8.8.8).


Add Route
L2TP_ProxyARP.png
A ProxyARP needs to be configured for the IPs used by the L2TP Clients. What we do is publish the IPs from the L2TP_range on the Lan interface and the L2TP server will automatically route them over the L2TP_tunnel interface.

Virtual Routing
We leave this tab untouched.


Setting up the User Authentication Rules
A user authentication rule needs to be configured as below:
  • Name: LDAP_Auth
  • Authentication Agent: L2TP/PPTP/SSL_VPN (As we're using an L2TP tunnel)
  • Authentication Source: LDAP (Since we are using an LDAP Server)
  • Interface: L2TP (This should be the L2TP server)
  • Originator IP: all-nets (As the clients are roaming)
  • Terminator IP: Wan_ip (Should be the same as the Outer IP)
  • LDAP servers: Win_AD (This is the LDAP Server we created earlier, this setting is found under the Authentication Options tab)
The rule should look like this:
L2TP_Auth_Rule.png
L2TP_LDAP_Server.png

Setting up the Policies
When the other parts are done, all that is left are the policies. To let traffic through from the tunnel, two policies should be added, the first one with the following characteristics:
  • Name: L2TP_Internal
  • Action: Allow
  • Source Interface: L2TP
  • Source Network: IPsec_range
  • Destination Interface: any
  • Destination Network: Lan_net
  • Service: all_services
NOTE: The reason for using any as destination interface is to be able to both access the internal network and the internal IP on core.

The second one with the following characteristics:
  • Name: L2TP_out
  • Action: Allow
  • Source Interface: L2TP
  • Source Network: IPsec_range
  • Destination Interface: Wan
  • Destination Network: all-nets
  • Service: all_services
  • Source Translation: NAT
NOTE: In a live environment it's a good idea to select other services than all_services; this is to restrict access to the internet.
L2TP_Policies.png
Setting up the VPN connection
To set up the new L2TP/IPsec network connection in Windows 10, in Settings press Network & Internet -> VPN -> Add a VPN connection, then enter the information for the L2TP/IPsec connection.

VPN provider
Choose “Windows (built in)”.

Connection name
Give the VPN connection a name.

Server name or address
Type in the hostname or IP of the Clavister Security Gateway you are connecting to.

VPN type
Since we want to set up an L2TP/IPsec connection, we choose “L2TP/IPsec with pre-shared key”.

Type of sign-in info
Since we want to authenticate with LDAP, we use the user we created on the LDAP Server (Windows 2012 R2); choose Username and password.

Username (optional)
Here you enter the Username of the user you want to connect as, in this example we use the user we created earlier, testuser. This is optional, if you don’t fill this in you will get a pop-up asking for your username and password.

Password (optional)
Here you enter the password matching with the user you want to connect as. This is also optional, in the same way as the username.
Windows 10 VPN.png

Re: How to set up L2TP/IPsec with Active Directory using LDAP

Post by jein » 19 Jan 2010, 11:46

Problem:
I do not want to modify my Active Directory in order to use LDAP as authentication source.

Solution:
There is a way to use the user's Active Directory password when logging in. The following modifications have to be done:
Change the User authentication rule, so we use only PAP when we communicate with the LDAP server:
L2TP_PAP.png
We also have to change the client's settings so it will only use PAP:
Windows Tunnel Properties.png

Now it is possible to login using the username and password set in Active Directory.
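
The Windows 10 client setup from the first post and the PAP-only variant from the second, as an added PowerShell example that is not part of the original posts. The function names, connection name and server address are placeholders; MSChapv2 as the "default settings" method and EncryptionLevel Required (satisfied by the IPsec layer) are assumptions, not values taken from the screenshots.

```powershell
# Added example. Connection name, server address and PSK are placeholders.
function New-GatewayL2tpConnection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ServerAddress,
        [Parameter(Mandatory)] [string] $PreSharedKey,
        # MSChapv2: assumed Windows default (first post, Description-field method).
        # Pap: second post; the AD password is then protected only by the IPsec layer.
        [ValidateSet('MSChapv2', 'Pap')] [string] $AuthenticationMethod = 'MSChapv2'
    )
    # -Force acknowledges that the PSK is passed as a parameter, so no prompt appears.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress `
        -TunnelType L2tp -L2tpPsk $PreSharedKey `
        -AuthenticationMethod $AuthenticationMethod `
        -EncryptionLevel Required -Force
}

function Test-GatewayL2tpConnection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('MSChapv2', 'Pap')] [string] $ExpectedAuth = 'MSChapv2'
    )
    $vpn = Get-VpnConnection -Name $Name -ErrorAction Stop
    $problems = @()
    if ($vpn.TunnelType -ne 'L2tp') {
        $problems += "TunnelType is $($vpn.TunnelType), expected L2tp"
    }
    if ($vpn.L2tpIPsecAuth -ne 'Psk') {
        $problems += "IPsec authentication is $($vpn.L2tpIPsecAuth), expected Psk"
    }
    if ($vpn.EncryptionLevel -ne 'Required') {
        $problems += "EncryptionLevel is $($vpn.EncryptionLevel), expected Required"
    }
    # AuthenticationMethod is a list; exactly one entry must remain, so the
    # client cannot fall back to a protocol the gateway rule does not expect.
    $methods = @($vpn.AuthenticationMethod)
    if ($methods.Count -ne 1 -or $methods[0] -ne $ExpectedAuth) {
        $problems += "AuthenticationMethod is '$($methods -join ',')', expected $ExpectedAuth"
    }
    return $problems
}

# Usage (placeholder values):
# New-GatewayL2tpConnection -Name 'Clavister L2TP' -ServerAddress 'vpn.example.com' -PreSharedKey (Read-Host 'PSK')
# Test-GatewayL2tpConnection -Name 'Clavister L2TP'   # empty result = settings match
```

Pass `-AuthenticationMethod Pap` and `-ExpectedAuth Pap` for the second post's setup, and run the check again after any manual change in the adapter's Security tab.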

mape
Posts: 41
Joined: 24 Oct 2016, 08:23

Re: L2TP/IPsec with Active Directory using LDAP (11.x)

Post by mape » 08 Dec 2016, 13:43

Updated 2016-12-08
