- Clavister cOS Core 11.x
Windows Server 2012 R2
- Preparing configuration objects
User Authentication Rule
Windows 10 VPN Client - New VPN connection
I want to use LDAP (Active Directory) as authentication source for my L2TP/IPsec connection.
There are two ways that an Active Directory can be used with L2TP/IPsec. If default settings are used in the Windows L2TP Client, a slight modifcation has to be made in the AD. Instead of logging in with the username and password found in the AD, a different password attribute has to be used (see cOS Core AdminGuide for explanation). This how-to uses the Description field as an example.
NOTE: If you do not want to use the description field as this How-To describes, it is recommended that you read through this FAQ that is related to a PAP (unencrypted password) only restriction when using LDAP towards MS AD.
NOTE: This post is not updated.
Preparing configuration objects
First of all we need to create all needed objects.
Objects > Address Book
The first thing to do is to add all objects needed by the L2TP tunnel. The Network, the IP range the clients will use and the "interface IP" of the tunnel.
When this is done, you should have three new objects in the address book. It should look something like this: Proposal Lists Create two proposal lists, one for IKE and one for IPsec. Select SHA1 and AES as algorithms. This is to match the incoming proposals sent from Windows. This is done under Objects -> VPN Objects -> IKE/IPsec Algorithms.
NOTE: The proposals sent to the Clavister varies depending on the operating system that connects. For example Android and iOS proposes more secure algorithms to be used, such as SHA256. We recommend using the more secure algorithms when connecting to IPsec from these OS's.
Preparing the Pre-Shared Key
To be able to authenticate the IPsec tunnel that will be used for the L2TP tunnel, a pre-shared key needs to be defined. This is done under Objects -> Key Ring -> Pre-Shared Keys. In this How-to a pre-shared key named IPsec_psk will be used.
Adding the LDAP Server
This is done under Policies -> User Authentication -> User Directories -> LDAP NOTE: The IP and Database Settings are just examples. We should use the corresponding IP and Database Settings in a live environment.
Adding Users to the LDAP Server
You can create users by pressing the "Create User in the Current Directory" icon on your Windows Server. In this scenario we will create a user named "testuser" User Settings
This is found on our Win2012R2 Server in the Active Directory Users and Computers server tools. Configuring the IPsec Tunnel
Now it's time to set up the IPsec tunnel, this is done in the IPsec section located in the Network tab of the Security Gateway.
First of all, a name is needed for the VPN connection.
In this example, the name IPsec_L2TP is being used.
Here we select IKEv1.
As we're setting up a L2TP tunnel this should be set to Transport Mode.
Authentication Authentication Method
Here we choose Pre-shared Key.
Here we select our previously created PSK, IPsec_psk.
IKE (Phase-1) Diffie-Hellman group
Here we select DH-Group 14(2048-bit) since that is the most secure proposal group sent by Windows.
Here we select the IKE algorithm that we created earlier.
We leave the life-time to it's default value.
We choose Main mode and not Aggressive mode since we want the connection establishment to be encrypted.
Outgoing Routing Table
We select the routing table main.
Here we select our Wan_ip.
NOTE: Remember this interface IP is simply an example, in this scenario we're assuming that our connection attempts are from the outside, you should of course use the interface and ip corresponding to your network.
Incoming Interface Filter
This is an optional setting used with virtual routing scenarios, so we will use the standard any.
Here we leave all settings to their default value.
IPsec (Phase-2) PFS (Perfect Forward Secrecy)
We leave the default values.
Select the IPsec algorithm we created earlier and leave the life-time settings to there default.
Setup SA Per
In the routing section under advanced make sure that you have Add Route Statically Disabled.
NOTE: We're setting this setting to disabled since the L2TP Server will take care of the routing.
Setting up the L2TP Server
Now it's time to setup the L2TP Server, this is done in the PPTP/L2TP Servers section located in the Network folder of the Security Gateway. General
First of all, a name is needed for the L2TP interface. This virtual interface will be used later in the policies and user authentication rules sections.
In this example, the name L2TP is being used.
Inner IP Address
This IP should be a part of the network which the clients are assigned IP addresses from, in this case it should be IPsec_ip (192.168.99.1).
As we are setting up a L2TP server, L2TP is selected as Tunnel Protocol.
Outer Interface Filter
This is the interface that the L2TP server will accept connections on. As IPsec is used when running L2TP from Windows 10, the interface should be the IPsec tunnel, created earlier IPsec_L2TP.
This is the IP that the L2TP server is accepting connections on. It should be the same as the IPsec tunnel endpoint, i.e. Wan_ip.
PPP Parameters Use Authentication Rule
Should be enabled, and a rule needs to be configured, (as described further down "Setting up the User Authentication Rules").
Microsoft Point-to-Point Encryption
Select the encryption strength the server should allow.
NOTE: The recommendation is to ONLY have None checked. Disable the 40/56/128 bit encryption.
We already have IPsec encryption, there is no need to encrypt once more, and MPPE is not hardware accelerated, meaning that throughput and CPU usage will suffer. IPsec is hardware accelerated on certain models which gives vastly improved performance.
Specify the addresses that are to be assigned to the clients. In this case, use the pool created earlier, IPsec_range. You can also specify up to two DNS and WINS servers. In this scenario we select Google's DNS Server(188.8.131.52).
Add Route A ProxyARP needs to be configured for the IP's used by the L2TP Clients. What we do is publish the IP's from the L2TP_range on the Lan interface and the L2TP server will automatically route them over the L2TP_tunnel interface.
We leave this tab untouched.
Setting up the User Authentication Rules
A user authentication rule needs to be configured as below:
- Name: LDAP_Auth
Authentication Agent: L2TP/PPTP/SSL_VPN (As we're using an L2TP tunnel)
Authentication Source: LDAP (Since we are using an LDAP Server)
Interface: L2TP(This should be the L2TP server)
Originator IP: all-nets (As the clients are roaming)
Terminator IP: Wan_ip (Should be the same as the Outer IP)
LDAP servers: Win_AD (This is the LDAP Server we created earlier, this setting is found under the Authentication Options tab)
Setting up the Policies
When the other parts are done, all that is left are the policies. To let traffic trough from the tunnel two policies should be added, the first one with the following characteristics:
Source Interface: L2TP
Source Network: IPsec_range
Destination Interface: any
Destination Network: Lan_net
The second one with the following characteristics:
Source Interface: L2TP
Source Network: IPsec_range
Destination Interface: Wan
Destination Network: all-nets
Source Translation: NAT
To setup the new L2TP/IPsec network connection in Windows 10, in Settings press Network & Internet -> VPN -> Add a VPN connection, then enter the information for the L2TP/IPsec connection.
Choose “Windows (built in)”.
Give the VPN connection a name.
Server name or address
Type in the hostname or IP of the Clavister Security Gateway you are connecting to.
Since we want to set up a L2TP/IPsec connection we choose “L2TP/IPsec with pre-shared key”.
Type of sign-in info
Since we want to authenticate with LDAP we use the user on the LDAP Server(Windows 2012 R2) we created , choose Username and password.
Here you enter the Username of the user you want to connect as, in this example we use the user we created earlier, testuser. This is optional, if you don’t fill this in you will get a pop-up asking for your username and password.
Here you enter the password matching with the user you want to connect as. This is also optional, in the same way as the username.