L2TP Server with MS 2008 CA server certificates (9.x)

Peter
Posts: 627
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik


Post by Peter » 01 Dec 2010, 14:04

This How-to applies to:
  • Clavister Security Gateway version 9.x, Clavister InControl version 1.10 and later.
  • Microsoft Windows 2008 R2, XP / Vista / Windows 7
This document assumes that you already have the Security Gateway and the InControl client & server up and running. If not, please consult the relevant documentation first.

Topics covered in this document
  1. Clavister - Preparing objects used by the gateway
  1.1. Generating Gateway Certificate Request using InControl
  1.2. Generating Gateway Certificate Request using OpenSSL
  1.3. Preparing the Host & Networks
  1.4. Preparing an IPsec Proposal List
  1.5. Preparing a new Local User Database
  2. Microsoft CA - Introduction
  3. Microsoft CA - Generating certificates
  3.1. CA root certificate
  3.2. Security gateway certificate
  3.3. Client certificates
  4. Microsoft CA - Exporting user certificates from the MMC console
  5. Clavister - Importing certificates
  6. Clavister - Setting up the IPsec Tunnel
  7. Clavister - Setting up the L2TP Tunnel
  8. Clavister - Setting up the User Authentication Rule
  9. Clavister - Setting up the Rules
  10. Importing the Certificates in Windows
  11. Windows XP VPN Client - Setting up the new network connection
  12. Using Certificate Revocation List (CRL)
  13. Troubleshooting
1. Clavister - Preparing objects used by the gateway
First of all, we need to create all the objects and requests the gateway will use.

1.1 Generating Gateway Certificate Request using InControl
In the section Objects \ Authentication Objects, add a new Certificate object. Then select “Create new” and “Create Certificate Request”. Enter the desired certificate properties. Once the certificate request has been created it will be of the type “Request”. Export the certificate request by pressing the “Export” button; it will be used on the CA server later.

Note: When using MAC OS X client(s) make sure that you enter the field "Subject Alternative Name Parameters" with a DNS object that matches exactly the name of the terminating gateway (FQDN).

1.2 Generating Gateway Certificate Request using OpenSSL

Since it is not possible to create a certificate request in the WebUI, we use the open source program “OpenSSL” to create the request for the gateway certificate.

OpenSSL can be found at http://www.openssl.org

Create a private key and then generate a certificate request from it:

Code:

# Generate the gateway's private key, then a PKCS #10 request signed with it.
# The original post used a 1024-bit key; 2048 bits is the minimum that should be used today.
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem

Note: The syntax may change as the program develops. For the latest syntax and version information, please see the OpenSSL homepage.

Save the req.pem file for use on the CA server later.

Note: When using MAC OS X client(s), make sure that the request includes a Subject Alternative Name (DNS) that matches exactly the name of the terminating gateway (FQDN).
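As an added example (not from the original post), the following POSIX shell script produces the same key and PKCS #10 request as the two commands above, but through a small OpenSSL config file so that the request also carries the Subject Alternative Name that the note about Mac OS X clients asks for. The FQDN vpn.example.com, the working directory and the function names are assumptions made for the example; the two check functions show how to confirm the SAN and the key size before the request is handed to the CA.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the gateway's
# private key and a PKCS#10 request carrying a subjectAltName (DNS) entry.
# vpn.example.com is a placeholder for the gateway's real FQDN.
set -eu

# make_gateway_csr <workdir> <fqdn> [key_bits]
# Writes key.pem and req.pem into <workdir>. Returns 0 on success.
make_gateway_csr() {
    dir=$1; fqdn=$2; bits=${3:-2048}
    # Minimal request config: the DN is the gateway FQDN and the request
    # gets a subjectAltName extension with the same FQDN.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$fqdn
EOF
    # The private key stays on the administrator's machine; create it unreadable by others.
    (umask 077; openssl genrsa -out "$dir/key.pem" "$bits" 2>/dev/null)
    openssl req -new -key "$dir/key.pem" -out "$dir/req.pem" -config "$dir/req.cnf"
}

# csr_has_san <req.pem> <fqdn>: returns 0 if the request advertises DNS:<fqdn>
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_key_bits <req.pem>: prints the RSA modulus size of the request's public key
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-alone usage: build the request in a temporary directory and show the checks.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_gateway_csr "$work" vpn.example.com
    csr_has_san "$work/req.pem" vpn.example.com && echo "SAN present"
    echo "key size: $(csr_key_bits "$work/req.pem") bits"
    echo "request written to $work/req.pem"
fi
```

Run it as `sh make_csr.sh demo`; the req.pem it prints is the file you paste into the CA's “Submit a certificate request by using a base-64-encoded...” page in step 3.2. The SAN check is worth running on every request, because a CSR that lacks the extension looks identical in the WebUI and the problem only surfaces when the Mac client refuses to connect.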

1.3 Preparing the Host & Networks
The first thing to do is to add the objects needed by the L2TP tunnel, that is, the network from which the L2TP clients will be assigned addresses. In this guide we use a range of the internal network (192.168.0.0/24); the object is referred to as l2tp_pool later in this How-to.

When this is done, you should have one new object in Hosts & Networks. It should look something like this:
(Screenshot: Pic-1.png)
1.4 Preparing an IPsec Proposal List
The IPsec proposal list is, very simplified, a list of proposals defining how the data sent through the IPsec tunnel is to be encrypted. In version 9.xx there are two pre-defined proposal lists, High and Medium. In this How-To we will use the High proposal list for both IKE and IPsec.

1.5 Preparing a new Local User Database
To authenticate the users of the L2TP tunnel a local user database will be used; this could of course also be a RADIUS or LDAP server. Create a new database under User authentication->Local User Databases.
(Screenshot: Pic-2.png)
In this How-to a user database named UserDB will be used.

Add a few users to this database. There is no need to define groups to get L2TP up and running, but groups can later be used in the rules to set up different policies based on group membership.

2. Microsoft CA - Introduction
In this How-to we give an example of how to use certificates issued by a Microsoft CA server to establish a VPN connection between Microsoft L2TP/IPsec clients and a Clavister Security Gateway. The Microsoft CA server is a built-in service in Windows 2008 Server called Active Directory Certificate Services.

We will use CA server issued certificates both on our clients and on our security gateway. The client certificates generated will be password protected for secure deployment to the users, and each contains the private key, the personal certificate and the CA server root certificate. The certificate can be distributed to the users by e-mail, and the password needed for importing it into the client can for instance be given directly to the user by SMS or by phone.

We will not discuss the actual installation of the CA server; it is pretty straightforward and should cause no problems. Don’t forget to allow HTTPS connections to the CA server: go to the IIS manager -> Sites -> Default Web Site, click Bindings, and add HTTPS.

To simplify the process, you should configure the CA server to automatically issue certificates for incoming requests.
This is done on the CA server in the Certification Authority program: select Properties and change the setting on the Policy Module tab.

All operations in this example are performed directly on the CA server, which is running Windows 2008 R2.

3. Microsoft CA - Generating certificates
Make sure you have Administrator rights when you are requesting certificates. We are using the built-in Internet Explorer as our browser. Other browsers such as Opera, Firefox etc. can only retrieve certificates from a Microsoft CA server by submitting a request file in base64 encoded PKCS #10 format, or by pasting its content into the CA server's form. In short, some options are not shown when you use something other than Internet Explorer to connect to the CA server.

Note: Even though it may be possible, depending on your policies, to access the CA server’s WebUI from another computer, it is recommended that you connect to the CA server locally for all your certificate handling. The parts of this How-To involving the CA server assume that everything is performed locally on the server. From a security standpoint it is recommended to restrict access to the CA server as much as possible.

3.1 CA root certificate
  • Go to your CA server address http://[myServer]/certsrv
  • Select “Download a CA certificate, certificate chain, or CRL”.
  • Select your CA (root) certificate and click Download CA certificate.
  • Pick a name and location for your root certificate. We are going to import this root certificate into the Security Gateway configuration later, and this step is only needed once.
3.2 Security gateway certificate
  • Go back to the start page http://[myServer]/certsrv and select “Request a certificate”.
  • Select “Advanced certificate request”.
  • Select “Submit a certificate request by using a base-64-encoded....“.
  • Paste the complete content of the request created earlier in Clavister InControl or OpenSSL and press Submit.
  • Press Download certificate using DER encoded format and pick a name and location for your gateway certificate. We are going to import this certificate into the Security Gateway configuration later, and this step is only needed once.


3.3 Client certificates
  • Go back to the start page http://[myServer]/certsrv and select “Request a certificate”.
  • Select Advanced certificate request.
  • Select “Create Submit a certificate request to this CA”.
(Screenshot: Pic-3.png)
  • Type in all of the identifying information for the user certificate.
  • As the Type of Certificate Needed: select IPsec certificate.
  • Change the Key Size if stronger security is wanted.
  • Select Mark keys as exportable and press Submit. (Answer Yes if you are asked if a request can be sent from Internet Explorer)
  • Click on Install this certificate. (If you are asked if you trust this certificate select Yes)
  • If everything worked OK you should see the text Your new certificate has been successfully installed.
Repeat the steps above for every client certificate needed.

4. Microsoft CA - Exporting user certificates from the MMC console
  • Open an MMC console by pressing Start and Run. Type in “MMC” and press OK.
  • Select Console and Add/Remove Snap-in. Press Add and select Certificates. Press Add and pick My user account, press Finish, Close and OK.
  • Select your user certificate under Personal\Certificates, right-click and select All Tasks and Export...
(Screenshot: Pic-4.png)
  • Press Next, select Yes, Export the private key and Next.
  • Select Include all certificates... and Delete the private key.... (Deleting the private key increases security: it prevents the certificate from being exported from the target machine and moved to another.)
  • Type in a password to protect the private key. This password must be entered when importing the certificate to the VPN client. Make this password unique for this user.
  • Pick a name and a location for the certificate and either press Next or Browse and Save.
Continue to export all of your user certificates according to the instruction above, and you can then distribute the certificates to the users manually or by e-mail or equivalent.
You must also provide them with their corresponding password needed for importing the certificates in to the VPN client. This password can be sent through SMS or by phone or equivalent.

5. Clavister - Importing certificates
In the section Objects \ Authentication Objects, open your earlier Certificate request and select Import. Select the gateway certificate issued from that request by the CA server in step 3.2. The pending request should now change Type to Local.

Click Add \ Certificate and name it e.g. RootCert. Click the import button and import the CA server's root certificate from step 3.1. Its type should change to “Remote”.

6. Clavister - Setting up the IPsec Tunnel
(Screenshot: Pic-5.png)
Now it's time to set up the IPsec tunnel. This is done in the IPsec Tunnels section located in the Interfaces folder of the Security Gateway. The example screenshot above shows the Clavister Security Gateway.

Name
First of all, a name is needed for the VPN connection. This virtual interface will later be used in the L2TP section.

In this example, the name IPsec_L2TP is being used.

Local Network
This is the local network that the remote users will connect to. As we are going to use L2TP this is the IP the L2TP tunnel will connect to, i.e. ip_wan.

Note: When the SGW is behind a NATing device, Local Network should be all-nets, because the SGW will send an incorrect local ID due to the NAT.

Remote Network
The Security Gateway looks at this field and compares it to the roaming user's source IP address in order to allow connections only from the configured local net to remote net. However, in this scenario, clients should be allowed to roam in from everywhere. Thus, this field is set to all-nets (0.0.0.0/0). That means that virtually all existing IPv4-addresses are allowed to connect.

Remote Gateway
Basically, this field is only used when setting up a Lan-to-Lan VPN. Remote gateway is the machine where all the packets originating from Local net travelling to Remote net will be sent, in order to be processed by the IPsec engine.

The remote gateway none (or all-nets) is used in roaming client scenarios. The Security Gateway will send its reply to the IP address that initiated the IKE/IPsec connection instead of a certain gateway. That makes it the obvious choice for roaming clients.

Proposal Lists
Select the pre-defined “High” as IKE and IPsec Algorithms, as it's very close to what Windows is using.

Authentication
(Screenshot: Pic-6.png)
As authentication method, choose X.509 Certificate. Then, in the Root Certificate drop-down list, select the root certificate you got from the CA and select the correct Gateway certificate from the CA server.

Automatic routing
The IPsec tunnel needs to be configured to dynamically add routes to the remote network when the tunnel is established.
(Screenshot: Pic-7.png)
This is done under the Routing tab of the IPsec tunnel dialog.

7. Clavister - Setting up the L2TP Tunnel
Now it's time to set up the L2TP server. This is done in the “PPTP/L2TP Servers” section located in the Interfaces folder of the Security Gateway.
(Screenshot: Pic-8.png)
Name
First of all, a name is needed for the L2TP interface. This virtual interface will be used later in the rules and user authentication rules sections.

In this example, the name L2TPSrv is being used.

Inner IP Address
This IP should be a part of the network which the clients are assigned IP addresses from, in this case it should be ip_lan (192.168.0.1).

Tunnel Protocol
As we are setting up a L2TP server, L2TP is selected as Tunnel Protocol.

Outer Interface Filter
This is the interface that the L2TP server will accept connections on. As IPsec is used when running L2TP from e.g. Windows XP, this is the IPsec tunnel created earlier, IPsec_L2TP.

Outer Server IP
This is the IP that the L2TP server is accepting connections on. It should be the same as the IPsec tunnel endpoint, i.e. ip_wan.

Authentication
Should be enabled, and a user authentication rule needs to be configured (see “Clavister - Setting up the User Authentication Rules” below).
(Screenshot: Pic-9.png)
Microsoft Point-to-Point Encryption
Select the encryption strength the server should allow.

IP Pool
Specify the addresses that are to be assigned to the clients. In this case use the pool created earlier, l2tp_pool. Also specify up to two DNS and WINS servers.

Add Route
(Screenshot: Pic-10.png)
Proxy ARP needs to be configured for the IPs used by the L2TP clients: the addresses in l2tp_pool are published on the int interface, and the L2TP server will automatically route them over the l2tp_tunnel interface.

8. Clavister - Setting up the User Authentication Rules
A user authentication rule needs to be configured as below. The Interface should be the L2TP server, in this case L2TPSrv, and the Source IP should be all-nets as the clients are roaming. The Destination IP should be the same as the Outer IP, in this case ip_wan. When using L2TP or PPTP the Agent should be PPP.

The rule should look like this:
(Screenshot: Pic-11.png)
We are using a local user database, so under the Authentication Options tab, select UserDB as “Local User DB”.

9. Clavister - Setting up the Rules
When the other parts are done, all that is left is the rules. To let traffic through from the tunnel, a rule should be added with the following characteristics: Action is Allow, Source Interface is L2TPSrv, Source Network is l2tp_pool, Destination Interface is Any, Destination Network is lannet and finally Service is All. The reason for using Any as destination interface is to be able to reach both the internal network and the internal IP on <core>.
(Screenshot: Pic-12.png)
The NAT rule is used if you want the L2TP users to be able to reach e.g. the Internet as well. This rule can be skipped if no such access should be allowed through the VPN tunnel.

10. Importing the Certificates in Windows
In this How-To we use Windows XP as the client; the principle is the same when using 2000, Vista etc. So as a point of reference we base the client setup on Windows XP.

First of all the certificates (user certificate, private key and CA root certificate) need to be imported into Windows.
You can import the certificates manually with the Windows wizard by double-clicking them, but the default setting of the Windows wizard imports them into the wrong certificate store on the client.

Instead we recommend using a tool called “Certimport”, which automatically imports the certificate into the correct certificate store.

This tool can be found here: ftp://ftp.openswan.org/openswan/windows/certimport.

Important note: Windows 7 / Vista work with this program, but you have to be logged in as administrator. If you run into problems you can always move the certificates to the correct certificate store manually (see below). This most likely applies to Windows Server 2008 as well.

In Windows 2003/2008 server you can use the tool "Connection Manager Administration Kit" to customize and create an executable file that automatically installs and configures the VPN connection without any user input. You can then make a simple batch file that first runs the tool certimport and then installs the VPN connection for the end-user.

Below is an example of such a batch file:

Code:

@echo off
cls
REM Ask the user for the PFX file name and the import password handed over by SMS or phone.
set /p cert=Please enter the complete name (with extension) of your personal certificate:
set /p pwd=Please enter your certificate import password:
REM Quote both values so file names or passwords containing spaces are passed intact.
certimport -p "%pwd%" "%cert%"
pause
REM install_vpn is the executable created by the Connection Manager Administration Kit.
install_vpn
For newer versions of Windows (Vista, 2008, Win7 etc) some additional parameters are needed in order to make the batch file execute all commands from the same directory. Example:

Code:

@echo off
REM Run everything from the directory the batch file itself is in, so that
REM certimport and install_vpn are found even when the file is started from elsewhere.
pushd "%~dp0"
set /p cert=Please enter the complete name (with extension) of your personal certificate:
set /p pwd=Please enter your certificate import password:
certimport -p "%pwd%" "%cert%"
pause
install_vpn
popd
Where “install_vpn” is the file created by the Connection Manager Administration Kit.
Note: In Windows 7 / Vista you must execute the batch file as "Run as administrator"

If you want to import the certificate manually, first import it by simply double-clicking the PFX file and letting Windows install it automatically. Then move the certificates to the correct certificate stores using the MMC (Microsoft Management Console). The correct locations are Certificates (Local Computer)->Personal for the host certificate and Certificates (Local Computer)->Trusted Root Certification Authorities for the CA root certificate.

11. Windows XP VPN Client - Setting up the new network connection manually

To set up the new L2TP network connection in Windows XP, choose Create new connection in Network Connections; this brings up the New Connection Wizard. Follow the steps below to set up the L2TP client.
(Screenshot: Pic-13.png)
Step 1. Choose Next to start the wizard.
(Screenshot: Pic-14.png)
Step 2. Choose Connect to the network at my workplace.
(Screenshot: Pic-15.png)
Step 3. Choose Virtual Private Network connection, as this will create a new VPN tunnel.
(Screenshot: Pic-16.png)
Step 4. Give the new network connection a name.
(Screenshot: Pic-17.png)
Step 5. Choose Do not dial the initial connection if you are connecting using the LAN. If you are using a modem to dial to the Internet, specify that dial-up connection under Automatically dial this initial connection.
(Screenshot: Pic-18.png)
Step 6. Type in the hostname or IP of the Clavister Security Gateway you are connecting to.
(Screenshot: Pic-19.png)
Step 7. Click Finish to save the configuration.

You should now be able to connect to your Clavister Security Gateway with L2TP.

Note: When the Security Gateway is behind a NATing device, you must modify the client registry as described here:
http://support.microsoft.com/kb/885407

Note: If you have problems accessing publicly published resources while another user behind the same NATing device is connected with L2TP/IPsec to the Clavister device, there is a "trick" you can use:
  1. Create a new Routing Table with ordering First. It should be empty. You can name it "L2TP-trick".
  2. Make the IPsec tunnel for L2TP a member of the "L2TP-trick" routing table (PBR Membership).
Now it will work properly again.

12. Using Certificate Revocation List (CRL)

Using CRLs can, depending on the scenario, be a good idea for increased security. It can also be the opposite if the CA server is not secured and protected. Some scenarios require that the CA server is only used when issuing or renewing certificates and is powered down when not in use.

Advantages of using a Certificate Revocation List:
  • Ability to revoke a certificate from the CA server, which automatically makes the user holding that certificate unable to use the VPN connection. Very useful for users with temporary access.
  • Adds another layer of authentication, where the client or SGW needs to verify against the CA server that the certificate is still valid.
Disadvantages of using a Certificate Revocation List:
  • If all client (and/or gateway) certificates are configured to fetch the CRL, the CA server (or CRL placeholder) must be placed on a network (the CRL distribution path) that the client(s) can reach. This usually means placing it on a public network, exposing the CA server and/or placeholder.
  • The CRL distribution path / server must be reachable at all times; if the server goes down, no clients are able to authenticate their VPN connections.
There are also differences between Windows versions in whether the client by default verifies the certificate against the CA server. Windows XP does not perform this verification by default, but Vista and Windows 7 do. It is possible to use the Connection Manager Administration Kit to specify in the package whether the certificate should be verified against the CA server or not.

It is also important that the CRL distribution path attribute in the Certificate is correct and that the client or SGW is able to resolve the path to the CRL/CA server.
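The revocation behaviour described in this section can be reproduced with OpenSSL alone. The following POSIX shell script is an added example and not part of the original post: it builds a throw-away CA, issues a client certificate that carries a CRL distribution point, and shows that the same certificate verifies against an empty CRL and fails once it has been revoked and a new CRL published. The CA name, the file layout, the function names and the URI http://ca.example.com/crl.pem are assumptions made for the example. The cert_crl_uri function reads the CRL distribution point attribute out of a certificate, which is the value the SGW must be able to resolve and reach.

```shell
#!/bin/sh
# Added example, not code from the original post. A tiny OpenSSL CA that
# issues, revokes and CRL-checks a client certificate. All names are placeholders.
set -eu

# setup_demo_ca <dir> <crl_uri>: creates the CA key/certificate and the files "openssl ca" needs.
setup_demo_ca() {
    dir=$1; uri=$2
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = demo
[ demo ]
new_certs_dir    = $dir
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_dn
x509_extensions  = client_ext
[ any_dn ]
commonName       = supplied
[ client_ext ]
basicConstraints      = CA:FALSE
extendedKeyUsage      = clientAuth
crlDistributionPoints = URI:$uri
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no
[ req_dn ]
CN = Demo Root CA
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    : > "$dir/index.txt"          # empty certificate database
    echo 01 > "$dir/serial"       # next certificate serial number
    echo 01 > "$dir/crlnumber"    # next CRL number
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -config "$dir/ca.cnf" 2>/dev/null
}

# issue_client_cert <dir> <cn>: creates <cn>.key and <cn>.pem signed by the demo CA.
issue_client_cert() {
    dir=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" -config "$dir/ca.cnf" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext -in "$dir/$cn.csr" -out "$dir/$cn.pem" 2>/dev/null
}

# revoke_cert <dir> <cn>: marks the certificate as revoked in the CA database.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.pem" 2>/dev/null
}

# publish_crl <dir>: writes crl.pem, the file that would be served at the distribution point.
publish_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# cert_crl_uri <cert.pem>: prints the CRL distribution point URI the certificate advertises.
cert_crl_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\(.*\)/\1/p' | head -n 1
}

# verify_with_crl <dir> <cert.pem>: 0 if the certificate chains to the CA and is not
# revoked, non-zero otherwise. The CRL is placed next to the CA certificate in the
# trust file, which mirrors what the gateway does after fetching it from the URI.
verify_with_crl() {
    cat "$1/ca.pem" "$1/crl.pem" > "$1/trust.pem"
    openssl verify -crl_check -CAfile "$1/trust.pem" "$2" >/dev/null 2>&1
}

# Stand-alone usage: issue, check, revoke, re-check.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    setup_demo_ca "$work" "http://ca.example.com/crl.pem"
    issue_client_cert "$work" alice
    echo "CRL distribution point: $(cert_crl_uri "$work/alice.pem")"
    publish_crl "$work"
    verify_with_crl "$work" "$work/alice.pem" && echo "before revocation: valid"
    revoke_cert "$work" alice
    publish_crl "$work"
    verify_with_crl "$work" "$work/alice.pem" || echo "after revocation: rejected"
fi
```

Note the order of operations: revoking the certificate alone changes nothing for the gateway; only the newly generated CRL, published at the distribution point and fetched before its nextUpdate time, takes the user out. That is also why an unreachable distribution point fails all clients rather than just the revoked one.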

13. Troubleshooting

If something goes wrong and the VPN tunnel is not properly established, there are a few things that should be checked:
  • First of all, check that the IP address of the remote gateway is what it should be (your Clavister Security Gateway).
  • Make sure that the IPsec service on the client is started.
  • Verify that the correct certificate is selected in the IPsec tunnel.
  • Verify that the proposal list on the Security Gateway is correct.
  • Make sure a valid DNS server is specified in section System / DNS. The Security Gateway needs to resolve the CRL distribution path found in the certificate to be able to download the CRL from the CA server. To verify that the Security Gateway can communicate with the CA server, you can check the IIS log file on the CA server.
  • Make sure that you don't have two roaming clients connecting from the same NATing device using different authentication methods (PSK/Cert).
  • Make sure that the correct date and time are set in the Security Gateway, so that they fall within the certificate fields "Valid from" and "Valid to".
  • A useful diagnostic tool is running ikesnoop verbose from a console on the Security Gateway while the VPN client connects. The IPsec tunnel is established before the L2TP authentication takes place, so if the command "IpsecTunnels" shows that the IPsec tunnel is established during client initialization, the problem is in the L2TP configuration. For more information about troubleshooting IPsec tunnels, see the “Troubleshooting IPsec tunnels” How-To article.
