Certifying your VPN



If you're looking for a VPN connection that's more secure than PPTP, we've got the answer. Learn how to certify your VPN, get configured and request your certificate.

Much has been written on the merits of using a virtual private network (VPN) connection for remote access and how Windows 2000's Routing and Remote Access (RRAS) service has greatly simplified the process.

The main benefit of a VPN is cost savings, since it allows corporations to use a persistent Internet connection rather than a bank of modems, and calls are cheaper for users because they incur only local charges to their ISP rather than long-distance costs.

Many of us have mastered the use of PPTP connections for a VPN. However, Windows 2000 (and Windows XP) natively supports the more secure form of VPN, L2TP/IPSec (see Tech Tips).

Unfortunately, little has been written about how to configure L2TP/IPSec beyond saying, "It's more complicated."

So here are some first steps on how to get Windows 2000 Professional to make an L2TP/IPSec connection to a Windows 2000 VPN server, as well as how to customise and maintain that connection.

In this article, we'll explain how to use the Windows 2000 Certification Authority service to achieve a connection.

It all starts with the certificates

The most likely reason that L2TP/IPSec connections fail is because of problems with certificates. In its default configuration, a valid computer certificate is required on both the client and the server.

There are various ways of obtaining a computer certificate for an L2TP/IPSec connection, such as using a third-party Certification Authority like VeriSign (which should provide its own instructions on this) or using Windows 2000 Active Directory automatic certificate deployment.

However, this article will describe how to use L2TP/IPSec connections by issuing your own certificates, without Active Directory, using the Windows 2000 Certification Authority service in Standalone mode.

This mode lets anyone with a Windows 2000 Server benefit from L2TP/IPSec connections, whether they are running Active Directory, an NT 4.0 domain, or even a simple Windows Workgroup.

These instructions also hold good for using just IPSec on your network, outside the VPN environment, although we won't describe the IPSec policy configuration.

Preliminary configuration steps

Make the following checks before we begin. First, ensure your Windows 2000 Professional client can successfully connect to your Windows 2000 RRAS server using PPTP with TCP/IP.

This will verify that the basics of RRAS are working, that associated hardware (modem, router, cable modem, etc.) is working, that the user is allowed remote access, that remote access policies aren't preventing a successful connection, and that IP address assignment is handled correctly.

Second, ensure that your client's Internet connection is not going through a network address translation (NAT) server. Microsoft's IPSec implementation has known problems with NAT. If all your clients' Internet connections must go through NAT (as opposed to having static IP addresses), Microsoft's L2TP/IPSec implementation is probably not for you.

Third, if you have a firewall between the client and server, you may need to reconfigure it to allow the L2TP/IPSec connection through: open UDP port 500 (used by IKE) and allow IP protocol 50 (ESP).
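The firewall check above is the one that most often goes wrong, because ESP is an IP protocol number rather than a port. As an added example (not code from the original article), the following Python checker evaluates a constructed, simplified "action proto number" rule table, first match wins, and reports whether IKE and ESP would get through and whether "port 50" was opened by mistake.

```python
# Added example, not code from the original article: a checker for the two
# firewall openings the article lists (UDP 500 for IKE, IP protocol 50 for
# ESP). The rule format is a constructed, simplified "action proto number"
# table evaluated first-match-wins, as most firewall rule tables are.
from dataclasses import dataclass
from typing import Iterable

IKE_UDP_PORT = 500   # IKE key exchange runs over UDP port 500
ESP_PROTOCOL = 50    # ESP is IP protocol number 50; it carries no port field


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "ip" (a raw IP protocol number)
    number: int    # a port for tcp/udp, a protocol number for ip


def parse_rule(line: str) -> Rule:
    """Parse one constructed rule line, e.g. 'allow udp 500' or 'allow ip 50'."""
    action, proto, number = line.split()
    return Rule(action.lower(), proto.lower(), int(number))


def check_l2tp_ipsec_rules(lines: Iterable[str]) -> dict:
    """Report whether IKE and ESP get through, and spot the 'port 50' mistake."""
    rules = [parse_rule(line) for line in lines
             if line.strip() and not line.lstrip().startswith("#")]

    def allowed(proto: str, number: int) -> bool:
        for r in rules:                      # first matching rule decides
            if r.proto == proto and r.number == number:
                return r.action == "allow"
        return False                         # implicit deny at the end

    ike_ok = allowed("udp", IKE_UDP_PORT)
    esp_ok = allowed("ip", ESP_PROTOCOL)
    # The error pointed out in the talkback: "IP port 50" read as a TCP/UDP port.
    # Such a rule never matches ESP packets, so they are still dropped.
    port50_mistake = not esp_ok and (allowed("tcp", 50) or allowed("udp", 50))
    return {"ike": ike_ok, "esp": esp_ok, "port50_mistake": port50_mistake,
            "ready": ike_ok and esp_ok}


# Constructed sample rule tables
GOOD_RULES = ["# L2TP/IPSec prerequisites", "allow udp 500", "allow ip 50"]
BAD_RULES = ["allow udp 500", "allow tcp 50", "allow udp 50"]   # port 50 is not ESP

if __name__ == "__main__":
    print(check_l2tp_ipsec_rules(GOOD_RULES))   # ready: True
    print(check_l2tp_ipsec_rules(BAD_RULES))    # port50_mistake: True
```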

Talkback (1 comment)

    "Open UDP port 500 and IP ..." -- Jon Vandiveer, 01/05/02

    "Open UDP port 500 and IP port 50."

    It is IP protocol 50 (ESP), not a port.
    TCP is protocol 6 and UDP is 17; they have ports available to them (i.e. UDP 500 for IKE key exchanges).
