Setting Up the VPN Server
After you configure CA and IAS, you can set up the VPN server. The server should have two network adapters. Connect one adapter to the intranet and leave the other one disconnected. For security purposes, we won't connect the second adapter to the Internet until after we've locked it down. Install Windows 2003 with default settings (we'll adjust these later), and make sure you enter a long, hard-to-guess password for the local Administrator account. During setup, let the server obtain a DHCP address, then join the computer to your domain. After installation is complete, log on as a domain administrator. Open the Network Connections folder and rename the network adapters so that you can easily distinguish the Internet and intranet connections. Next, configure the intranet connection with a static IP address and the appropriate subnet, DNS, and default gateway. You can use DHCP for your VPN server on the intranet, but the configuration is more complex and Microsoft recommends that you use a static address. Next, configure the Internet connection with the appropriate IP address, subnet, and default gateway as provided by your ISP. If you want, you can connect a hub to the Internet side of the VPN server, then connect another computer to simulate the Internet. If you give that computer an address within the same subnet as your VPN server, you'll be able to use it as a test client and run port scans or vulnerability scanners against your VPN server after locking down the server, as a final check before connecting it to the Internet.
After you configure the network adapters, you need to set up Routing and Remote Access. Open the Routing and Remote Access snap-in, right-click the server you want to use for Routing and Remote Access, then select Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Select Remote access (dial-up or VPN), then click Next. On the Remote Access screen, select the VPN check box, clear the Dial-up check box, then click Next. On the VPN Connection screen, which Figure 3, page 63, shows, select the Internet connection, select the Enable security on the selected interface by setting up static packet filters check box, then click Next. On the IP Address Assignment screen, specify how the VPN server will assign IP addresses from your intranet to VPN clients. You can choose to have the VPN server lease an address from your DHCP server on your behalf or have the VPN server assign an IP address from a range of addresses you reserve on your network for VPN clients. Using DHCP is the simplest method. However, you might want to consider using a reserved range of addresses for two reasons. First, you'll be able to easily identify any VPN client traffic on your intranet simply by the source IP address (whereas if you use DHCP, your VPN client addresses will be mixed in with your local LAN clients). Second, if you want to provide added protection for sensitive servers in your network that don't need to be accessible to remote users entering the network through the VPN, you can configure packet filters on those computers that block packets from within the VPN client range. That way, if someone uses your VPN server to successfully break into your intranet, the intruder won't be able to attack your sensitive servers directly. After making your choice, click Next.
If you chose an address-range assignment, the wizard will prompt you to enter the range; otherwise, the wizard will ask you whether you want to authenticate using Routing and Remote Access or a RADIUS server. While researching this article, I initially chose to use Routing and Remote Access to avoid adding another component to the mix. However, this selection led to some authentication errors that disappeared when I switched to using a RADIUS server. Choose RADIUS, then click Next. The wizard will ask you for the DNS name of your RADIUS server and the shared secret. In our example, I used the DC name, ad1.ad.local, which is the machine on which I installed IAS, and the shared secret that I entered earlier on the IAS server. If you want to guard against VPN outages that can result when a DC goes down, you can install and configure IAS on another DC and specify the DC here as the Alternate RADIUS server. Click Next and review the wizard summary. When you click Finish, Win2K will start Routing and Remote Access.
Locking Down the VPN Server
Although the server is now ready to accept VPN connections, you'll want to lock it down before you connect to the Internet. In the Routing and Remote Access console, open the VPN server's Properties dialog box and clear the Router check box. Select the Security tab, then click Configure next to the Authentication provider drop-down list. When you see the RADIUS Authentication dialog box, select your RADIUS server and click Edit. The VPN server will be configured to use the RADIUS server, but the Always use message authenticator check box isn't selected by default. As Figure 4 shows, I've selected this check box. Because this check box isn't selected by default, Windows might not use the shared secret that you entered earlier when you set up RADIUS on this server and IAS on the DC. For maximum protection against someone tampering with your VPN and IAS traffic, select this check box. Next, select the Logging tab from the Properties dialog box and enable logging for all events so that you can track VPN usage. Click OK and let Routing and Remote Access restart. Right-click the Ports folder in the Routing and Remote Access snap-in, then select Properties from the context menu to open the Ports Properties dialog box, which Figure 5 shows.
Next, you need to shut down any outgoing or incoming VPN connections except for incoming L2TP remote access. Open the properties for WAN Miniport (PPPOE) in the Ports Properties dialog box, clear the Demand-dial routing connections (outbound only) check box, then click OK. Next, open WAN Miniport (PPTP), clear the Demand-dial routing connections (outbound only) check box, clear the Remote access connections (inbound only) check box, then click OK. Perform the same actions for Direct Parallel.
Now, the only way into the VPN server is through an L2TP remote access connection. Open WAN Miniport (L2TP) in the Ports Properties dialog box, then clear the Demand-dial routing connections (outbound only) check box. Determine how many concurrent connections you want to support, configure the maximum ports accordingly, then click OK twice. Navigate back to the Routing and Remote Access console, then right-click the IP Routing folder. Next, from the context menu, select Properties to view the properties for the Internet interface. From here, you can explore inbound and outbound filters that prevent unauthorized traffic from being routed through the VPN server.
Configuring the Windows 2003 Basic Firewall
To provide further protection against attacks from the Internet, you might want to enable Windows 2003's basic firewall. After you enable Routing and Remote Access, Internet Connection Firewall (ICF) and Internet Connection Sharing (ICS) will be unavailable. For stateful packet inspection and NAT functionality, Routing and Remote Access provides the NAT/Basic Firewall option instead. To enable this option, right-click the IP Routing folder, select Properties, select the General tab, then select New Routing Protocol. In the New Routing Protocol dialog box, select NAT/Basic Firewall, then click OK. You'll see NAT/Basic Firewall added as a folder under IP Routing. Right-click the NAT/Basic Firewall, then select New Interface. Select the Internet interface from the list, then click OK. The Network Address Translation Properties dialog box appears, as Figure 6 shows; select Basic firewall only because we don't want clients on the intranet to access the Internet through the VPN server. Also, click Inbound Filters and delete all filters referring to protocol 47 (GRE) or TCP port 1723 (PPTP). Both of these ports support PPTP, and even though we've disabled PPTP in Routing and Remote Access, the basic firewall still allows that traffic by default. Click Outbound Filters in the Network Address Translations Properties dialog box, and delete the same entries. Next, select the Services and Ports tab. This tab lets you configure which types of traffic the basic firewall permits. Select the VPN Gateway (L2TP/IPSec running on this server) check box, then click Edit. In the Edit Service dialog box, enter the address of the VPN server's internal network adapter. After you finish configuring the basic firewall, click OK.
Implementing Domain and Local Computer Security
At this point, your server is tightly locked down against attacks from the Internet; your VPN server should respond only to IPSec-related traffic. You can prove this response by running a port scan such as Insecure.org's Nmap. You're almost ready to connect your VPN server to the Internet. But before doing so, give attention to some domain and local computer-related security measures.
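The final check described above, as an added example that is not part of the original article: a small Python checker that reads Nmap grepable output (-oG) from a port scan and an IP protocol scan (-sO) of the VPN server's Internet address and reports anything open that isn't IKE, NAT-T or ESP/AH, calling out the PPTP remnants (TCP 1723 and GRE, protocol 47) that the basic firewall section says to delete. The scan text below is constructed for illustration, not a real scan result; adjust EXPECTED_PORTS and EXPECTED_PROTOCOLS to match the static filters you actually configured.

```python
# What the locked-down VPN server should expose on its Internet adapter:
# IKE (UDP 500), IKE NAT-T (UDP 4500) and the ESP/AH IP protocols.
# Assumption: adjust these sets to match your own RRAS static filters.
EXPECTED_PORTS = {("udp", 500), ("udp", 4500)}
EXPECTED_PROTOCOLS = {50, 51}  # ESP, AH
# TCP/UDP are judged per port above; ICMP is a separate policy decision.
IGNORED_PROTOCOLS = {1, 6, 17}
# PPTP remnants the article says to delete from the basic firewall filters.
PPTP_REMNANTS = {"1723/tcp": "PPTP control channel", "47": "GRE (PPTP data)"}

# Constructed sample of nmap -oG output (port scan plus -sO protocol scan).
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample, not a real result)\n"
    "Host: 203.0.113.10 ()\tPorts: 500/open/udp//isakmp///, "
    "4500/open/udp//nat-t-ike///, 1723/open/tcp//pptp///, "
    "1701/open|filtered/udp//l2tp///\tIgnored State: closed (1997)\n"
    "Host: 203.0.113.10 ()\tProtocols: 17/open/udp/, 47/open/gre/, 50/open/esp/\n"
)

def parse_grepable(text):
    """Return (ports, protocols) reported as definitely open in -oG output.
    ports: set of (proto, port); protocols: set of IP protocol numbers.
    Ambiguous UDP states such as open|filtered are deliberately skipped."""
    ports, protocols = set(), set()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")  # port/state/proto/...
                    if len(parts) >= 3 and parts[1] == "open":
                        ports.add((parts[2], int(parts[0])))
            elif field.startswith("Protocols:"):
                for entry in field[len("Protocols:"):].split(","):
                    parts = entry.strip().split("/")  # number/state/name/
                    if len(parts) >= 2 and parts[1] == "open":
                        protocols.add(int(parts[0]))
    return ports, protocols

def check_lockdown(text):
    """Return a list of findings; an empty list means only IPsec is exposed."""
    ports, protocols = parse_grepable(text)
    findings = []
    for proto, port in sorted(ports - EXPECTED_PORTS):
        key = f"{port}/{proto}"
        findings.append(f"unexpected open port {key}: "
                        f"{PPTP_REMNANTS.get(key, 'not part of L2TP/IPSec')}")
    for number in sorted(protocols - EXPECTED_PROTOCOLS - IGNORED_PROTOCOLS):
        findings.append(f"unexpected IP protocol {number}: "
                        f"{PPTP_REMNANTS.get(str(number), 'not part of L2TP/IPSec')}")
    return findings
```

Run the checker against real output with `nmap -sU -sS -oG - <vpn-address>` and `nmap -sO -oG - <vpn-address>` from the test client on the simulated Internet segment; any finding means a filter still needs attention before the adapter goes live.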
Thankfully, Windows 2003's default security settings are much stronger than Win2K's, but you should still perform a general hardening of the VPN server. Enable auditing and configure your security so that you can track security events. Make sure the local user accounts don't have RAS dial-in access. Also, set a strong account-lockout policy. Use a strong password for the local Administrator account, and disable the Guest account and any other unneeded local accounts. You'll also want to disable any unneeded services. I recommend that you use a GPO rather than a direct configuration to make these changes so that the settings will persist, even if you replace the server or deploy more servers in the event that your VPN needs to grow.
At the domain level, enable RAS dial-in access only for appropriate users who need remote access, and mandate strong password requirements for those users. Because a remote user authenticates to the VPN server with the same account that he or she uses to log on locally at the office, attackers can use Denial of Service (DoS) attacks to lock out one or more accounts through failed logon attempts to the VPN server. With Windows, you can handle remote access account lockouts separately so that external attackers can't lock out domain accounts for use on the local LAN but instead are locked out only from the VPN server. You can enable this special handling for remote access lockouts by configuring the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout registry setting. (For details about configuring this setting, see the Windows documentation at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/sag_rras-ch1_74.asp.)
After you connect your VPN server, you can try connecting from various clients. I recommend that you start by connecting from a client that dials in directly to an ISP so that you aren't crossing a NAT device. Remember to update your clients with either the Microsoft L2TP/IPSec VPN client on pre-Win2K computers or the IPSec NAT-T update on Win2K and later computers. Also, make sure that your client has a computer certificate installed and that the CA's certificate is in its Trusted Root Certification Authorities folder. Then, open Network Connections and use the New Connection Wizard to create a connection to your VPN server. Configure the connection to use L2TP and try it out using a domain account that you've enabled for dial-in access. If you can successfully connect, try next to connect from behind a NAT device (e.g., a home network firewall, a business partner's location).
Sharing a Few Troubleshooting Tips
Whenever you make a configuration change to Routing and Remote Access or IAS, I recommend restarting the service to make sure that your change takes effect immediately. You can use the Security and System logs on your client and on the VPN server as well as the IAS log on the IAS server (in the %winroot%\system32\logfiles directory) to troubleshoot connectivity problems that you might encounter. IAS logs begin with IN and are best viewed using the IASParse tool that comes with the Microsoft Windows 2000 Server Resource Kit. Enjoy setting up dual-factor authentication for a remote access VPN that even survives crossing NAT boundaries.
One of the most informative and instructional articles I have read yet. A real good HOW TO. However, I cannot download just the nat-t upgrade for my win2k machine.
Jim Pickhardt January 11, 2004
I certainly found this a very good article and an excellent how-to manual, but I need your support in order to know where I can get hold of the update for XP/W2k for ipsec nat-t.
Vitor Dinis February 02, 2004