Example 6a: Configure the Windows Vista VPN Client

This is the same configuration as in Example 6, except that it is for Windows Vista VPN clients instead of Windows 2000/XP clients. The TMS zl Module steps come first, followed by the Windows Vista VPN client steps.

TMS zl Module

1. Create the L2TP user group.
   a. Select Network > Authentication > Local Users.
   b. Click Add Group.
   c. For Group Name, type L2TPuserGP and click OK.

2. Create the IKEv1 policy.
   a. Select VPN > IPsec > IKEv1 Policies.
   b. Click Add IKE Policy.
   c. For IKE Policy Name, type remoteL2TP.
   d. For IKE Policy Type, select Client-to-Site (Responder).
   e. For Local Gateway, select Use VLAN IP Address and select VLAN22.
   f. For Local ID, select IP Address from the Type list, then type 172.24.22.99 in the box.
   g. For Remote ID, select IP Address from the Type list, then type 0.0.0.0 in the box. This wildcard address permits multiple clients to use the policy.
   h. Click Next.
   i. Under IKE Authentication, configure these settings:
      - For Key Exchange Mode, select Main Mode.
      - For Authentication Method, select Preshared Key.
      - For Preshared Key and Confirm Preshared Key, type WindowsL2tpKEY.
   j. Under Security Parameters Proposal, configure the security settings that the Threat Management Services (TMS) zl Module will propose for the IKE SA:
      - For Diffie-Hellman (DH) Group, select the size of the prime number used in DH key agreement. For this example, select Group 2 (1024).
      - For Encryption Algorithm, select 3DES.
      - For Authentication Algorithm, select MD5.
      - For SA Lifetime in seconds, type 28800 (8 hours).
   k. Click Next.
   l. Accept the default: Disable XAUTH.
   m. Click Finish. The IKE policy is displayed in VPN > IPsec > IKEv1 Policies.

3. Create the named objects.
   a. Select Firewall > Access Policies > Addresses.
   b. Click Add an Address.
   c. Create a single-entry IP address object for the local gateway:
      - For Name, type localVPNgate.
      - For Type, select IP.
      - Select Single-entry and type 172.24.22.99.
      - Click Apply.
   d. Create a single-entry network address object for VLAN44:
      - For Name, type VLAN44.
      - For Type, select Network.
      - Select Single-entry and type 10.1.44.0/24.
      - Click Apply.
   e. Create a single-entry network address object for the remote clients' public IP addresses:
      - For Name, type L2TPclients.
      - For Type, select Network.
      - Select Single-entry and type 192.168.33.0/24.
      - Click Apply.
   f. Create a single-entry network address object for the remote clients' local (virtual) IP addresses:
      - For Name, type L2TPclientsVIR.
      - For Type, select Network.
      - Select Single-entry and type 5.5.5.0/24.
      - Click Apply.
   g. Click Close.

4. Create the IPsec proposal.
   a. Select VPN > IPsec > IPsec Proposals.
   b. Click Add IPsec Proposal.
   c. For Proposal Name, type TResp3Dmd5.
   d. For Encapsulation Mode, select Transport Mode.
   e. For Security Protocol, select ESP.
   f. For Encryption Algorithm, select 3DES.
   g. For Authentication Algorithm, select MD5.
   h. Click OK.

5. Create the IPsec policy.
   a. Click the IPsec Policies tab.
   b. Click Add IPsec Policy.
   c. For Policy Name, type L2TPoverIPsec.
   d. For Action, select Apply.
   e. For Position, type 1.
   f. For Traffic Selector, configure these settings:
      - For Protocol, select UDP.
      - For Local Address, select localVPNgate.
      - For Local Port, type 1701.
      - For Remote Address, select L2TPclients.
      - For Remote Port, type 1701.
      Note: You cannot select (115) L2TP as the protocol for this traffic selector. That entry matches L2TP carried directly over IP (IP protocol 115, a Layer 3 match), whereas the Windows client sends L2TP inside UDP port 1701, so the selector must match at Layer 4.
   g. For Proposal, select TResp3Dmd5.
   h. Click Next.
   i. For Key Exchange Method, accept the default: Auto (with IKEv1).
   j. For IKEv1 Policy, select remoteL2TP.
   k. Accept the remaining default values and click Next.
   l. Clear the Enable IP Address Pool for IRAS (Mode Config) check box and click Next.
   m. Accept the default settings in the Advanced Settings (Optional) section.
   n. Click Finish. The IPsec policy is displayed in the VPN > IPsec > IPsec Policies window.

6. Create the L2TP remote access policy.
   a. Click the L2TP Remote Access tab.
   b. Click Add L2TP Policy.
   c. For Policy Name, type Windows.
   d. Select the Enable this policy check box.
   e. For IKE Policy, select remoteL2TP.
   f. Click Next.
   g. For Proposal, select TResp3Dmd5.
   h. Accept the remaining default values and click Finish.

7. Create the dial-in user policies for the two clients.
   a. Click Add Dial-In User.
   b. For Dial-In User Name, type L2TPuser.
   c. For Server IP Address/Subnet Mask, type 5.5.5.5/24.
   d. For User IP Address, type 5.5.5.50.
   e. For Authentication, select No Authentication and click Next.
   f. For Policy Group Name, select L2TPuserGP.
   g. For Authentication Protocol, select Any.
   h. For User, type user101.
   i. For Password, type 1234$ and click Next.
   j. For Default Gateway, type 5.5.5.5.
   k. For Primary DNS Server, type 10.1.44.222.
   l. Click Finish.
   m. Click Add Dial-In User again.
   n. For Dial-In User Name, type L2TPuser.
   o. For Server IP Address/Subnet Mask, type 5.5.5.5/24.
   p. For User IP Address, type 5.5.5.51.
   q. For Authentication, select No Authentication and click Next.
   r. For Policy Group Name, select L2TPuserGP.
   s. For Authentication Protocol, select Any.
   t. For User, type user102.
   u. For Password, type 1234$ and click Next.
   v. For Default Gateway, type 5.5.5.5.
   w. For Primary DNS Server, type 10.1.44.222.
   x. Click Finish.

8. Create the firewall access policies.
   a. Select Firewall > Access Policies > Unicast.
   b. Select the L2TPuserGP user group.
   c. Click Add a Policy.
   d. Permit IKE traffic from the remote clients to the TMS zl Module:
      - For Action, accept the default: Permit Traffic.
      - For From, select EXTERNAL.
      - For To, select SELF.
      - For Service, select isakmp.
      - For Source, select L2TPclients.
      - For Destination, select localVPNgate.
      - Select the Enable logging on this Policy check box.
      - Click Apply.
   e. Permit L2TP traffic from the remote clients to the TMS zl Module:
      - For Action, accept the default: Permit Traffic.
      - For From, select EXTERNAL.
      - For To, select SELF.
      - For Service, select l2tp-udp.
      - For Source, select L2TPclients.
      - For Destination, select localVPNgate.
      - Click Apply.
   f. Permit L2TP traffic from the TMS zl Module to the remote clients:
      - For Action, accept the default: Permit Traffic.
      - For From, select SELF.
      - For To, select EXTERNAL.
      - For Service, select l2tp-udp.
      - For Source, select localVPNgate.
      - For Destination, select L2TPclients.
      - Click Apply.
   g. Permit IKE traffic from the TMS zl Module to the remote clients:
      - For Action, accept the default: Permit Traffic.
      - For From, select SELF.
      - For To, select EXTERNAL.
      - For Service, select isakmp.
      - For Source, select localVPNgate.
      - For Destination, select L2TPclients.
      - Click Apply.
   h. Permit traffic from the remote clients to VLAN44:
      - For Action, accept the default: Permit Traffic.
      - For From, select EXTERNAL.
      - For To, select INTERNAL.
      - For Service, select Any Service.
      - For Source, select L2TPclientsVIR.
      - For Destination, select VLAN44.
      - Click Apply.
   i. Permit traffic from VLAN44 to the remote clients:
      - For Action, accept the default: Permit Traffic.
      - For From, select INTERNAL.
      - For To, select EXTERNAL.
      - For Service, select Any Service.
      - For Source, select VLAN44.
      - For Destination, select L2TPclientsVIR.
      - Click Apply.
   j. Click Close.

9. Create the static route.
   a. Select Network > Routing > Static Routes.
   b. Click Add Static Route.
   c. For Destination Type, select Default Gateway.
   d. For Gateway Address, type 172.24.22.1.
   e. For Metric, accept the default: 0.
   f. Click OK.

10. Click Save.

Windows Vista VPN Client

1. Follow the instructions to edit the Vista registry. Do not forget to restart the client before performing the next step.

2. Select Start > Run.

3. Type secpol.msc and click OK.

4. Select IP Security Policies on Local Computer in the left pane.

5. Select Action > Create IP Security Policy.
   a. In the IP Security Policy Wizard, click Next.
   b. For Name, type TMS L2TP and click Next.
   c. Clear the Activate the default response rule check box and click Next.
   d. Leave the Edit properties check box selected and click Finish.

6. In the TMS L2TP Properties window, clear the Use Add Wizard check box and click Add.
   a. In the New Rule Properties window, click Add in the IP Filter Lists section.
   b. In the IP Filter List window, type L2TP Traffic in the Name box.
   c. Clear the Use Add Wizard check box and click Add.
   d. In the Filter Properties window, define the filter:
      - Select the Addresses tab.
      - For Source address, leave Any IP Address.
      - For Destination address, select A specific IP Address or Subnet.
      - For IP Address or Subnet, type 172.24.22.99.
      - Select the Protocol tab.
      - For Select a protocol, select UDP.
      - For Set the IP protocol port, select From this port and type 1701 in the box.
      - Select To this port and type 1701 in the box.
      - Click OK to close the Filter Properties window.
   e. Click OK to close the IP Filter List window.

7. In the IP Filter Lists box, select L2TP Traffic.

8. Click the Filter Action tab.

9. Clear the Use Add Wizard check box and click Add.
   a. In the New Filter Action Properties window, click Add.
   b. In the New Security Method window, select Custom.
   c. Click Settings.
   d. In the Custom Security Method Settings window, configure the "IPsec proposal":
      - Select the Data integrity and encryption (ESP) check box.
      - For Integrity algorithm, select MD5.
      - For Encryption algorithm, select 3DES.
      - Under Session key settings, select the Generate a new key every check box on the right and type 28800 (seconds).
   e. Click OK to close the Custom Security Method Settings window.

10. A message might be displayed, informing you that your choices are not the most secure. Click Yes.

11. Click OK to close the New Security Method window.

12. In the New Filter Action Properties window, click the General tab.

13. For Name, type IPsec Negotiation.

14. Click OK to close the New Filter Action Properties window.

15. In the Filter Actions box, select IPsec Negotiation.

16. Click the Authentication Methods tab.

17. Click Edit and configure the IKE policy:
    a. Select Use this string (preshared key) and type WindowsL2tpKEY.
    b. Click OK.

18. Click Close to close the New Rule Properties window.

19. In the TMS L2TP Properties window, click the General tab.

20. Click Settings.

21. Under Authenticate and generate a new key after every, type 480 in the minutes box.

22. Click Methods.

23. Remove all of the default security methods by selecting each method and clicking Remove.

24. Click Add.
    a. For Integrity algorithm, select MD5.
    b. For Encryption algorithm, select 3DES.
    c. For Diffie-Hellman Group, select Medium (2).
    d. Click OK to close the IKE Security Algorithms window.
    e. A message might be displayed, informing you that your choices are not the most secure. Click Yes.

25. Click OK to close the Key Exchange Security Methods window.

26. Click OK to close the Key Exchange Settings window.

27. Click OK to close the TMS L2TP Properties window.

28. In the right pane of the Local Security Policy window, right-click Remote Access and select Assign to start enforcing the IPsec policy.

29. Close the Local Security Policy window.

30. Click Start > Control Panel.

31. Double-click Network and Sharing Center.

32. In the left navigation bar, click Set up a connection or network.
    a. Select Connect to a workplace.
    b. Click Next.
    c. Double-click Use my Internet connection (VPN).
    d. If prompted, select I'll set up an Internet connection later and click Next.
    e. For Internet address, type 172.24.22.99.
    f. For Destination name, type Main Campus.
    g. Select the Don't connect now; just set it up so I can connect later check box.
    h. Client A only: For User Name, type user101.
    i. Client B only: For User Name, type user102.
    j. For Password, type 1234$.
    k. Select the Remember this password check box.
    l. Click Create.

33. Close the "The connection is ready to use" page.

34. Return to the Network and Sharing Center window.

35. In the left navigation bar, click Manage network connections.

36. Double-click Main Campus.

37. Click Properties.
    a. Click the Networking tab.
    b. For Type of VPN, select L2TP IPSec VPN.
    c. Click IPsec Settings. The IPsec Settings window is displayed.
    d. Select the Use preshared key for authentication check box.
    e. For Key, type WindowsL2tpKEY.
    f. Click OK to close the IPsec Settings window.

38. Select Internet Protocol Version 4 (TCP/IPv4) in the This connection uses the following items box and click Properties.

39. Ensure that Obtain an IP address automatically and Obtain DNS server address automatically are selected so that the TMS zl Module can assign these values while the client is connected to the private network. Click OK to exit.

40. Click OK to close the Main Campus Properties window.

41. Select Start > Connect to.

42. Double-click Main Campus and click Connect.

43. After a minute or so, you should see a message informing you that the connection was successful.
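A tunnel in this example only comes up if the IKE proposal, the IPsec proposal and the traffic selectors entered on the module and on the Vista client agree exactly (including the 480-minute IKE lifetime on the client equalling the 28800 seconds on the module). The script below is an added example, not part of the HP documentation or the TMS zl software: it models both sides' settings as entered above, reports any mismatch, checks that a client address inside the L2TPclients object is covered by both traffic selectors, and flags the 3DES/MD5 choices that the Vista dialogs also warn about. The client address 192.168.33.10 is a constructed sample.

```python
import ipaddress

# Values transcribed from this example; constructed here, not read from any device.
TMS_GATEWAY = {
    "ike": {"dh_group": 2, "enc": "3DES", "auth": "MD5", "lifetime_s": 28800, "psk": "WindowsL2tpKEY"},
    "ipsec": {"mode": "transport", "proto": "ESP", "enc": "3DES", "auth": "MD5"},
    # L2TPoverIPsec traffic selector seen from the module: src = L2TPclients, dst = localVPNgate
    "selector": {"src": "192.168.33.0/24", "dst": "172.24.22.99/32", "ip_proto": "UDP", "sport": 1701, "dport": 1701},
}
VISTA_CLIENT = {
    # 480 minutes in the Key Exchange Settings dialog must equal the module's 28800 seconds
    "ike": {"dh_group": 2, "enc": "3DES", "auth": "MD5", "lifetime_s": 480 * 60, "psk": "WindowsL2tpKEY"},
    "ipsec": {"mode": "transport", "proto": "ESP", "enc": "3DES", "auth": "MD5"},
    # "L2TP Traffic" filter: Any IP Address -> 172.24.22.99, UDP, from port 1701 to port 1701
    "selector": {"src": "0.0.0.0/0", "dst": "172.24.22.99/32", "ip_proto": "UDP", "sport": 1701, "dport": 1701},
}
WEAK_ALGORITHMS = {"3DES", "MD5"}  # the algorithms this example selects; flag them for review

def selector_matches(sel, src_ip, dst_ip, ip_proto, sport, dport):
    """True if one flow (client -> gateway direction) falls inside a traffic selector."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(sel["src"])
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(sel["dst"])
            and sel["ip_proto"] == ip_proto and sel["sport"] == sport and sel["dport"] == dport)

def check_pair(gateway, client, client_ip):
    """Compare both sides; return findings (no MISMATCH entries means the tunnel should negotiate)."""
    findings = []
    for phase in ("ike", "ipsec"):
        for key, gw_value in gateway[phase].items():
            client_value = client[phase].get(key)
            if client_value != gw_value:
                shown = "<hidden>" if key == "psk" else f"gateway={gw_value!r} client={client_value!r}"
                findings.append(f"MISMATCH {phase}.{key}: {shown}")
            if str(gw_value) in WEAK_ALGORITHMS:
                findings.append(f"WEAK {phase}.{key}: {gw_value}")
    # The L2TP flow both selectors must cover: client:1701 -> gateway:1701 over UDP
    gateway_ip = str(ipaddress.ip_network(gateway["selector"]["dst"]).network_address)
    flow = (client_ip, gateway_ip, "UDP", 1701, 1701)
    if not selector_matches(client["selector"], *flow):
        findings.append("MISMATCH selector: the client's IP filter does not cover the L2TP flow")
    if not selector_matches(gateway["selector"], *flow):
        findings.append(f"MISMATCH selector: {client_ip} is outside the gateway's L2TPclients object")
    return findings

if __name__ == "__main__":
    for line in check_pair(TMS_GATEWAY, VISTA_CLIENT, "192.168.33.10"):  # constructed client address
        print(line)
```

With the values as entered above the script reports only the four WEAK findings; entering 480 into a seconds field instead of the minutes box, or a client outside 192.168.33.0/24, produces a MISMATCH line.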
