HOWTO connect from a road warrior (Windows 2000+) to a Windows 2000 VPN server
behind a Linux NAT router with L2TP and IPSec

21 April 2003
Martin Koeppe < mkoeppe (at) gmx (dot) de >

Motivation
----------

You have
- a private network with a Windows 2000 server?
- a Linux router with NAT to connect to the Internet?
- a "road warrior" machine with Windows 2000+?

You want to dial in to your private network via a VPN connection and IPSec?
Then this HOWTO is for you.

Since it is not that easy to get an IPSec connection through a NAT router,
this HOWTO describes the following scenario:

<------ Internet --------------><---------- private net ---------->
1.1.1.1              2.2.2.2    192.168.1.1              192.168.1.2
road warrior ----------- Linux router ------------ Windows server
 L2TP/IPSec                                   L2TP/plain after DNAT

So the road warrior thinks it connects with IPsec to the server, but the
IPsec tunnel is only built to the router; there IPsec is stripped off and
the plain L2TP packets are forwarded with the help of DNAT to the real
Windows server, which accepts the plain L2TP connection. The local net is
assumed to be trusted, since the L2TP traffic crosses it unprotected after
the router strips IPsec; under that assumption, disabling IPSec on the
server side should not be a problem.

0. Preparation: Create necessary Certificates
---------------------------------------------

This HOWTO is not about the details of creating certificates, however here
are some hints. I can think of 4 possible ways of creating certificates for
this scenario:

a) You only use Linux and openssl to manage all certificates. Details on
   that you can find here (among others):
   http://www.natecarlson.com/linux/ipsec-x509.php

b) You only use Windows (>= 2000) with Certificate Services installed and
   IIS running. You can find a HOWTO on that in the Microsoft Knowledge
   Base, article 253498.

c) You use openssl for the Linux machines and Windows Certificate Services
   for the Windows machines. Then you have to trust both CAs' root certs on
   all involved machines.
d) You use openssl for the Linux machines and Windows Certificate Services
   for the Windows machines with the same root certificate: you back up /
   export your root CA including the private key from Windows Certificate
   Services and reuse it together with openssl to sign certificates for the
   Linux machines.

1. Setting up VPN server and client
-----------------------------------

On your Windows server, enable the Routing and RAS service and configure it
as a VPN server. Be sure to have some L2TP ports enabled for RAS.

On the Windows client, create a new dial-in connection of type VPN, enter
the address of your VPN server, then change Properties -> Network -> Type of
server from "Automatic" to "L2TP".

Test the connection from within your local network to see if the
certificates are correctly installed, at least on server and client.

2. Configure IPSec (FreeS/WAN) on the Linux router
--------------------------------------------------

Here are my settings:

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=/etc/x509cert.der
        leftid="CN=router.bogus.domain"
        left=%defaultroute

conn laptop-l2tp
        # only L2TP: transport mode, protect just UDP to port 1701
        type=transport
        pfs=no
        leftprotoport=udp/0
        rightprotoport=udp/1701
        right=%any
        rightid="CN=laptop.bogus.domain"
        auto=add

3. Testing IPSec connectivity
-----------------------------

Now you can test if all the certificate stuff is right on Linux as well.
Bring your outbound connection up, start FreeS/WAN, and try to connect from
your road warrior via the outbound connection to your Linux router. You can
use the same dial-in connection created for testing (type of VPN server:
L2TP); only change the address to the address of your Linux router now and
connect.
On the Linux side, you should see after invoking "ipsec barf":

"laptop-l2tp"[1] #1: responding to Main Mode from unknown peer
"laptop-l2tp"[1] #1: Peer ID is ID_DER_ASN1_DN: 'CN=laptop.bogus.domain'
"laptop-l2tp"[1] #1: Issuer CRL not found
"laptop-l2tp"[1] #1: Issuer CRL not found
"laptop-l2tp"[1] #1: sent MR3, ISAKMP SA established
"laptop-l2tp"[1] #2: responding to Quick Mode
"laptop-l2tp"[1] #2: IPsec SA established

On the Windows side you can start ipsecmon.exe to see whether an IPsec
connection gets established. If so, all is fine for now. Your dial-in
connection will likely time out with error 678. This is ok for now.

4. Disable IPSec on VPN server for L2TP connections
---------------------------------------------------

This is documented in Microsoft Knowledge Base, article 310109. In short:
create the following Registry entry on the VPN server:

HKLM\System\CurrentControlSet\Services\Rasman\Parameters\
    ProhibitIpSec    REG_DWORD    1

Restart the machine.

Enable unencrypted incoming connections on the VPN server as well: open
"Routing and RAS", then "RAS Policies", and modify the standard profile to
allow unencrypted connections, too.

5. Enable port forwarding (DNAT) on the Linux router
----------------------------------------------------

I use the following script after bringing up the outbound connection:

# start IPSec service
/etc/init.d/ipsec start

# make VPN server reachable: forward L2TP (UDP 1701) to the private
# address of the Windows server, but only for packets that arrived
# through the IPsec tunnel (interface ipsec0), so plain L2TP hitting
# the outer interface is not forwarded
/sbin/iptables -t nat -A PREROUTING -i ipsec0 \
    -p udp --sport 1701 --dport 1701 \
    -j DNAT --to-destination

and on closing the connection:

# make VPN server unreachable (same rule, deleted)
/sbin/iptables -t nat -D PREROUTING -i ipsec0 \
    -p udp --sport 1701 --dport 1701 \
    -j DNAT --to-destination

# stop IPSec service
/etc/init.d/ipsec stop

6. Troubleshooting
------------------

All should work well now; if not, execute "ipsec barf" on Linux and try to
debug.
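As an added troubleshooting aid for sections 3 and 6 (example code written for this edit, not part of the original HOWTO): a small Python script that reads the Pluto lines from "ipsec barf" and reports how far the IKE negotiation got for the laptop-l2tp connection, using the lines quoted in section 3 as constructed sample input. The hints it returns are my own heuristics tied to the settings in this HOWTO, and `analyse`, `MILESTONES` and `HINTS` are names chosen here.

```python
import re

# Constructed sample input: the "ipsec barf" lines quoted in section 3.
SAMPLE_LOG = """\
"laptop-l2tp"[1] #1: responding to Main Mode from unknown peer
"laptop-l2tp"[1] #1: Peer ID is ID_DER_ASN1_DN: 'CN=laptop.bogus.domain'
"laptop-l2tp"[1] #1: Issuer CRL not found
"laptop-l2tp"[1] #1: sent MR3, ISAKMP SA established
"laptop-l2tp"[1] #2: responding to Quick Mode
"laptop-l2tp"[1] #2: IPsec SA established
"""

# Milestones in the order Pluto reaches them: Main Mode is IKE phase 1,
# Quick Mode is IKE phase 2.
MILESTONES = ("responding to Main Mode", "ISAKMP SA established",
              "responding to Quick Mode", "IPsec SA established")

# Heuristic hints (this edit's, not the HOWTO's): what to check when the
# negotiation stops after a given milestone.
HINTS = {
    None: "no IKE exchange seen: is FreeS/WAN running and UDP 500 reachable?",
    "responding to Main Mode": "phase 1 failed: check certificates and rightid",
    "ISAKMP SA established": "phase 2 failed: check type=transport and protoports",
    "responding to Quick Mode": "Quick Mode did not finish: check the proposal",
    "IPsec SA established": "IPsec is up; error 678 now means L2TP (UDP 1701) "
                            "is not reaching the server: check DNAT/ProhibitIpSec",
}

LINE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] #\d+: (?P<msg>.*)$')
PEER_RE = re.compile(r"Peer ID is \S+: '(?P<id>[^']+)'")

def analyse(log, conn="laptop-l2tp"):
    """Return (furthest_milestone, peer_id, hint) for one FreeS/WAN conn."""
    seen, peer_id = set(), None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("conn") != conn:
            continue                # ignore other conns and non-Pluto lines
        msg = m.group("msg")
        seen.update(ms for ms in MILESTONES if ms in msg)
        p = PEER_RE.search(msg)
        if p:
            peer_id = p.group("id")  # compare with rightid in ipsec.conf
    furthest = None
    for ms in MILESTONES:           # stop at the first milestone never reached
        if ms not in seen:
            break
        furthest = ms
    return furthest, peer_id, HINTS[furthest]
```

Feed it the real output, e.g. `analyse(open("barf.txt").read())`, and check that the reported peer ID equals the rightid you configured before trusting the rest of the diagnosis.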