Implementing an L2TP/IPsec VPN server with standard Windows 7/8 tools for connecting Windows, iOS and Android systems to an internal network
Recently I went looking for a way to create an encrypted connection to my office using the L2TP/IPsec protocol. The task became more complicated when, besides Windows clients, iOS and Android clients also had to be let into the network. There are many articles on the Internet on how to do this on a Windows server with an "external" IP address, but I want to offer the community a standard implementation of a Windows 7/8 encrypted L2TP tunnel on a local network with what is, in my opinion, a common topology.
Network structure
A small network of ten Windows 7/8 clients with a dedicated server running Windows Server 2008 Std (we will not pay attention to it for now) and Internet access through a simple router. For the VPN server I chose one of the Windows 7 Pro machines. Two ways to bring up an L2TP/IPsec server on Windows 7 Pro are described below.
Windows 7 L2TP/IPsec, AES 128-bit, using a certificate
The first step is to generate a computer certificate and a user certificate on the VPN server. For this we use the free utility Simple Authority. Install and run it. The program immediately offers to generate a computer certificate: fill in the fields, press random keys to seed the random number generator, and enter a password (preferably longer than 8 characters, otherwise there may be glitches). The computer certificate (CA) is ready. If no user has been added, add one: fill in the required fields on the right and click "New certificate". Two certificate files with the *.cer and *.p12 extensions will then appear on the desktop.
Install the certificates on our VPN server. Press Win+R ("Run"), enter mmc, press Enter. The console opens. Add a snap-in (File -> Add/Remove Snap-in), choose "Certificates", click "Add" and select "Computer account" when asked which certificates this snap-in will manage. Then "Personal" -> right-click -> All Tasks -> Import -> select the certificate file with the *.p12 extension (exactly that one). Enter the password and tick "Mark this key as exportable". Two certificates appear in the "Personal" category. The certificate whose "Issued to" and "Issued by" fields are the same should be moved to "Trusted Root Certification Authorities".
Make sure the parameter ProhibitIpSec = 1 is not present. Open the registry (Win+R -> regedit) and find the HKLM\System\CurrentControlSet\Services\Rasman\Parameters branch. If the parameter is absent, or is set to 0, all is well. Otherwise, fix it.
Create an incoming connection. Go to "Network and Sharing Center" -> "Change adapter settings". Press the Alt key to reveal the menu, then File -> "New Incoming Connection". Select the permitted users and tick "Through the Internet ... VPN". Select the required protocols. In the TCP/IPv4 properties, tick "Allow callers to access my local area network" and be sure to specify the pool of addresses issued to clients. After creating the connection, open its properties and on the "Users" tab check that "Require all users to secure their passwords and data" is ticked.
Check that the ports we need are open. Open a command prompt and run netstat -a -p udp to see whether UDP 1701, UDP 4500 and UDP 500 are now listening.
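The three checks above (ProhibitIpSec absent or 0, the RAS services running, UDP 500/4500/1701 listening) as one script, added here as an example; it is not from the article. Run it in an elevated PowerShell on the VPN server after the incoming connection has been created. The function name is ours; the registry path and ports are the ones named in the text.

```powershell
# Added pre-flight check for the certificate method (example, not the article's own code).
function Test-L2tpServerPrereqs {
    $ok = $true

    # 1. ProhibitIpSec must be absent or 0, otherwise the built-in L2TP/IPsec policy is disabled.
    $rasman = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
    $prop = Get-ItemProperty -Path $rasman -Name ProhibitIpSec -ErrorAction SilentlyContinue
    if ($null -eq $prop -or $prop.ProhibitIpSec -eq 0) {
        Write-Host 'ProhibitIpSec: absent or 0 (OK for the certificate method)'
    } else {
        Write-Warning "ProhibitIpSec = $($prop.ProhibitIpSec): default IPsec policy disabled; set it to 0 or delete it"
        $ok = $false
    }

    # 2. The services behind an incoming connection must be running.
    foreach ($svc in 'RasMan', 'RemoteAccess') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -eq 'Running') {
            Write-Host "$svc service: running"
        } else {
            Write-Warning "$svc service: not running"
            $ok = $false
        }
    }

    # 3. UDP 500 (IKE), 4500 (NAT-T) and 1701 (L2TP) must be listening.
    #    Parses the same netstat output the text refers to, so it works on Windows 7 and 8.
    $listening = netstat -a -n -p udp | ForEach-Object {
        if ($_ -match '^\s*UDP\s+\S+:(\d+)\s') { [int]$Matches[1] }
    } | Sort-Object -Unique
    foreach ($port in 500, 4500, 1701) {
        if ($listening -contains $port) {
            Write-Host "UDP ${port}: listening"
        } else {
            Write-Warning "UDP ${port}: NOT listening"
            $ok = $false
        }
    }
    return $ok   # $true only when every check passed
}

Test-L2tpServerPrereqs
```

A missing UDP 500 or 4500 listener usually means the incoming connection was created without the L2TP/IPsec protocol or the RAS services have not started; a missing 1701 listener means the incoming connection itself is not up.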
Creating a client connection for this method
Install the certificates on our VPN client. Copy the certificates we created earlier from the VPN server and install them exactly as on the server.
Create the VPN connection. Go to "Network and Sharing Center" -> "Set up a new connection or network" -> "Connect to a workplace" -> "Use my Internet connection (VPN)". Enter the address of our VPN server. The connection is ready.
Configure the VPN connection. Username and password, I think, need no explanation. On the "Security" tab, select the VPN type L2TP/IPsec; in the advanced settings choose "Use certificate" and untick the "Verify the name and usage attributes of the server's certificate" checkbox. Set encryption to "Require encryption" and under "Allow these protocols" select MS-CHAPv2. Then the Networking tab -> TCP/IPv4 properties -> Advanced -> untick "Use default gateway on remote network".
If the connection does not come up: on Windows 8 it is worth trying, in the registry key HKLM\SYSTEM\CurrentControlSet\Services\IPsec, to create a DWORD value named AssumeUDPEncapsulationContextOnSendRule with the value 2. On Windows 7/Vista this parameter must be created in HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent.
Results of this method
For Windows clients this is a good way to implement L2TP/IPsec, but when it comes to iOS clients the task grows. The problem is that iOS can connect over L2TP only with a preshared key (PSK); certificate authentication is available only for the Cisco VPN type. The second method shows how to solve this.
Windows 7 L2TP/IPsec with a preshared key, ESP 3DES encryption and integrity protection
Let's return to the magic parameter ProhibitIpSec = 1. Go to the registry branch HKLM\System\CurrentControlSet\Services\Rasman\Parameters, create a DWORD parameter named ProhibitIpSec and set it to 1. Then either reboot the OS or restart the RemoteAccess and RasMan services. This disables the default local IPsec policy for L2TP.
Now create a new IP security policy. "Run" -> mmc -> Add snap-in -> "IP Security Policy Management" and select "Local computer". Then "Create IP Security Policy" -> "Next" -> enter a name -> leave "Activate the default response rule" unchecked -> Next -> leave "Edit properties" checked. The properties of the new policy open. Untick "Use Add Wizard" and click "Add". Now each tab in order:
IP Filter List. Enter a name, untick "Use Add Wizard", click "Add". Source address: "Any". Destination address: "Any". On the Protocol tab select UDP from the drop-down list: packets FROM this port: 1701; packets TO any port. OK, OK, and back to the IP filter list. Here the newly created filter is marked with the radio button; go to the next tab.
Filter Action. Likewise: name, untick the wizard checkbox, "Add". Choose "Negotiate security", "Add". Choose "Encryption and integrity (ESP)". OK. Make sure no checkbox below the list of security methods is ticked. OK. Likewise, select the radio button and go to the next tab.
Connection Type: all network connections.
Tunnel Setting: this rule does not specify an IPsec tunnel.
Authentication Methods. Ignore Kerberos and click "Add". Select "Use this string (preshared key)" and enter our prepared key. OK. Now Kerberos can be removed. On the same tab you can also add certificate authentication; generating and installing a certificate is described in the first method.
Be sure to assign the new IP security policy: right-click it and choose "Assign".
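The server-side steps of this second method (ProhibitIpSec = 1, service restart, filter list, filter action, rule, assignment) scripted with netsh ipsec static, which edits the same local IP security policy store as the MMC snap-in. This is an added example, not the article's own procedure; run it elevated on the VPN server. The policy, filter list, action and rule names are ours, the PSK is a placeholder to be replaced with a long random value without spaces (PowerShell re-quotes arguments containing spaces, which netsh does not parse), and the ESP lifetimes are assumed to be the snap-in's defaults.

```powershell
# Added example (not from the article): second-method server setup via netsh ipsec static.
$Psk = 'REPLACE_WITH_LONG_RANDOM_PRESHARED_KEY'   # placeholder, not a real key

# 1. Disable the built-in L2TP/IPsec policy, then restart the RAS services (or reboot).
$rasman = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
New-ItemProperty -Path $rasman -Name ProhibitIpSec -PropertyType DWord -Value 1 -Force | Out-Null
Restart-Service -Name RasMan, RemoteAccess -Force

# 2. Policy with the default response rule left inactive (the wizard checkbox unticked).
netsh ipsec static add policy name=L2TP-PSK activatedefaultrule=no

# 3. IP filter list: any source, any destination, UDP from port 1701 to any port, mirrored.
netsh ipsec static add filterlist name=L2TP-Filters
netsh ipsec static add filter filterlist=L2TP-Filters srcaddr=any dstaddr=any protocol=UDP srcport=1701 dstport=0 mirrored=yes

# 4. Filter action: negotiate security with ESP, 3DES confidentiality plus SHA1 integrity.
#    inpass=no and soft=no correspond to the unticked checkboxes under the method list.
#    The 100000 KB / 3600 s lifetimes are the snap-in's defaults (assumption).
netsh ipsec static add filteraction name=L2TP-ESP action=negotiate 'qmsecmethods=ESP[3DES,SHA1]:100000k/3600s' inpass=no soft=no

# 5. Rule tying them together: all connection types, no tunnel endpoint, preshared-key auth.
netsh ipsec static add rule name=L2TP-Rule policy=L2TP-PSK filterlist=L2TP-Filters filteraction=L2TP-ESP conntype=all psk=$Psk

# 6. Assign the policy (the right-click -> Assign step) and display it for review.
netsh ipsec static set policy name=L2TP-PSK assign=yes
netsh ipsec static show policy name=L2TP-PSK
```

The qmsecmethods argument is single-quoted because a bare comma would make PowerShell split it into two arguments before netsh sees it. Because the filter is mirrored, the same rule also covers the reply packets from any port back to UDP 1701, which is what the snap-in's default "Mirrored" checkbox does.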
Creating a client connection for this method
It differs from the client connection of the first method only in the Advanced L2TP/IPsec properties, where instead of a certificate you select "Use preshared key for authentication".
VPN server access
On the router I used a Dynamic DNS service, because the external IP is dynamic. To be able to connect, port forwarding for UDP ports 1701, 4500 and 500 to our VPN server is required. We have reached the final stage, where another big problem awaits us. Windows 7/8 has a limit on the maximum number of remote access connections, and it is equal to 1. Windows Server has no such restriction. Here the phrase "so why did you write all this?!" suggests itself. There are two ways to solve it. First: one good person did a big job and wrote a patch that removes the restriction for Windows 7 Pro SP1; the search for the solution is described in detail there and the patch is provided. Second: use Windows Server, but not in the way described in most articles, which talk about assigning the "Routing and Remote Access" role and using special snap-ins in which the devil would break a leg, but with the method described above. It works fine on Windows Server without assigning special roles and without restrictions on the number of connections.
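The client side of both methods as a script, added here as an example; it is not from the article. It needs Windows 8 or later, where the VpnClient module's Add-VpnConnection cmdlet exists (Windows 7 has no such cmdlet, so there the GUI steps above apply). The function names are ours, 'vpn.example.invalid' stands for the server's Dynamic DNS name, and the preshared key is a placeholder; the registry paths are the ones the text gives for the case where the connection does not come up.

```powershell
# Added example (not from the article): L2TP/IPsec client setup for the certificate and PSK methods.
function New-L2tpClientConnection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ServerAddress,
        [string] $PresharedKey    # omit => IPsec uses the installed machine certificate (method 1)
    )
    $params = @{
        Name                 = $Name
        ServerAddress        = $ServerAddress
        TunnelType           = 'L2tp'
        AuthenticationMethod = 'MSChapv2'   # "Allow these protocols": MS-CHAPv2
        EncryptionLevel      = 'Required'   # "Require encryption"
        SplitTunneling       = $true        # "Use default gateway on remote network" unticked
        RememberCredential   = $true
        Force                = $true
    }
    if ($PresharedKey) { $params['L2tpPsk'] = $PresharedKey }   # method 2: preshared key
    Add-VpnConnection @params
}

function Enable-NatTraversalWorkaround {
    # Registry value from the text: Windows 8 -> IPsec key, Windows 7/Vista -> PolicyAgent key.
    $v = [Environment]::OSVersion.Version
    $key = if ($v.Major -eq 6 -and $v.Minor -ge 2) {
        'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
    } else {
        'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name AssumeUDPEncapsulationContextOnSendRule `
        -PropertyType DWord -Value 2 -Force | Out-Null
    "AssumeUDPEncapsulationContextOnSendRule=2 written under $key; reboot to apply"
}

# Method 1 (certificate) and method 2 (PSK); the server name and key are placeholders.
New-L2tpClientConnection -Name 'Office-L2TP-Cert' -ServerAddress 'vpn.example.invalid'
New-L2tpClientConnection -Name 'Office-L2TP-PSK'  -ServerAddress 'vpn.example.invalid' -PresharedKey 'REPLACE_WITH_PSK'
Get-VpnConnection | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, SplitTunneling

# Only if the connection does not come up behind NAT (the text's registry fix):
# Enable-NatTraversalWorkaround
```

To my knowledge Add-VpnConnection exposes no parameter for the "Verify the name and usage attributes of the server's certificate" checkbox, so for the certificate variant untick it afterwards in the connection's Security properties as the text describes.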