L2TP VPN Server. Secure Computing SG570, SG300, SG560, SG565, SG550, SG530, SG580, SG575


Enter a user name and password added in the Configuring user accounts for VPN server section and click Connect.

L2TP VPN Server

To set up an L2TP/IPSec connection from a remote Windows XP client to your SnapGear unit and local network:

Enable and configure the L2TP VPN server.

Configure IPSec tunnel settings.

Set up VPN user accounts on the SnapGear unit and enable the appropriate authentication security.

Configure the VPN clients at the remote sites. The client does not require special software — the SG L2TP Server supports the standard L2TP and IPSec client software included with Windows XP.

Connect the remote VPN client.

L2TP server setup

Select L2TP VPN Server from the VPN section of the main menu.

Virtual Private Networking

202

Check Enable L2TP Server.

Enter the IP addresses to give to remote hosts. This must be a free IP address, or a range of free IP addresses, from the network (typically the LAN) that the remote users are assigned while connected to the SnapGear unit.

If you have configured several network connections, select the one that you want to connect remote users to from the IP Address to Assign VPN Server pull-down menu.

This is typically a LAN interface or alias.

Select the weakest Authentication Scheme to accept — access is denied to remote users attempting to connect using an authentication scheme weaker than this. They are described below, from strongest to weakest:

Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to use. This is the recommended option.

Encrypted Authentication (MS-CHAP): This is not a recommended encryption type and should only be used for older dial-in clients that do not support MS-CHAP v2.

Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password authentication to use. It is not recommended that clients connect using this as it provides very little password protection. Also note that clients connecting using CHAP are unable to encrypt traffic.

Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted.


Select the Required Encryption Level — access is denied to remote users attempting to connect without using this encryption level. Using Strong Encryption (MPPE 128 Bit) is recommended.

Select the Authentication Database. This allows you to indicate where the list of valid clients can be found. You can select from the following options:

Local: Use the local database defined on the Local Users tab of the Users page.

You must enable the Dial-in Access option for the individual users that are allowed dial-in access.

RADIUS: Use an external RADIUS server as defined on the RADIUS tab of the Users page.

TACACS+: Use an external TACACS+ server as defined on the TACACS+ tab of the Users page.

Note

See the Users section of the chapter entitled System for details on adding user accounts for PPTP access, and configuring the SnapGear unit to enable authentication against a RADIUS or TACACS+ server.

Click Submit.

Add an IPSec tunnel

Select L2TP VPN Server from the VPN section of the main menu and click the L2TP IPSec Configuration tab. Any existing L2TP IPSec tunnels are displayed, alongside icons to Modify and Delete them.

Authentication is performed using x.509 certificates or a pre-shared secret. You may add a single shared secret tunnel for all remote clients authenticating using shared secrets, an x.509 certificate tunnel for each remote client authenticating using certificates, or both.

A shared secret is a passphrase shared between the SnapGear unit and the remote client. This authentication method is relatively simple to configure, and relatively secure.


Note

Only one shared secret tunnel may be added. The one shared secret is used by all remote clients to authenticate.

An x.509 certificate tunnel authenticates the remote client against a Certificate Authority's (CA) certificate. The CA certificate must have signed the local certificates that are used for tunnel authentication.

Certificates need to be uploaded to the SnapGear unit before a tunnel can be configured to use them (see Certificate Management in the IPSec section later in this chapter). This authentication method is more difficult to configure, but very secure.

Creating and adding x.509 certificates is detailed in Certificate Management in the IPSec section later in this chapter.

Note

Multiple x.509 certificate tunnels may be added. A separate x.509 certificate tunnel is required for each remote client to authenticate.

Click New.

Enter a Tunnel Name to identify this connection. It may not be the same as any other L2TP/IPSec or regular IPSec tunnel names.

If adding a Shared Secret Tunnel, enter the Shared Secret. Ensure it is something hard to guess. Keep note of the shared secret, as it is used in configuring the remote client.


If adding an x.509 Certificate Tunnel, select the Local Certificate that you have uploaded to the SnapGear unit. Enter the Client Distinguished Name; it must match exactly the distinguished name of the remote party's local certificate to successfully authenticate the tunnel. Distinguished name fields are listed

Note

Certificates need to be uploaded to the SnapGear unit before a tunnel can be configured to use them (see Certificate Management in the IPSec section later in this chapter).

Add an L2TP user account

Select Users under System from the main menu, click Local Users and add a New user with PPTP Access. Keep note of the User name and Password, as these are required in configuring the remote PPTP client.

Refer to the Users section of the chapter entitled System for a more detailed account of adding a new local user.

Configure the remote L2TP client

The following instructions are for Windows XP.

Log in as Administrator or with Administrator privileges. From the Start menu, select Settings and then Network Connections.

Click Create New Connection from the Network Tasks menu to the left.


Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next.

Choose a Connection Name for the VPN connection, such as your company name or simply Office. Click Next.


If you have set up your computer to connect to your ISP using dial up, select Automatically dial this initial connection and your dial up account from the pull-down menu. If not, or you wish to manually establish your ISP connection before the VPN connection, select Do not dial the initial connection. Click Next.

Enter the SG PPTP appliance's Internet IP address or fully qualified domain name and click Next. Select whether you wish to make this connection available to all users and whether you wish to add a shortcut to your desktop, and click Finish.

To authenticate using a Shared Secret Tunnel, click Properties on the Connect Connection Name dialog.

Click Security > IPSec Settings, check Use pre-shared key for authentication and in Key enter the Shared Secret you selected when configuring the shared secret tunnel on the SnapGear unit.
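The Windows XP walkthrough above builds the client profile by hand. As an added example that is not part of the SnapGear manual, the same L2TP/IPSec shared-secret profile can be created on a modern Windows client (Windows 8.1 / Server 2012 R2 and later) with the built-in VpnClient cmdlets; the connection name, server address and shared secret below are placeholders, and the authentication method and encryption level are pinned to the settings the manual recommends on the unit (MS-CHAP v2, MPPE required).

```powershell
# Added example, not from the SnapGear manual: create the L2TP/IPSec client
# profile with the built-in VpnClient module instead of the XP wizard.
$ServerAddress = 'vpn.example.com'              # placeholder: unit's Internet IP or FQDN
$SharedSecret  = 'REPLACE-WITH-SHARED-SECRET'   # placeholder: Shared Secret from the IPSec tab

$profile = @{
    Name                 = 'Office'       # the Connection Name chosen in the wizard
    ServerAddress        = $ServerAddress
    TunnelType           = 'L2tp'
    L2tpPsk              = $SharedSecret  # "Use pre-shared key for authentication"
    AuthenticationMethod = 'MSChapv2'     # do not offer CHAP or PAP to the server
    EncryptionLevel      = 'Required'     # refuse an unencrypted PPP link (MPPE)
    RememberCredential   = $false         # prompt for the L2TP user name/password
    Force                = $true          # suppress the interactive PSK confirmation
}
Add-VpnConnection @profile

# Verify before connecting: the unit denies schemes weaker than the one it is
# configured to accept, so the client must not be able to negotiate downwards.
Get-VpnConnection -Name 'Office' |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```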

