Users page and enter an L2TP user ID and password. - Generate a certificate request from the SystemCertificates page. This request can be transferred to a CA server that issues the certificate. The certificate can then be installed from the same page.
- You must also install the CA server's certificate on the gateway through the SystemCertificates page. If the Windows 2000 certificate is issued by a different CA, you must also install its certificate.
- Configure the Subject DN or Alternate Subject Name of the Windows 2000 certificate on the same page as the L2TP user account. Pull down the Valid Issuer Certificate Authority and select the CA who issued the Windows 2000 certificate. Pull down the Server Certificate and choose the gateway's certificate to be returned to Windows 2000. Windows 2000 checks the issuer's certificate also, so choose a certificate issued by a CA that Windows 2000 knows about. You may also check the Require Own IPSec Credentials now if you want to ensure that this L2TP user always uses this IPSec transport account.
- Go to the SystemCertificates page and select the Enable Allow All Feature check box. For the CA that issued the Windows 2000 certificate, select the Allow All Enabled check box. Select a user group from the Default Group pull-down. Be sure the user group selected has Allow IPSec Transport enabled and configured (not inherited) in its IPSec group properties. This configuration is very useful when L2TP user accounts are in RADIUS, since no L2TP or IPSec transport information needs to be stored in the LDAP server per user.
- Create a separate user that contains the IPSec transport account. Set up the account as described in the first option. Do not check the Require Own IPSec Credentials for either this user or the L2TP user. This configuration is supported mainly for L2TP user accounts that are in RADIUS or compulsory tunneling (many L2TP users sharing an IPSec transport connection). Alternatively (for testing), you could install a single certificate on multiple Windows 2000 PCs, in which case they would be sharing a single IPSec transport account. Windows 2000 does not support compulsory tunneling.
- At a minimum, you must set the desired minimum data protection level for the user. L2TP traffic arriving through an IPSec transport that does not meet this requirement is discarded. This is done in the L2TP properties of the group and therefore applies to all L2TP users under this group. No checking is done to determine whether the selection makes sense. For example, selecting 3DES as the minimum protection level implies that 3DES must be able to be negotiated with the Windows 2000 PC. To do this, DES must be enabled in the Services... IPSec page, must be enabled in the IPSec properties of the group containing the IPSec transport account, and must be configured on the Windows 2000 machine as an acceptable encryption type. Table 1 describes the mapping of minimum data protection levels.
Table 1 Mapping minimum data protection levels to encryption levels 128-bit AES
ESP-AES with SHA1 Integrity
Triple DES
ESP-Triple DES with SHA1 Integrity
ESP-Triple DES with MD5 Integrity
56-bit DES
ESP-Triple DES with SHA1 Integrity
ESP-Triple DES with MD5 Integrity
ESP-56-bit DES with SHA1 Integrity
ESP-56-bit DES with MD5 Integrity
40-bit DES
ESP-Triple DES with SHA1 Integrity
ESP-Triple DES with MD5 Integrity
ESP-56-bit DES with SHA1 Integrity
ESP-56-bit DES with MD5 Integrity
ESP-40-bit DES with SHA1 Integrity
ESP-40-bit DES with MD5 Integrity
Authentication only
ESP-Triple DES with SHA1 Integrity
ESP-Triple DES with MD5 Integrity
ESP-56-bit DES with SHA1 Integrity
ESP-56-bit DES with MD5 Integrity
ESP-40-bit DES with MD5 Integrity
ESP-40-bit DES with SHA1 Integrity
ESP-NULL (Authentication Only) with SHA1 Integrity
ESP-NULL (Authentication Only) with MD5 Integrity
AH-Authentication Only (HMAC-SHA1)
AH-Authentication Only (HMAC-MD5)
Not required
ESP-Triple DES with SHA1 Integrity
ESP-Triple DES with MD5 Integrity
ESP-56-bit DES with SHA1 Integrity
ESP-56-bit DES with MD5 Integrity
ESP-40-bit DES with SHA1 Integrity
ESP-40-bit DES with MD5 Integrity
ESP-NULL (Authentication Only) with SHA1 Integrity
ESP-NULL (Authentication Only) with MD5 Integrity
AH-Authentication Only (HMAC-SHA1)
AH-Authentication Only (HMAC-MD5)
Data is allowed through even if it does not come through an IPSec transport with this data protection level.
- If the Require Own IPSec Credentials check box is not selected on the L2TP user page, Require IPSec Credentials from Group must select a user group that contains a set of allowed IPSec transport accounts. These IPSec transport accounts may be contained at any level below this group. L2TP traffic that arrives through an IPSec transport not contained in this group is discarded.
- Turn on compression in the L2TP group properties if compression is desired. Compression for the PPP traffic is done if both the gateway and Windows 2000 agree that compression is enabled. Windows 2000 does not support compression at the IPSec transport level.
- Authentication may be MSCHAPV1, MSCHAPV2, CHAP, or PAP. Of these, Windows 2000 prefers to perform MSCHAPV2 followed by MSCHAPV1 followed by CHAP followed by PAP. Windows 2000 does sure the Not Encrypted check box is also enabled.