Page 30 out of 51 total pages, Page 8 out of 8 pages in this chapter
Configuring branch office for L2TP over IPSec
Windows 2000 Server or Advanced Server may act as the Windows 2000 L2TP/IPSec peer in a gateway-to-gateway (branch office) connection. Both static routing and dynamic (RIP and OSPF) routing are possible through this branch connection.
To configure the gateway:
- Configure an L2TP branch connection on the gateway. Go to Profiles > Branch Office.
- Enter the IP address of the Windows 2000 server as the remote endpoint. Select L2TP as the tunnel type.
- Choose MS-CHAPV2 unencrypted as the authentication type.
- Enter a local UID for the gateway.
- Enter a peer UID for Windows 2000.
- Enter a shared password.
- If you want compression, select L2TP compression. As with remote access, Windows 2000 does not support compression on the IPSec transport connection.
- If you want L2TP tunnel authentication, you must provide an L2TP Access Concentrator definition; note that Windows 2000 does not support L2TP tunnel authentication.
- Select the minimum data protection level. If you select anything other than Not Required, you must set up an IPSec account. Mappings of data protection levels to encryption levels are exactly as shown in Table 1.
- As with remote access, the IPSec transport account must be set up. By default, Windows 2000 supports only certificate authentication, so a process exactly like that described for remote access must be performed. The CA Allow All authentication option is not available for branch office connections. The L2TP branch office must use the IPSec transport account specified in the connection if data protection is required.
- You can set up routing as either static or dynamic.
To configure Windows 2000:
- You must install a certificate for Windows 2000 and the CA certificates as described above.
- Start the Routing and Remote Access administrative tool.
- Right-click on Routing Interfaces and choose New Demand-dial Interface.
- Choose the name of the branch connection. This name becomes the L2TP user ID of the gateway. MSCHAPV2 is case-sensitive for user IDs; to ensure interoperability with the gateway, use lowercase user IDs.
- Select Connect using VPN.
- Select L2TP as the VPN type.
- Enter the interface address of the gateway.
- Select Route IP packets on this interface and select Add a user account so a remote router can dial in.
- Select a password for the gateway L2TP user ID. If the gateway initiates branch office connections to Windows 2000, this password must match that entered on the gateway Branch Office Connection page. If not, then this password does not matter.
- Choose the Windows 2000 L2TP user ID and the shared password. If Windows 2000 initiates branch office connections to the gateway, this password must match that entered on the gateway Branch Office Connection page. The Domain field may be left blank.
- The gateway supports only MSCHAPV2 as a branch office L2TP authentication method, so be sure you enable this method in the properties (it is by default).
- If you want static routes to demand dial on this connection, expand IP Routing > Static Routes and right-click on New Static Route. Select the interface just created and enter the subnet information. Be sure you enable Use this route to initiate demand-dial connections. Alternatively, you can dial the connection by right-clicking on it and selecting Connect.
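The two procedures above leave several settings that must agree across the gateway and the Windows 2000 server (matching tunnel type and authentication method, case-sensitive user IDs, a shared password that only has to match in the direction that initiates, no tunnel authentication or IPSec-transport compression on the Windows side, and an IPSec account whenever data protection is required). The following script is an added example, not part of this documentation or of any Nortel or Microsoft tool: it encodes those rules as a pre-flight consistency check over a hypothetical representation of what each administrator entered. The dataclass field names, the `interface_address` field and all sample values are constructed assumptions for the example.

```python
"""Pre-flight interoperability check for a gateway <-> Windows 2000 L2TP/IPSec
branch-office connection (added example; field names and sample values are assumed)."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GatewayBranchConfig:
    """Settings entered on the gateway's Profiles > Branch Office page (field names assumed)."""
    interface_address: str      # address Windows 2000 dials (assumed field)
    remote_endpoint: str        # Windows 2000 server address
    tunnel_type: str            # "L2TP"
    auth_type: str              # "MS-CHAPV2"
    local_uid: str              # gateway's L2TP user ID
    peer_uid: str               # Windows 2000's L2TP user ID
    shared_password: str
    compression: Optional[str]  # None, "L2TP" or "IPSec"
    tunnel_auth: bool           # L2TP tunnel authentication (needs an LAC definition)
    data_protection: str        # "Not Required" or a stronger level
    ipsec_account: Optional[str]
    initiates: bool             # gateway dials out to Windows 2000


@dataclass
class Win2kDemandDialConfig:
    """Settings entered in the Routing and Remote Access demand-dial wizard (field names assumed)."""
    interface_name: str         # becomes the gateway's L2TP user ID
    vpn_type: str               # "L2TP"
    gateway_address: str
    dialin_password: str        # password of the user account created for the gateway
    dialout_user_id: str        # Windows 2000's own L2TP user ID
    dialout_password: str
    mschapv2_enabled: bool
    initiates: bool             # Windows 2000 dials out to the gateway


def check_branch_config(gw: GatewayBranchConfig, win: Win2kDemandDialConfig) -> List[str]:
    """Return the interoperability problems found; an empty list means both sides agree."""
    problems: List[str] = []

    if gw.tunnel_type.upper() != "L2TP" or win.vpn_type.upper() != "L2TP":
        problems.append("tunnel type must be L2TP on both sides")
    if gw.auth_type.upper().replace("-", "") != "MSCHAPV2" or not win.mschapv2_enabled:
        problems.append("MS-CHAPv2 is the only supported branch-office authentication method")
    if win.gateway_address != gw.interface_address:
        problems.append("Windows 2000 must dial the gateway's interface address")

    # MSCHAPv2 user IDs are case-sensitive: compare exactly and flag non-lowercase IDs.
    if win.interface_name != gw.local_uid:
        problems.append(f"interface name {win.interface_name!r} must equal gateway local UID {gw.local_uid!r}")
    if win.dialout_user_id != gw.peer_uid:
        problems.append(f"Windows 2000 user ID {win.dialout_user_id!r} must equal gateway peer UID {gw.peer_uid!r}")
    for label, uid in (("gateway local UID", gw.local_uid), ("gateway peer UID", gw.peer_uid)):
        if uid != uid.lower():
            problems.append(f"{label} {uid!r} is not lowercase; use lowercase IDs for interoperability")

    # The shared password only has to match in the direction that initiates the connection.
    if gw.initiates and win.dialin_password != gw.shared_password:
        problems.append("gateway initiates: Windows 2000 dial-in account password must match the shared password")
    if win.initiates and win.dialout_password != gw.shared_password:
        problems.append("Windows 2000 initiates: dial-out password must match the shared password")
    if not (gw.initiates or win.initiates):
        problems.append("neither side initiates the connection")

    if gw.tunnel_auth:
        problems.append("L2TP tunnel authentication is not supported by Windows 2000")
    if gw.compression and gw.compression.upper() != "L2TP":
        problems.append("Windows 2000 does not support compression on the IPSec transport connection")
    if gw.data_protection != "Not Required" and not gw.ipsec_account:
        problems.append("data protection is required but no IPSec transport account is configured")
    return problems


def example_pair(good: bool = True):
    """Constructed sample settings; the 'bad' variant breaks several rules at once."""
    gw = GatewayBranchConfig(
        interface_address="192.0.2.1", remote_endpoint="198.51.100.7",
        tunnel_type="L2TP", auth_type="MS-CHAPV2",
        local_uid="branchgw", peer_uid="win2ksrv",
        shared_password="example-only", compression="L2TP",
        tunnel_auth=False, data_protection="Required",
        ipsec_account="branchgw-ipsec", initiates=True)
    win = Win2kDemandDialConfig(
        interface_name="branchgw", vpn_type="L2TP", gateway_address="192.0.2.1",
        dialin_password="example-only", dialout_user_id="win2ksrv",
        dialout_password="irrelevant-when-win2k-does-not-initiate",
        mschapv2_enabled=True, initiates=False)
    if not good:
        gw.local_uid = "BranchGW"   # case mismatch with the Windows 2000 interface name
        gw.tunnel_auth = True       # unsupported by Windows 2000
        gw.ipsec_account = None     # data protection required without an account
    return gw, win


if __name__ == "__main__":
    for name, pair in (("good", example_pair()), ("bad", example_pair(good=False))):
        print(name, check_branch_config(*pair) or ["ok"])
```

The "bad" sample deliberately uses a mixed-case gateway user ID so that both the exact-match check and the lowercase recommendation fire, which is the failure mode the Windows 2000 procedure warns about.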
Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services Gateway