Nowadays, installing and configuring a CA on Windows Server is actually much simpler than it used to be, so using rsa-sig (certificate) for phase I authentication would be somewhat safer. Why go back to a pre-shared key, then?
Computers managed inside an enterprise are usually joined to AD, and once a machine has joined AD, computer or user certificates can be deployed in bulk through AD. Once a certificate is in place, the VPN connection can authenticate with rsa-sig. The problem is the prerequisite "must first join AD", which runs into a snag.
Some long-term mobile users or home workers only come into the office once in a long while, which leads to the following problems:
- new laptop provisioning to remote user.
- re-image remote user’s laptop.
- AD password aging.
Cases 1 and 2 are similar: the user's laptop is not joined to AD, so it must first connect to the company network over VPN and then join AD. If RSA-sig authentication is used, the laptop must first join AD to obtain a certificate, which is a catch-22.
Case 3 is caused by user behavior: before the password ages out, AD normally warns that it must be changed, but users usually keep using it until it has expired, and at that point they can no longer connect to the VPN.
Even when the user notices the password has expired, changing it keeps failing because of the password complexity policy, and the network team is left feeling helpless !@#$#.
So let's open a back door and use pre-shared key auth to deal with it.
The following is excerpted from the Cisco configuration example http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00807213a7.shtml
This document describes how to configure Layer 2 Tunneling Protocol (L2TP) over IP Security (IPsec) from remote Microsoft Windows 2000/2003 and XP clients to a PIX Security Appliance corporate office using pre-shared keys with Microsoft Windows 2003 Internet Authentication Service (IAS) RADIUS Server for user authentication. Refer to Microsoft - Checklist: Configuring IAS for dial-up and VPN access for further information on IAS.
The primary benefit of configuring L2TP with IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line. This enables remote access from virtually any place with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN Client software, is required.
This document also describes how to use the Cisco Adaptive Security Device Manager (ASDM) in order to configure the PIX 500 Series Security Appliance for L2TP over IPsec.
Note: Layer 2 Tunneling Protocol (L2TP) over IPsec is supported on Cisco Secure PIX Firewall Software Release 6.x and later.
In order to configure L2TP Over IPsec between the PIX 6.x and Windows 2000, refer to Configuring L2TP Over IPsec Between PIX Firewall and Windows 2000 PC Using Certificates.
In order to configure L2TP over IPsec from remote Microsoft Windows 2000 and XP clients to a corporate site using an encrypted method, refer to Configuring L2TP over IPsec from a Windows 2000 or XP Client to a Cisco VPN 3000 Series Concentrator Using Pre-Shared Keys.
- Before the secure tunnel establishment, IP connectivity needs to exist between the peers.
- Make sure that UDP port 1701 is not blocked anywhere along the path of the connection.
- Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work.
Note: The security appliance does not establish an L2TP/IPsec tunnel with Windows 2000 if either Cisco VPN Client 3.x or Cisco VPN 3000 Client 2.5 is installed. Disable the Cisco VPN service for Cisco VPN Client 3.x, or the ANetIKE service for Cisco VPN 3000 Client 2.5 from the Services panel in Windows 2000. In order to do this choose Start > Programs > Administrative Tools > Services, restart the IPsec Policy Agent Service from the Services panel, and reboot the machine.
The information in this document is based on these software and hardware versions:
- PIX Security Appliance 515E with software version 7.2(1) or later (mine is 8.0(4))
- Adaptive Security Device Manager 5.2(1) or later
- Microsoft Windows 2000 Server
- Microsoft Windows XP Professional with SP2 (mine is WinXP w/sp3 & Win7)
- Windows 2003 Server with IAS
Note: If you upgrade the PIX 6.3 to version 7.x, make sure that you have installed SP2 in Windows XP (L2TP Client).
Note: The information in the document is also valid for ASA security appliance.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This configuration can also be used with Cisco ASA 5500 Series Security Appliance 7.2(1) or later.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Complete these steps in order to configure L2TP over IPsec.
Configure IPsec transport mode in order to enable IPsec with L2TP.
The Windows 2000 L2TP/IPsec client uses IPsec transport mode: only the IP payload is encrypted, and the original IP headers are left intact. The advantages of this mode are that it adds only a few bytes to each packet and allows devices on the public network to see the final source and destination of the packet. Therefore, in order for Windows 2000 L2TP/IPsec clients to connect to the security appliance, you must configure IPsec transport mode for a transform set (see step 2 in the ASDM configuration). With this capability (transport), you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits examination of the packet. Unfortunately, because the IP header is transmitted in clear text, transport mode allows an attacker to perform some traffic analysis.
Configure L2TP with a virtual private dial-up network (VPDN) group.
The configuration of L2TP with IPsec supports either pre-shared keys or RSA signatures (certificates) for authentication, and the use of dynamic (as opposed to static) crypto maps. In this document a pre-shared key is used as the authentication to establish the L2TP over IPsec tunnel.
In this section, you are presented with the information to configure the features described in this document.
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment.
This document uses this network setup:
This document uses these configurations:
Complete these steps in order to configure L2TP over IPsec on Windows 2000. For Windows XP, skip steps 1 and 2 and start from step 3:
Add this registry value to your Windows 2000 machine:
Add this registry value to this key:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Note: In some cases (Windows XP Sp2), the addition of this key (Value: 1) appears to break the connection as it makes the XP box negotiate L2TP only rather than an L2TP with IPsec connection. It is mandatory to add an IPsec policy in conjunction with that registry key. If you receive an error 800 when you try to establish a connection, remove the key (Value: 1) in order to get the connection to work.
Note: You must restart the Windows 2000/2003 or XP machine in order for the changes to take effect. By default the Windows client attempts to use IPsec with a Certificate Authority (CA). The configuration of this registry key prevents this from occurring. Now you can configure an IPsec policy on the Windows station to match the parameters that you want on the PIX/ASA. Refer to How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication (Q240262) for a step-by-step configuration of the Windows IPsec policy.
Refer to Configure a Preshared Key for Use with Layer 2 Tunneling Protocol Connections in Windows XP (Q281555) for more information.
Create your connection.
Under Network and Dial-up Connections, right-click on the connection and choose Properties.
Go to the Security tab and click Advanced. Choose the protocols as this image shows.
Note: This step is applicable only for Windows XP.
Click IPSec Settings, check Use pre-shared key for authentication and type in the pre-shared key in order to set the pre-shared key.
In this example, `test` is used as the pre-shared key.
```
PIX Version 7.2(1)
!
enable password 8Ry2YjIyt7RRXU24 encrypted
!
!--- Configures the outside and inside interfaces.
ip address 172.16.1.1 255.255.255.0
ip address 10.4.4.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
access-list nonat extended permit ip 10.4.4.0 255.255.255.0 10.4.5.0 255.255.255.0
nat (inside) 0 access-list nonat
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
!
!--- Creates a pool of addresses from which IP addresses are assigned
!--- dynamically to the remote VPN Clients.
ip local pool clientVPNpool 10.4.5.10-10.4.5.20 mask 255.255.255.0
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
!
!--- The global and nat commands enable
!--- Port Address Translation (PAT) using the outside interface IP
!--- address for all outgoing traffic.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
!--- Create the AAA server group "vpn" and specify its protocol as RADIUS.
!--- Specify the IAS server as a member of the "vpn" group and provide its
!--- location and key.
aaa-server vpn protocol radius
aaa-server vpn host 10.4.4.2
!
!--- Identifies the group policy as internal.
group-policy DefaultRAGroup internal
!
!--- Instructs the security appliance to send DNS and
!--- WINS server IP addresses to the client.
group-policy DefaultRAGroup attributes
 wins-server value 10.4.4.99
 dns-server value 10.4.4.99
 !--- Configures L2TP over IPsec as a valid VPN tunneling protocol for a group.
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value cisco.com
!
!--- Configure usernames and passwords on the device
!--- in addition to using AAA.
!--- If the user is an L2TP client that uses Microsoft CHAP version 1 or
!--- version 2, and the security appliance is configured
!--- to authenticate against the local
!--- database, you must include the mschap keyword.
!--- For example, username <username> password <password> mschap.
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
!--- Identifies the IPsec encryption and hash algorithms
!--- to be used by the transform set.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
!
!--- Since the Windows 2000 L2TP/IPsec client uses IPsec transport mode,
!--- set the mode to transport.
!--- The default is tunnel mode.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
!
!--- Specifies the transform sets to use in a dynamic crypto map entry.
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
!
!--- Requires a given crypto map entry to refer to a pre-existing
!--- dynamic crypto map.
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
!
!--- Applies a previously defined crypto map set to the outside interface.
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
!
!--- Specifies the IKE Phase I policy parameters.
crypto isakmp policy 10
!
!--- Creates a tunnel group with the tunnel-group command, and specifies the local
!--- address pool name used to allocate the IP address to the client.
!--- Associate the AAA server group (vpn) with the tunnel group.
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group vpn
 !--- Link the name of the group policy to the default tunnel
 !--- group from tunnel group general-attributes mode.
 default-group-policy DefaultRAGroup
!
!--- Use the tunnel-group ipsec-attributes command
!--- in order to enter the ipsec-attribute configuration mode.
!--- Set the pre-shared key.
!--- This key should be the same as the key configured on the Windows machine.
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!
!--- Configures the PPP authentication protocol with the authentication type
!--- command from tunnel group ppp-attributes mode.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
```
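As an added check (not part of the Cisco example or of this post), the script below parses an ASA-style running configuration and flags the settings the document calls out for L2TP/IPsec with a pre-shared key: transport mode on the transform set used by the dynamic map, ISAKMP and NAT-T on the outside interface, `l2tp-ipsec` in the default group policy, a pre-shared key under `DefaultRAGroup`, and MS-CHAP v2 rather than CHAP or PAP for PPP; it also flags the 3DES/MD5 transform set as legacy. The function names and the embedded `SAMPLE_CONFIG` are constructed for this example, the sample being a trimmed copy of the relevant lines above.

```python
import re

# Constructed sample (not the page's full listing): the L2TP/IPsec-relevant lines of an ASA config.
SAMPLE_CONFIG = """\
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

def parse_sections(text):
    """Map each top-level command to the indented sub-commands beneath it (comments skipped)."""
    sections, parent = {}, None
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("!")):
        if raw[0].isspace() and parent is not None:
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            sections.setdefault(parent, [])
    return sections

def audit_l2tp_psk(text):
    """Return findings ('missing: ...' / 'weak: ...'); an empty list means every check passed."""
    s, out = parse_sections(text), []
    for cmd in s:  # transform sets used by dynamic maps must be transport mode for Windows clients
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", cmd)
        if m and f"crypto ipsec transform-set {m.group(1)} mode transport" not in s:
            out.append(f"missing: transform-set {m.group(1)} mode transport")
        if cmd.startswith("crypto ipsec transform-set") and ("esp-3des" in cmd or "esp-md5-hmac" in cmd):
            out.append(f"weak: legacy cipher/hash in '{cmd}'")
    for need in ("crypto map outside_map interface outside", "crypto isakmp enable outside", "crypto isakmp nat-traversal"):
        if not any(c.startswith(need) for c in s):
            out.append(f"missing: {need}")
    if not any("l2tp-ipsec" in c for c in s.get("group-policy DefaultRAGroup attributes", [])):
        out.append("missing: vpn-tunnel-protocol l2tp-ipsec in DefaultRAGroup")
    if not any(c.startswith("pre-shared-key") for c in s.get("tunnel-group DefaultRAGroup ipsec-attributes", [])):
        out.append("missing: pre-shared-key under DefaultRAGroup ipsec-attributes")
    ppp = s.get("tunnel-group DefaultRAGroup ppp-attributes", [])
    if "no authentication chap" not in ppp or "authentication ms-chap-v2" not in ppp or "authentication pap" in ppp:
        out.append("weak: PPP should allow ms-chap-v2 only (no chap, no pap)")
    return out
```

Run it against `show running-config` output after the change; the only finding on the configuration above should be the legacy 3DES/MD5 transform set.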