In this lab, you configure an L2TP-based VPN with a Windows Server
2003 and Windows client. This is an in-depth lab that will take some
time to complete. Also, it’s easy to make a mistake or forget
a small detail. In some cases, the entire lab will need to be restarted
to work properly.
The steps are as follows:
Step 1. Install a Certificate Authority on the server.
Even if your client is already set up to make L2TP connections (see
step 4 for more), and you have a basic VPN server working, you will
still get error 781 when attempting to connect. This is because your
client requires an encryption certificate, and it must get that certificate
from the server (or some other authority). Let’s install and configure
the Certificate Authority on the Windows Server 2003 computer now so
that it can dispense certificates to clients:
A. Go to the Windows Server 2003 computer.
B. Click the Start button and select Control Panel.
C. Launch Add/Remove Programs.
D. Select Add/Remove Windows Components.
E. Click the Certificate Services check box to select it. A pop-up window
opens; click Yes.
F. Click Next.
G. When asked what type of Certificate Authority you will be installing,
choose the default option, Enterprise root CA. Then click Next.
H. In the Common Name for This CA field, type test. Leave the rest of
the information as is, and click Next.
I. Leave the Certificate Database Settings window as is and click Next.
J. A pop-up window might ask you about IIS, which needs to be stopped
during the installation of the CA. Click OK. The installation of the
CA will begin.
K. If you are asked for the CD, you can get the necessary files
from X:\i386 (where X is the letter of your disc drive). This could
be the Windows Server 2003 disc, the Service Pack disc, or the
Server 2003 disc with a slipstreamed service pack; it depends on your
NOTE: If IIS is not yet installed, Server 2003 will warn you that Certificate
Services Web Enrollment Support will not work until IIS is installed.
Click OK for this message and be sure to install IIS before continuing
with this lab. This can be done from Add/Remove Windows Components >
Application Server > Internet Information Services (IIS). IIS can
be installed simultaneously with Certificate Services.
L. Click Finish. The Certificate Authority is now installed. You should
see it within your Administrative Tools. A restart is not normally necessary,
but might be a good idea, especially if you have a lot of other services
running on the server.
Step 2. Configure the Certificate Authority (CA) on the server.
Now you need to set up the CA to hand out certificates automatically
and turn on the IP Security policy:
A. First, though, set up an MMC if you have not already and add the
Certificate Authority snap-in (for the local computer) and the Default
Domain Policy. (Select the Group Policy Object editor snap-in, Browse,
and then Default Domain Policy.)
B. Set up the server to hand out certificates automatically:
i. In the MMC, click the Default Domain Policy entry, select Computer
Configuration, choose Windows Settings, click Security Settings, select
Public Key Policies, and choose Automatic Certificate Request Settings.
ii. Right-click the Automatic Certificate Request Settings entry, select
New, and then select Automatic Certificate Request.
iii. A wizard is launched. Click Next.
iv. When asked what type of auto certificate template you want to install,
select Computer. Then click Next.
v. Click Finish. You should see a certificate template called Computer
on the right side window pane in the MMC.
vi. Save the MMC.
C. Turn on the IP Security Policy.
i. Within the MMC expand the following options in the left window pane:
Default Domain Policy > Computer Configuration > Windows Settings
> Security Settings. Click once on IP Security Policies on Active
ii. This should bring up three policies on the right side. None of these
are yet assigned.
iii. Right-click the Secure Server (Require Security) policy and select
Assign. Assigning this policy allows clients to connect using IPsec.
iv. Save the MMC and close it.
Step 3. Configure MS-CHAP on the client.
Let’s configure your client to connect to the VPN server using
a stronger level of authentication: username and password verification
with MS-CHAP v2:
A. Go to the Windows XP computer.
B. Right-click My Network Places and select Properties to find your
VPN adapter. If it is not there, create a new one, and point it toward
your existing VPN server.
C. Right-click the VPN adapter and select Properties.
D. Click the Security tab and select Advanced (Custom Settings).
E. Click the Settings button. This opens the Advanced Security Settings
F. Make sure that Require encryption is selected in the Data encryption
drop-down list and that the Microsoft CHAP (MS-CHAP) and Microsoft CHAP
Version 2 (MS-CHAP v2) checkboxes are selected. The server already
accepts MS-CHAP v2, so it will now be your challenge-response authentication
scheme; it is negotiated automatically when you connect.
Step 4. Configure L2TP and IPsec on the client.
Connect through L2TP instead of PPTP. L2TP is a more secure way of
connecting than PPTP when L2TP is used together with IPsec:
A. Click OK to close the Advanced Security Settings dialog box.
B. In the VPN Properties window, click the Networking tab.
C. Open the Type of VPN drop-down list and choose L2TP IPsec VPN.
D. Click OK to close the VPN Properties window.
Step 5. Install a certificate on the client.
In some cases, you have to request the certificate through a custom-made
MMC, but in this scenario you obtain your certificate through the browser:
A. Go to the Windows XP computer.
B. Open Internet Explorer and, in the address bar, type http://servername/certsrv
(where servername is the actual hostname of your server). A web page
with information opens.
C. Click the Request a Certificate link.
NOTE: You might need to configure the client so that it has the server’s
IP address as the DNS settings within IP properties. In addition, it
might be necessary to connect the client to the domain that the Certificate
Authority server is a member of. How your client is configured will
all depend on the setup of your particular network. Also, make sure
that all your computers have the latest service packs installed.
D. On the next screen, click User Certificate.
E. On the User Certificate - Identifying Information screen click
F. Click Yes in the pop-up window(s) that appear.
G. The browser should talk to the server and retrieve a certificate.
Choose to install it now by clicking the Install this Certificate link.
H. Click Yes in the pop-up window that appears to add the certificate
to the store. You’ll be informed that the certificate has been
Step 6. Make the new VPN connection.
Now you can connect from your client to the server through the VPN connection
using L2TP/IPsec and MS-CHAP v2. Connect to the VPN the way you normally would
by double-clicking the VPN adapter and logging in with your username
and password. There you have it!
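The following audit function is an added example and is not part of the original lab. It re-checks the client settings from Steps 3 through 5 (L2TP tunnel, certificate-based IPsec, required encryption, MS-CHAP v2 only, and a usable machine certificate) before you attempt Step 6. It assumes a client with the VpnClient module (Windows 8 / Server 2012 or later), where Get-VpnConnection exposes the same settings the Windows XP dialogs do, and a connection named 'Lab VPN' (a placeholder for whatever you named the adapter).

```powershell
# Added example, not the lab's own procedure. Assumes the VpnClient module
# (Windows 8 / Server 2012 or later) and a connection name you substitute.
function Test-L2tpVpnProfile {
    param([Parameter(Mandatory)][string]$ConnectionName)

    $findings = @()
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $vpn) {
        $vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
    }
    if (-not $vpn) { return @("No VPN connection named '$ConnectionName' found.") }

    # Step 4: the tunnel must be L2TP, and the IPsec leg must authenticate with a certificate.
    if ($vpn.TunnelType -ne 'L2tp') {
        $findings += "TunnelType is $($vpn.TunnelType); expected L2tp (PPTP has no IPsec protection)."
    }
    if ($vpn.L2tpIPsecAuth -ne 'Certificate') {
        $findings += "L2tpIPsecAuth is $($vpn.L2tpIPsecAuth); the lab uses CA-issued certificates, not a PSK."
    }

    # Step 3: encryption must be required, and no weaker method than MS-CHAP v2 may be enabled.
    if ($vpn.EncryptionLevel -notin @('Required', 'Maximum')) {
        $findings += "EncryptionLevel is $($vpn.EncryptionLevel); set it to Required."
    }
    $weak = @($vpn.AuthenticationMethod | Where-Object { $_ -in @('Pap', 'Chap') })
    if ($weak.Count -gt 0) {
        $findings += "Weak authentication methods enabled: $($weak -join ', '). Keep only MSChapv2."
    }

    # Step 5 / error 781: IPsec needs an unexpired machine certificate with a private key
    # and the Client Authentication EKU in the local computer's Personal store.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }
    if (-not $machineCerts) {
        $findings += "No usable machine certificate in LocalMachine\My; auto-enrollment from Step 2 has not reached this client."
    }

    if ($findings.Count -eq 0) { return @("Profile '$ConnectionName' matches the lab settings.") }
    return $findings
}

Test-L2tpVpnProfile -ConnectionName 'Lab VPN'
```

Run it from an elevated PowerShell prompt, since reading the LocalMachine certificate store and all-user connections requires administrator rights.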
NOTE: This is an in-depth lab, and as such, there are a lot of things
that can go wrong. You might decide to run the various necessary services
on separate servers, for example a Domain Controller, a VPN server,
and a Certificate server. In addition, when it comes to certificates,
there is a lot to talk about! Depending on the order of services you
installed, you might have to install a certificate on the server as
well. Be ready for many different variables when performing this lab.
There are a lot of errors you might encounter as well. For example,
Error 789 is common, but it can have many different causes: a key issue,
mismatched PSK or IPsec settings, IPsec services that need to be restarted,
incorrect server settings, or wrong firewall or NAT settings.
Plus, security updates and network adapter drivers could affect the
Here's an article that might help some of the common issues you'll encounter: