Microsoft L2TP Clients

Configuring FireWall-1 to work with L2TP clients[1] is fairly straightforward. First, you must set up Office Mode as described in the previous section. Additionally, make sure that the L2TP-specific options are configured accordingly. This is configured in the gateway object in the Remote Access frame. The L2TP Support checkbox allows you to use L2TP clients in place of SecureClient. Specify the authentication method for the user-based portion of the authentication and the certificate FireWall-1 will present to the clients. MD5 Challenge uses a username and password for authentication purposes versus a certificate. If MD5 Challenge is used, make sure that users are configured with IKE pre-shared secrets. The IKE pre-shared secret is the password the user enters when prompted by the client. In your rulebase, ensure that the L2TP service is permitted to the firewall.

[1] They are also commonly referred to as PPTP (Point-to-Point Tunneling Protocol) clients. However, Check Point does not support PPTP mode. FireWall-1 requires the use of IPSec over L2TP.

L2TP also requires machine-level authentication, which is always done with a certificate. This means each L2TP client machine requires its own certificate. The Check Point documentation is unclear about how to create a certificate for these machines, though it seems to suggest two different users be created?one for the machine and one for the user. In practice, you only need one user and one certificate, though you end up needing to install the certificate in two different locations if you use certificate-based authentication, only one with MD5 Challenge.

Before any client certificates are issued, an adjustment needs to be made to how FireWall-1 generates certificates. This is necessary because Windows requires that specific attributes be set in the certificates, and FireWall-1 does not set these by default. On the management console, if using the ICA to generate L2TP certificates, perform the following steps.

  1. Type cpstop.

  2. Edit $FWDIR/conf/InternalCA.C by adding the following lines:

    :ike_cert_extended_key_usage (1)
    :user_cert_extended_key_usage (2)

    The first line tells the ICA to generate IKE certificates for gateways with the Server Authentication purpose. The second line says to generate user-certificates with the Client Authentication purpose.

  3. Type cpstart.

If you're using an OPSEC CA instead, log into the management station with dbedit (or use Database Tool) and issue the following commands:

dbedit> modify properties firewall_properties
               cert_req_ext_key_usage 1
dbedit> update properties firewall_properties

Now restart the management console with cprestart.

Client certificates can be issued with the correct attributes. Go into the appropriate user(s), then generate and save the certificate to your local system. You then have to somehow give the certificate and the associated passphrase to the end user. The end user installs this certificate into his or her platform. To install the certificate into Windows 2000 and XP, follow these steps.

  1. Log into the desired platform as a user with local administrator privileges.

  2. Copy the certificate onto the desired platform into a known location. For the purposes of these steps, let's assume the certificate file is copied to the path c:\data\fish.p12.

  3. From the command prompt (or from the Start menu, select Run), run the command mmc (i.e., the Microsoft Management Console).

  4. From the Console menu, select Add/Remove Snap-in.

  5. In the Add/Remove Snap-in window, click on Add.

  6. In the Add Standalone Snap-in window, select Certificates and click on Add.

  7. In the Certificates Snap-in window, select Computer Account and click on Next.

  8. In the Select Computer window, select Local Computer and click on the Finish button. If you are using MD5 Challenge for authentication, skip to step 11.

  9. In the Add/Remove Snap-in window, click on Add.

  10. In the Add Standalone Snap-in window, select My user account and click on Finish.

  11. Click on Close in the Add Standalone Snap-in window

  12. Click on Close in the Add/Remove Snap-in window.

  13. Double-click on Certificates (Local Computer) and you will see a list of certificate types in the Logical Store Name frame.

  14. Double-click on Personal in the Logical Store Name frame. That frame should be replaced with one called Object Type.

  15. Right-click in the Object Type frame and select All Tasks, then Import.

  16. Click on Next in the resulting Certificate Import Wizard screen.

  17. Specify the path to the certificate file, which in this case is c:\data\fish.p12.

  18. In the next screen, type in the passphrase used by the administrator to protect the certificate. Check the Mark Private Key as Exportable checkbox. Click on Next.

  19. When prompted for a certificate store, select Automatically, then click on Next, then Finish. Click on OK in the dialog that notifies you the import was successful. If you are using MD5 Challenge for authentication, skip to step 22.

  20. Double-click on Certificates?Current User and you will see a list of certificate types in the Logical Store Name frame.

  21. Repeat steps 14 through 19.

  22. From the Console menu, select Save.

  23. Specify a file with a .msc extension, e.g., Console1.msc. Click Save.

  24. Exit the Microsoft Management Console.

The client will now have the ability to use the certificate for authenticating the L2TP session. The next step is to ensure that the IPSec policy agent is running, which can easily be checked by typing the command net start "IPSEC Policy Agent" into a command prompt to see if it says the policy agent is already started. If it is, chances are it is enabled by default as well. If this command starts up the IPSec policy agent, you will need to go into Services (under the Administrative Tools section of the Control Panel) and set the IPSec policy agent to start automatically.

Now you will create a new connection for the L2TP connection. Perform the following steps.

  1. Right-click on My Network places on the Windows desktop and choose Properties. The Network and Dial-up Connections window should be displayed.

  2. Double-click on the Make New Connection icon and click Next.

  3. Choose "Connect to a private network through the Internet" and click Next.

  4. Choose whether or not to dial up an initial connection. You would do this if you needed to use dial-up to establish an Internet connection.

  5. Enter the gateway's DNS resolvable name or IP address and click Next.

  6. Choose whether you wish to make this connection available to all users or not and click Next.

  7. Enter a name for this connection and click Finish.

  8. Right-click on the connection icon just created and select Properties.

  9. Click on the Networking tab. Specify the VPN server type as L2TP.

  10. Click on the Security tab, choose Advanced security options and click on Settings.

  11. Under Logon Security, select Use Extensible Authentication Protocol (EAP). Under the pull-down menu, select Certificate or MD5 Challenge depending on what was specified on the gateway.

  12. If you chose Certificate, click on Properties and Certificate. Uncheck Validate Server Certificate unless you wish to export the ICA key and import it into the workstation. Click OK.

  13. Click OK two more times.

Now your client should be able to connect using this new network connection profile. When it is activated, you will either enter your username and IKE pre-shared secret or select your certificate and click OK. Assuming everything was configured correctly, the connection should come up.



Microsoft's L2TP Client appears to not work correctly in a NAT environment. Microsoft has issued an update for the L2TP clients on Windows 2000 and Windows XP. Refer to Microsoft Knowledge Base Article 818043. The update is also available through Windows Update.