Configuring Windows 2000/XP for L2TP over IPSec with X.509 certificates
-----------------------------------------------------------------------

Author:  Stephan Scholz
Version: 1.0
Date:    5.7.2004

Abstract
--------

This document is a tutorial on how to configure Windows 2000/XP to use X.509
certificates as the IPSec authentication for L2TP.

Note: this only works if the certificates use an X.500 DN as the VPN identifier!

Tutorial
--------

1. Import the certificate into Windows

   - Open the management console by launching "Start->Run" and entering "mmc"
   - From the menu, select "Console->Add/Remove Snap-in"
   - Click on "Add"
   - Select "Certificates", then press "Add"
   - Choose "Computer account" and press "Next"
   - Select "Local computer (the computer this console is running on)", then
     click on "Finish"
   - Click on "Close"
   - Click on "OK"
   - In the tree view on the left side, right-click on "Personal" in the
     category "Certificates (Local Computer)"
   - From the menu choose "All Tasks->Import". This opens the Certificate
     Import Wizard. Click on "Next"
   - Click on "Browse" and select the PKCS#12 container file to import. Click
     on "Next"
   - Enter the PKCS#12 password, then click on "Next"
   - Select "Automatically select the certificate store based on the type of
     certificate", then click on "Next"
   - Press "Finish"
   - After selecting "Action->Refresh" from the menu, the newly imported
     certificate should be visible
   - Close the management console window. You don't need to save it.
   - Move the CA certificate to the root CA folder ("Trusted Root
     Certification Authorities"), if necessary

2. Configure the L2TP connection (network connections)

   - Open the network connections configuration via
     "Start->Settings->Network and Dial-up Connections"
   - Double-click on "Make New Connection"
   - The Network Connection Wizard shows up. Click on "Next"
   - Select "Connect to a private network through the Internet" and click on
     "Next"
   - Select "Do not dial the initial connection" and click on "Next"
   - Enter the IP address of your VPN gateway and click on "Next"
   - Select either "For all users" or "Only for myself", at your choice, and
     click on "Next"
   - Enter a name of your choice, e.g. "L2TP to office", and click on "Finish"
   - In the login window, click on "Properties"
   - Select the tab "Security" and disable the option "Require data encryption
     (disconnect if none)"
   - Select the tab "Networking" and select "Layer-2 Tunneling Protocol (L2TP)"
     for "Type of VPN server I am calling"
   - Click on "OK" to close the properties dialog box
   - Enter your user name and password

3. Initiate the connection

   - Click on the "Connect" button

Links
-----

"Using FreeS/WAN with Windows L2TP/IPsec":
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

NAT-T patches for W2K and WinXP:
ftp://support:AstaroSupport04@ftp.astaro.de/IPSec_NAT-T_Patch_818043/
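The three tutorial steps above (import the PKCS#12 container and the CA certificate into the machine store, create an L2TP connection that authenticates IPSec with the machine certificate and does not require PPP encryption, then dial) can also be scripted. The following is an added example, not part of Stephan Scholz's tutorial: it assumes a Windows 8 / Server 2012 or later client, where the Import-PfxCertificate, Import-Certificate and Add-VpnConnection cmdlets exist (they do not on Windows 2000/XP), an elevated PowerShell prompt, and placeholder file paths, gateway address and connection name that you must adjust. It also checks the points the tutorial relies on: that the imported certificate carries a private key and a non-empty subject DN, and that its chain validates against the CA now in the root store.

```powershell
# Added example (not from the original tutorial): scripted equivalent of
# tutorial steps 1-3 on Windows 8 / Server 2012 or later. Run elevated.
param(
    [string]$PfxPath        = 'C:\certs\client.p12',  # placeholder: PKCS#12 container
    [string]$CaCertPath     = 'C:\certs\ca.crt',      # placeholder: CA certificate (DER or PEM)
    [string]$GatewayAddress = '192.0.2.1',            # placeholder: VPN gateway (documentation range)
    [string]$ConnectionName = 'L2TP to office'
)

# Step 1: import the PKCS#12 container into "Certificates (Local Computer)\Personal"
# and the CA certificate into the root CA folder, as the tutorial does via mmc.
$pfxPassword = Read-Host -Prompt 'PKCS#12 password' -AsSecureString
$clientCert  = Import-PfxCertificate -FilePath $PfxPath `
                   -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Checks: the certificate must have its private key (otherwise IPSec cannot sign)
# and, per the tutorial's note, a subject DN the gateway can use as identifier.
if (-not $clientCert.HasPrivateKey) {
    throw "Imported certificate $($clientCert.Thumbprint) has no private key."
}
if ([string]::IsNullOrWhiteSpace($clientCert.Subject)) {
    throw "Imported certificate has an empty subject DN; the gateway needs an X.500 DN identifier."
}
# Verify() builds the chain against the machine's root store; it fails if the
# CA certificate did not end up in the Trusted Root Certification Authorities.
if (-not $clientCert.Verify()) {
    throw "Certificate chain for $($clientCert.Subject) does not validate; check the CA import."
}
Write-Host "Client certificate OK: $($clientCert.Subject) (thumbprint $($clientCert.Thumbprint))"

# Step 2: create the L2TP connection.
#  - TunnelType L2tp with no -L2tpPsk means IPSec authenticates with the
#    machine certificate imported above (the tutorial's X.509 setup).
#  - AuthenticationMethod MSChapv2 is the PPP user name/password step.
#  - EncryptionLevel Optional corresponds to clearing "Require data encryption
#    (disconnect if none)": IPSec already encrypts, so MPPE is not required.
#  - AllUserConnection corresponds to the wizard's "For all users" choice.
Add-VpnConnection -Name $ConnectionName -ServerAddress $GatewayAddress `
    -TunnelType L2tp -AuthenticationMethod MSChapv2 -EncryptionLevel Optional `
    -AllUserConnection -Force

# Show what was configured so it can be compared with the tutorial's dialog settings.
Get-VpnConnection -Name $ConnectionName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod |
    Format-List

# Step 3: initiate the connection. rasdial.exe prompts for the password when
# '*' is passed in place of it, so the password never appears on the command line.
$userName = Read-Host -Prompt 'VPN user name'
& rasdial.exe $ConnectionName $userName '*'
```

Save this as a .ps1 file and run it from an elevated prompt; it stops at the first failed check rather than creating a connection that would fail at IPSec negotiation. Since Add-VpnConnection is an assumption about a newer Windows than the tutorial targets, on Windows 2000/XP the GUI steps above remain the way to do this.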