You are right that ASL uses PSK for the "MS Windows L2TP over IPSec" connection. In order to create a certificate-based L2TP connection, use the normal "Roadwarrior" connection, pick "MS_DEFAULT" as policy and enable "L2TP Encapsulation".
Hi Stephan! Now I got it working with NAT too! It's tricky because that NAT-T patch doesn't show up regularly on windowsupdate.com ... I had to go to the catalog and do a manual search for the ID Q818043 to find it at all. Seems to me that Microsoft tries to hide this patch... Actually it is working now and I will try to set up certificates!
I am using ASL 5.004 and in my webconfig there is no MS_DEFAULT policy! I chose 3DES instead; will it work too, or what is MS_DEFAULT? I know that PFS has to be disabled, but which algorithms do I have to choose? Thanks in advance!
Concerning MS_DEFAULT: there is a bug in the backup converter for importing ASLv4 backups. The MS_DEFAULT policy gets erased by the import. You can either add it manually afterwards (see my previous post) or wait for the next Up2Date, which contains a fix for this issue.
Hi Simon, here is a short description of my settings; I got it working with preshared keys and NAT:

- First create a new network connection on XP.
- As connection type choose: "Connection with network at work".
- Then select "VPN connection".
- Name the connection.
- Choose if you want to establish a connection to the internet before.
- Enter the IP for your gateway, the external IP of your ASL.
- Now choose "for own use".
- Now right-click the new connection and choose Properties.
- On the tab "Options" activate "Ask for name, password, certificate...".
- I deactivated "include Windows domain".
- On the tab "Security" I chose under security options "Advanced (custom settings)" and then under Settings I set encryption to optional (because IPsec encrypts already). I activated as protocols CHAP, MS-CHAP, MS-CHAP v2.
- Back on the front tab choose "IPsec settings", activate it and enter the PSK you have on the ASL as well.
- Under the tab "Network" make sure that "L2TP-IPsec-VPN" is selected as VPN type.

That's it on the client side. On the ASL the config for preshared keys is easy:

- Choose a new IPsec connection.
- Type: MS L2TP over IPsec.
- L2TP encapsulation is automatically enabled.
- Enter your PSK.
- L2TP over IPsec settings: as authentication method I selected local users, therefore you have to create your users with proper rights under Definitions -> Users.
- L2TP over IPsec IP pool: as IP pool I selected the default predefined IPsec pool.
- L2TP over IPsec client parameters: enter your WINS and DNS server from the LAN.
- Finally enable NAT-T under Advanced IPsec options.

For using certificates on the client you just have to import the certificate properly and deactivate PSK authentication under IPsec settings. But on the Astaro there is more to do, because you need to configure your connection manually and not select the predefined type MS-L2TP (it only works with PSKs).

So far, Jan
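The client-side settings Jan describes above (L2TP/IPsec, PSK, CHAP/MS-CHAP v2, encryption "optional", NAT-T), expressed for a current Windows client with the built-in VpnClient cmdlets. This is an added example, not code from the thread or from Astaro; the XP GUI discussed above has no such cmdlets, and the connection name, gateway address and PSK are placeholders.

```powershell
# Added example: the L2TP/IPsec client settings from the thread as PowerShell.
# Assumptions: Windows 8/10/11 with the VpnClient module; placeholder name and
# gateway; PSK entered interactively. Run elevated for the registry change.

$Name    = 'ASL-L2TP'              # placeholder connection name
$Gateway = 'vpn.example.com'       # placeholder: external IP/hostname of the ASL
$Psk     = Read-Host -AsSecureString 'Preshared key configured on the ASL'
$PskText = [System.Net.NetworkCredential]::new('', $Psk).Password

# Mirrors the GUI steps: VPN type L2TP/IPsec with PSK authentication, PPP
# authentication CHAP + MS-CHAP v2 (MS-CHAP v1 from the XP dialog is no longer
# offered), encryption "Optional" because the IPsec transport already encrypts,
# and no automatic Windows logon credentials ("include Windows domain" off).
Add-VpnConnection -Name $Name -ServerAddress $Gateway `
    -TunnelType L2tp -L2tpPsk $PskText `
    -AuthenticationMethod Chap, MSChapv2 `
    -EncryptionLevel Optional `
    -UseWinlogonCredential $false -Force

# NAT-T behind a NAT device: on XP the thread needed update Q818043. Current
# Windows has NAT-T built in but by default refuses an L2TP/IPsec server that
# is itself behind NAT; value 2 allows client and server behind NAT
# (documented Windows setting, not part of the thread). Takes effect after reboot.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $key -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Show what was configured (the PSK is not displayed).
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Dial: rasdial prompts for the local user defined on the ASL under Definitions -> Users.
# rasdial $Name
```

For the certificate-based variant from the first post, replace `-L2tpPsk $PskText` with `-AuthenticationMethod MachineCertificate` and import the client certificate into the machine store first.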