Virtual Private Networking
L2TP over IPSec offers user authentication, mutual computer authentication, encryption, data authentication, and data integrity.
Authentication of the VPN client occurs at two different levels: the computer is authenticated, and then the user is authenticated.
Mutual computer authentication of the VPN client and the VPN server is performed when the IPSec ESP security association (SA) is established: each computer proves its identity with its computer certificate during IKE Phase I (main mode) negotiation, and Phase II (quick mode) negotiation then establishes the IPSec SA with the agreed encryption algorithm, hash algorithm, and encryption keys.
To use L2TP over IPSec, a computer certificate must be installed on both the VPN client and the VPN server. You can obtain computer certificates automatically by configuring an auto-enrollment Windows 2000 Group Policy or manually using the Certificates snap-in. For more information, see Windows 2000 Server Help.
The user attempting the L2TP connection is authenticated using PPP-based user authentication protocols such as EAP,
L2TP also provides a way to authenticate the endpoints of an L2TP tunnel during tunnel establishment, known as L2TP tunnel authentication. By default, Windows 2000 does not perform L2TP tunnel authentication; with L2TP over IPSec, both computers have already been authenticated by the IPSec SA, so tunnel authentication is an additional check rather than a substitute for it. For more information about configuring Windows 2000 for L2TP tunnel authentication, see the Microsoft Knowledge Base link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
Encryption is determined by the establishment of the IPSec SA. The available encryption algorithms include:
Because IPSec was designed for IP internetworks where packets can be lost or arrive out of order, each IPSec packet is decrypted independently of the other IPSec packets in the SA; a lost or reordered packet does not prevent the packets around it from being decrypted.
The initial encryption keys are derived from the IKE negotiation that authenticates the two computers (the Diffie-Hellman exchange that accompanies authentication). For DES-encrypted connections, new encryption keys are generated after every 5 minutes or 250 megabytes of data transferred. For 3DES-encrypted connections, new encryption keys are generated after every hour or 2 gigabytes of data transferred. For AH-protected connections, new hash keys are generated after every hour or 2 gigabytes of data transferred. For more information about IPSec, see "Internet Protocol Security" in the TCP/IP Core Networking Guide.
Data authentication and integrity are provided by one of the following:
Just as with PPTP-based VPN connections, enabling forwarding between the interface on the public or shared network and the intranet interface causes the VPN server to route all IP traffic from the public or shared network to the intranet, not only the traffic that arrived through a VPN tunnel. To protect the intranet from traffic that was not sent by a VPN client, you must configure L2TP over IPSec packet filtering so that the VPN server forwards only between VPN clients and the intranet, and never between potentially malicious users on the public or shared network and the intranet. Only two kinds of packets need to reach the VPN server's public interface for L2TP over IPSec: IKE (UDP port 500) and ESP (IP protocol 50); the L2TP traffic itself (UDP port 1701) arrives inside ESP, so plaintext L2TP packets from the public network can be dropped along with everything else.
L2TP over IPSec packet filtering can be configured on either the VPN server or on an intermediate firewall. For more information, see "VPNs and Firewalls" later in this chapter.
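The following is an added example, not code from the Resource Kit or from Windows 2000: a small model of the public-interface packet filter the two paragraphs above describe, run against a few constructed packets. It contrasts the unfiltered case (forwarding enabled, no filters, so a plaintext packet from an Internet host bound for an intranet address is routed) with the filtered case (only IKE on UDP 500 and ESP, protocol 50, addressed to the VPN server itself are accepted). The addresses, the intranet prefix and the packet samples are assumptions made up for the illustration; the real filters are configured in Routing and Remote Access as described in "VPNs and Firewalls".

```python
# Added example: model of L2TP over IPSec packet filtering on a VPN server's
# public (Internet) interface. All addresses and packets below are constructed
# for illustration and are assumptions, not values from the original document.
import ipaddress
from dataclasses import dataclass

VPN_SERVER_PUBLIC_IP = "203.0.113.10"                 # assumed Internet interface address
INTRANET = ipaddress.ip_network("10.0.0.0/8")        # assumed intranet prefix

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
L2TP_PORT = 1701


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int        # IP protocol number
    sport: int = 0    # transport source port (0 when the protocol has none)
    dport: int = 0    # transport destination port


def input_filter(pkt: Packet) -> bool:
    """Input filter for the Internet interface: drop everything except IKE
    (UDP 500 to 500) and ESP (IP protocol 50) addressed to the VPN server.
    L2TP (UDP 1701) needs no rule of its own because it must arrive inside ESP."""
    if pkt.dst != VPN_SERVER_PUBLIC_IP:
        return False
    if pkt.proto == IPPROTO_UDP and pkt.sport == IKE_PORT and pkt.dport == IKE_PORT:
        return True
    return pkt.proto == IPPROTO_ESP


def output_filter(pkt: Packet) -> bool:
    """Mirror image of input_filter for packets leaving the Internet interface."""
    if pkt.src != VPN_SERVER_PUBLIC_IP:
        return False
    if pkt.proto == IPPROTO_UDP and pkt.sport == IKE_PORT and pkt.dport == IKE_PORT:
        return True
    return pkt.proto == IPPROTO_ESP


def decide(pkt: Packet, filters_enabled: bool = True) -> str:
    """What the VPN server does with a packet arriving on its public interface.

    'ike' / 'esp'             - accepted for IPSec processing (then L2TP/PPP inside)
    'delivered-to-server'     - reaches some other service on the server itself
    'forwarded-to-intranet'   - routed straight into the intranet (what filtering prevents)
    'dropped'                 - discarded
    """
    if filters_enabled and not input_filter(pkt):
        return "dropped"
    if pkt.dst == VPN_SERVER_PUBLIC_IP:
        if pkt.proto == IPPROTO_UDP and pkt.dport == IKE_PORT:
            return "ike"
        if pkt.proto == IPPROTO_ESP:
            return "esp"
        return "delivered-to-server"
    if ipaddress.ip_address(pkt.dst) in INTRANET:
        return "forwarded-to-intranet"   # IP forwarding is enabled on the server
    return "dropped"


# Constructed sample traffic (assumed addresses).
CLIENT = "198.51.100.7"        # a legitimate VPN client on the Internet
ATTACKER = "198.51.100.99"     # any other host on the public network
IKE_FROM_CLIENT = Packet(CLIENT, VPN_SERVER_PUBLIC_IP, IPPROTO_UDP, IKE_PORT, IKE_PORT)
ESP_FROM_CLIENT = Packet(CLIENT, VPN_SERVER_PUBLIC_IP, IPPROTO_ESP)
PLAINTEXT_L2TP = Packet(ATTACKER, VPN_SERVER_PUBLIC_IP, IPPROTO_UDP, L2TP_PORT, L2TP_PORT)
SMB_TO_INTRANET = Packet(ATTACKER, "10.0.0.5", IPPROTO_TCP, 40000, 445)
ESP_FROM_SERVER = Packet(VPN_SERVER_PUBLIC_IP, CLIENT, IPPROTO_ESP)


def run_demo() -> dict:
    """Decisions for each sample packet with and without filters."""
    samples = {
        "ike": IKE_FROM_CLIENT,
        "esp": ESP_FROM_CLIENT,
        "plaintext_l2tp": PLAINTEXT_L2TP,
        "smb_to_intranet": SMB_TO_INTRANET,
    }
    return {
        name: {"unfiltered": decide(p, False), "filtered": decide(p, True)}
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:16s} unfiltered={result['unfiltered']:22s} filtered={result['filtered']}")
```

The point the model makes is the one the text makes: with forwarding enabled and no filters, the SMB packet from an arbitrary Internet host is routed into the intranet; with the two-rule filter in place it is dropped, while IKE and ESP from the client still reach the server, where the inner L2TP/PPP traffic is decrypted and only then forwarded on the client's behalf.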