I have made the following webpages on using L2TP/IPsec with Linux:
Microsoft released a free IPsec client for older Windows versions in July 2002. You can find more information on this Microsoft webpage. The executable can be downloaded directly from this location. There is also an "Administrator's Guide to Microsoft L2TP/IPSec VPN Client" (MS Word document). Officially, the client is known as the "Microsoft L2TP/IPSec VPN Client". But for brevity, I'm calling it the "MSL2TP client" below. (The executable is called MSL2TP.EXE so I thought it was appropriate).
The page on the Microsoft website claims that the MSL2TP client does not support Windows 95, but in fact it installed without a problem on my Windows 95 machine and it seems to work fine. The client's license agreement (EULA) also mentions Windows 95.
The MSL2TP client is basically a version 1.0 client, although it's based on the existing SafeNet SoftRemote client. There will not be any updates by Microsoft (except perhaps if a major security flaw is found) because the client is for Windows versions in the 'non-supported phase'.
1.2 Author
The author of this document is Jacco de Leeuw.
Corrections, additions, extra information etc. are much appreciated.
The MSL2TP client was actually developed for Microsoft by SafeNet. According to an article in Network World the Microsoft client is a stripped down version of SafeNet's full client. It only supports transport mode, not tunnel mode and "...it lacks a configuration wizard, certain icons that would otherwise appear in the task bar and SafeNet's policy management".
Some Microsoft articles on this client are available:
TechNet article by the "Cable Guy"
Q325158 Default Encryption Settings for the Microsoft L2TP/IPSec Virtual Private Network Client
Q325035 Limitations and Compatibility Issues of Microsoft L2TP/IPSec VPN
Q325032 Using the Microsoft L2TP/IPSec VPN Client with Windows 98, Windows Millennium Edition, and Windows NT 4.0
Q325033 Configuring Microsoft L2TP/IPSec VPN for Earlier Clients
Q325034 Troubleshooting Microsoft L2TP/IPSec VPN Client Connection
Q323311 How to Disable IPsec for Clients That Are Running an Earlier Version of Windows
I have tested the MSL2TP client with certificates (see below) and Preshared Keys (PSK). A limitation of the MSL2TP client is that you can use only one PSK at a time. This single PSK is shared by all L2TP/IPsec connections on the Windows machine. Of course you could change it every time you need a different PSK, but this is a bit of a hassle.
The MSL2TP client can also use certificates instead of a PSK. Creating these certificates is explained elsewhere. You import these certificates (PKCS#12 files) into Internet Explorer (see instructions below). Once imported, the MSL2TP client will have access to them.
The certificates on both sides have to be signed by the same Certificate Authority (CA) if you want to use them with the MSL2TP client. This is also true for the Windows 2000/XP client.
Multiple certificates can be imported but only one certificate can be used at a time, unless you set "Automatically select a certificate for IPSec authentication". With this setting, the MSL2TP client will automatically choose the correct certificate based on the certificate request sent by the remote server. If you use Windows NT, certificates are shared by all users because they are essentially machine certificates. On Windows 9x/ME there is no security between users, so all certificates are shared as well.
The MSL2TP client is fairly easy to install. It requires Internet Explorer 5.01 or later, possibly because the client uses the updated certificate and cryptographic support included with IE. Note that the MSL2TP client is incompatible with Internet Connection Sharing (ICS). If you use ICS, you will have to disable it. If you have Windows 95/98, you will also need Dial-Up Networking 1.4 (DUN 1.4), otherwise the MSL2TP client will refuse to install.
Here is how to install the MSL2TP client:
If you want to use certificates, you will have to import one into Internet Explorer's certificate store. If you want to use a PSK, you can skip this step.
After the installation of the client, you will find that a folder "Microsoft L2TP/IPSec VPN Client" is available in Start Menu. One of the objects in that folder is L2TPConfig.exe ("Microsoft IPSec VPN Configuration").
The next step is to import your certificate (the PKCS#12 file) into Internet Explorer. The certificate will then become available to the MSL2TP client as well. If you don't have a certificate yet, read my other webpage.
Determine what kind of authentication you want to use: a certificate or a Preshared Key (PSK):
At this point it is time to actually configure one or more L2TP/IPsec VPN connections. If you are familiar with PPTP, you will find that this part is very similar to creating a PPTP VPN connection.
If you see the following Openswan error in /var/log/secure:
"we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION"
... you know that Openswan and the MSL2TP client disagree about PFS. This has been discussed on my other webpage. MSL2TP defaults to PFS disabled. The simplest way to solve this is to explicitly disable PFS at the Openswan side as well. You do this by adding "pfs=no" to the Openswan configuration file. The alternative, of course, is to enable PFS at all MSL2TP clients you use. See below for that.
Sometimes I got the following error in /var/log/secure:
Dec 3 17:47:08 JACCO: #1: received Delete SA payload: deleting IPSEC State #4
Dec 3 17:47:08 JACCO: #1: ignoring Delete SA payload: IPSEC SA not found
Dec 3 17:47:08 JACCO: #1: received Delete SA payload: deleting ISAKMP State #1
Dec 3 17:47:09 JACCO: #6: initiating Main Mode
Dec 3 17:47:09 JACCO: #6: not enough room in input packet for ISAKMP Vendor ID Payload
Dec 3 17:47:09 JACCO: #6: malformed payload in packet
Dec 3 17:47:09 JACCO: #6: sending notification PAYLOAD_MALFORMED to x.x.x.x:500
These are actually two problems. The first problem is that FreeS/WAN tries to reestablish the connection immediately after the MSL2TP client disconnects. This is due to a bug in the MSL2TP client: the Call IDs and Tunnel IDs are swapped by mistake. A patch for l2tpd is available which works around the problem. This patch has been included in versions 13jdl and higher of my l2tpd RPM.
The other problem is that some packets sent by the MSL2TP client are not according to the IPsec specifications ("not enough room" etc.). JuanJo Ciarlante has a patch for FreeS/WAN's pluto daemon which works around this problem. This patch is included in Openswan and strongSwan. I am not sure if the SafeNet SoftRemote client (on which the MSL2TP client was based) has the same problem.
The following workaround may also work. When you change any setting in L2TPConfig.exe ("Microsoft IPSec VPN Configuration") and restore it to its previous value, the SA will be dropped. For example, you could toggle "Enable IPSec logging", exit the program by clicking "OK", start the program again, click "Enable IPSec logging" and then click "OK" again. The MSL2TP client then drops the IPsec SA.
Jason A. Pattie reported a different problem. An IPSEC SA could not be set up because of the error:
"peer client ID payload ID_IPV4_ADDR specifies protocol 17; we only support 0"
The MSL2TP client wants to restrict the IPsec tunnel to UDP (IP protocol 17). This is discussed elsewhere. In a nutshell it means you will need to install the X.509 patch to FreeS/WAN.
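As an added example (not configuration taken from the original page), this is what the Openswan side looks like once the two points above are applied: pfs=no because the client defaults to PFS off, and protoport 17/1701 on both ends because the client only proposes UDP 1701 in transport mode. The server address 192.0.2.1, the certificate file name and the secret are placeholders; rightca=%same is one way to express the same-CA requirement mentioned earlier and is an assumption about your PKI layout, not something the page prescribes.

```ini
# /etc/ipsec.conf (Openswan). Added example; addresses and file names are placeholders.

conn msl2tp-psk
    # MSL2TP only supports transport mode and restricts the SA to UDP/1701
    type=transport
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    # a single PSK for all roaming clients, matching the client's one-PSK limit
    authby=secret
    # client defaults to no PFS; pfs=no still accepts PFS from clients that propose it
    pfs=no
    auto=add

conn msl2tp-cert
    type=transport
    left=192.0.2.1
    leftcert=vpnserver.pem
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    # client and server certificates must be issued by the same CA (assumption: %same)
    rightca=%same
    rightprotoport=17/1701
    authby=rsasig
    pfs=no
    # enable only together with the client's IPCOMP registry setting
    #compress=yes
    auto=add

# /etc/ipsec.secrets: the shared PSK for the msl2tp-psk connection
# 192.0.2.1 %any : PSK "replace-with-a-long-random-secret"
```

Load both with `ipsec auto --add msl2tp-psk` and `ipsec auto --add msl2tp-cert`; a client that offers a certificate matches the second conn, one that offers a PSK matches the first.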
At first I used Linux kernels without the "Delete SA" patch for FreeS/WAN. It occurred a couple of times that the MSL2TP client thought that it was (still) connected but FreeS/WAN didn't. You get the following error message:
"packet from x.x.x.x:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA"
You may want to try the same workaround as mentioned above. The problem did not occur with NETKEY, when right=(fixedIP) instead of right=%any and when the kernel was compiled with the "Delete Notification" patch.
There is a problem when the network connection used by the MSL2TP client is a dial-up connection or DHCP. The MSL2TP client reports error 629: "You have been disconnected from the computer you are dialing". l2tpd logs this error in /var/log/messages: "Specify your hostname". This patch seems to work around the problem. It has been included in my l2tpd RPMs (versions 8jdl and higher).
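The errors in the troubleshooting notes above all have fixed signatures, so they can be picked out of /var/log/secure and /var/log/messages mechanically. The script below is an added example (not code from the original page, Openswan or l2tpd): it tags each known error string and, for the Call ID / Tunnel ID problem, detects the sequence symptom (a Main Mode initiation within a couple of seconds of the client's Delete) rather than a single line. The remedies are one-line summaries of the fixes given above; the leftprotoport/rightprotoport hint is my addition. SAMPLE_LOG is constructed from the messages quoted on this page, with a placeholder host name and address.

```python
"""Triage pluto and l2tpd log lines for the MSL2TP interop problems described
on this page. Added example; signatures are the quoted error strings,
SAMPLE_LOG is constructed (JACCO and 192.0.2.10 are placeholders)."""
import re
from typing import Dict, List, Optional, Tuple

# Syslog prefix as written to /var/log/secure: "Dec  3 17:47:08 host ..."
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                       r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\b")

# Single-line signatures: (tag, pattern)
SIGNATURES = [
    ("pfs-mismatch",
     re.compile(r"we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION")),
    ("malformed-vendor-id",
     re.compile(r"not enough room in input packet for ISAKMP Vendor ID Payload"
                r"|malformed payload in packet|sending notification PAYLOAD_MALFORMED")),
    ("protoport-unsupported",
     re.compile(r"peer client ID payload ID_IPV4_ADDR specifies protocol 17; we only support 0")),
    ("stale-isakmp-sa",
     re.compile(r"Quick Mode message is for a non-existent \(expired\?\) ISAKMP SA")),
    ("l2tpd-hostname", re.compile(r"Specify your hostname")),
]

REMEDY: Dict[str, str] = {
    "pfs-mismatch": "Client has PFS off: add pfs=no to ipsec.conf (PFS is still accepted "
                    "from clients that propose it) or set USEPFS=1, P2GROUPDESC=2 in the client registry.",
    "malformed-vendor-id": "Non-conformant client packets: run pluto with JuanJo Ciarlante's "
                           "workaround patch (included in Openswan and strongSwan).",
    "protoport-unsupported": "Client restricts the SA to UDP (protocol 17): use the X.509 patch "
                             "for FreeS/WAN and leftprotoport/rightprotoport=17/1701.",
    "stale-isakmp-sa": "Client still thinks it is connected: use NETKEY or the Delete Notification "
                       "kernel patch, or toggle a setting in L2TPConfig.exe so the client drops its SA.",
    "l2tpd-hostname": "Error 629 on a dial-up/DHCP client: apply the l2tpd hostname patch "
                      "(l2tpd RPMs 8jdl and higher).",
    "immediate-reconnect": "Main Mode re-initiated right after the client's Delete (swapped Call ID / "
                           "Tunnel ID): apply the l2tpd patch (RPMs 13jdl and higher).",
}


def classify(line: str) -> Optional[str]:
    """Return the signature tag matching one log line, or None."""
    for tag, pattern in SIGNATURES:
        if pattern.search(line):
            return tag
    return None


def _seconds(line: str) -> Optional[int]:
    """Syslog timestamp as seconds within the month (month rollover ignored)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return int(m["day"]) * 86400 + int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])


def triage(lines: List[str], reconnect_window: int = 2) -> List[Tuple[str, str]]:
    """Return (tag, line) findings in log order. Besides single-line signatures,
    flag a Main Mode initiation that follows a Delete of the ISAKMP SA within
    reconnect_window seconds (the immediate-reconnect symptom)."""
    findings: List[Tuple[str, str]] = []
    last_isakmp_delete: Optional[int] = None
    for line in lines:
        tag = classify(line)
        if tag is not None:
            findings.append((tag, line.strip()))
        ts = _seconds(line)
        if "deleting ISAKMP State" in line:
            last_isakmp_delete = ts
        elif ("initiating Main Mode" in line and ts is not None
              and last_isakmp_delete is not None
              and 0 <= ts - last_isakmp_delete <= reconnect_window):
            findings.append(("immediate-reconnect", line.strip()))
            last_isakmp_delete = None
    return findings


def remedies(findings: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each distinct tag found to the remedy described on this page."""
    return {tag: REMEDY[tag] for tag, _ in findings}


# Constructed sample, assembled from the messages quoted on this page.
SAMPLE_LOG = """\
Dec  3 17:47:08 JACCO: #1: received Delete SA payload: deleting IPSEC State #4
Dec  3 17:47:08 JACCO: #1: ignoring Delete SA payload: IPSEC SA not found
Dec  3 17:47:08 JACCO: #1: received Delete SA payload: deleting ISAKMP State #1
Dec  3 17:47:09 JACCO: #6: initiating Main Mode
Dec  3 17:47:09 JACCO: #6: not enough room in input packet for ISAKMP Vendor ID Payload
Dec  3 17:47:09 JACCO: #6: malformed payload in packet
Dec  3 17:47:09 JACCO: #6: sending notification PAYLOAD_MALFORMED to 192.0.2.10:500
Dec  3 17:52:31 JACCO: #7: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Dec  3 17:55:02 JACCO: packet from 192.0.2.10:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Dec  3 17:58:44 JACCO l2tpd[1234]: Specify your hostname
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for tag, line in found:
        print(f"{tag:22} {line}")
    for tag, fix in remedies(found).items():
        print(f"\n[{tag}] {fix}")
```

Feed it the real files with `triage(open("/var/log/secure").read().splitlines())`; the reconnect check relies on the syslog timestamp, so lines without one only get the single-line signatures.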
The MSL2TP client installs a driver in Win9x's network configuration. The vendor name is 'Deterministic Networks' and the name is 'Microsoft L2TP/IPSec VPN adapter'. Note that the 'Microsoft Virtual Private Network adapter' is used by the PPTP protocol, so it has nothing to do with the MSL2TP client!
The MSL2TP client contains bugs, as any other nontrivial program. For instance, sometimes uninstalling and then reinstalling does not work as expected. Normally you uninstall the client by using "Start -> Configuration -> Software" and then selecting the "Microsoft L2TP/IPSec VPN Client Setup". When you later want to reinstall the client, you may get the following error:
"'SafeNet SoftRemote' must be uninstalled before Microsoft L2TP/IPSec VPN Client can be installed. Use Add/Remove Programs to remove the application."
This is of course nonsense. You installed the MSL2TP client, not SafeNet SoftRemote. Apparently the MSL2TP client doesn't really clean up after itself when you uninstall it. When I got the error above, the following procedure seemed to work for me:
As I mentioned above, I had to set pfs=no in Openswan to get the MSL2TP client to work. The alternative is to explicitly enable PFS on the MSL2TP client.
Since the MSL2TP client is a stripped version of the SafeNet client, there is no PFS setting to configure. But I went through the registry, found a couple of settings, changed them and got PFS working:
[HKEY_LOCAL_MACHINE\Software\IRE\SafeNet/Soft-PK\ACL\1]
"USEPFS"=dword:00000000 (change to dword:00000001)
"P2GROUPDESC"=dword:00000001 (change to dword:00000002)
JuanJo Ciarlante has made a registry patch. If you download the file and double click on it, it will change the parameters automatically. Thanks, JuanJo!
Fortunately, even if you set pfs=no in your Openswan configuration, Openswan will still use PFS if the client supports PFS. So with pfs=no you support clients with and without PFS.
JuanJo has also made a registry patch which enables IPsec compression (IPCOMP). If you need compression, you will also have to enable it at the Openswan side with compress=yes. Openswan uses the patent-free Deflate algorithm.
[HKEY_LOCAL_MACHINE\Software\IRE\SafeNet/Soft-PK\ACL\1\PH2PROPOSAL_0]
"IPCOMP"=dword:00000000 (change to dword:00000001)
"IPCOMPTRANSFORM"=dword:00000000 (change to dword:00000002)
The MSL2TP client can only be used for tunnelling L2TP. Would it be possible to hack the Microsoft client to get rid of the L2TP protocol? And/or enable features from the original full SafeNet client? There are certainly entries in the Windows registry which look promising: USESGW (use security gateway?), SGWOPTIONS, REMOTEADDRESS and changing PROTOCOL / PORT / PORTNAME to "All" instead of just UDP 1701. It would perhaps be interesting to compare these registry settings with the ones of the full SafeNet client. I have not done this due to time constraints (any volunteers?). The problem is though that you never know if hacking the registry will be enough. The SafeNet people could have removed the host-to-LAN code from the client completely. Another problem is that the user interface will also have to be modified otherwise the user will still see the L2TP/PPP parts. Yet another problem is that in most cases you want the client to obtain a "virtual IP address" from your internal network. If you somehow remove the L2TP protocol, you will need to use another mechanism to get an internal IP address (manual configuration, Mode-Config, DHCP-over-IPsec). I don't know if the MSL2TP client can be tricked into this. If it's not possible, hacking the registry does not make much sense.
Dec 15, 2004: Q323311 turns out to be online again.
Nov 23, 2003: Possible bug due to confusion about Call ID / Tunnel ID.
Oct 21, 2003: Reminder: if you want to use FreeS/WAN 2.x, get at least version 2.03.
Aug 26, 2003: No updates of the MSL2TP client to be expected.
Aug 22, 2003: Better DUN 1.4 link for Win95. Install instructions for NT4.
Aug 8, 2003: Patch for "Specify your hostname" problem added to my l2tpd RPMs.
Jul 31, 2003: Different versions of DUN 1.4 available.
Jul 16, 2003: JuanJo's MSL2TP workaround is now included with SuperFreeS/WAN 1.99.8.
Jun 24, 2003: NAT-T works, after a bit of tweaking of the Linux side.
May 5, 2003: Added JuanJo's registry patches and 'malformed packet' workaround.
Apr 13, 2003: Couldn't get NAT-T to work. Added KB info.
Apr 10, 2003: Incompatible with ICS. Does not seem to work on a 486.
Mar 1, 2003: Corrected typos.
Feb 27, 2003: Added uninstall information.
Feb 24, 2003: Modified left/rightproto information.
Dec 26, 2002: Added KB references.
Dec 15, 2002: Split into four webpages.
Sep 23, 2002: Slightly redesigned.
Sep 15, 2002: Let's call this the MSL2TP client.
July 22, 2002: PSK works, as expected.
July 22, 2002: Added reference to proxy arp.
July 20, 2002: Added report of preliminary l2tpd success.
July 15, 2002: Changed <h4> headings since Opera does not display them. Added PSK remarks.