Using a Linux server with the Microsoft L2TP/IPSec VPN Client

Last update: Feb 26, 2008



1.1 Introduction

I have made the following webpages on using L2TP/IPsec with Linux:

The page you are now reading describes how you can use the "Microsoft L2TP/IPSec VPN Client" for Windows 95/98/Me/NT4ws with Openswan. It assumes you are already familiar with setting up Openswan with L2TP/IPsec. If you are not, it's probably a good idea to start with reading this page (the first one in the list). It includes information on setting up the Linux side. The other pages contain specifics on several L2TP/IPsec clients which are available for Windows and Mac OS X.

Microsoft released a free IPsec client for older Windows versions in July 2002. You can find more information on this Microsoft webpage. The executable can be downloaded directly from this location. There is also an "Administrator's Guide to Microsoft L2TP/IPSec VPN Client" (MS Word document). Officially, the client is known as the "Microsoft L2TP/IPSec VPN Client". But for brevity, I'm calling it the "MSL2TP client" below. (The executable is called MSL2TP.EXE so I thought it was appropriate).

The page on the Microsoft website claims that the MSL2TP client does not support Windows 95, but in fact it installed without a problem on my Windows 95 machine and it seems to work fine. The client's license agreement (EULA) also mentions Windows 95.

The MSL2TP client is basically a version 1.0 client, although it's based on the existing SafeNet SoftRemote client. There will not be any updates by Microsoft (except perhaps if a major security flaw is found) because the client is for Windows versions in 'non-supported phase'.

1.2 Author

The author of this document is Jacco de Leeuw. Corrections, additions, extra information etc. are much appreciated.



2. Contents

3. Background information

The MSL2TP client was actually developed for Microsoft by SafeNet. According to an article in Network World the Microsoft client is a stripped down version of SafeNet's full client. It only supports transport mode, not tunnel mode and "...it lacks a configuration wizard, certain icons that would otherwise appear in the task bar and SafeNet's policy management".

Some Microsoft articles on this client are available:

TechNet article by the "Cable Guy"
Q325158 Default Encryption Settings for the Microsoft L2TP/IPSec Virtual Private Network Client
Q325035 Limitations and Compatibility Issues of Microsoft L2TP/IPSec VPN
Q325032 Using the Microsoft L2TP/IPSec VPN Client with Windows 98, Windows Millennium Edition, and Windows NT 4.0
Q325033 Configuring Microsoft L2TP/IPSec VPN for Earlier Clients
Q325034 Troubleshooting Microsoft L2TP/IPSec VPN Client Connection
Q323311 How to Disable IPsec for Clients That Are Running an Earlier Version of Windows
Back to Contents


4. Features of the client See also the L2TP/IPsec pros and cons in general.

Back to Contents



5. Preshared keys

I have tested the MSL2TP client with certificates (see below) and Preshared Keys (PSK). A limitation of the MSL2TP client is that you can use only one PSK at a time. This single PSK is shared by all L2TP/IPsec connections on the Windows machine. Of course you could change it every time you need a different PSK, but this is a bit of a hassle.

Back to Contents



6. Certificates

The MSL2TP client can also use certificates instead of a PSK. Creating these certificates is explained elsewhere. You import these certificates (PKCS#12 files) into Internet Explorer (see instructions below). Once imported, the MSL2TP client will have access to them.

Note that Windows 2000/XP use the Microsoft Management Console (MMC) to import certificates. Windows NT 4 ServicePack 4+ also has an MMC.

The certificates on both sides have to be signed by the same Certificate Authority (CA) if you want to use them with the MSL2TP client. This is also true for the Windows 2000/XP client.

Multiple certificates can be imported but only one certificate can be used at a time, unless you set "Automatically select a certificate for IPSec authentication". With this setting, the MSL2TP client will automatically choose the correct certificate based on the certificate request sent by the remote server. If you use Windows NT, certificates are shared by all users because they are essentially machine certificates. On Windows 9x/ME there is no security between users so all certificates are shared as well.

Back to Contents



7. Installation (Linux)


For the installation and configuration of the Linux side, I refer to my other page. One point is worth repeating, though.

If you want to use FreeS/WAN 2.x instead of Openswan, get version 2.03 or higher but not version 2.06. That's because versions 2.0, 2.01 and 2.02 contain a bug in the SHA-1 hashing algorithm. The MSL2TP client uses SHA-1 by default, so this problem occurs when you use these particular FreeS/WAN 2.x versions.

Back to Contents


8. Installation and configuration (Windows)

The MSL2TP client is fairly easy to install. It requires Internet Explorer 5.01 or later, possibly because the client uses the updated certificate and cryptographics support included with IE. Note that the MSL2TP is incompatible with Internet Connection Sharing (ICS). If you use ICS, you will have to disable it. If you have Windows 95/98, you will also need Dial-Up Networking 1.4 (DUN 1.4), otherwise the MSL2TP client will refuse to install.

Here is how to install the MSL2TP client:

Back to Contents


9. Importing a certificate

If you want to use certificates, you will have to import one into Internet Explorer's certificate store. If you want to use a PSK, you can skip this step.

After the installation of the client, you will find that a folder "Microsoft L2TP/IPSec VPN Client" is available in Start Menu. One of the objects in that folder is L2TPConfig.exe ("Microsoft IPSec VPN Configuration").

The next step is to import your certificate (the PKCS#12 file) into Internet Explorer. The certificate will then become available to the MSL2TP client as well. If don't have a certificate yet, read my other webpage.

Back to Contents


10. Selecting a certificate or PSK

Determine what kind of authentication you want to use: a certificate or a Preshared Key (PSK):

Back to Contents


11. Configuring a VPN connection

At this point it is time to actually configure one or more L2TP/IPsec VPN connections. If you are familiar with PPTP, you will find that this part is very similar to creating a PPTP VPN connection.

Back to Contents


12. Troubleshooting: Perfect Forward Secrecy (PFS)

If you see the following Openswan error in /var/log/secure:

   "we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION"

... you know that Openswan and the MSL2TP client disagree about PFS. This has been discussed on my other webpage. MSL2TP defaults to PFS disabled. The simplest way to solve this is to explicitly disable PFS at the Openswan side as well. You do this by adding "pfs=no" to the Openswan configuration file. The alternative, of course, is to enable PFS at all MSL2TP clients you use. See below for that.

Back to Contents



13. Troubleshooting: disconnect error

Sometimes I got the following error in /var/log/secure:

Dec  3 17:47:08 JACCO: #1: received Delete SA payload: deleting IPSEC State #4
Dec  3 17:47:08 JACCO: #1: ignoring Delete SA payload: IPSEC SA not found
Dec  3 17:47:08 JACCO: #1: received Delete SA payload: deleting ISAKMP State #1
Dec  3 17:47:09 JACCO: #6: initiating Main Mode
Dec  3 17:47:09 JACCO: #6: not enough room in input packet for ISAKMP Vendor ID Payload
Dec  3 17:47:09 JACCO: #6: malformed payload in packet
Dec  3 17:47:09 JACCO: #6: sending notification PAYLOAD_MALFORMED to x.x.x.x:500

These are actually two problems. The first problem is that FreeS/WAN tries to reestablish the connection immediately after the MSL2TP client disconnects. This is due to a bug in the MSL2TP client, the Call IDs and Tunnel IDs are swapped by mistake. A patch for l2tpd is available which works around the problem. This patch has been included in versions 13jdl and higher of my l2tpd RPM.

The other problem is that some packets sent by the MSL2TP client are not according to the IPsec specifications ("not enough room" etc.). JuanJo Ciarlante has a patch for FreeS/WAN's pluto daemon which works around this problem. This patch is included in Openswan and strongSwan. I am not sure if the SafeNet SoftRemote client (on which the MSL2TP client was based) has the same problem.

The following workaround may also work. When you change any setting in L2TPConfig.exe ("Microsoft IPSec VPN Configuration") and restore it to its previous value, the SA will be dropped. For example, you could toggle "Enable IPSec logging", exit the program by clicking "OK", start the program again, click "Enable IPSec logging" and then click "OK" again. The MSL2TP client then drops the IPSEC SA.

Back to Contents



14. Troubleshooting: protocol tunnelling

Jason A. Pattie reported a different problem. An IPSEC SA could not be set up because of the error:

 "peer client ID payload ID_IPV4_ADDR specifies protocol 17; we only support 0"

The MSL2TP client wants to restrict the IPsec tunnel to UDP (=IP protocol 17). This is discussed elsewhere. In a nutshell it means you will need to install the X.509 patch to FreeS/WAN.

Back to Contents



15. Troubleshooting: restarting the IPsec connection

At first I used Linux kernels without the "Delete SA" patch for FreeS/WAN. It occurred a couple of times that the MSL2TP client thought that it was (still) connected but FreeS/WAN didn't. You get the following error message:

  "packet from x.x.x.x:500: Quick Mode message is for a non-existent
 (expired?) ISAKMP SA"

You may want to try the same workaround as mentioned above. The problem did not occur with NETKEY, when right=(fixedIP) instead of right=%any and when the kernel was compiled with the "Delete Notification" patch.

Back to Contents



16. Troubleshooting: "Specify your hostname"

There is a problem when the network connection used by MSL2TP is a dial-up connection or DHCP. The MSL2TP reports error 629: "You have been disconnected from the computer you are dialing". l2tpd logs this error in /var/log/messages: "Specify your hostname". This patch seems to work around the problem. It has been included in my l2tpd RPMS (versions 8jdl and higher).

The same error also occurred one time when I did use a static IP address but I had not filled in a default gateway and DNS/hostname details in the Windows TCP/IP settings. As a result, l2tpd complained in /var/log/messages about  "Specify your hostname". Since it was an l2tpd error message, I thought that perhaps l2tpd could not determine the hostname of the Linux server. Once I specified the hostname of the Windows client in the TCP/IP settings, the problem at that time was solved.

The problem seems to be caused by a bug in the MSL2TP client. During the L2TP negotiations it sends an empty string as its hostname when a non-static network connection is used. The workstation does have a hostname, as winipcfg.exe clearly shows (composed of the NetBIOS hostname concatenated with the domain name obtained through DHCP or IPCP) but the client does not use it. The other Win9x/Me clients (SSH and SoftRemote) send hostnames in cases where the MSL2TP client does not, so it must be an MSL2TP problem.

Back to Contents



17. MSL2TP network driver name

The MSL2TP installs a driver in Win9x's network configuration. The vendor name is 'Deterministic Networks' and the name is 'Microsoft L2TP/IPSec VPN adapter'. Note that the 'Microsoft Virtual Private Network adapter' is used by the PPTP protocol, so it has nothing to do with the MSL2TP client!

Back to Contents



18. Troubleshooting: Uninstalling the MSL2TP client

The MSL2TP client contains bugs, as any other nontrivial program. For instance, sometimes uninstalling and then reinstalling does not work as expected. Normally you uninstall the client by using "Start -> Configuration -> Software" and then selecting the "Microsoft L2TP/IPSec VPN Client Setup". When you later want to reinstall the client, you may get the following error:

* 'SafeNet SoftRemote' must be uninstalled before Microsoft L2TP/IPSec VPN Client can be installed. Use Add/Remove Programs to remove the application.
This is of course nonsense. You installed the MSL2TP client, not SafeNet SoftRemote. Apparently the MSL2TP client doesn't really clean up after itself when you uninstall it. When I got the error above, the following procedure seemed to work for me: (By the way, the reason why I wanted to try this alternative install method was that I was curious if it would turn up with more features than the standard MSL2TP install. Unfortunately, after the installation the client did not seem to work at all, so I could only uninstall it and install it the normal way).

Back to Contents



19. Enabling Perfect Forward Secrecy (PFS)

As I mentioned above, I had to set pfs=no in Openswan to get the MSL2TP client to work. The alternative is to explicitly enable PFS on the MSL2TP client.

Since the MSL2TP client is a stripped version of the SafeNet client, there is no PFS setting to configure. But I went through the registry, found a couple of settings, changed them and got PFS working:

  [HKEY_LOCAL_MACHINE\Software\IRE\SafeNet/Soft-PK\ACL\1]
  "USEPFS"=dword:00000000           (change to    dword:00000001)
  "P2GROUPDESC"=dword:00000001      (change to    dword:00000002)

JuanJo Ciarlante has made a registry patch. If you download the file and double click on it, it will change the parameters automatically. Thanks, JuanJo!

Fortunately, even if you set pfs=no in your Openswan configuration, Openswan will still use PFS if the client supports PFS. So with pfs=no you support clients with and without PFS.

Back to Contents



20. Enabling IPsec compression (IPCOMP)

JuanJo has also made a registry patch which enables IPsec compression (IPCOMP). If you need compression, you will also have the enable it at the Openswan side with compress=yes. Openswan uses the patent-free Deflate algorithm.

  [HKEY_LOCAL_MACHINE\Software\IRE\SafeNet/Soft-PK\ACL\1\PH2PROPOSAL_0]
  "IPCOMP"=dword:00000000           (change to     dword:00000001)
  "IPCOMPTRANSFORM"=dword:00000000  (change to     dword:00000002)

Note that PPP (which is used by L2TP) also supports compression. The L2TP/IPsec clients made by Microsoft support Stac LZS and MPPC. Both are patent encumbered. Do not enable PPP compression and IPsec compression at the same time: compressing the same data twice will not have any effect, except adding more CPU overhead. Should you prefer to use PPP's compression (MPPC) instead of IPsec's compression (IPCOMP), you can find more information here.

Back to Contents



21. Troubleshooting: examining the logs

For detailed troubleshooting information on the MSL2TP client, check out the "Administrator's Guide to Microsoft L2TP/IPSec VPN Client" (MS Word version). An important troubleshooting tool is the MSL2TP client log file. Here is how to enable logging.

A folder called "Microsoft L2TP/IPSec VPN Client" is available in Start Menu. One of the objects in that folder is L2TPConfig.exe ("Microsoft IPSec VPN Configuration"). There is a setting "Enable IPSec logging". A logfile (Isakmp.log) will then be created in the directory C:\Program Files\Microsoft IPSec VPN Client. You can also enable L2TP/PPP logging on the MSL2TP client. The "Cable Guy" over on Microsoft's TechNet also has some troubleshooting tips on this client.

Information about troubleshooting on the Linux side can be found on my main L2TP/IPsec page.

Back to Contents



22. Split tunnelling

If you don't want to send regular Internet traffic through the VPN tunnel you may want to enable split tunnelling. See this section for more details about split tunnelling and its advantages and disadvantages.

On the MSL2TP client, you enable or disable split tunnelling by modifying the 'Advanced' TCP/IP settings of the VPN connection you created. You have to uncheck the box called "Use default gateway on remote network" to enable split tunnelling.

Back to Contents



23. MSL2TP discussion

The MSL2TP client can only be used for tunnelling L2TP. Would it be possible to hack the Microsoft client to get rid of the L2TP protocol? And/or enable features from the original full SafeNet client? There are certainly entries in the Windows registry which look promising: USESGW (use security gateway?), SGWOPTIONS, REMOTEADDRESS and changing PROTOCOL / PORT / PORTNAME to "All" instead of just UDP 1701. It would perhaps be interesting to compare these registry settings with the ones of the full SafeNet client. I have not done this due to time constraints (any volunteers?). The problem is though that you never know if hacking the registry will be enough. The SafeNet people could have removed the host-to-LAN code from the client completely. Another problem is that the user interface will also have to be modified otherwise the user will still see the L2TP/PPP parts. Yet another problem is that in most cases you want the client to obtain a "virtual IP address" from your internal network. If you somehow remove the L2TP protocol, you will need to use another mechanism to get an internal IP address (manual configuration, Mode-Config, DHCP-over-IPsec). I don't know if the MSL2TP client can be tricked into this. If it's not possible, hacking the registry does not make much sense.

Back to Contents



24. Revision history

Dec 15, 2004: Q323311 turns out to be online again.
Nov 23, 2003: Possible bug due to confusion about Call ID / Tunnel ID.
Oct 21, 2003: Reminder: if you want to use FreeS/WAN 2.x, get at least version 2.03.
Aug 26, 2003: No updates of the MSL2TP client to be expected.
Aug 22, 2003: Better DUN 1.4 link for Win95. Install instructions for NT4.
Aug 8, 2003: Patch for "Specify your hostname" problem added to my l2tpd RPMs.
Jul 31, 2003: Different versions of DUN 1.4 available.
Jul 16, 2003: JuanJo's MSL2TP workaround is now included with SuperFreeS/WAN 1.99.8.
Jun 24, 2003: NAT-T works, after a bit of tweaking of the Linux side.
May 5, 2003: Added JuanJo's registry patches and 'malformed packet' workaround.
Apr 13, 2003: Couldn't get NAT-T to work. Added KB info.
Apr 10, 2003: Incompatible with ICS. Does not seem to work on a 486.
Mar 1, 2003: Corrected typos.
Feb 27, 2003: Added uninstall information.
Feb 24, 2003: Modified left/rightproto information.
Dec 26, 2002: Added KB references.
Dec 15, 2002: Split into four webpages.
Sep 23, 2002: Slightly redesigned.
Sep 15, 2002: Let's call this the MSL2TP client.
July 22, 2002: PSK works, as expected.
July 22, 2002: Added reference to proxy arp.
July 20, 2002: Added report of preliminary l2tpd success.
July 15, 2002: Changed <h4> headings since Opera does not display them. Added PSK remarks.

Jacco de Leeuw