How to set up the L2TP/IPSec client in Windows XP and 2003 R2 Server

In this article I will guide you through the process of setting up the L2TP/IPSec client in Windows XP and 2003 R2 Server. This document is included here to complete the series. The client-side setup does not depend on the type of VPN server.

Thanks to Mikrotik RouterOS and similar platforms, setting up this kind of tunnel is very simple today. This tutorial is the client-side part of our IPSec series; the server side will be explained after this mini-series on client-side configuration.

Keep in mind that support for Windows XP ended on April 8th 2014, and extended support for Windows Server 2003 R2 SP2 ended on July 14th 2015. Therefore, I would not recommend exposing these systems to the Internet.

The L2TP/IPSec client is supported out of the box in Windows XP and 2003 R2 Server. Although we rarely need a VPN client on the server platform, it can be set up in exactly the same way.

You can find the following tutorials related to the L2TP/IPSec VPN clients on my blog:

Our recipe

1) Open Control Panel and find the Network Connections icon.

2) A new window opens, listing all our connections. Choose New Connection Wizard.

3) Run the Wizard by clicking the [ Next> ] button.

4) In this window, choose the option Connect to the network at my workplace.

5) In the next step select Virtual Private Network connection.

6) In the next window we just enter the name of the VPN connection. The name is arbitrary and should be user-friendly, like Contoso VPN.

7) In the next window we need to enter the destination of our connection. The destination can be either an IP address or a DNS name (as demonstrated in the screenshot). If you want to use a DNS (a.k.a. FQDN) name, you must register it in your DNS zone. This option allows you to register multiple IP addresses under the same DNS name and use so-called round-robin DNS.

This means that we can have two or more independent Internet links and let users establish the VPN over a random link. If one of the links is unavailable due to a problem with the ISP, your VPN concentrator is still up and running and remains reachable over the remaining links.
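The round-robin idea above, modelled in a Python example added here (not code from the original post): a round-robin DNS server rotates the record set on every query, so successive clients start on different links, but DNS cannot tell a dead link from a live one, so the client still has to move on to the next address (or simply retry, which gets a fresh rotation) when the first one does not answer. The hostname, addresses and link states below are constructed for the example; the probe is injected so the code runs offline, whereas a real L2TP/IPSec client's "probe" is the IKE exchange on UDP/500 (UDP/4500 behind NAT).

```python
import socket
from typing import Callable, List, Optional

# Constructed sample data: the IPv4 addresses that a round-robin A record set
# for the hypothetical name vpn.contoso.example might carry, one per
# independent Internet link of the VPN concentrator. RFC 5737 documentation
# ranges, not real hosts.
SAMPLE_RECORDS = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]

# Constructed link state for the offline demonstration: the second ISP link
# is down, the other two are up.
SAMPLE_LINK_UP = {"192.0.2.10": True, "198.51.100.20": False, "203.0.113.30": True}


def resolve_all(hostname: str) -> List[str]:
    """Return every distinct IPv4 address behind a name, in resolver order.

    This queries the real resolver; the demonstration below feeds in the
    constructed SAMPLE_RECORDS instead so that it runs offline.
    """
    addresses: List[str] = []
    for info in socket.getaddrinfo(hostname, None, socket.AF_INET):
        addr = info[4][0]
        if addr not in addresses:
            addresses.append(addr)
    return addresses


def round_robin_order(records: List[str], query_number: int) -> List[str]:
    """Model what a round-robin DNS server does: each successive query gets
    the same record set rotated by one, so clients start on different links."""
    if not records:
        return []
    offset = query_number % len(records)
    return records[offset:] + records[:offset]


def pick_reachable(ordered: List[str], probe: Callable[[str], bool]) -> Optional[str]:
    """Client-side failover: walk the addresses in the order DNS handed them
    out and return the first one whose probe succeeds, or None when every
    link is down. DNS alone never does this step for you."""
    for addr in ordered:
        if probe(addr):
            return addr
    return None


def simulate_client(query_number: int) -> Optional[str]:
    """One VPN client connecting: take the rotation DNS would return for this
    query number, then fail over across the constructed link states."""
    ordered = round_robin_order(SAMPLE_RECORDS, query_number)
    return pick_reachable(ordered, lambda addr: SAMPLE_LINK_UP[addr])


if __name__ == "__main__":
    # Three successive clients: each starts on a different link, and the one
    # that lands on the dead link falls through to the next address.
    for n in range(3):
        print(n, round_robin_order(SAMPLE_RECORDS, n), "->", simulate_client(n))
```

The practical consequence for the setup in step 7: publishing several A records spreads clients across your links, but a client that lands on a dead link only recovers if it tries the next address or reconnects, so test the failure case by taking one link down rather than assuming DNS handles it.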

8) In the next step we finish the Wizard. Our new connection is created.

9) The new connection appears in the Network Connections window.

10) We need to configure a few more settings before we can use the connection. Right-click the new connection and choose Properties from the context menu.

11) A new window opens. We need the tab named Networking. Here we change the type of VPN to L2TP/IPSec.

12) Now, we should change the tab and choose the one named Security. We will switch options to Advanced (custom settings).

13) The next step is to click the [ Settings… ] button. A new window appears, where we define the advanced security settings (shown in the screenshot).

It is advised to choose the CHAP authentication protocol as well. Other protocols are not recommended, especially PAP.

14) Click [ OK ] to close the Advanced Security Settings window. We return to the Security tab. Now click the [ IPSec Settings… ] button and a new dialog opens.

Tick the option Use pre-shared key for authentication and enter the key in the field below it. As you can see, Windows XP does not support IPSec with certificate-based authentication, which is considered much more secure. This is one more reason to abandon the Windows XP/2003 platform.

15) Click [ OK ] in both dialogs and close the VPN connection properties window.

16) Open the VPN connection icon. This starts the connection process. The first step is to enter the username and password. For security reasons, we should not save the password.

17) Click the [ Connect ] button. That initiates the network connection process. During this process we see a dialog on the screen with status messages, which change as the connection passes through its stages.
18) After a short while (depending on the quality of your link), we should be connected to the remote network. We will see two network icons in the notification area. We can click on the VPN connection and check its status; the parameters are shown in the new window. Click the tab Details.

Here we can see all parameters of the VPN connection. Some interesting parameters are the authentication and encryption algorithms, the internal IP address of the client, and so on.

If you check the field IPSec Encryption, you can see that the “old father” Windows XP only supports the ancient 3DES algorithm, which is considered too weak today. That is another reason to avoid the Windows XP platform.

Security considerations

Now that you see how easy it is to set up this connection, you should consider replacing those old PPTP VPNs with a modern, stronger L2TP/IPSec VPN tunnel. The most vulnerable part here is the IPSec pre-shared key, because all users of your system must share the same key.

The key should be very complex. However, if you need to share it with other people and hand it to them in clear text, then sooner or later the secret key will leak. If you administer the VPN system, you should configure all of this for your users or customers yourself.

Remember, you cannot count on additional protection through certificates, as that mechanism is not supported on this platform.
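As an added example (not code from the original post), here is one way to generate a pre-shared key that is actually complex, and to score a candidate key before it is typed into the IPSec Settings dialog for users. The 32-character default, the 20-character minimum, the 128-bit threshold and the character set are assumptions of this example, not Windows requirements.

```python
import math
import secrets
import string

# Character set for generated keys. Constructed choice for this example:
# letters, digits and the printable punctuation minus quotes, backslash and
# backtick, which are error-prone when a key is typed into a dialog box.
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_psk(length: int = 32) -> str:
    """Generate a pre-shared key from the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def entropy_bits(psk: str) -> float:
    """Upper-bound entropy estimate: length times log2 of the combined size
    of the character classes the key actually uses. A human-chosen key is
    weaker than this bound; a generated one meets it."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str, min_length: int = 20, min_bits: float = 128.0) -> list:
    """Return a list of findings for a candidate key; an empty list means the
    key passes this example's policy (the thresholds are assumptions)."""
    findings = []
    if len(psk) < min_length:
        findings.append(f"too short: {len(psk)} < {min_length} characters")
    bits = entropy_bits(psk)
    if bits < min_bits:
        findings.append(f"too little entropy: {bits:.0f} < {min_bits:.0f} bits")
    if psk != psk.strip():
        findings.append("leading or trailing whitespace is easily lost when the key is shared")
    if len(set(psk)) < 4:
        findings.append("uses fewer than four distinct characters")
    return findings


if __name__ == "__main__":
    key = generate_psk()
    print(key, f"{entropy_bits(key):.0f} bits", check_psk(key))
    # Constructed weak candidate of the kind users pick when asked to choose one.
    print("password123", check_psk("password123"))
```

Generate the key centrally with generate_psk(), enter it in the IPSec Settings dialog yourself as the post recommends, and keep it out of e-mail and chat; check_psk() is for the case where someone else proposes a key, so that short or low-entropy choices are rejected before they become the shared secret of every user on the concentrator.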

Stay tuned.
