In this video
SCHOOL PROJECT | How to create a L2TP/IPSEC vpn connection with certificates: https://youtu.be/zHacpCxCZAg
Things I have used:
- VPN01 (Windows 2008 R2 x64, VPN server)
- DC01 (Windows 2008 R2 x64, Domain server and Certificate server)
- WS01 (Windows 7 Ultimate x64, Domain member (this is a choice))
Roles:
- Active Directory Domain Services (with DNS);
- Active Directory Certificate Services (with IIS);
- Network Policy and Access Services.
Steps that you should follow in order:
1. WS01, VPN01 and DC01, configure IP, computer name, MMC
2. DC01, install Active Directory Domain Services (with dcpromo)
3. DC01, install Active Directory Certificate Services
4. DC01, configure IIS (do this before step 10, "VPN01, configure RRAS"; otherwise you get a duplicate IP address error)
5. DC01, configure the VPN user
6. DC01, configure AD CS
7. VPN01, add to domain
8. VPN01, install IPSEC certificate
9. VPN01, install Routing and Remote Access Service
10. VPN01, configure RRAS
11. WS01, preparation
a. Install CA certificate (only if not joined to domain)
b. Install IPSEC certificate
12. WS01, connect with L2TP/IPSec
FQDN = Fully Qualified Domain Name
AD DS = Active Directory Domain Services
AD CS = Active Directory Certificate Services
RRAS = Routing and Remote Access Service
Completion time: 30 minutes.
Read the text below in the video and pause the screen when needed. Also turn on annotations. For errors, problems and more see the description.
Errors:
Error 810: A network connection between your computer and the VPN server was started, but the VPN connection was not completed. This is typically caused by the use of an incorrect or expired certificate for authentication between the client and the server. Please contact your Administrator to ensure that the certificate being used for authentication is valid.
Possible solution: For L2TP/IPsec VPN certificate authentication, note that the VPN server must also have the appropriate certificates installed. What you can try is to install a certificate from the IPSec (Offline request) template in the Personal folder of the Local Computer (in MMC). Follow step 8 on the VPN server (starting at 08:17), just like on the client.
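To check the certificate side of Error 810 without clicking through MMC, here is an added PowerShell example (not from the video): it lists the certificates in the Local Computer Personal store of VPN01 or WS01 and reports why each one would or would not be accepted for L2TP/IPsec. The EKU OIDs it looks for (IP security IKE intermediate, Server Authentication, Client Authentication) are the standard ones and are an assumption of this example, not something the video states.

```powershell
# Added example: report which Local Computer certificates are usable for L2TP/IPsec.
# Run in an elevated PowerShell after step 8 (VPN01) or step 11b (WS01).
# Assumed EKU OIDs: 1.3.6.1.5.5.8.2.2 = IP security IKE intermediate (the IPSEC
# (Offline request) template), 1.3.6.1.5.5.7.3.1 = Server Auth, 1.3.6.1.5.5.7.3.2 = Client Auth.
$ipsecEkus = @('1.3.6.1.5.5.8.2.2', '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
$now = Get-Date

function Test-IpsecCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert)
    $problems = @()

    # A machine certificate without its private key cannot be used for IKE authentication
    # (typical when the request was completed in the user store instead of Local Computer).
    if (-not $cert.HasPrivateKey) { $problems += 'no private key (wrong store or request not completed)' }

    # Expired or not-yet-valid certificates are the usual cause of Error 810.
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Collect the Enhanced Key Usage OIDs; a certificate with no EKU extension is
    # valid for any purpose, so only an EKU that excludes IPsec is reported.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekuOids.Count -gt 0 -and -not ($ekuOids | Where-Object { $ipsecEkus -contains $_ })) {
        $problems += "EKU does not permit IPsec: $($ekuOids -join ', ')"
    }

    # Verify() builds the chain against the machine's trusted roots; it fails when the
    # CA certificate from DC01 is missing (step 11a on a client that is not domain-joined).
    if (-not $cert.Verify()) { $problems += 'chain does not build to a trusted CA (install the CA certificate)' }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        Expires    = $cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IpsecCertificate $_ } |
    Format-List Subject, Issuer, Thumbprint, Expires, Usable, Problems
```

Run it on both ends of the tunnel: L2TP/IPsec needs a usable machine certificate on the VPN server as well as on the client, and the certificates on both sides must chain to the same trusted CA.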
Problem 1: The page Create and submit a request to this CA is not working.
Possible solution: If this site does not appear, then you need to add the website (company.local) to the Compatibility View Settings list. Sometimes you also need to add the website to the Trusted sites list. My recommendation is to use Internet Explorer.
Error 720: A connection to the remote computer could not be established. You might need to change the network setting for this connection.
Possible solution: Try the following. In the settings of the RRAS server, configure a Static address pool for IPv4, with the range 192.168.0.80 - 192.168.0.88.
Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
Possible solution: A simple solution is to go to the user account properties of the VPN user in AD. Select Allow access under the Dial-in tab. You can also configure NPS, but that is more involved.
Possible solution: If it does not work, then start all over again (it worked for me).