[vpn] Netscreen 5XP as a L2TP server?

Riccardo Valente riccardo at thevalentes.net
Wed Nov 21 15:28:33 EST 2001


Any particular tips for Windows 2000?
I normally follow the exact same procedure you outlined, which works with
Win98 and (with some fiddling) with WinME; however, I didn't have any
success with Windows 2000, where NS Remote does not install the L2TP
component, relying on the MS native implementation.
In particular, L2TP brings the tunnel up, but no L2TP session is
established. I've managed to use L2TP without IPSec, but not the two at the
same time.

Regards,
Riccardo


> At 03:29 PM 11/19/2001 -0800, Thierry Blanchard wrote:
>> Can I use a Netscreen 5XP as a VPN (L2TP) server with W2K clients and Win98
>> clients using Netscreen-Remote?
> 
> If you have NetScreen 2.6, you can use L2TP over IPsec with
> these client OSs.
> 
> On the NS5XP, create a new L2TP tunnel, a gateway for Dialup Users
> that uses IKE Aggressive mode, and an AutoKey IKE object for this gateway
> that specifies transport mode IPsec. Create an incoming policy with
> source=Dialup VPN, Action=tunnel, VPN Tunnel=your AutoKey IKE, and
> L2TP=your L2TP tunnel. This permits incoming L2TP tunnels over an
> IPsec transport mode SA.
> 
> On the NS5XP, you'll also need to create IKE/L2TP users that specify
> both the IKE ID and the L2TP username/password.  Add these users to the
> Dialup Group associated with the gateway you created above.
> 
> On PCs with NS-Remote, create a SafeNet policy that encrypts
> UDP 1701 sent to the NS5XP - this policy will bring up the IPsec
> transport mode SA when the PC tries to send L2TP to the NS5XP.
> The IKE ID, secret, and transforms in this policy must match the
> values you configured in the NS5XP.
> 
> Finally, you need one more thing on the client PC - a VPN dial-up
> networking entry to initiate the L2TP tunnel to the NS5XP.  The
> username and password must match the values configured in the
> NS5XP IKE/L2TP user account.  How you create DUN entries is a
> little different on W2K and W98, but the concept is the same.
> 
> If you run into problems getting the IPsec SA up, check that:
> - both ends have transport mode IPsec selected
> - both ends are using the same IKE ID and secret
> - you aren't sending IP traffic without launching DUN first
> 
> If you run into problems getting DUN authenticated, check that:
> - your DUN username matches the L2TP username (not the IKE ID)
> - your DUN password matches the L2TP password (not the IKE secret)
> - you're supplying a valid inside IP for the IKE/L2TP user
>  (set in the user account or in IP Pool for L2TP tunnel)
> 
> Good luck!
> Lisa
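An added example, not part of this thread or of NetScreen's software: a small Python decoder for L2TPv2 control messages (RFC 2661) that separates the tunnel-establishment phase (SCCRQ/SCCRP/SCCCN) from the session phase (ICRQ/ICRP/ICCN), which is the distinction behind the "tunnel up, no session" symptom described above. The sample messages are constructed; real UDP 1701 traffic is only readable in a capture taken before IPsec encapsulation, or when L2TP is run without IPsec as in the test setup mentioned in the post.

```python
import struct

# L2TPv2 control message types (RFC 2661, Message Type AVP values).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

def parse_l2tp(payload):
    """Decode an L2TPv2 header; for control messages also pull the Message Type AVP."""
    flags = struct.unpack("!H", payload[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 packet")
    is_control, pos, length = bool(flags & 0x8000), 2, None
    if flags & 0x4000:                       # L bit: Length field present
        length = struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & 0x0800:                       # S bit: Ns/Nr sequence numbers present
        ns, nr = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
    if flags & 0x0200:                       # O bit: Offset Size (and padding) present
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    msg = {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
           "ns": ns, "nr": nr, "type": None}
    end = length if length is not None else len(payload)
    while is_control and pos + 6 <= end:     # walk AVPs: flags/len, vendor id, attribute type
        hdr, vendor, attr = struct.unpack("!HHH", payload[pos:pos + 6])
        avp_len = hdr & 0x03FF
        if avp_len < 6:                      # malformed AVP; stop rather than loop forever
            break
        if vendor == 0 and attr == 0 and avp_len == 8:   # Message Type AVP
            code = struct.unpack("!H", payload[pos + 6:pos + 8])[0]
            msg["type"] = MESSAGE_TYPES.get(code, f"type-{code}")
        pos += avp_len
    return msg

def build_control(tunnel_id, session_id, ns, nr, msg_code):
    """Constructed sample: a minimal control message carrying only the Message Type AVP."""
    avp = struct.pack("!HHHH", 0x8000 | 8, 0, 0, msg_code)  # M bit set, length 8
    body = struct.pack("!HHHH", tunnel_id, session_id, ns, nr) + avp
    return struct.pack("!HH", 0xC802, 4 + len(body)) + body   # T, L, S bits + version 2

def negotiation_stage(payloads):
    """How far the exchange got: 'none', 'tunnel' (SCCCN seen) or 'session' (ICCN seen)."""
    seen = {parse_l2tp(p)["type"] for p in payloads}
    if "ICCN" in seen:
        return "session"
    return "tunnel" if "SCCCN" in seen else "none"
```

Feeding the decoded UDP 1701 payloads of a failing attempt into `negotiation_stage` shows whether the client ever sent ICRQ, i.e. whether the problem is on the L2TP session side or the IPsec/IKE side.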


VPN is sponsored by SecurityFocus.com