In this screencast and ensuing article, I’ll show how to configure a Layer 2 Tunneling Protocol (L2TP) connection on the server side (Windows Server 2003) and client side (Windows XP Pro). The video and step-by-step article are broken into six steps:
- Step 1: Install a Certificate Authority on the server.
- Step 2: Configure the Certificate Authority (CA) on the server.
- Step 3: Configure MS-CHAP on the client.
- Step 4: Configure L2TP and IPsec on the client.
- Step 5: Install a certificate on the client.
- Step 6: Make the new VPN connection.
This screencast assumes that you have IIS running on the server, you know how to set up a basic VPN, and you have a VPN server running. For more information on how to set up a basic VPN, see my website. (Free registration required.)
Step 1: Install a Certificate Authority on the Server
Even if your client is already set up to make L2TP connections (see Step 4 for more), and you have a basic VPN server working, you would get a 781 error when attempting to connect. This is because your client requires an encryption certificate. The client must get that certificate from the server (or some other authority). Let’s install and configure the Certificate Authority on the Windows Server 2003 computer now so that it can dispense certificates to clients.
- Go to the Windows Server 2003 computer.
- Click the Start button and select Control Panel.
- Launch Add/Remove Programs.
- Select Add/Remove Windows Components.
- Click the Certificate Services check box to select it. A pop-up window opens; click Yes.
- Click Next.
- When asked what type of Certificate Authority you will be installing, choose the default option, Enterprise root CA, as shown in Figure 1. Then click Next.
- In the Common Name for this CA field, type test. Leave the rest of the information as-is, and click Next.
- Leave the Certificate Database Settings window as-is and click Next.
- A pop-up window might ask you about IIS, which needs to be stopped during the installation of the CA. Click OK. The installation of the CA will begin.
- If you are asked for the CD, you can get the necessary information from X:\i386 (where X is the letter of your disc drive). This could be from the Windows Server 2003 disc, the Service Pack disc, or the Server 2003 disc with a slipstreamed service pack; it depends on your setup.
- Click Finish. The Certificate Authority is now installed. You should see it within your Administrative Tools. A restart is not normally necessary, but might be a good idea, especially if you have a lot of other services running on the server.
Figure 1 The Certificate Authority screen.
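Before moving on to Step 2, it is worth confirming from a command prompt on the server that the CA from Step 1 is actually up. The following batch script is an added example, not part of the original screencast; it assumes the CA common name `test` typed during setup and uses the built-in `sc` and `certutil` tools.

```bat
@echo off
rem Added example: post-install check for the CA installed in Step 1.
rem Run in a command prompt on the Windows Server 2003 computer.
rem Assumption: the CA common name is "test", as entered during setup.
setlocal
set EXPECTED_CA=test
set FAILED=0

rem 1. The Certificate Services service (CertSvc) must be running.
sc query CertSvc | find "RUNNING" >nul
if errorlevel 1 (
    echo [FAIL] CertSvc is not running. Try: net start CertSvc
    set FAILED=1
) else (
    echo [ OK ] CertSvc is running.
)

rem 2. The CA must answer on its request interface.
certutil -ping >nul 2>&1
if errorlevel 1 (
    echo [FAIL] certutil -ping got no response from the CA.
    set FAILED=1
) else (
    echo [ OK ] CA responded to certutil -ping.
)

rem 3. The configured common name should match what was typed in setup.
rem    This is a case-insensitive substring match, not an exact compare.
certutil -getreg CA\CommonName | find /i "%EXPECTED_CA%" >nul
if errorlevel 1 (
    echo [FAIL] CA common name does not contain "%EXPECTED_CA%".
    set FAILED=1
) else (
    echo [ OK ] CA common name contains "%EXPECTED_CA%".
)

rem Exit code 0 means every check passed; 1 means at least one failed.
exit /b %FAILED%
```

If any line reports `[FAIL]`, fix it on the server first; a CA that is not running cannot issue the certificate the client needs, and the client will keep returning the 781 error.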