Anyone use L2TP\IPSEC 2003 server VPN?

Status
Not open for further replies.

PaulGillespie

Technical User
Jul 2, 2002
516
GB
I'm looking to implement a secure VPN solution for access to a network. The network consists of a single 2003 server (for now, Exchange 2003/7 to follow soon) running AD, DNS and DHCP. In the past I've used RRAS with PPTP fine but there are some security flaws within PPTP. This client requires the maximum security possible but still allowing them VPN access for roaming users. Their line of business is quite sensitive hence the need for maximum security.

From my research today it seems that an IPSEC based VPN is my best bet, but does that mean I have to use a hardware firewall like Cisco or can I use 2003 Server with L2TP\IPSEC?

The solution has to be simple, reliable and with as little maintenance as possible.

So, anyone running RRAS with L2TP\IPSEC authentication? Or is there a more secure method that I'm missing?

Please feel free to jump in with any ideas/suggestions.

Thanks

Paul
 
To be honest, with the many iterations of RAS/RRAS I have seen in Windows NT, 2000 and 2003, I have yet to see any customer that I support actually run a Windows based solution for VPN and Routing. Not saying it doesn't work.. but they all seem to be more comfortable using an appliance instead. Just my 2 cents
 
Thanks again! Thought I'd put up a new thread since I have a little more info and actually gave it a subject this time.

I think I'm swaying that way too; the only drawback I can see is having to buy licenses for the appliance client software, especially for very occasional users. If there was a good way of doing it via 2003 server then I'd be keen to go down that route.

Thanks
 
In my experience most appliances will work with the native L2TP/IPSec VPN client in Windows 2000 & later. I currently use a Cisco PIX and have successfully tested Windows 2000, XP, Server 2003, Vista and Windows Mobile 5 & 6. It took a little setting up but works flawlessly now. I have previously tested the Cisco VPN 3000 concentrator as well but this was for a customer so I don't have access to one currently.
I have also used RRAS with Windows 2000 & 2003 and this also works just as well and is probably easier to initially setup. In most organisations of any size though servers are usually looked after by the software/server team and routers and appliances are looked after by the network team so many prefer the appliance approach.

HTH

Andy
 
Edit:

I also have Cisco IOS routers that work with the Native L2TP/IPSec VPN client.

Andy
 
Thanks Andy,

With appliances, do you have to create an "account" for each VPN client (remote user)? If so, would this mean that they would have a VPN username and password and an Active Directory username and password? Is there any way to have the router integrate with AD for authentication (without using ISA server)?

I'm learning a lot today!

Thanks
 
No. The PIX or IOS router can use external authentication - RADIUS or TACACS+ (LDAP now I think as well, though I have never tried it?). I have two RADIUS servers defined on the PIX and these are two Windows 2003 IAS Servers, both with the same IAS configuration (I have a script that exports the config from the 'Master' to a network share each day at 3pm and at 3:01pm the 'Slave' imports it). The IAS Policy checks a few attributes (Windows Group Membership etc) and authenticates the user using MSCHAP.

HTH

Andy
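One way to build the master/slave IAS sync Andy describes, as an added example and not Andy's own script: a single batch file run with /export by a scheduled task on the master and /import on the slave, using the `netsh aaaa` commands that Windows Server 2003 IAS provides. The share name, log path and server names are placeholders; note that the exported file contains the RADIUS client shared secrets, so the share must be restricted to the two IAS servers.

```batch
@echo off
REM Added example (not the poster's script): replicate an IAS configuration
REM from a master to a slave server through a network share.
REM Assumptions (placeholders): share \\FILESRV\IASSync$ readable/writable only
REM by the two IAS servers; this file saved as C:\scripts\ias-sync.cmd on both.
REM Schedule on the master:  schtasks /create /sc daily /st 15:00 /tn "IAS export" /tr "C:\scripts\ias-sync.cmd /export"
REM Schedule on the slave:   schtasks /create /sc daily /st 15:01 /tn "IAS import" /tr "C:\scripts\ias-sync.cmd /import"

set SHARE=\\FILESRV\IASSync$
set CFG=%SHARE%\ias-config.txt
set LOG=%SystemRoot%\ias-sync.log

if /I "%1"=="/export" goto export
if /I "%1"=="/import" goto import
echo Usage: %~nx0 /export ^| /import
exit /b 2

:export
REM "netsh aaaa show config" dumps the whole IAS configuration (RADIUS clients,
REM remote access policies, logging settings) as a netsh script, including the
REM client shared secrets in clear text, hence the restricted share.
netsh aaaa show config > "%CFG%.tmp" || goto fail
REM Write to a temp name first so the slave never imports a half-written file.
move /Y "%CFG%.tmp" "%CFG%" >nul || goto fail
echo %DATE% %TIME% exported IAS config to %CFG% >> "%LOG%"
exit /b 0

:import
if not exist "%CFG%" (
    echo %DATE% %TIME% no IAS config found at %CFG%, keeping current config >> "%LOG%"
    exit /b 1
)
REM "netsh exec" replays the exported script, replacing this server's IAS config
REM so both RADIUS servers enforce the same remote access policies.
netsh exec "%CFG%" || goto fail
echo %DATE% %TIME% imported IAS config from %CFG% >> "%LOG%"
exit /b 0

:fail
echo %DATE% %TIME% IAS sync step failed, errorlevel %ERRORLEVEL% >> "%LOG%"
exit /b 1
```

Reviewing the log after each run, and alerting when the import step fails, tells you whether the slave has drifted from the master's policy set.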
 