At my company we recently replaced our Cisco ASA 5505 with a different firewall solution. Before we swapped it out a lot of remote users would use the Cisco VPN client to remote back into the network here. Our new firewall has it's own SSL VPN for remote users, but it's kind of flaky and doesn't work on Mac's. Therefore I decided to setup a Windows VPN server using Routing and Remote Access (RRAS). To me, the Microsoft VPN is the easiest to setup, and use. Plus it doesn't require a third party client. Also, if your users have Windows Vista SP1 or Windows 7 they can use the cool new SSTP VPN protocol, which is secured with SSL.
If they are using Windows XP, or Mac though, they cannot use SSTP. In the past, I would just have users use PPTP, but it's not very secure any more. According to Wikipedia:
PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol as well as the integration between MPPE and PPP authentication for session key establishment.
Okay, so PPTP is out of the picture, but works with Windows XP users and Mac users. What else can we use that is supported on both, but is more secure than PPTP? How about L2TP over IPSEC? Now we’re cooking! There is a problem with this setup if you’re RRAS is NAT’d though. Your Mac clients will have no problem connecting, but for some reason your Windows clients can’t. This is a known issue from Microsoft, and it can be fixed with a registry edit.
For Windows XP clients do the following:
- Click Start > Run. Type in regedit and click OK
- Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
- Create a new DWORD called AssumeUDPEncapsulationContextOnSendRule and set the value to 2
For Windows Vista/Windows 7 clients (If you don’t like SSTP)
- Press WIN+R, type in regedit and click OK
- Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
- Create a new DWORD value called AssumeUDPEncapsulationContextOnSendRule and set the value to 2.
Now your Windows clients should be able to connect using L2TP over IPSEC without issue.