What are the system and network requirements for SSTP VPN and L2TP/IPsec VPN?

  • Question

  • I am setting up a win2008R2 VPN server in an Azure VM and I am having a VPN connection error.

    So I would like to know the system and network requirements for SSTP VPN and L2TP/IPsec VPN.

    1. Does SSTP VPN need a CA and DC?

    2. Does SSTP need a certificate for both the VPN server and the client PC?

    3. Does L2TP/IPsec need the VPN server certificate installed on the client PC?

    4. Does L2TP/IPsec need UDP 1701 allowed in the Azure VM endpoint?

    5. What is the Windows Server service name required for SSTP VPN and L2TP/IPsec VPN?

    I could not find out which service needs to be started to listen on UDP port 1701 on the Azure VM.

    Sunday, October 5, 2014 1:53 PM

Answers

  • Hi,

    1. SSTP VPN needs a CA and DC.

    2. The SSTP VPN server needs to install a CA certificate and a Server Authentication certificate. The SSTP VPN client needs to install a CA certificate.

    3. On the client PC, when we select L2TP/IPSec as the type of VPN and click Advanced, we can configure it to use a preshared key or a certificate for authentication. If we select Use preshared key for authentication, neither the server nor the client needs to install a certificate. If we select Use certificate for authentication, both the server and the client need to apply for and install a computer certificate.

    4. L2TP/IPSec needs UDP 1701 to be allowed.

    5. AD DS, DNS, RRAS, AD CS.

    A port is listened on by an application process; when we install an application, the corresponding port is listened on. We can see whether port 1701 is opened via Windows Firewall. In the Advanced settings of Windows Firewall, double-click Routing and Remote Access (L2TP-In); there we can modify the configuration. Or we can use the netstat -an command to view the list of listening ports.

    The link below is a guide to SSTP deployment:

    http://technet.microsoft.com/en-us/library/cc731352(v=WS.10).aspx

    Best Regards,

    Tina

    • Proposed as answer by Tina_Tan Monday, November 3, 2014 1:07 AM
    • Marked as answer by Tina_Tan Wednesday, November 5, 2014 9:43 AM
    Tuesday, October 7, 2014 1:27 AM

All replies

  • Thank you.

    >1. SSTP VPN needs a CA and DC.

    >2. The SSTP VPN server needs to install a CA certificate and a Server Authentication certificate. The SSTP VPN client needs to install a CA certificate.

    I heard about that, but I could connect to the RRAS VPN by SSTP without setting up a CA and DC.
    I only imported the VPN server certificate to the client PC and could connect to the VPN on win2008R2 by SSTP VPN.

    >5. AD DS, DNS, RRAS, AD CS.

    I could connect to the VPN by pre-shared key L2TP/IPsec, and I ran netstat -anb, but it looks like it does not listen on UDP port 1701. If it needs UDP 1701, there should be a process or service listening on UDP 1701.

    Tuesday, October 7, 2014 5:08 AM
  • Hi,

    For SSTP in Windows, the VPN server needs to apply for a Server Authentication certificate (a computer certificate with the Server Authentication purpose) from a CA, and the VPN client needs to install the CA certificate to trust the VPN server's computer certificate. The VPN server also needs to trust the CA certificate. If we don't use AD CS in Windows to set up a CA, we need to apply for a computer certificate from a commercial CA.

    The DC is here because we store user accounts in the AD database in a domain network. Active Directory user accounts are referred to as security principals. Security principals are directory objects that are automatically assigned security identifiers (SIDs), which can be used to access domain resources. When we use an AD user account and the VPN server is joined to the domain, the VPN server authenticates the user via the AD database of the DC. If the VPN server is not joined to the domain, it authenticates the user via the RADIUS mechanism. When we use a local user account, the VPN server authenticates the user via the local security database.

    As for which service manages the VPN connection: the Remote Access Connection Manager service manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks.

    For more details about SSTP in Windows, please refer to the article by Joseph Davies, a technical writer with Microsoft:

    The Cable Guy: The Secure Socket Tunneling Protocol

    http://technet.microsoft.com/en-us/magazine/2007.06.cableguy.aspx

    Best Regards,

    Tina

    Monday, October 13, 2014 7:46 AM
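A diagnostic script for the points raised in the two answers above (the services involved, the L2TP-In firewall rule, UDP listeners for 1701/500/4500, and the Server Authentication certificate SSTP needs). It is an added example, not code from the thread or from Microsoft; it assumes Windows Server 2008 R2 or later with the RRAS role installed, run in an elevated PowerShell session, and the rule name "Secure Socket Tunneling Protocol (SSTP-In)" is an assumption on my part.

```powershell
# Added example (not from the thread): check RRAS VPN prerequisites on the server.
# Assumes Windows Server 2008 R2 or later with RRAS installed, run as Administrator.

# 1. Services: RemoteAccess = Routing and Remote Access, RasMan = Remote Access
#    Connection Manager, SstpSvc = SSTP service, IKEEXT/PolicyAgent = IPsec (IKE, policy).
$services = 'RemoteAccess', 'RasMan', 'SstpSvc', 'IKEEXT', 'PolicyAgent'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { '{0,-12} {1}' -f $name, $svc.Status }
    else      { '{0,-12} not installed' -f $name }
}

# 2. Inbound firewall rules. L2TP-In is the rule named in the answer;
#    the SSTP-In rule name is an assumption.
$rules = 'Routing and Remote Access (L2TP-In)', 'Secure Socket Tunneling Protocol (SSTP-In)'
foreach ($rule in $rules) {
    $out = netsh advfirewall firewall show rule name="$rule" 2>&1
    $state = ($out | Select-String -Pattern '^Enabled:' | Select-Object -First 1)
    if ($state) { "$rule -> $($state.Line.Trim())" } else { "$rule -> rule not found" }
}

# 3. UDP listeners for L2TP (1701) and IKE / NAT-T (500, 4500). A port that is
#    served by a kernel-mode driver rather than a user-mode process may show
#    PID 4 (System) or not appear at all, so absence here is not proof of failure.
netstat -ano -p UDP | Select-String -Pattern ':(1701|500|4500)\s' |
    ForEach-Object { $_.Line.Trim() }

# 4. SSTP is terminated by HTTP.SYS on TCP 443: show the SSL binding it uses.
netsh http show sslcert | Select-String -Pattern 'IP:port|Certificate Hash' |
    ForEach-Object { $_.Line.Trim() }

# 5. Computer certificates in the machine store that carry the Server Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.1). Certificates with no EKU extension are valid for
#    any purpose and are listed too, flagged as such.
$serverAuth = '1.3.6.1.5.5.7.3.1'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ok  = -not $eku -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth })
    if ($ok) {
        $note = if ($eku) { 'Server Authentication' } else { 'no EKU (all purposes)' }
        'Cert: {0}  thumbprint {1}  expires {2}  [{3}]' -f $_.Subject, $_.Thumbprint, $_.NotAfter, $note
    }
}
```

The thumbprint printed in step 5 should match the Certificate Hash shown in step 4; a mismatch or an expired NotAfter is the usual cause of an SSTP client trust error.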