Windows XP L2TP over IPSec dialup client VPN to a Juniper ScreenOS firewall, using Certificates | Corelan Team
https://www.corelan.be/index.php/2009/01/11/windows-xp-l2tp-over-ipsec-dialup-client-vpn-to-a-juniper-screenos-firewall-using-certificates/
09/04/13
Windows XP L2TP over IPSec dialup client VPN to a Juniper ScreenOS firewall, using Certificates
Published January 11, 2009 | By Corelan Team (corelanc0d3r)
Before looking at the various configuration steps, we'll have to take the following assumptions into account:

- We don't want to use the NetScreen-Remote client; we want to use the Windows XP built-in dialup VPN technology, which can build PPTP or L2TP/IPSec connections. Juniper ScreenOS does not support PPTP (which is not as safe as IPSec anyway).
- The XP clients will have dynamic IPs. They are either directly connected to the internet, or connected behind a firewall/router that is capable of forwarding ESP packets. Keep in mind that NAT traversal cannot be used: if the client is behind a NAT router it will not work out of the box, because the client will send an FQDN as peer ID instead of an IP address. There is a fix, but it requires you to edit a DLL file. You can read more about this at http://www.juniperforum.com/index.php?topic=7706.new;topicseen
- Because the client IP addresses can be dynamic, authentication needs to happen using certificates. (After all, identification is based on IP address or ASN1-DN peer IDs. Juniper ScreenOS also supports FQDN and U-FQDN ID types, but these are not supported on XP.)

Since you will be using certificates, you may want to set up your own PKI. You can find more information on how to set up a Windows 2008 based PKI in this post. Keep in mind that the reachability of the CRL will be very important: the firewall validates the client certificate against the CRL it holds, and a CRL has an expiry date, so a manually loaded CRL has to be refreshed before it expires or certificate validation will start failing.
Network layout
The remote client has IP 192.168.0.101. It will be connecting to the public IP of the Juniper firewall, which, in my test lab, is 192.168.0.30. When connected, the client will receive an IP in the 192.168.20.1 - 192.168.20.100 range. The network it needs to have access to is 192.168.2.0/24. The internet-facing interface on the SSG5 is in zone Public; the internal (private) interface is in zone LAN.
Next, go to the certificate server website (certsrv) and request a new IPSec certificate. You'll need to submit an advanced request in order to be able to select the IPSec certificate template. On Windows XP, the request should look like this:
(Note that with IE7 you cannot set the certificate to be stored in the local machine store. This is why I made the private key exportable: so you can export it and import it manually into the local machine store.) In both cases, make sure the E-mail address is filled out, because it will be used as the peer ID. When the certificate has been installed, export it to a file (including the private key) and import it back into the local machine store: IE > Tools > Internet Options > Content > Certificates > Personal.
Export, including the private key. You can tick "Delete the private key if the export is successful" in the export wizard, so the key does not linger in the user store once the machine store copy exists.
Open an MMC console (mmc.exe), add the Certificates snap-in and select "Computer account". Import the exported .pfx file into the Personal store.
Verify that it was installed properly and that it includes the private key:
Either way, make sure:
- the IPSec certificate (with its private key) is in the Personal store of the computer account, not the user account
- the root certificate is installed in the Trusted Root Certification Authorities store of the computer
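The export/import round trip above, as an added example that is not part of the original post: the same move from the user's certificate store to the computer's store, done with PowerShell 2.0 (which runs on XP SP3) and the .NET certificate classes so it can be scripted instead of clicked through. The subject e-mail address and the export password are hypothetical values; run it as an administrator, because writing to the LocalMachine store requires it.

```powershell
# Added example, not code from the original post. Moves the IPSec certificate
# that certsrv placed in the logged-on user's Personal store into the computer's
# Personal store, where the L2TP/IPSec client looks for it. Run elevated.
$subjectEmail = 'E=xptest1@example.com'            # hypothetical: the E field you typed in the request
$pfxPassword  = 'hypothetical-export-password'      # protects the PFX bytes while they exist

# 1. Find the certificate in the user's store; it must still carry the private key
$userStore = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
$userStore.Open('ReadWrite')
$cert = @($userStore.Certificates | Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$subjectEmail*" })[0]
if (-not $cert) { throw "no certificate with a private key matching $subjectEmail in the user store" }

# 2. Export with the private key. This only works because "Mark keys as exportable"
#    was ticked in the request; otherwise Export() throws.
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)

# 3. Import into LocalMachine\My. MachineKeySet puts the key in the machine key
#    container so the RAS/IPsec service can use it without anyone logged on;
#    PersistKeySet keeps the key after the X509Certificate2 object goes away.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$machineCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$machineCert.Import($pfxBytes, $pfxPassword, $flags)
$machineStore = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$machineStore.Open('ReadWrite')
$machineStore.Add($machineCert)
$machineStore.Close()

# 4. Check: the same thumbprint is now in the computer store and still has a private key
$check = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $check -or -not $check.HasPrivateKey) { throw 'import into the machine store failed' }

# 5. Equivalent of "delete the private key if the export is successful": drop the
#    user-store entry (Remove() deletes the store entry, not the user's key container).
$userStore.Remove($cert)
$userStore.Close()
"{0} moved to LocalMachine\My (expires {1})" -f $cert.Subject, $cert.NotAfter
```

The two X509KeyStorageFlags values are the point of the script: a PFX imported without MachineKeySet ends up with a user-profile key container that the IPsec service cannot open, which produces the "no valid machine certificate" error discussed under Troubleshooting even though the certificate is visible in the computer store.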
On the Juniper device, under Certificates, click the Browse button and locate the CA's .cer file. Click Load to load the CA certificate. Set "Show" to CA and verify that the root cert was loaded properly.
Click New to create a new certificate request. Fill out the Name, Organization and FQDN, and set the key type to RSA.
Set the key length to 1024 bits. (That was the usual choice in 2009; 1024-bit RSA is no longer considered adequate, so pick the longest length your ScreenOS version and your CA accept.) Click Generate to create a new request and wait until the request string is shown. This can take a couple of minutes.
Copy the text of the certificate request to the clipboard. Go to the PKI certsrv website and submit a new request: choose the advanced request, then the option to submit a certificate request by using a base-64-encoded request.
Paste the request string in the Saved Request box and click Submit.
Go back to the Juniper device, under Certificates, browse to the newly issued .cer file and load it.
Look at the details of this new certificate and verify that it contains the correct data.
Next, import the CRL from your CA: go to the PKI website again and download the CRL file to disk.
Use Browse to locate the CRL file and click Load to load it.
Set the L2TP defaults: assign the IP pool to L2TP and set the authentication, DNS and WINS options (VPNs > L2TP > Default Settings). The equivalent CLI commands:

set l2tp default ippool "L2TP_VPN_Pool"
set l2tp default dns1 192.168.0.1
set l2tp default dns2 192.168.0.6
Next, create an IKE user for the client. Make sure the CN, E-Mail, Organization, Location, etc. match the certificate that was created for the client computer earlier, because this ASN1-DN is what the firewall matches the peer ID against. You will have to create an IKE user configuration for each user (that is, for each certificate).
Next, create the IKE gateway (Phase 1). Pick a name and set the outgoing interface to the public interface (ethernet0/1 in our case), then click Advanced for the remaining settings.
On the XP client, create a new VPN connection (New Connection Wizard) to the public IP of the firewall. Finish and save the new connection. The connect dialog will open. Enter the L2TP username and password.
Click Properties, open the Security tab and set the security options to Advanced (custom settings).
Click Settings. Under Data encryption, choose "Optional encryption". This setting controls MPPE at the PPP layer, which is redundant here because the whole L2TP session already travels inside ESP. Protocols: allow PAP and CHAP. Juniper does not support MS-CHAP. Accept the warning about passwords being sent in the clear when you only use PAP/CHAP. That is ok, because the IPSec connection is established first, and only then is the L2TP tunnel (and the PPP session inside it) brought up, so the PPP authentication exchange is carried inside ESP. (This only holds while IPsec is mandatory for the L2TP connection, which is the XP default: L2TP without IPsec is only used when the ProhibitIpSec value under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters has been set to 1, so make sure that value is absent or 0.)
Click OK. Go to the Networking tab and set the Type of VPN to "L2TP IPSec VPN".
Click OK to save.
Access to resources in the 192.168.2.0/24 network should work, as long as those hosts have a route back to 192.168.20.x (pointing at the firewall's LAN interface).
Verify the tunnel on the firewall with get l2tp all active. The output fragments as captured (the preceding SA listing only showed "IKEv2 SA - Active: 0, Dead: 0, Total 0", since this tunnel is IKEv1, and a "PID vsys 7 0 1 0" line):

get l2tp all active
L2TP Name        Tunnel Id  Peer Address   Port  Peer Host  Calls  State    t_info (HEX)
L2TP_Windows_Tu  (89/1)     192.168.0.101  1701  xptest1    1      estblsh  80008059
L2TP_Windows_Tu  (0/0)      0.0.0.0        0                0      idle     80000001
Troubleshooting
"The L2TP connection attempt failed because there is no valid machine certificate on your computer for security authentication"
- verify that the IPSec certificate (including its private key) is installed in the Personal store of the Computer account, not the user account
- verify that the root certificate is installed in the Trusted Root Certification Authorities store of the computer
- verify that the certificate is still valid: not expired, not revoked, and chaining to that root
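The checks behind those bullets, as an added example that is not part of the original post: a PowerShell 2.0 script (run as an administrator on the XP client) that lists every certificate with a private key in the computer's Personal store and reports, per certificate, whether it carries the EKU the Windows "IPSec" template issues, whether a chain builds to a root in the computer's Trusted Root store, and whether online CRL checking succeeds. The only assumption is that EKU OID; nothing else is specific to this lab.

```powershell
# Added example, not code from the original post. Diagnoses the "no valid machine
# certificate" error by checking the computer store the way the IKE service does.
$ikeEku = '1.3.6.1.5.5.8.2.2'   # "IP security IKE intermediate", the EKU the IPSec template issues
$roots  = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })

# Only certificates with a private key in LocalMachine\My are candidates; the user store does not count
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
if ($candidates.Count -eq 0) {
    Write-Warning 'No certificate with a private key in the computer Personal store (Cert:\LocalMachine\My)'
}

foreach ($c in $candidates) {
    # Read the EKU OIDs from the extension itself (no EnhancedKeyUsageList property in PowerShell 2.0)
    $ekus = @($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
              ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    # Build the chain with online revocation checking: this exercises CRL reachability from the client
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'   # roots have no CRL of their own
    $built  = $chain.Build($c)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    } else {
        $root = $c   # no chain at all: the certificate itself is the best we can report
    }

    New-Object PSObject -Property @{
        Subject     = $c.Subject
        Expires     = $c.NotAfter
        HasIkeEku   = ($ekus -contains $ikeEku)          # false: issued from a template other than IPSec
        ChainBuilt  = $built
        ChainStatus = $(if ($status) { $status } else { 'NoError' })
        RootTrusted = ($roots -contains $root.Thumbprint) # false: CA cert missing from LocalMachine\Root
        RootSubject = $root.Subject
    }
}
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation with ChainBuilt false is the CRL-reachability problem the introduction warns about; RootTrusted false means the CA certificate was imported into the user's Trusted Root store rather than the computer's.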
What if I want to use RADIUS to authenticate the users, in conjunction with the certificate?
No problem. In the step-by-step above, I created one user that serves both as IKE user (Phase 1) and as L2TP user (authentication after the IPSec tunnel is up). You can of course create an IKE-only user (so the certificate is still validated) and use an auth server (RADIUS) to validate the L2TP users. This is how it works.

First, create an IKE user. If you want to validate certificates, you will always need an IKE user for each user account. In this scenario the user name is not that important. Just make sure to enable the user, select IKE only, set the number of logins to 1, and set it to use the DN for the ID. Fill out the properties so they match the certificate. Do NOT select L2TP user. Just save this new user. This will make sure any Phase 1 connection with this certificate is accepted. Again, you can only have one simultaneous connection per IKE user/certificate combination, so you'll have to create an IKE user for each certificate if you want to use certificates. I agree, it does not scale very well, but hey, it works.
Next, create a new auth server for L2TP. I'll use a Windows based IAS for this, so I can use Active Directory accounts for user authentication. Set a good name and the IP address of the IAS server. Set Account Type to L2TP. Select RADIUS and set the shared secret.
In Active Directory, create your L2TP user accounts, put them in an L2TP.User group, and create an IAS policy that authenticates users when they are a member of this group. (If you don't know how to set up the IAS RADIUS client and IAS policy, check out this post.) Make sure, on the authentication page of the IAS policy, to only select PAP as accepted authentication method. Next, on the Juniper firewall, go to the L2TP default settings. Set the default authentication server to the newly created auth server. Set PPP authentication to use PAP. Note that with PAP the firewall forwards the user's password to IAS protected only by the RADIUS shared-secret obfuscation (an MD5-based construction from RFC 2865), so keep the firewall-to-IAS path on a trusted network and use a long, random shared secret.
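The RADIUS leg of that setup, as an added example that is not part of the original post: a hand-built RFC 2865 Access-Request / Access-Accept round trip in PowerShell (any version from 2.0; it does not need to run on the XP client), showing how the PAP password the firewall forwards is hidden under the shared secret and how the firewall checks that the reply really came from a server holding that secret. The shared secret, user name, password and NAS address are constructed values, and IAS's Active Directory and group check is stood in for by a plain comparison.

```powershell
# Added example, not code from the original post: the RADIUS PAP exchange between
# the firewall (the NAS) and IAS, built by hand per RFC 2865. All values hypothetical.
$md5 = [System.Security.Cryptography.MD5]::Create()
function Get-Md5([byte[]]$bytes) { ,$md5.ComputeHash($bytes) }
function ConvertTo-Bytes([string]$s) { ,[System.Text.Encoding]::ASCII.GetBytes($s) }

# RFC 2865 5.2: pad the password to 16-byte blocks and XOR each block with
# MD5(secret + previous block); the first "previous block" is the Request Authenticator.
function Protect-RadiusPassword([string]$password, [byte[]]$secret, [byte[]]$authenticator) {
    $p = ConvertTo-Bytes $password
    $len = [Math]::Max(16, (($p.Length + 15) -band -bnot 15))
    $padded = New-Object byte[] $len
    [Array]::Copy($p, $padded, $p.Length)
    $hidden = New-Object byte[] $len
    $prev = $authenticator
    for ($i = 0; $i -lt $len; $i += 16) {
        $b = Get-Md5 ($secret + $prev)
        for ($j = 0; $j -lt 16; $j++) { $hidden[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = $hidden[$i..($i + 15)]   # chaining uses the ciphertext block
    }
    ,$hidden
}
function Unprotect-RadiusPassword([byte[]]$hidden, [byte[]]$secret, [byte[]]$authenticator) {
    $plain = New-Object byte[] $hidden.Length
    $prev = $authenticator
    for ($i = 0; $i -lt $hidden.Length; $i += 16) {
        $b = Get-Md5 ($secret + $prev)
        for ($j = 0; $j -lt 16; $j++) { $plain[$i + $j] = $hidden[$i + $j] -bxor $b[$j] }
        $prev = $hidden[$i..($i + 15)]
    }
    [System.Text.Encoding]::ASCII.GetString($plain).TrimEnd([char]0)
}

# Attribute = Type(1) Length(1) Value; packet = Code(1) Id(1) Length(2) Authenticator(16) Attributes
function New-RadiusAttribute([byte]$type, [byte[]]$value) {
    ,[byte[]]([byte[]]@($type, ($value.Length + 2)) + $value)
}
function New-RadiusPacket([byte]$code, [byte]$id, [byte[]]$authenticator, [byte[]]$attributes) {
    $length = 20 + $attributes.Length
    ,[byte[]]([byte[]]@($code, $id, [Math]::Floor($length / 256), ($length % 256)) + $authenticator + $attributes)
}
# RFC 2865 section 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
function Get-ResponseAuthenticator([byte]$code, [byte]$id, [byte[]]$requestAuth, [byte[]]$attributes, [byte[]]$secret) {
    $length = 20 + $attributes.Length
    Get-Md5 ([byte[]]@($code, $id, [Math]::Floor($length / 256), ($length % 256)) + $requestAuth + $attributes + $secret)
}

$secret   = ConvertTo-Bytes 'hypothetical-shared-secret'   # same value on the SSG auth server and the IAS RADIUS client
$userName = 'vpnuser1'                                      # hypothetical AD account in the L2TP.User group
$password = 'hypothetical-password'
$nasIp    = [System.Net.IPAddress]::Parse('192.168.0.30').GetAddressBytes()

# 1. Firewall -> IAS: Access-Request (code 1) with a fresh random Request Authenticator
$requestAuth = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($requestAuth)
$attrs = (New-RadiusAttribute 1 (ConvertTo-Bytes $userName)) +
         (New-RadiusAttribute 2 (Protect-RadiusPassword $password $secret $requestAuth)) +
         (New-RadiusAttribute 4 $nasIp)
$accessRequest = New-RadiusPacket 1 0x2a $requestAuth $attrs

# 2. IAS side: parse the attributes and recover the PAP password with the same secret
$reqAuthSeen = [byte[]]$accessRequest[4..19]
$attrBytes   = [byte[]]$accessRequest[20..($accessRequest.Length - 1)]
$i = 0; $seen = @{}
while ($i + 2 -le $attrBytes.Length) {
    $t = [int]$attrBytes[$i]; $l = [int]$attrBytes[$i + 1]
    if ($l -lt 2 -or $i + $l -gt $attrBytes.Length) { throw "malformed attribute at offset $i" }
    $seen[$t] = if ($l -gt 2) { [byte[]]$attrBytes[($i + 2)..($i + $l - 1)] } else { [byte[]]@() }
    $i += $l
}
$recoveredUser = [System.Text.Encoding]::ASCII.GetString($seen[1])
$recoveredPass = Unprotect-RadiusPassword $seen[2] $secret $reqAuthSeen
# IAS would check the AD account and the L2TP.User policy here; a comparison stands in for that
$code = if ($recoveredUser -eq $userName -and $recoveredPass -eq $password) { 2 } else { 3 }  # Accept / Reject
$replyAttrs = [byte[]]@()
$replyAuth  = Get-ResponseAuthenticator $code 0x2a $reqAuthSeen $replyAttrs $secret
$reply      = New-RadiusPacket $code 0x2a $replyAuth $replyAttrs

# 3. Firewall side: a reply only counts if its Response Authenticator verifies under the secret
$replyAttrsRecv = if ($reply.Length -gt 20) { [byte[]]$reply[20..($reply.Length - 1)] } else { [byte[]]@() }
$expected  = Get-ResponseAuthenticator $reply[0] $reply[1] $requestAuth $replyAttrsRecv $secret
$authentic = (($expected -join ',') -eq ($reply[4..19] -join ','))
"Access-Request {0} bytes; IAS recovered user '{1}'; reply code {2}; reply authentic: {3}" -f $accessRequest.Length, $recoveredUser, $reply[0], $authentic
```

Two things the code makes visible that the GUI hides: the password is never sent as plaintext on the wire, but anyone who captures the Access-Request and knows (or guesses) the shared secret can unhide it exactly as step 2 does, which is why that secret and the firewall-to-IAS path deserve care; and without the Response Authenticator check in step 3 an attacker on that path could inject an Access-Accept for any user.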
The Phase 2 settings, L2TP tunnel and the policy remain the same as explained earlier in this post. In the properties of the dialup connection on the XP client, make sure the logon domain is displayed. The other settings can remain the same. Enter the username, password and domain of a user account in your Active Directory that matches the IAS policy for authenticating L2TP users.
Connect, and it should work. (If not, then maybe Phase 1 of the old L2TP tunnel is still active. Remove all Phase 1 SAs using clear ike-cookie all.) You can troubleshoot the RADIUS authentication process using debug auth radius.

2009, Corelan Team (corelanc0d3r). All rights reserved.
Posted in 001_Security, Juniper, Networking, Windows Client OS, Windows Server

5 Responses to Windows XP L2TP over IPSec dialup client VPN to a Juniper ScreenOS firewall, using Certificates
Peter Van Eeckhoutte says: December 25, 2009 at 15:46 Update: check out http://www.corelan.be:8800/index.php/forum/screenos-vpn-1/windows-xp-l2tp-overipsec-dialup-client-vpn-to-a-juniper-screenos-firewall-using-certificates-problem/ for more info on how to make this work when clients are behind a NAT device (you basically have to modify oakley.dll and enable NAT traversal).
mike says: March 3, 2010 at 16:13 Hi Peter, nice blog, thanks. I have set up L2TP/IPSEC with a Juniper firewall; it's OK and everything is fine. As you know, for this solution the certificate must be installed locally on the XP. Now I want to use a certificate carrier token like Aladdin or Authenex and install the certificate on it. In this case, when I insert the token into the USB port of the XP, the certificate must be loaded and I need to start the L2TP connection from XP; if I remove the token, the certificate must be cleared from XP. As you know, when a certificate is installed on a token, when you insert the token into the USB of the computer, its certificate will be inserted into IE, but I don't know how it is possible to use this certificate in an L2TP connection. Any suggestion please? Regards, Mike
Peter Van Eeckhoutte says: March 3, 2010 at 16:19 Hi Mike, I don't have any practical experience with certificate tokens, but I think the issue here is that the certificate for L2TP/IPSec is a machine certificate, not a user certificate. So my guess is that this is not possible (unless there is a way to configure the token to insert the certificate into the local machine store). If you can do that, then it should work.
mike says: March 3, 2010 at 16:25 Hi again, hey, very fast reply, only 6 seconds difference :D How can certificates be loaded from the token into IE? Based on that, is it not possible for L2TP/IPSec? BR, Mike
Peter Van Eeckhoutte says: March 3, 2010 at 16:30 6 seconds, and I even had to approve the comment first :-) The only way I can think of making it work is if the token has an option to load the certificate into the local machine store. Normally, the certificate on a token is bound to a user (so it's added into the local user store). L2TP/IPSec uses a machine certificate, not a user certificate. I'm afraid it won't work, but then again, I don't have any experience with tokens. Perhaps you should ask the vendor if they can load a certificate into the local machine store (and remove it again when the token is removed).
Copyright Peter Van Eeckhoutte 2007 - 2013 | All Rights Reserved