mirror of
https://github.com/opnsense/docs
synced 2024-11-09 01:10:33 +00:00
==================================
IPsec: Setup Windows Remote Access
==================================

.. contents:: Index

Here you can see the configuration options for all compatible VPN types.
We assume that you are familiar with adding a new VPN connection.

The tests were done with Windows 7 and 10.

All screenshots were taken from **Network and Sharing Center->Change adapter settings**.

----------------------------
Step 1 - Install Certificate
----------------------------

Since Windows 7 also supports IKEv2, you need to install your Root Certificate Authority.
Hit the Windows Start button and type *mmc* in the search box. Go to **File->Add/Remove Snap-In**.
Choose **Certificates->Add->Computer account**.
Open **Certificates** and navigate to **Trusted Root Certificate Authorities**, right click,
**All Tasks** and import. Select the Root CA and install.

If you are using client certificates for authentication (e.g. EAP-TLS), use a PKCS12/PFX and install
it under **Personal** instead of **Trusted Root Certificate Authorities**. All included certificates
will be installed in the correct folders.

.. image:: images/ipsec-rw-w7-cert.png
   :width: 60%

---------------------------
Step 2 - Add VPN Connection
---------------------------

Add a new VPN connection via **Network and Sharing Center** and choose as **Internet Address**
the correct FQDN. This is important when using certificates, since the FQDN of your connection
and the one in the certificate have to match!
Then set a **Username** and **Password** and leave **Domain** empty.

-------------------
Step 3 - Finetuning
-------------------

Via **Network and Sharing Center** go to **Change adapter settings** and open the properties
of your newly created adapter. Check that the FQDN is correct:

.. image:: images/ipsec-rw-w7-1.png
   :width: 60%

On the **Networking** tab, in the IPv4 configuration under **Advanced**, is the option **Use default gateway on remote network**.
If this option is enabled, all traffic will be sent through the VPN (if the IPsec SA matches). When unchecked, you have
to set specific routes to be sent via the VPN.

.. image:: images/ipsec-rw-w7-2.png
   :width: 60%

----------------------------------
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
----------------------------------

.. image:: images/ipsec-rw-w7-eapmschap.png
   :width: 60%

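
The three steps above for the IKEv2 + EAP-MSCHAPv2 case, scripted with the built-in Windows PowerShell cmdlets. This is an added example, not part of the OPNsense documentation. It assumes Windows 10 (the VPN cmdlets do not exist on Windows 7) and an elevated prompt; the file path, FQDN, connection name and routed prefix are placeholders.

```powershell
# Added example, not from the OPNsense docs. All values in this block are placeholders.
$CaFile   = 'C:\Temp\opnsense-ca.crt'   # Root CA exported from the firewall
$Fqdn     = 'vpn.example.com'           # must equal the name in the server certificate
$ConnName = 'OPNsense IKEv2'
$SendAll  = $false                      # $true = "Use default gateway on remote network"
$Routes   = @('192.168.1.0/24')         # networks sent via VPN when $SendAll is $false

# Step 1: inspect the file before trusting it machine-wide.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($ca.Subject -ne $ca.Issuer -or -not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a self-signed CA certificate: $($ca.Subject)"
}
if ($ca.NotAfter -lt (Get-Date)) {
    throw "CA certificate expired on $($ca.NotAfter)"
}
Write-Host "CA subject : $($ca.Subject)"
Write-Host "Thumbprint : $($ca.Thumbprint)  (compare with the CA on the firewall)"
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 2: create the connection. With -AuthenticationMethod Eap and no EAP XML,
# Windows uses EAP-MSCHAPv2. Username and password are asked for on first connect.
$split = -not $SendAll
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Fqdn -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required -SplitTunneling:$split
}

# Step 3: with split tunneling, add the specific routes that go through the VPN.
if ($split) {
    foreach ($prefix in $Routes) {
        Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $prefix
    }
}

# Check the result: the FQDN must be the one named in the server certificate.
$conn = Get-VpnConnection -Name $ConnName
if ($conn.ServerAddress -ne $Fqdn) {
    throw "Connection points at '$($conn.ServerAddress)', expected '$Fqdn'"
}
$conn | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```

The script stops before importing anything if the file is not a self-signed CA certificate or has expired, so a leaf or intermediate certificate does not end up in the machine-wide root store by mistake.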