2018-12-24 11:49:40 +00:00
|
|
|
==================================
|
|
|
|
IPsec: Setup Windows Remote Access
|
|
|
|
==================================
|
|
|
|
|
|
|
|
.. contents:: Index
|
|
|
|
|
|
|
|
Here you can see the configuration options for all compatible VPN types.
|
|
|
|
We assume that you are familiar with adding a new VPN connection.
|
|
|
|
|
|
|
|
The tests were done with Windows 7 and 10.
|
|
|
|
|
2019-03-06 17:27:21 +00:00
|
|
|
All screenshot were taken from :menuselection:`Network and Sharing Center --> Change adapter settings`.
|
2018-12-24 11:49:40 +00:00
|
|
|
|
|
|
|
---------------------------
|
|
|
|
Step 1 - Install Certificte
|
|
|
|
---------------------------
|
|
|
|
|
|
|
|
Since Windows 7 also supports IKEv2 we need to install your Root Certificate Authority.
|
2019-03-06 17:27:21 +00:00
|
|
|
Hit the Windows Start button and type *mmc* in search box. Go to :menuselection:`File --> Add/Remove Snap-In`.
|
|
|
|
Choose :menuselection:`Certificates --> Add --> Computer account`.
|
2018-12-24 11:49:40 +00:00
|
|
|
Open **Certificate** and navigate to **Trusted Root Certificate Authorities**, right click,
|
|
|
|
**All taks** and import. Select the Root CA and install.
|
|
|
|
|
|
|
|
If you are using client certificates for authentication (e.g EAP-TLS) use a PKCS12/PFX and install
|
|
|
|
it under **Personal** instead of **Trusted Root Certificate Authorities**. All included certificates
|
|
|
|
will be installed in the correct folders.
|
|
|
|
|
|
|
|
.. image:: images/ipsec-rw-w7-cert.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
---------------------------
|
|
|
|
Step 2 - Add VPN Connection
|
|
|
|
---------------------------
|
|
|
|
|
|
|
|
Add a new VPN connection via **Network and Sharing Center** and choose as **Internet Address**
|
|
|
|
the correct FQDN. This is imporatant when using certificates since the FQDN of your connection
|
|
|
|
and the one in the certificate has to match!
|
|
|
|
Then set a **Username** and **Password** and leave **Domain** emtpy.
|
|
|
|
|
|
|
|
-------------------
|
|
|
|
Step 3 - Finetuning
|
|
|
|
-------------------
|
|
|
|
|
|
|
|
Via **Network and Sharing Center** go to **Change adapter settings** and open the properties
|
|
|
|
of your newly created adapter. Check that the FQDN is correct:
|
|
|
|
|
|
|
|
.. image:: images/ipsec-rw-w7-1.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
On tab **Networking** in IPv4 configuration under **Advanced** is the option **Use defaut gateway on remote network**.
|
|
|
|
If this option is enabled, all traffic will be sent through the VPN (if IPsec SA matches). When unchecked, you have
|
|
|
|
to set specific routes sent via VPN.
|
|
|
|
|
|
|
|
.. image:: images/ipsec-rw-w7-2.png
|
|
|
|
:width: 60%
|
|
|
|
|
|
|
|
----------------------------------
|
|
|
|
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
|
|
|
|
----------------------------------
|
|
|
|
|
|
|
|
.. image:: images/ipsec-rw-w7-eapmschap.png
|
|
|
|
:width: 60%
|
|
|
|
|