mirror of https://github.com/opnsense/docs synced 2024-11-05 06:00:36 +00:00
opensense-docs/source/manual/how-tos/ipsec-rw-w7.rst


==================================
IPsec: Setup Windows Remote Access
==================================

.. contents:: Index

Here you can see the configuration options for all compatible VPN types.
We assume that you are familiar with adding a new VPN connection.
The tests were done with Windows 7 and 10.
All screenshots were taken from :menuselection:`Network and Sharing Center --> Change adapter settings`.

----------------------------
Step 1 - Install Certificate
----------------------------
Since Windows 7 also supports IKEv2, we need to install your Root Certificate Authority.
Hit the Windows Start button and type *mmc* in the search box. Go to :menuselection:`File --> Add/Remove Snap-In`.
Choose :menuselection:`Certificates --> Add --> Computer account`.
Open **Certificates** and navigate to **Trusted Root Certification Authorities**, right-click,
choose **All Tasks** and import. Select the Root CA and install it.

If you are using client certificates for authentication (e.g. EAP-TLS), use a PKCS12/PFX file and install
it under **Personal** instead of **Trusted Root Certification Authorities**. All included certificates
will be installed in the correct folders.

.. image:: images/ipsec-rw-w7-cert.png
   :width: 60%

---------------------------
Step 2 - Add VPN Connection
---------------------------
Add a new VPN connection via **Network and Sharing Center** and enter the correct FQDN as
**Internet Address**. This is important when using certificates, since the FQDN of your connection
and the one in the certificate have to match!
Then set a **Username** and **Password** and leave **Domain** empty.

-------------------
Step 3 - Finetuning
-------------------
Via **Network and Sharing Center** go to **Change adapter settings** and open the properties
of your newly created adapter. Check that the FQDN is correct:

.. image:: images/ipsec-rw-w7-1.png
   :width: 60%

On the **Networking** tab, in the IPv4 configuration under **Advanced**, is the option **Use default gateway on remote network**.
If this option is enabled, all traffic will be sent through the VPN (if the IPsec SA matches). When it is unchecked, you have
to set specific routes for the traffic that is sent via the VPN.

.. image:: images/ipsec-rw-w7-2.png
   :width: 60%

----------------------------------
IKEv2 + EAP-MSCHAPv2 or EAP-RADIUS
----------------------------------

.. image:: images/ipsec-rw-w7-eapmschap.png
   :width: 60%
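
Steps 1 to 3 scripted in PowerShell for Windows 10, as an added example that is not part of the original guide. The cmdlets used here are not available on Windows 7, and the FQDN, file path, connection name and route are placeholders. Before trusting the file machine-wide, the script checks that it really is a self-signed CA certificate.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell on Windows 10;
# elevation is needed for the LocalMachine\Root store. All values below are placeholders.
$ErrorActionPreference = 'Stop'
$ServerFqdn  = 'vpn.example.com'          # must match the name in the server certificate
$RootCaFile  = 'C:\Temp\vpn-root-ca.crt'  # exported Root CA, public certificate only
$ConnName    = 'OPNsense IKEv2'
$SplitTunnel = $false                     # $false = "Use default gateway on remote network" enabled
$VpnRoutes   = @('192.168.1.0/24')        # only used when $SplitTunnel is $true

# Step 1: inspect the file before adding it to the trusted roots of the computer account.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCaFile)
$bc   = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority -or $cert.Subject -ne $cert.Issuer) {
    throw "$RootCaFile is not a self-signed CA certificate; refusing to trust it."
}
# Compare this thumbprint out of band with the CA you exported before continuing.
Write-Host "Root CA: $($cert.Subject)  thumbprint: $($cert.Thumbprint)"
Import-Certificate -FilePath $RootCaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 2: create the IKEv2 connection against the FQDN (not an IP address), so that
# the name Windows validates is the one contained in the server certificate.
# With no -EapConfigXmlStream, Windows applies its default EAP method; confirm on the
# adapter's Security tab that it shows EAP-MSCHAP v2. Username and password are
# requested on the first connect.
Add-VpnConnection -Name $ConnName -ServerAddress $ServerFqdn -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -SplitTunneling:$SplitTunnel

# Step 3: with split tunnelling, only the listed prefixes are routed through the VPN.
if ($SplitTunnel) {
    foreach ($prefix in $VpnRoutes) {
        Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $prefix
    }
}

# Review the result, including that ServerAddress is the intended FQDN.
Get-VpnConnection -Name $ConnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```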