Anchor Windows IPSec/L2TP VPN Setup
Anchor makes extensive use of IPSec for its VPN offerings, and Windows clients are no exception. This article describes how to set up an IPSec/L2TP VPN connection on Windows.
IPSec/L2TP vs PPTP vs ...
Why do we use IPSec/L2TP on Windows?
- IPSec is an industry-standard security protocol, and it lets us reuse the existing infrastructure that already supports it.
- Unfortunately the native Windows IPSec client handles roadwarriors (users connecting from changing IP addresses) poorly, so we use L2TP in combination with IPSec, which is the remote-access VPN type Windows supports natively.
- PPTP is a proprietary protocol and is not supported (its MPPE encryption, keyed from the MS-CHAP exchange, is also known to be weak).
- OpenVPN support may be added in future, but is not currently offered.
Setting up
These instructions are for Windows XP; later versions have similar dialogs, but the exact names and locations of the settings differ.
Requirements
- Windows XP Service Pack 2
- We will send you your X.509 client certificate (in P12 format, bundled with its private key) and the Anchor CA certificate
Configuration
Microsoft Management Console snap-ins
1. Start the Microsoft Management Console (Start -> Run -> mmc).
2. Go to File -> Add/Remove Snap-in.
3. The Add/Remove Snap-in window appears. Under the Standalone tab, click the Add... button.
4. In the snap-in selection dialog, select IP Security Policy Management and click Add.
5. In the Select Computer or Domain dialog, select Local computer and click Finish.
6. Repeat steps 4 and 5 for the Certificates snap-in. When asked which certificates to manage, choose Computer account, then Local computer. The computer store is needed because the IPSec service, not your user account, authenticates with the certificate.
7. Click Close, then OK, to return to the console.
Add Anchor certificate to your certificate store
1. Expand Certificates (Local Computer) in the console tree.
2. Right-click Personal, hover over All Tasks and select Import...
3. Click Next, then Browse to where you stored the AnchorCA_crt file that we sent you (you may need to change the file type mask to All Files (*.*)) and open that file.
4. Click Next, select Automatically select the certificate store based on the type of certificate, click Next, then Finish. The wizard places the CA certificate under Trusted Root Certification Authorities.
5. Repeat steps 2 to 4 for your P12-format certificate file; it ends up under Personal together with its private key.
- The P12-format certificate is encrypted with a passphrase. We will give you a call and give you the passphrase over the phone. While on the call, it is worth confirming the thumbprint of the Anchor CA certificate (shown on its Details tab) so that you know you are trusting the right CA.
Configuring IPSec
1. In the management console, right-click IP Security Policies on Local Computer and select Create IP Security Policy. Click Next.
2. Name: Anchor VPN; the description is optional. Click Next.
3. Uncheck Activate the default response rule and click Next. The default response rule would make this machine answer IPSec requests from any peer; it is not needed for a client-initiated tunnel.
4. Leave Edit properties ticked, click Finish, then proceed to the next section.
IPSec Policy Properties, General Tab
1. On the General tab, click Advanced under Key Exchange Settings.
2. Tick Master key perfect forward secrecy (PFS).
3. Click the Methods... button.
4. Under Key Exchange Security Methods, select every method whose encryption is DES and click Remove, leaving only the 3DES methods. Single DES has a 56-bit key and should not be used.
5. Click OK, then OK again.
IPSec Policy Properties, Rules Tab
1. Click Add...; the Security Rule Wizard appears. Click Next.
2. Select The tunnel endpoint is specified by this IP address and enter 202.4.235.107. Click Next.
3. Select All network connections and click Next.
4. For the authentication method, select Use a certificate from this certification authority (CA). Select Anchor Systems Pty Ltd CA, click OK and click Next.
5. In IP Filter List, select All IP Traffic and click Next.
6. In Filter Action, select Require Security and click Next. Unlike Request Security, this action does not fall back to unsecured communication if IPSec negotiation fails.
7. Click Finish, then OK to close the policy properties.
8. Assign the policy: right-click Anchor VPN in the console and select Assign. A policy that is not assigned has no effect, and only one policy can be assigned at a time.
L2TP
1. Open Network Connections.
2. Click Create a new connection, then Next.
3. Select Connect to the network at my workplace and click Next.
4. Select Virtual Private Network connection and click Next.
5. Under Company Name type Anchor Systems and click Next.
6. Host name or IP address: ipsec.anchor.net.au. Click Next, then Finish.
7. Open the properties of the new VPN connection.
8. On the Security tab, select Advanced (custom settings) and click the Settings button.
9. Under Allow these protocols, tick ONLY CHAP, MS-CHAP and MS-CHAP v2, then click OK. Windows warns that CHAP may be used without data encryption; that warning refers to PPP-level (MPPE) encryption, which is not needed here because the L2TP session already runs inside the IPSec tunnel, so it can be ignored.
10. On the Networking tab, choose L2TP IPSec VPN from the Type of VPN drop-down menu.
11. Select Internet Protocol (TCP/IP) in the lower window, click Properties, then Advanced.
12. Untick Use default gateway on remote network, click OK, OK again, and OK once more to close the properties. Only traffic for Anchor networks will then go through the VPN (split tunnelling); your other Internet traffic keeps using your local connection and is not protected by the VPN.
Starting the VPN
1. From the Network Connections control panel, double-click the Anchor Systems VPN connection.
2. Enter the username and password we have provided to you and click Connect.
3. After a few seconds of negotiation (IPSec first, then L2TP/PPP) the VPN comes up and you have access to your services on the Anchor network.
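The same IPSec policy and connection start can be scripted instead of clicked through. The batch file below is an added example, not part of Anchor's instructions: it uses the netsh ipsec context that ships with Windows XP SP2 and rasdial, and assumes that the CA and P12 certificates have already been imported in the MMC and that the "Anchor Systems" L2TP connection entry has already been created as above. The CA subject name in CA_DN, and the filter list, filter action and rule names, are my assumptions; use the CA name shown in the authentication method dialog.

```batch
@echo off
rem Added example: scripted equivalent of the "Configuring IPSec" and
rem "Starting the VPN" sections. Run from an Administrator command prompt
rem as:  anchor-vpn.cmd <vpn-username>
rem Assumes the Anchor CA and your P12 certificate are already imported and
rem the "Anchor Systems" L2TP connection already exists in Network Connections.

if "%~1"=="" (
    echo usage: %~nx0 vpn-username
    exit /b 1
)

rem Assumption: subject name of the Anchor CA as it appears in the
rem "Use a certificate from this certification authority" dialog.
set CA_DN=CN=Anchor Systems Pty Ltd CA
set TUNNEL_IP=202.4.235.107

rem 1. Policy: no default response rule, master key PFS, and only 3DES key
rem    exchange methods (the DES ones the GUI steps remove are never added).
netsh ipsec static add policy name="Anchor VPN" description="Anchor IPSec/L2TP" ^
    activatedefaultrule=no mmpfs=yes mmsecmethods="3DES-SHA1-2 3DES-MD5-2"

rem 2. Filter list matching all IP traffic from this host, mirrored, which is
rem    what the built-in "All IP Traffic" list does.
netsh ipsec static add filterlist name="Anchor All IP"
netsh ipsec static add filter filterlist="Anchor All IP" srcaddr=me dstaddr=any ^
    protocol=ANY mirrored=yes

rem 3. Filter action equivalent to "Require Security": negotiate IPSec and
rem    never fall back to cleartext (soft=no).
netsh ipsec static add filteraction name="Anchor Require" action=negotiate soft=no

rem 4. Rule tying it together: tunnel endpoint, all connection types,
rem    certificate authentication against the Anchor CA.
netsh ipsec static add rule name="Anchor Tunnel" policy="Anchor VPN" ^
    filterlist="Anchor All IP" filteraction="Anchor Require" ^
    tunnel=%TUNNEL_IP% conntype=all rootca="%CA_DN%"

rem 5. A policy has no effect until it is assigned (only one at a time).
netsh ipsec static set policy name="Anchor VPN" assign=yes

rem 6. Review what was configured before dialling.
netsh ipsec static show policy name="Anchor VPN" level=verbose

rem 7. Dial the L2TP connection. The "*" makes rasdial prompt for the
rem    password so it never appears on the command line or in history.
rasdial "Anchor Systems" %~1 *
if errorlevel 1 (
    echo VPN connection failed; check the rasdial error and the policy above.
    exit /b 1
)

rem 8. Show the IKE main mode security associations that were established.
netsh ipsec dynamic show mmsas
```

To undo the scripted policy, unassign it with `netsh ipsec static set policy name="Anchor VPN" assign=no` and delete it with `netsh ipsec static delete policy name="Anchor VPN"`; `rasdial "Anchor Systems" /disconnect` hangs up the L2TP session.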
