Anchor Windows IPSec/L2TP VPN Setup

Anchor makes extensive use of IPSec for its VPN offerings, and Windows is no different. This article describes the setup process.

IPSec/L2TP vs PPTP vs ...

Why do we use IPSec/L2TP on Windows?

  • IPSec is an industry-standard security protocol, so we can leverage our existing infrastructure, which already supports it.
  • Unfortunately, Windows IPSec support isn't the best for roadwarriors (users logging in from changing IP addresses), so we need to use L2TP in combination with IPSec.
  • PPTP is a proprietary protocol, and thus not supported.
  • OpenVPN support may be added in future, but is not currently supported.

Setting up

These instructions are for Windows XP, but may work similarly on later versions.

Requirements

  • Windows XP Service Pack 2
  • We will send you your x509 certificate (in P12-format) and the Anchor CA certificate

Configuration

Microsoft Management Console snap-ins

  1. Start the Microsoft Management Console (Start -> Run -> mmc).

  2. Go to File -> Add/Remove Snap-in.

  3. The Add/Remove Snap-in window will appear. Under the Standalone tab, click the Add... button.

  4. The Snap-in selection dialog will appear. Select the IP Security Policy Management snap-in and click Add.

  5. The Select Computer or Domain dialog will appear. Select Local computer and click Finish.

  6. Repeat steps 4 and 5 for the Certificates snap-in. You will want to manage certificates for the Computer account.

Add Anchor certificate to your certificate store

  1. Expand the Certificates (Local Computer) management snap-in.

  2. Right click on Personal, hover over All Tasks and select Import...

  3. Click Next, browse to where you stored the AnchorCA_crt file that we sent you (you may need to select the All Files (*.*) file type mask), and open that file.

  4. Click Next, then select Automatically select the certificate store based on the type of certificate. Click Next, then Finish.

  5. Repeat steps 2 to 5 for your P12-format certificate file.
    • The P12-format certificate is encrypted with a passphrase. We will give you a call and give you the passphrase over the phone.

Configuring IPSec

  1. Right click on IP Security Policies on Local Computer in the management console.

  2. Select Create IP Security Policy.

  3. Click Next.

  4. Set the name to Anchor VPN; the description is optional.

  5. Click Next.

  6. Uncheck Activate the default response rule.

  7. Click Next.

  8. Leaving Edit Properties ticked, click Finish, then proceed to the next section.

IPSec Policy Properties, General Tab

  1. Under Key Exchange Settings, click Advanced.

  2. Check Master key perfect forward secrecy (PFS).

  3. Click the Methods... button.

  4. In the Key Exchange Security Methods window, select the methods that use only DES and click Remove.

  5. Click OK.

  6. Click OK.

IPSec Policy Properties, Rules Tab

  1. Click Add...; the Security Rule Wizard will appear.

  2. Click Next, then select The tunnel endpoint is specified by this IP address.

  3. Enter 202.4.235.107.

  4. Click Next, then select All network connections.

  5. Click Next, then for the authentication method select Use a certificate from this certification authority (CA).

  6. Select Anchor Systems Pty Ltd CA, click OK and click Next.

  7. Select All IP Traffic in the IP Filter List and click Next.

  8. Select Require Security in Filter Action and click Next.

  9. Click Finish.

L2TP

  1. Go to Network Connections.

  2. Click on Create a new connection, and click Next.

  3. Select Connect to the network at my workplace and click Next.

  4. Select Virtual Private Network connection and click Next.

  5. In Company Name type Anchor Systems and click Next.

  6. For Host name or IP address, enter ipsec.anchor.net.au.

  7. Click Next and Finish.

  8. Open the properties of the VPN connection.

  9. In the Security tab, click Advanced and click the Settings button.

  10. Allow ONLY these protocols: CHAP, MS-CHAP, MS-CHAP v2.
    • Ignore any warnings about lack of encryption when using the CHAP protocol; the IPSec tunnel provides the encryption.

  11. Click OK.

  12. In the Networking tab, choose L2TP IPSec VPN from the Type of VPN drop-down menu.

  13. Select Internet Protocol (TCP/IP) from the bottom window and click Properties.

  14. Click Advanced.

  15. Untick Use default gateway on remote network and click OK. Click OK again.

  16. Click OK.
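On later Windows versions (Windows 8 / Server 2012 and newer, where the PKI and VpnClient PowerShell modules exist), the certificate import steps and the L2TP connection steps above can be scripted instead of clicked through. The following is an added example, not part of the original Anchor instructions; the file paths, the connection name and the mapping of the GUI choices onto cmdlet parameters are assumptions, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example: scripted equivalent of the certificate import and L2TP
# connection steps for Windows 8 / Server 2012 and later (not Windows XP).
# File paths and the connection name are assumptions; replace them with the
# files Anchor sent you.
#Requires -RunAsAdministrator

$CaCertFile     = 'C:\VPN\AnchorCA.crt'   # assumed path to the Anchor CA certificate
$ClientP12File  = 'C:\VPN\client.p12'     # assumed path to your x509 certificate (P12)
$ConnectionName = 'Anchor Systems'
$ServerAddress  = 'ipsec.anchor.net.au'

# 1. Trust the Anchor CA at machine level. This is what "automatically select
#    the certificate store" does for a CA certificate: it lands in Trusted Root.
$ca = Import-Certificate -FilePath $CaCertFile -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Import the client certificate and its private key into Local Computer\Personal.
#    The passphrase is the one Anchor gives you over the phone; prompt for it
#    instead of writing it into the script.
$p12Password = Read-Host -Prompt 'P12 passphrase' -AsSecureString
$client = Import-PfxCertificate -FilePath $ClientP12File `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $p12Password

# 3. Sanity checks before touching the VPN configuration: the client certificate
#    must carry its private key and must chain to a trusted CA.
if (-not $client.HasPrivateKey) {
    throw "Client certificate $($client.Thumbprint) has no private key; the P12 import failed."
}
if (-not $client.Verify()) {
    throw "Client certificate does not chain to a trusted CA; check the CA import."
}
Write-Host "CA:     $($ca.Subject)  $($ca.Thumbprint)"
Write-Host "Client: $($client.Subject)  expires $($client.NotAfter)"

# 4. Create the L2TP/IPsec connection (the L2TP section, steps 1-16).
#    -AuthenticationMethod Chap,MSChapv2 mirrors "allow ONLY CHAP, MS-CHAP, MS-CHAP v2"
#      (this cmdlet offers no separate MS-CHAP v1 option).
#    -EncryptionLevel Optional is the equivalent of accepting the "no encryption"
#      warning for CHAP: the IPsec tunnel encrypts the traffic, PPP encryption is not relied on.
#    -SplitTunneling mirrors unticking "Use default gateway on remote network".
#    With no -L2tpPsk given, Windows authenticates the IPsec SA with the machine certificate.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -AuthenticationMethod Chap, MSChapv2 `
    -EncryptionLevel Optional -SplitTunneling -RememberCredential -Force

# 5. Show what was configured, then dial with the username/password Anchor provided.
Get-VpnConnection -Name $ConnectionName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
rasdial $ConnectionName
```

The two checks in step 3 catch the most common silent failure of the GUI procedure: a P12 that imported as a certificate only (no private key), or a client certificate whose issuer was never placed in the Trusted Root store, both of which surface later only as an unhelpful IPsec negotiation error.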

Starting the VPN

  1. From the Network Connections control panel, double-click on the Anchor Systems VPN connection.

  2. Enter the username and password we have provided to you and click Connect.

  3. After a few seconds of connection establishment, the VPN should come up and you will have access to your services on the Anchor network.