VPN Clients Using Certificates: Difference between revisions

From help.computerisms.ca
Latest revision as of 15:53, 2 January 2024

BEFORE YOU BEGIN: you need the following items:

  • A P12 Certificate with a password
  • Whether your company firewall uses L2TP or IKEv2
  • The Hostname or IP Address of your company firewall
    • Note: if using IKEv2 you will be required to know and use the DNS name of your company firewall
  • If you are using L2TP, you need a username/password combination


  • NOTE: Actions listed in {Curly Braces} may *not* be present, depending on the existing configuration of your computer

Installing the Certificate - Windows 7/8/10

  1. Press Windows Key+R to open a run window=>Enter mmc in the only available field=>click OK
  2. In the window that opens, click File=>Add/Remove Snap-in
  3. Double-Click Certificates=>Select Computer Account and click Next=>Select Local Computer and click Finish=>Click OK
  4. In the left pane, expand Certificates=>right click Personal=>Select All tasks=>Click Import
  5. Click Next=>Click Browse=>navigate to the location of your P12 file
  6. At the bottom right of the window, use the drop down menu to select Personal Information Exchange=>Double click your P12 file
  7. Click Next=>Enter your Certificate Password=>click Next=>Select "Automatically Select ..."=>Click Next=>Click Finish
  8. Close this window=>Select No when prompted to save

Setup L2TP on Windows 7/8/10

  • NOTE: For Windows 8/10, the settings are the same, but they aren't all in the same place. Please contact Computerisms for assistance.
  1. Navigate to the Control Panel=>{Network and Internet}=>Network and Sharing Center=>Select "Set up a new connection or network"
  2. Select "Connect to a workplace"=>Next=>{Select "No, Create a new connection"}=>Select "Use my Internet connection (VPN)"
  3. In the "Internet Address" field, enter the hostname or IP address of your company firewall provided to you by your company
  4. The "Destination Name" field requires an arbitrary value that identifies what you are connecting to (i.e. put anything that identifies to you personally what you are connecting to)
    1. If you are unsure what to put in this field, use your Company's Name
  5. Select "Don't connect now, just set it up so I can connect later"
  6. Click Next=>Enter the L2TP Username provided to you=>Enter the L2TP Password provided to you
  7. In the lower-right corner of your screen by the clock, click the network icon
  8. The value you entered for "Destination Name" above will be listed here=>right click it=>Choose properties=>Select the "Security" tab
  9. Set "Type of VPN" to "Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec)"
  10. Click the button called "Advanced"=>Deselect "Verify the Name and Usage attributes for the server's certificate"=>Click OK
  11. Set "Data encryption" to "Optional encryption (connect even if no encryption)"
  12. Under "Authentication", ensure "Allow these protocols" is selected=>Ensure "Unencrypted Password (PAP)" is deselected=>Ensure "Challenge Handshake Authentication Protocol (CHAP)" is selected
    1. "Microsoft CHAP Version 2 (MSCHAP v2)" can be selected or deselected, but "Automatically use any Windows logon name and password" should not be selected
  13. Click OK
  14. In the lower-right corner of your screen by the clock, click the network icon=>Select the same connection=>Click Connect=>{Click Connect}
    1. A note on saving passwords: do not save the password unless you are the only one using this computer; instead, enter it every time you connect

Using IKEv2 on Windows 7(Legacy)

  1. Navigate to the Control Panel=>{Network and Internet}=>Network and Sharing Center=>Select "Set up a new connection or network"
  2. Select "Connect to a workplace"=>Next=>{Select "No, Create a new connection"}=>Select "Use my Internet connection (VPN)"
  3. In the "Internet Address" field, enter the DNS hostname of your company firewall provided to you by your company
    1. Note that using the IP address of the firewall will probably fail.
  4. The "Destination Name" field requires an arbitrary value that identifies what you are connecting to (i.e. put anything that identifies to you personally what you are connecting to)
    1. If you are unsure what to put in this field, use your Company's Name
  5. Select "Don't connect now, just set it up so I can connect later"
  6. Click Next=>Leave all Fields Blank and Click Create=>Click Close
  7. In the lower-right corner of your screen by the clock, click the network icon
  8. The value you entered for "Destination Name" above will be listed here=>right click it=>Choose properties=>Select the "Security" tab
    1. If you don't have a properties button, in the control panel under Network and Sharing Center, on the left side will be a "Manage Network Connections" link. In there, you will find your VPN connection. Right-click that, choose properties, and select the "Security" tab.
  9. Set "Type of VPN" to "IKEv2"
  10. Click Advanced Settings=>ensure Mobility is checked and Network outage time is set to 30 minutes=>click OK
  11. Set Data Encryption to Require Encryption
  12. Select the radio button for "Use Machine Certificates"
  13. Click OK

Using IKEv2 on Windows 10/11

  1. Navigate to the Control Panel=>{Network and Internet}=>Network and Sharing Center=>Select "Set up a new connection or network"
  2. Select "Connect to a workplace"=>Next=>{Select "No, Create a new connection"}=>Select "Use my Internet connection (VPN)"
  3. In the "Internet Address" field, enter the DNS hostname of your company firewall provided to you by your company
    1. Note that using the IP address of the firewall will probably fail.
  4. The "Destination Name" field requires an arbitrary value that identifies what you are connecting to (i.e. put anything that identifies to you personally what you are connecting to)
    1. If you are unsure what to put in this field, use your Company's Name
  5. Leave all fields default and Click Create
  6. Navigate to the Control Panel=>{Network and Internet}=>Network and Sharing Center=>Select "Change adapter settings"
    1. Right-click the VPN connection you created in step 4=>Go to Properties
    2. Under Security, change "Type of VPN" to "IKEv2", "Data encryption" to "Require Encryption" and "Authentication" to "Use Machine Certificates"
  7. Your VPN connection is ready. To connect, click the network icon in the lower-right corner of your screen by the clock, select the connection named with the "Destination Name" you entered above, and click "Connect"
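The certificate import and the IKEv2 (and, commented out, L2TP) connection setup from the Windows sections above, carried out from an elevated PowerShell prompt instead of the GUI. This is an added example, not part of the original page or Computerisms' own material; it assumes Windows 10/11 with the built-in PKI and VpnClient modules, and the file path, connection name and firewall hostname are placeholders.

```powershell
# Added example (not from the original page): the GUI steps above done from an elevated
# PowerShell prompt on Windows 10/11. Path, connection name and server are placeholders;
# use the values your company gave you.
$p12Path = 'C:\Users\Me\Downloads\client.p12'   # placeholder: your P12 file
$vpnName = 'Example Company VPN'                # the "Destination Name" from the steps above
$server  = 'vpn.example.com'                    # placeholder: DNS name of the firewall (IKEv2 needs the name, not the IP)

# --- Installing the Certificate: import into the *machine* store (Computer Account -> Personal in mmc).
# Read-Host -AsSecureString keeps the certificate password out of the command history.
$pfxPassword = Read-Host -Prompt 'Certificate password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $p12Path -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Check: "Use Machine Certificates" only works if the private key came along with the certificate.
if (-not $cert.HasPrivateKey) {
    throw "$p12Path was imported without a private key; re-export it with the key included."
}
'Imported {0} (thumbprint {1}), valid until {2}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# --- Using IKEv2 on Windows 10/11, step 6: Type of VPN = IKEv2, Data encryption = Require Encryption,
# Authentication = Use Machine Certificates. No username/password is stored for this connection.
Add-VpnConnection -Name $vpnName -ServerAddress $server -TunnelType Ikev2 `
    -EncryptionLevel Required -AuthenticationMethod MachineCertificate -Force

# --- Setup L2TP (alternative, steps 9-12): L2TP/IPsec with CHAP user credentials.
# "Optional" is the page's "connect even if no encryption" setting; the IKEv2 profile above requires encryption.
# Step 10 (deselecting "Verify the Name and Usage attributes") has no cmdlet parameter and stays a GUI step.
# Add-VpnConnection -Name "$vpnName (L2TP)" -ServerAddress $server -TunnelType L2tp `
#     -EncryptionLevel Optional -AuthenticationMethod Chap -Force

# --- Confirm the connection exists with the settings the steps call for.
Get-VpnConnection -Name $vpnName |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod

# Step 7: connect from the network icon by the clock, or from the prompt with:  rasdial $vpnName
```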

Using a Mac

  • Mac setups require the use of a mobile.config; please request assistance from us for help in getting this setup working.