VPN Clients Using Certificates
BEFORE YOU BEGIN: you need the following items:
- A P12 Certificate with a password
- If your company firewall uses L2TP or IKEv2
- The Hostname or IP Address of your company firewall
- Note: if using IKEv2 you will be required to know and use the DNS name of your company firewall
- If you are using L2TP, you need a username/password combination
- NOTE:Actions Listed in {Curly Braces} may *not* be present, depending on the existing configuration of your computer
Installing the Certificate - Windows 7/8/10
- Press Windows Key+R to open a run window=>Enter mmc in the only available field=>click OK
- In the window the opens, click file=>Add/Remove Snapin
- Double-Click Certificates=>Select Computer Account and click Next=>Select Local Computer and click Finish=>Click OK
- In the left pane, expand Certificates=>right click Personal=>Select All tasks=>Click Import
- Click Next=>Click Browse=>navigate to the location of your P12 file
- At the bottom right of the window, use the drop down menu to select Personal Information Exchange=>Double click your P12 file
- Click Next=>Enter your Certificate Password=>click Next=>Select "Automatically Select ..."=>Click Next=>Click Finish
- Close this window=>Select No when prompted to save
Setup L2TP on Windows 7/8/10
- NOTE: For windows 8/10, the settings are the same, but they aren't all in the same place. Please contact Computerisms for assistance.
- Navigate to the Control Panel=>{Network and Internet}=>Network and Sharing Center=>Select "Set up a new connection or network"
- Select "Connect to a workplace"=>Next=>{Select "No, Create a new connection"}=>Select "Use my Internet connection (VPN)"
- In the "Internet Address" field, enter the hostname or IP address of your company firewall provided to you by your company
- The "Destination Name" field requires an arbitrary value that identifies what you are connecting to (IE put anything that identifies to you personally what you are connecting to)
- If you are unsure what to put in this field, use your Company's Name
- Select "Don't connect now, just set it up so I can connect later"
- Click Next=>Enter the L2TP Username provided to you=>Enter the L2TP Password provided to you
- In the lower-right corner of your screen by the clock, click the network icon
- The value you entered for "Destination Name" above will be listed here=>right click it=>Choose properties=>Select the "Security" tab
- Set "Type of VPN" to "Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec)"
- Click the button called "Advanced"=>Deselect "Verify the Name and Usage attributes for the server's certificate"=>Click OK
- Set "Data encryption" to "Optional encryption (connect even if no encryption)"
- Under "Authentication", ensure "Allow these protocols is selected=>Ensure "Unencrypted Password (PAP) is deselected=>Ensure "Challenge Handshake Authentication Protocol (CHAP)" is selected
- "Microsoft CHAP Version 2 (MSCHAP v2)" can be selected or deselected, but "Automatically use any Windows logon name and password" should not be selected
- Click OK
- In the lower-right corner of your screen by the clock, click the network icon=>Select the same connection=>Click Connect=>{Click Connect}
- A Note on saving passwords: do not save the password unless you are the only one using this computer, instead enter it every time you connect
Using IKEv2 on Windows 7/8/10
- Navigate to the Control Panel=>{Network and Internet}=>Network and Sharing Center=>Select "Set up a new connection or network"
- Select "Connect to a workplace"=>Next=>{Select "No, Create a new connection"}=>Select "Use my Internet connection (VPN)"
- In the "Internet Address" field, enter the DNS hostname of your company firewall provided to you by your company
- Note that using the IP address of the firewall will probably fail.
- The "Destination Name" field requires an arbitrary value that identifies what you are connecting too (IE put anything that identifies to you personally what you are connecting too)
- If you are unsure what to put in this field, use your Company's Name
- Select "Don't connect now, just set it up so I can connect later"
- Click Next=>Leave all Fields Blank and Click Create=>Click Close
- In the lower-right corner of your screen by the clock, click the network icon
- The value you entered for "Destination Name" above will be listed here=>right click it=>Choose properties=>Select the "Security" tab
- Set "type of VPN" to IKEv2
- Click Advanced Settings=>ensure Mobility is checked and Network outage time is set to 30 minutes=>click OK
- Set Date Encryption to Require Encryption
- Select the radio button for "Use Machine Certificates"
- Click OK
Using a Mac
- I would generally discourage trying to get certificates working on a Mac. if it can be made to work, it is certainly a dauntingly technical task that seems to get harder with every release of the Mac OS X operating system. Value to cost ratio encourages you to use PSK instead