Windows Client Setup
Import the CA to the Client PC
- Download the following zip file extract and note the location for the next step
- https://portal.final-frontier.net/dl.php?type=d&id=47
- Locate the downloaded and extracted file on your PC (e.g. VPN.crt)
- Double click the CA file
- Click?Install Certificate...
- ?Select?Local Machine
- Click?Next
- Click?Yes?at the UAC prompt if it appears
- ?Select?Place all Certificates in the following store
- ?Click?Browse
- ?Click?Trusted Root Certification Authorities
- Click?Next
- Click?Finish
- Click?OK
- Click?OK
Setup the VPN Connection
With the certificates properly imported, now it is time to create the client VPN connection. There are several ways to add such a connection, depending on the version of Windows being used. Adapt as needed.
- Open?Network and Sharing Center?on the client PC
- Click?Set up a new connection or network
- Select?Connect to a workplace
- Click?Next
- Select?No, create a new connection
- Click?Next
- Click?Use my Internet Connection (VPN)
- ?Enter the IP address or hostname of the server into the Internet address field which is vpn.final-frontier.net
- Enter a?Destination Name?to identify the connection for example FF-VPN
- Click?Create
The connection has been added but with several undesirable defaults. For example the type defaults to automatic and it will latch onto a PPTP connection if one exists, which is very bad. So a few settings should be set by hand first:
- In Network Connection / Adapter Settings in Windows, find the connection created above
- Right click the connection
- Click?Properties
- Click the?Security?tab
- Set?Type of VPN?to?IKEv2
- Set?Data Encryption?to?Require Encryption (disconnect if server declines)
- Set?Authentication / Use Extensible Authentication Protocol?to?Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled)
- Click?OK
Disable EKU Check
In some cases it may be necessary to disable the check on Windows for a certificate's Extended Key Usage parameters. Disabling this check also disables validation of the certificate's common name and SAN fields, so it is potentially dangerous. Any certificate from the same CA could be used for the server when this is disabled, so proceed with caution.
To disable the extended key usage checks, open up?Registry Editor?on the Windows client and navigate to the following location in the client registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\
In there, add a new?DWORD?entry named?DisableIKENameEkuCheck?and set it to?1.
A reboot may be required to activate the setting.
