FireBrick Road Warrior Windows 7: Difference between revisions

← Older edit

FireBrick Road Warrior Windows 7 (view source)

Revision as of 00:00, 15 March 2017

740 bytes removed , 15 March 2017

m

clean up, typos fixed: eg → e.g. (2)

Reedy

editor

699

edits

Revision as of 09:07, 5 August 2015 (view source) AA-Andrew (talk \| contribs) m (→‎Install the certificate) ← Older edit		Latest revision as of 00:00, 15 March 2017 (view source) Reedy (talk \| contribs) m (clean up, typos fixed: eg → e.g. (2))
(15 intermediate revisions by one other user not shown)
<indicator name="RoadW">[[File:Menu-Road-Warrior.svg\|link=:Category:~~FireBrick_IPsec_Road_Warrior~~FireBrick IPsec Road Warrior\|30px\|Back up to the FireBrick Road Warrior Category Page]]</indicator> == Windows setup == The CA certificate needs to be installed on the Windows machine using an account with administrator privileges. First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to▼ ===Download the Certificate=== ~~use a browser to visit your FireBrick certificate management page, and click on the Download DER link corresponding~~ ~~to the CA certificate. Save it in a suitable location on the Windows machine. Do not attempt to execute it or~~ The CA certificate needs to be installed on the Windows machine using an account with administrator privileges. install it just yet. Note that you must download the certificate in DER format - windows machines do not▼ ~~recognize PEM format. The file will be given the <tt>.crt</tt> extension.~~ ▲First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to@ #Use a browser (ed 'Edge') to visit your FireBrick ##Go to: Config - Certificates to reach the certificate management page ##Click on the Download DER link corresponding to the CA certificate. ▲~~install~~##Save it ~~just~~in a suitable location on the Windows ~~yet~~machine. Note that you must download the certificate in DER format - windows machines do not recognize PEM format. The file will be given the <tt>.crt</tt> extension. ===Start the Windows Certificate Manager=== The Windows certificate manager should now be started up as follows: # Using a command window, or the '''Start\|Run''' box, execute the command <tt>'''mmc'''</tt> (and answer Yes when asked if you want to allow changes). # Select '''Add/Remove Snap-in''' from the File menu, choose the '''Certificates''' snap-in and add it to selected snap-ins. # A dialog will ask if you want to manage certificates for the user account, a service account or computer account. You must select <tt>'''Computer Account'''</tt> here in order to manage the system certificates. If you do not select this, or you start up the certificate manager in some other way (ege.g. using <tt>certmgr.msc</tt>, you will not be able to install the certificate system-wide, and the Windows IPsec subsystem will not find it. Click '''Next'''. # Another dialog will ask which computer to manage. Choose <tt>'''Local computer'''</tt>. Click '''Finish''' # Finally click on <tt>'''OK'''</tt> to start the certificate manger snap-in. ===Install the CA certificate=== To install the certificate: # Double-click on <tt>'''Certificates (Local Computer)'''</tt> in the left pane, to open the certificate store names~~, and then right-click on <tt>Trusted Root Certification Authorities</tt> in the centre pane.~~ #~~Select~~then right-click on <tt>'''Trusted Root Certification Authorities',''</tt> ~~click~~in ~~OK.~~the ~~(see~~centre ~~screenshot)~~pane.▼ # Select <tt>'''All Tasks'''</tt> and then <tt>'''Import...'''</tt> ~~# Click <tt>Next</tt> and browse to where you saved the CA .crt file.~~ # Click <tt>'''Next'''</tt> and ~~check~~'''browse''' ~~that~~to where you saved the ~~certificate~~CA ~~will~~.crt befile. ~~placed~~(Usually in ~~the~~your ~~trusted~~Downloads ~~root store.~~folder) #Select the .crt file and click '''Open''' # Click <tt>Next</tt> again, and then <tt>Finish</tt>.▼ # Click <tt>'''Next'''</tt> and check that the certificate will be placed in the trusted root store. ▲# Click <tt>'''Next'''</tt> again, and then <tt>'''Finish'''</tt>. #A ~~little~~ window ~~pops~~will pop up saying 'The ~~import~~Import was successful'. ~~(see~~Click ~~screenshot)~~'''OK'''▼ #You can now close the mmc console, File - Exit. No need to save. There - wasn't that easy! Thank you Microsoft. Now you need to set up the IPsec network connection details. # Go to Start - '''Control Panel''' then Network and ~~select~~Internet, then 'View network status and tasks then <tt>'''Set up a new connection or network'''</tt>. # Select <tt>Connect to a Network</tt> and choose <tt>'''Connect to a Workplace'''</tt>. # Click <tt>Next</tt>, select <tt>No, create a new connecton</tt>, <tt>Next</tt> # Choose <tt>Use my Internet connection (VPN)</tt> # Insert the server name (ege.g. <tt>server.example.com</tt>), and choose whatever you like to name the connection (Destination name). (the Server name needs to match the name in the generated certificate, this is usually a hostname rather than an IP address) # Select <tt>'''Don't connect now; ...'''</tt> # You don't need to enter User name and password as it will ask again later # Click on <tt>'''Create'''</tt> and then <tt>'''Close'''</tt> (Don't connect yet!) # Back at the Network and Sharing Center dialog, select <tt>'''Connect to a network'''</tt> # Right-click the connection you have just created in the pop-up box and select <tt>Properties</tt> # Select the <tt>Security</tt> tab, and change the Type of VPN to IKEv2. =Help= ~~=Windows 10=~~ ~~==Install the certificate==~~ ~~#Download DER format~~ ~~#Click on the file, you may get a Warning (see screenshot)~~ ~~#The 'Welcome to the Certificate Import Wizard' screen opens, select Local Machine, then Next (see screenshot)~~ ~~#You will be prompted to enter in the Administrator password of the computer, do this.~~ ~~#Select ' Place all certificates in the following store' (see screenshot)~~ ~~#Click Browse~~ ▲#Select 'Trusted Root Certification Authorities', click OK. (see screenshot) ~~#You'll now be back at the screen you were on previously, Click Next (see screenshot)~~ ~~# The 'Completing the Certificate Import Wizard' screen shows, Click Finish (see screenshot)~~ ▲#A little window pops up saying 'The import was successful' (see screenshot) ~~<gallery>~~ ~~IPsec-Win10-1-OpenCert.PNG~~ ~~IPsec-Win10-2-ReviewCert.PNG~~ ~~IPsec-Win10-3-InstallCert.PNG~~ ~~IPsec-Win10-4-InstallCert-store.PNG~~ ~~IPsec-Win10-5-InstallCert-trusted.PNG~~ ~~IPsec-Win10-6-InstallCert-finished.PNG~~ ~~IPsec-Win10-7-InstallCert-success.PNG~~ ~~IPsec-Win10-8-addVPN.PNG~~ ~~IPsec-Win10-9-settings.PNG~~ ~~IPsec-Win10-10-VPNsettings.PNG~~ ~~IPsec-Win10-11-VPNConnect.PNG~~ ~~IPsec-Win10-12-VPNConnected.PNG~~ ~~IPsec-Win10-11-VPNConnect.PNG~~ ~~</gallery>~~ ~~==Configure the VPN==~~ ~~#Click the Start/Windows icon~~ ~~#Go to Settings (see screenshot)~~ ~~#Click 'Network & Internet'~~ ~~#Click VPN (see screenshot)~~ ~~#Click 'Add a VPN connection'~~ ~~#Enter in the VPN settings eg: (see screenshot)~~ ~~#VPN Provider: Windows (built in)~~ ~~#Connection name: (What ever you like, eg Office)~~ ~~#Server name or address: The IP or host name of your FireBrick~~ ~~#VPN type: IKEv2~~ ~~#Type of sign-in info: Username and password~~ ~~#Username & Password (as set up on the FireBrick). This is optional, you can leave blank and Windows will prompt you for this information each tie you connect.~~ *Click OK ~~#Your VPN connection will not be added~~ ~~==Connect==~~ ==Error 13801: IKE authentication credentials are unacceptable== [[File:Win7-IPsec-error-ike2auth.PNG\|framed\|none\|Error 13801]] #Check that the hostname as set in the VPN settings matches the server certificate name, or: #Double check that you selected 'Computer Account' in the steps above for the installing the certificate in the Certificate Manager [[Category:~~FireBrick_IPsec_Road_Warrior~~FireBrick IPsec Road Warrior\|Windows]]