FireBrick Road Warrior Windows 7: Difference between revisions

(17 intermediate revisions by one other user not shown)

Line 1:

<indicator name="RoadW">[[File:Menu-Road-Warrior.svg|link=:Category:~~FireBrick_IPsec_Road_Warrior~~|30px|Back up to the FireBrick Road Warrior Category Page]]</indicator>

<indicator name="RoadW">[[File:Menu-Road-Warrior.svg|link=:Category:FireBrick IPsec Road Warrior|30px|Back up to the FireBrick Road Warrior Category Page]]</indicator>

== Windows setup ==

Line 7:

The CA certificate needs to be installed on the Windows machine using an account with administrator privileges.

⚫

First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to

===Download the Certificate===

use a browser to visit your FireBrick certificate management page, and click on the Download DER link corresponding

to the CA certificate. Save it in a suitable location on the Windows machine. Do not attempt to execute it or

The CA certificate needs to be installed on the Windows machine using an account with administrator privileges.

⚫

~~install~~ it ~~just~~ ~~yet~~. Note that you must download the certificate in DER format - windows machines do not

recognize PEM format. The file will be given the <tt>.crt</tt> extension.

⚫

First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to@

#Use a browser (ed 'Edge') to visit your FireBrick

##Go to: Config - Certificates to reach the certificate management page

##Click on the Download DER link corresponding to the CA certificate.

⚫

##Save it in a suitable location on the Windows machine. Note that you must download the certificate in DER format - windows machines do not recognize PEM format. The file will be given the <tt>.crt</tt> extension.

===Start the Windows Certificate Manager===

The Windows certificate manager should now be started up as follows:

# Using a command window, or the Start|Run box, execute the command <tt>mmc</tt> (and answer Yes when asked if you want to allow changes).

# Using a command window, or the '''Start|Run''' box, execute the command <tt>'''mmc'''</tt> (and answer Yes when asked if you want to allow changes).

# Select Add/Remove Snap-in from the File menu, choose the Certificates snap-in and add it to selected snap-ins.

# Select '''Add/Remove Snap-in''' from the File menu, choose the '''Certificates''' snap-in and add it to selected snap-ins.

# A dialog will ask if you want to manage certificates for the user account, a service account or computer account. You must select <tt>Computer Account</tt> here in order to manage the system certificates. If you do not select this, or you start up the certificate manager in some other way (eg using <tt>certmgr.msc</tt>, you will not be able to install the certificate system-wide, and the Windows IPsec subsystem will not find it.

# A dialog will ask if you want to manage certificates for the user account, a service account or computer account. You must select <tt>'''Computer Account'''</tt> here in order to manage the system certificates. If you do not select this, or you start up the certificate manager in some other way (e.g. using <tt>certmgr.msc</tt>, you will not be able to install the certificate system-wide, and the Windows IPsec subsystem will not find it. Click '''Next'''.

# Another dialog will ask which computer to manage. Choose <tt>Local computer</tt>.

# Another dialog will ask which computer to manage. Choose <tt>'''Local computer'''</tt>. Click '''Finish'''

# Finally click on <tt>OK</tt> to start the certificate manger snap-in.

# Finally click on <tt>'''OK'''</tt> to start the certificate manger snap-in.

===Install the CA certificate===

To install the certificate:

# Double-click on <tt>Certificates (Local Computer)</tt> in the left pane, to open the certificate store names~~, and then right-click on <tt>Trusted Root Certification Authorities</tt> in the centre pane.~~

# Double-click on <tt>'''Certificates (Local Computer)'''</tt> in the left pane, to open the certificate store names

⚫

#then right-click on <tt>'''Trusted Root Certification Authorities'''</tt> in the centre pane.

# Select <tt>All Tasks</tt> and then <tt>Import...</tt>

# Select <tt>'''All Tasks'''</tt> and then <tt>'''Import...'''</tt>

# Click <tt>Next</tt> and browse to where you saved the CA .crt file.

# Click <tt>Next</tt> and ~~check~~ ~~that~~ the ~~certificate~~ ~~will~~ be ~~placed~~ in ~~the~~ ~~trusted~~ ~~root store.~~

# Click <tt>'''Next'''</tt> and '''browse''' to where you saved the CA .crt file. (Usually in your Downloads folder)

#Select the .crt file and click '''Open'''

⚫

# Click <tt>Next</tt> again, and then <tt>Finish</tt>.

# Click <tt>'''Next'''</tt> and check that the certificate will be placed in the trusted root store.

⚫

# Click <tt>'''Next'''</tt> again, and then <tt>'''Finish'''</tt>.

⚫

#A window will pop up saying 'The Import was successful. Click '''OK'''

#You can now close the mmc console, File - Exit. No need to save.

There - wasn't that easy! Thank you Microsoft.

Line 35:

Line 44:

Now you need to set up the IPsec network connection details.

# Go to Control Panel and ~~select~~ <tt>Set up a new connection or network</tt>.

# Go to Start - '''Control Panel''' then Network and Internet, then 'View network status and tasks then <tt>'''Set up a new connection or network'''</tt>.

# Select <tt>Connect to a Network</tt> and choose <tt>Connect to a Workplace</tt>.

# Select <tt>Connect to a Network</tt> and choose <tt>'''Connect to a Workplace'''</tt>.

# Click <tt>Next</tt>, select <tt>No, create a new connecton</tt>, <tt>Next</tt>

# Choose <tt>Use my Internet connection</tt>

# Choose <tt>Use my Internet connection (VPN)</tt>

# Insert the server name (eg <tt>server.example.com</tt>), and choose whatever you like to name the connection (Destination name).

# Insert the server name (e.g. <tt>server.example.com</tt>), and choose whatever you like to name the connection (Destination name). (the Server name needs to match the name in the generated certificate, this is usually a hostname rather than an IP address)

# Select <tt>Don't connect now; ...</tt>

# Select <tt>'''Don't connect now; ...'''</tt>

# You don't need to enter User name and password as it will ask again later

# Click on <tt>Create</tt> and then <tt>Close</tt> (Don't connect yet!)

# Click on <tt>'''Create'''</tt> and then <tt>'''Close'''</tt> (Don't connect yet!)

# Back at the Network and Sharing Center dialog, select <tt>Connect to a network</tt>

# Back at the Network and Sharing Center dialog, select <tt>'''Connect to a network'''</tt>

# Right-click the connection you have just created in the pop-up box and select <tt>Properties</tt>

# Select the <tt>Security</tt> tab, and change the Type of VPN to IKEv2.

Line 56:

Line 65:

=Help=

=Windows 10=

#Download DER format

#Click on the file, you may get a Warning (see screenshot)

#The 'Welcome to the Certificate Import Wizard' screen opens, select Local Machine, then Next (see screenshot)

#You will be prompted to enter in the Administrator password of the computer, do this.

#Select ' Place all certificates in the following store' (see screenshot)

#Click Browse

⚫

#~~Select~~ 'Trusted Root Certification Authorities', ~~click~~ ~~OK.~~ ~~(see~~ ~~screenshot)~~

#You'll now be back at the screen you were on previously, Click Next (see screenshot)

# The 'Completing the Certificate Import Wizard' screen shows, Click Finish (see screenshot)

⚫

#A ~~little~~ window ~~pops~~ up saying 'The ~~import~~ was successful' ~~(see~~ ~~screenshot)~~

==Error 13801: IKE authentication credentials are unacceptable==

[[File:Win7-IPsec-error-ike2auth.PNG|framed|none|Error 13801]]

#Check that the hostname as set in the VPN settings matches the server certificate name, or:

#Double check that you selected 'Computer Account' in the steps above for the installing the certificate in the Certificate Manager

[[Category:~~FireBrick_IPsec_Road_Warrior~~|Windows]]

[[Category:FireBrick IPsec Road Warrior|Windows]]