FireBrick Road Warrior Windows 10: Difference between revisions

Back up to the FireBrick Road Warrior Category Page
From AAISP Support Site
mNo edit summary
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<indicator name="RoadW">[[File:Menu-Road-Warrior.svg|link=:Category:FireBrick_IPsec_Road_Warrior|30px|Back up to the FireBrick Road Warrior Category Page]]</indicator>
<indicator name="RoadW">[[File:Menu-Road-Warrior.svg|link=:Category:FireBrick IPsec Road Warrior|30px|Back up to the FireBrick Road Warrior Category Page]]</indicator>
== Windows 10 ==
== Windows 10 ==


Line 5: Line 5:
dialogs and messages seen may not be exactly as shown here.
dialogs and messages seen may not be exactly as shown here.


===Download the Certificate===


=Configure the VPN=
The CA certificate needs to be installed on the Windows machine using an account with administrator privileges.

First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to@
#Use a browser (ed 'Edge') to visit your FireBrick
##Go to: Config - Certificates to reach the certificate management page
##Click on the Download DER link corresponding to the CA certificate.
##Save it in a suitable location on the Windows machine. Note that you must download the certificate in DER format - windows machines do not recognize PEM format. The file will be given the <tt>.crt</tt> extension.
#If using the 'Edge' Browser, then click the Open button once the file as downloaded

==Install the certificate==
#You have downloaded the CA certifcate in DER format, and you'll have a file ending in .crt
#Double click on the file to open it, you may get a Warning (see screenshot)
#The certificate will be opened, Click install certificate
#The 'Welcome to the Certificate Import Wizard' screen opens, select '''Local Machine''', then '''Next''' (see screenshot)
#You will be prompted allow this action and maybe asked to enter in the Administrator password of the computer, do this.
#Select ''''Place all certificates in the following store'''' (see screenshot)
#Click '''Browse'''
#Select ''''Trusted Root Certification Authorities'''', click OK. (see screenshot)
#You'll now be back at the screen you were on previously, Click '''Next''' (see screenshot)
# The 'Completing the Certificate Import Wizard' screen shows, Click '''Finish''' (see screenshot)
#A little window pops up saying 'The import was successful', click '''OK''' (see screenshot)
#You can now click OK on the original ''''Certificate'''' window to close it

<gallery heights=149 mode="packed" caption="Screenshots of installing the certificate on Windows 10">
IPsec-Win10-1-OpenCert.PNG|Click on the file, you may get a Warning
IPsec-Win10-2-ReviewCert.PNG|The certificate will be opened, Click install certificate
IPsec-Win10-3-InstallCert.PNG|The 'Welcome to the Certificate Import Wizard' screen opens, select Local Machine, then Next
IPsec-Win10-4-InstallCert-store.PNG|Select ' Place all certificates in the following store', Click Browse
IPsec-Win10-5-InstallCert-trusted.PNG|Select 'Trusted Root Certification Authorities', click OK.
IPsec-Win10-6-InstallCert-finished.PNG|The 'Completing the Certificate Import Wizard' screen shows
IPsec-Win10-7-InstallCert-success.PNG|A little window pops up saying 'The import was successful'
</gallery>

==Configure the VPN==
#Click the Start/Windows icon
#Click the Start/Windows icon
#Go to Settings (see screenshot)
#Go to Settings (see screenshot)
Line 46: Line 12:
#Click VPN (see screenshot)
#Click VPN (see screenshot)
#Click 'Add a VPN connection'
#Click 'Add a VPN connection'
#Enter in the VPN settings eg: (see screenshot)
#Enter in the VPN settings e.g.: (see screenshot)
#*VPN Provider: Windows (built in)
#*VPN Provider: Windows (built in)
#*Connection name: (What ever you like, eg Office)
#*Connection name: (What ever you like, e.g. Office)
#*Server name or address: The IP or host name of your FireBrick. (the Server name needs to match the name in the generated certificate, this is usually a hostname rather than an IP address)
#*Server name or address: The IP or host name of your FireBrick. (the Server name needs to match the name in the generated certificate, this is usually a hostname rather than an IP address)
#*VPN type: IKEv2
#*VPN type: IKEv2
Line 76: Line 42:


==Windows not setting the VPN as the gatweway?==
==Windows not setting the VPN as the gatweway?==
On our Windows 10 machine, the VPN connected, but traffic was still going out via our normal network connection and not over the IPsec VPN. eg, a tracert shows traffic going via our local router and not over the VPN.
On our Windows 10 machine, the VPN connected, but traffic was still going out via our normal network connection and not over the IPsec VPN. e.g., a tracert shows traffic going via our local router and not over the VPN.


We were also unable to open the TCP/IP properties of the VPN connection. Others seem to have the problem, eg [http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/pptp-vpn-cant-open-tcpip-propities/130425bc-7997-4b50-b535-6c590805df9d here] and [https://social.technet.microsoft.com/Forums/en-US/af1cce20-ae21-4e89-bebc-11dc17becea5/no-access-to-internet-protocol-v4-or-v6-in-10049 here], but those post are about preview releases and our Windows 10 is the final release. The button isn't grayed out on our case, it just does nothing when clicked!
We were also unable to open the TCP/IP properties of the VPN connection. Others seem to have the problem, e.g. [http://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_web/pptp-vpn-cant-open-tcpip-propities/130425bc-7997-4b50-b535-6c590805df9d here] and [https://social.technet.microsoft.com/Forums/en-US/af1cce20-ae21-4e89-bebc-11dc17becea5/no-access-to-internet-protocol-v4-or-v6-in-10049 here], but those post are about preview releases and our Windows 10 is the final release. The button isn't grayed out on our case, it just does nothing when clicked!


The problem with the routing, is that the VPN connection is set up by default for 'SplitTunneling', which is not supported by the FireBrick. The way to disable SplitTunneling is via the command-line tool 'PowerShell' which is included with Windows 10, here is how:
The problem with the routing, is that the VPN connection is set up by default for 'SplitTunneling', which is not supported by the FireBrick. The way to disable SplitTunneling is via the command-line tool 'PowerShell' which is included with Windows 10, here is how:
Line 98: Line 64:


=Help=
=Help=


==Not using Lets Encrypt?==
If you using the built-in ACME system for managing a Lets Encrypt certificate then you can skip this Certificate section and jump to the sectoion below to just set up the VPN credentials.

===Download the Certificate===
'''This is not needed if you are using Lets Encrypt on the FireBrick'''

The CA certificate needs to be installed on the Windows machine using an account with administrator privileges.

First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to@
#Use a browser (e.g. 'Edge') to visit your FireBrick
##Go to: Config - Certificates to reach the certificate management page
##Click on the Download DER link corresponding to the CA certificate.
##Save it in a suitable location on the Windows machine. Note that you must download the certificate in DER format - windows machines do not recognize PEM format. The file will be given the <tt>.crt</tt> extension.
#If using the 'Edge' Browser, then click the Open button once the file as downloaded

===Install the certificate===
#You have downloaded the CA certifcate in DER format, and you'll have a file ending in .crt
#Double click on the file to open it, you may get a Warning (see screenshot)
#The certificate will be opened, Click install certificate
#The 'Welcome to the Certificate Import Wizard' screen opens, select '''Local Machine''', then '''Next''' (see screenshot)
#You will be prompted allow this action and maybe asked to enter in the Administrator password of the computer, do this.
#Select ''''Place all certificates in the following store'''' (see screenshot)
#Click '''Browse'''
#Select ''''Trusted Root Certification Authorities'''', click OK. (see screenshot)
#You'll now be back at the screen you were on previously, Click '''Next''' (see screenshot)
# The 'Completing the Certificate Import Wizard' screen shows, Click '''Finish''' (see screenshot)
#A little window pops up saying 'The import was successful', click '''OK''' (see screenshot)
#You can now click OK on the original ''''Certificate'''' window to close it

<gallery heights=149 mode="packed" caption="Screenshots of installing the certificate on Windows 10">
IPsec-Win10-1-OpenCert.PNG|Click on the file, you may get a Warning
IPsec-Win10-2-ReviewCert.PNG|The certificate will be opened, Click install certificate
IPsec-Win10-3-InstallCert.PNG|The 'Welcome to the Certificate Import Wizard' screen opens, select Local Machine, then Next
IPsec-Win10-4-InstallCert-store.PNG|Select ' Place all certificates in the following store', Click Browse
IPsec-Win10-5-InstallCert-trusted.PNG|Select 'Trusted Root Certification Authorities', click OK.
IPsec-Win10-6-InstallCert-finished.PNG|The 'Completing the Certificate Import Wizard' screen shows
IPsec-Win10-7-InstallCert-success.PNG|A little window pops up saying 'The import was successful'
</gallery>


==IKE authentication credentials are unacceptable==
==IKE authentication credentials are unacceptable==
[[File:IKE2-Win10Error-IKEAuth.PNG|none|frame|Error: IKE authentication credentials are unacceptable]]
[[File:IKE2-Win10Error-IKEAuth.PNG|none|frame|Error: IKE authentication credentials are unacceptable]]
Line 105: Line 113:
The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remove access server
The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remove access server
[[File:IKE2-Win10Error-Credentials.PNG|framed|none|The remote connection was denied...]]
[[File:IKE2-Win10Error-Credentials.PNG|framed|none|The remote connection was denied...]]
If all else looks correct then be sure the FireBrick is running software release of 1.36..009 or greater.


[[Category:FireBrick IPsec Road Warrior|Windows]]


[[Category:FireBrick_IPsec_Road_Warrior|Windows]]

Latest revision as of 13:37, 9 October 2023

Windows 10

The following instructions were tested on a Windows 10 system. Setup on other versions of Windows will be similar, but the dialogs and messages seen may not be exactly as shown here.


Configure the VPN

  1. Click the Start/Windows icon
  2. Go to Settings (see screenshot)
  3. Click 'Network & Internet'
  4. Click VPN (see screenshot)
  5. Click 'Add a VPN connection'
  6. Enter in the VPN settings e.g.: (see screenshot)
    • VPN Provider: Windows (built in)
    • Connection name: (What ever you like, e.g. Office)
    • Server name or address: The IP or host name of your FireBrick. (the Server name needs to match the name in the generated certificate, this is usually a hostname rather than an IP address)
    • VPN type: IKEv2
    • Type of sign-in info: Username and password
    • Username & Password (as set up on the FireBrick). This is optional, you can leave blank and Windows will prompt you for this information each tie you connect.
  7. Click OK
  8. Your VPN connection will now be added (see screenshot)

Connect

You should now be ready to connect - There are a few ways to connect, the easiest is to click on the Network icon near the clock, and the VPN connection should be at the top of the list. Otherwise, you can connect via:

Start/Windows icon -> Settings -> Network & Internet -> VPN

If not already saved, you'll use the username and password as set up in the EAP Identity on the FireBrick (in this example, we had set up a user of fred with a password)

You probably want to change the type of network to Work Network after the connection establishes.


Windows not setting the VPN as the gatweway?

On our Windows 10 machine, the VPN connected, but traffic was still going out via our normal network connection and not over the IPsec VPN. e.g., a tracert shows traffic going via our local router and not over the VPN.

We were also unable to open the TCP/IP properties of the VPN connection. Others seem to have the problem, e.g. here and here, but those post are about preview releases and our Windows 10 is the final release. The button isn't grayed out on our case, it just does nothing when clicked!

The problem with the routing, is that the VPN connection is set up by default for 'SplitTunneling', which is not supported by the FireBrick. The way to disable SplitTunneling is via the command-line tool 'PowerShell' which is included with Windows 10, here is how:

  1. Load PowerShell via:
    • Start/Windows button -> type: PowerShell -> Click on 'Windows PowerShell Desktop app'
  2. Type the following command to list the VPN connections:
    • Get-VpnConnection
  3. You will notice the Name of the connection as well as the 'SplitTunneling' setting being set to True.
  4. Disable SplitTunneling with the following command:
    • Set-VpnConnection -Name "[vpn name as listed in the above command]" -SplitTunneling $False

(If needed you can re-enable SplitTunneling by changing False to True)


Help

Not using Lets Encrypt?

If you using the built-in ACME system for managing a Lets Encrypt certificate then you can skip this Certificate section and jump to the sectoion below to just set up the VPN credentials.

Download the Certificate

This is not needed if you are using Lets Encrypt on the FireBrick

The CA certificate needs to be installed on the Windows machine using an account with administrator privileges.

First, download the CA certificate in DER format to the Windows machine. The easiest way to do this is to@

  1. Use a browser (e.g. 'Edge') to visit your FireBrick
    1. Go to: Config - Certificates to reach the certificate management page
    2. Click on the Download DER link corresponding to the CA certificate.
    3. Save it in a suitable location on the Windows machine. Note that you must download the certificate in DER format - windows machines do not recognize PEM format. The file will be given the .crt extension.
  2. If using the 'Edge' Browser, then click the Open button once the file as downloaded

Install the certificate

  1. You have downloaded the CA certifcate in DER format, and you'll have a file ending in .crt
  2. Double click on the file to open it, you may get a Warning (see screenshot)
  3. The certificate will be opened, Click install certificate
  4. The 'Welcome to the Certificate Import Wizard' screen opens, select Local Machine, then Next (see screenshot)
  5. You will be prompted allow this action and maybe asked to enter in the Administrator password of the computer, do this.
  6. Select 'Place all certificates in the following store' (see screenshot)
  7. Click Browse
  8. Select 'Trusted Root Certification Authorities', click OK. (see screenshot)
  9. You'll now be back at the screen you were on previously, Click Next (see screenshot)
  10. The 'Completing the Certificate Import Wizard' screen shows, Click Finish (see screenshot)
  11. A little window pops up saying 'The import was successful', click OK (see screenshot)
  12. You can now click OK on the original 'Certificate' window to close it


IKE authentication credentials are unacceptable

Error: IKE authentication credentials are unacceptable

Check that the hostname as set in the VPN settings matches the server certificate name

The remote connection was denied

The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remove access server

The remote connection was denied...

If all else looks correct then be sure the FireBrick is running software release of 1.36..009 or greater.