Add the Client VPN Connection
With the certificates properly imported, now it is time to create the client VPN connection. There are several ways to add such a connection, depending on the version of Windows being used. Adapt as needed.
- Open Network and Sharing Center on the client PC
- Click Set up a new connection or network
- Select Connect to a workplace
- Click Next
- Select No, create a new connection
- Click Next
- Click Use my Internet Connection (VPN)
- Enter the IP address or hostname of the server into the Internet address field
Note: This MUST match what is in the server certificate Common Name or a configured Subject Alternative Name!
- Enter a Destination Name to identify the connection
- Click Create
The connection has been added, but with several undesirable defaults. For example, the type defaults to Automatic, so it will latch onto a PPTP connection if one exists, which is very bad. So a few settings should be set by hand first:
- In Network Connection / Adapter Settings in Windows, find the connection created above
- Right click the connection
- Click Properties
- Click the Security tab
- Set Type of VPN to IKEv2
- Set Data Encryption to Require Encryption (disconnect if server declines)
- Set Authentication / Use Extensible Authentication Protocol to Microsoft: Smart Card or other certificate (encryption enabled)
- Click Properties
- Select Use a certificate on this computer
- Click Advanced
- Check Certificate Issuer
- Choose the imported CA Certificate (e.g. myca)
- Check Extended Key Usage
- Check Client Authentication
- Click OK
- Check Verify the server's identity by validating the certificate
- Check Connect to these servers
- Enter the AZTCO-FW hostname (same as in the CN of the server certificate!)
- Select the imported CA certificate (e.g. myca) in the Trusted Root Certificate Authorities box
- Uncheck Use a different user name for the connection
- Click OK
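The same settings can be applied from an elevated PowerShell prompt instead of clicking through the dialogs. This is an added example, not part of the AZTCO-FW documentation; the connection name, the server hostname and the CA thumbprint are placeholders to replace, and the EAP XML follows the Windows EapHostConfig structure for EAP-TLS (method type 13), which is what "Microsoft: Smart Card or other certificate" configures.

```powershell
# Added example: script the GUI steps above (IKEv2, Require Encryption, EAP-TLS with
# server validation, issuer + Client Authentication EKU filter, no different username).
$Name    = 'AZTCO-FW IKEv2'    # the Destination Name (placeholder)
$Server  = 'vpn.example.com'   # placeholder; MUST match the server certificate CN or SAN
$CaThumb = '<SHA1 thumbprint of the imported CA, e.g. myca, as space-separated hex pairs>'

$EapXml = @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <!-- "Use a certificate on this computer" -->
        <CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
        <!-- "Verify the server's identity", "Connect to these servers", trusted root CA -->
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>$Server</ServerNames>
          <TrustedRootCA>$CaThumb</TrustedRootCA>
        </ServerValidation>
        <!-- "Use a different user name for the connection" unchecked -->
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
        <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
          <!-- Advanced: "Certificate Issuer" and "Extended Key Usage / Client Authentication" -->
          <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
            <CAHashList Enabled="true"><IssuerHash>$CaThumb</IssuerHash></CAHashList>
            <ClientAuthEKUList Enabled="true" />
          </FilteringInfo>
        </TLSExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

# Type of VPN = IKEv2, Data Encryption = Require Encryption, Authentication = EAP
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -EncryptionLevel Required -AuthenticationMethod Eap `
    -EapConfigXmlStream ([xml]$EapXml) -Force

# Confirm the bad defaults (Automatic type, PPTP fallback) did not survive
$c = Get-VpnConnection -Name $Name
if ($c.TunnelType -ne 'Ikev2' -or $c.EncryptionLevel -ne 'Required') { throw "unexpected settings on $Name" }
```

If the XML is rejected on import, compare it with `(Get-VpnConnection -Name <gui-connection>).EapConfigXmlStream.InnerXml` taken from a connection configured through the dialog steps above.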