L2TP Using Ecessa VPN and Windows Client
Ecessa Configuration
On the VPN page, click the VPN Users button. A local database of username and passwords can be created on the Ecessa device or a Radius server may be queried for user authentication.
Back on the VPN page, click the Add IPSec button to create a new security association. Provide the VPN with a unique name and under the Connection Type choose L2TP.
Under the Local Information section, the WAN IP address(es) that will be used to listen for VPN connections on the Ecessa device should be added along with the LAN subnet(s) the remote VPN users should have access to written in CIDR notation.
The Remote Information section will be left blank to allow the remote users to connect from any remote IP address.
Enter in the pre-shared secret the clients must know in order to connect. The DPD Clear option should be selected to allow the deletion of connections if keep-alive testing fails.
The L2TP options include setting a unique IP subnet range to assign the VPN clients when they connect. This IP address range should not belong to any existing LAN or WAN subnets on the Ecessa device to prevent routing or ARP issues. DNS, WINS, and domain names may also be provided to VPN clients if desired.
Finally, a user authentication method should be chosen. In this example, CHAP has been chosen.
Windows 7 VPN Client Configuration
If the VPN connection has already been created but is not connecting, check the configuration settings to ensure they match the following:General Tab will include the WAN IP of the Ecessa device used for the VPN.
The Options Tab will include Display options.
Click the PPP Settings button and ensure the following settings are enabled.
The Security Tab will allow you to select the type of VPN connection. Ensure it is set for Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec):
Click the Advanced Settings button and ensure Pre-shared secret is used instead of certificate authentication:
Disable Internet Protocol Version 6 (TCP/IPv6) on the Networking tab:
When connecting to the VPN, enter the username and password as configured on the Ecessa device's VPN Users page or RADIUS server.
Windows Vista/XP Client Configuration
Windows Vista is very similar to Windows 7 with only a few interface differences which are shown below.- Note that Vista Client may require that users allow the VPN through the software firewall (especially for OneCare Firewall). XP users should not have this issue.
- Note that XP Client has the IPSec Settings in the Security tab, but is otherwise nearly identical.
2 Comments