Configuring VPN1

Applies To: Windows 7, Windows Server 2008 R2

VPN1 is a computer running Windows Server 2008 R2 that provides the following roles and services:

  • Active Directory Certificate Services, a certification authority (CA) that issues the computer certificate to a VPN server required for a remote connection with VPN Reconnect.

  • Certification Authority Web Enrollment, a service that enables the issuing of certificates through a Web browser.

  • Web Server (IIS), which is installed as a required role service for Certification Authority Web Enrollment.

  • Network Policy and Access Services, which provides support for VPN connections through NPS and RRAS.

VPN1 configuration consists of the following steps:

  • Install the operating system

  • Configure TCP/IP

  • Name the computer and join the Contoso domain

  • Install Active Directory Certificate Services and Web Server

  • Create and install the Server Authentication certificate

  • Install the Network Policy and Access Services role

  • Configure Routing and Remote Access

  • Configure the Network Policy Server (NPS) to grant access for EAP-MSCHAPv2 authentication

The following sections explain these steps in detail.

Install the operating system

VPN1 must run Windows Server 2008 R2.

To install Windows Server 2008 R2

  1. On VPN1, start the computer using the Windows Server 2008 R2 product disc.

  2. Follow the instructions that appear on your screen.

  3. When prompted to provide a password for the Administrator user account, type Pass@word1.

  4. After installation completes, the Initial Configuration Tasks window appears.

Note

If the Initial Configuration Tasks window does not appear, or if you closed it after selecting Do not show this window at logon, you can start it by clicking Start, typing oobe in the text box, and pressing ENTER.

Configure TCP/IP

Configure TCP/IP properties so that VPN1 has a static IP address of 131.107.0.2 for the public (Internet) connection and 192.168.0.2 for the private (intranet) connection.

To configure TCP/IP properties

  1. On VPN1, in the Initial Configuration Tasks window, under 1. Provide Computer Information, click Configure networking.

  2. In the Network Connections dialog box, right-click the connection for the adapter that is connected to the public (Internet) network, and then click Properties.

  3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Click Use the following IP address, and configure the following settings:

    1. In IP address, type 131.107.0.2.

    2. In Subnet mask, type 255.255.0.0.

    3. Do not configure a default gateway or DNS server on this connection.

    4. Click OK twice to return to Network Connections.

  5. Right-click the connection for the adapter that is connected to the private network, and then click Properties.

  6. Click Use the following IP address, and configure the following settings:

    1. In IP address, type 192.168.0.2.

    2. In Subnet mask, type 255.255.255.0.

    3. Do not configure a default gateway on this connection.

    4. In Preferred DNS server, type 192.168.0.1.

    5. Click OK twice to return to Network Connections.

  7. To rename the network connections, right-click a network connection, and then click Rename.

  8. Rename the network connections with the following names:

    1. On the interface connected to the public (Internet) network, type Public.

    2. On the interface connected to the private (intranet) network, type Private.

  9. Close the Network Connections window.

Use the ping command to verify network connectivity between VPN1 and DC1, and to verify that VPN1 can use DC1 for name resolution.

To use the ping command to check network connectivity

  1. On VPN1, click Start, click Run, in the Open box, type cmd, and then click OK. In the Command Prompt window, type ping -4 dc1, and then press ENTER.

  2. Verify that you can successfully ping DC1.

  3. Close the Command Prompt window.
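The same addressing, scripted and then checked. This is an added example, not part of the original guide: it uses netsh (present on Windows Server 2008 R2) to set the two adapters exactly as described above, and then reads the result back through WMI so that a stray default gateway or DNS server on the Public side is caught before RRAS is configured. It assumes the adapters have already been renamed Public and Private and that PowerShell 2.0 is running elevated.

```powershell
# Added example; the hashtable holds the values the guide prescribes.
$expected = @{
    'Public'  = @{ Address = '131.107.0.2'; Mask = '255.255.0.0';   Dns = @() }
    'Private' = @{ Address = '192.168.0.2'; Mask = '255.255.255.0'; Dns = @('192.168.0.1') }
}

function Set-Vpn1Addressing {
    param([hashtable]$Expected = $expected)
    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        # No gateway argument on either adapter: the guide deliberately sets none.
        netsh interface ipv4 set address name="$name" source=static address=$($want.Address) mask=$($want.Mask)
        if ($want.Dns.Count -eq 0) {
            # address=none clears any DNS server on the Internet-facing adapter.
            netsh interface ipv4 set dnsservers name="$name" source=static address=none validate=no
        } else {
            # register=primary keeps only the intranet address registered in DNS.
            netsh interface ipv4 set dnsservers name="$name" source=static address=$($want.Dns[0]) register=primary validate=no
        }
    }
}

function Test-Vpn1Addressing {
    # Returns a list of mismatches; an empty list means both adapters match the guide.
    param([hashtable]$Expected = $expected)
    $problems = @()
    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$name'"
        if (-not $nic) { $problems += "${name}: no adapter with that connection name"; continue }
        $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
        if (@($cfg.IPAddress) -notcontains $want.Address) {
            $problems += "${name}: expected $($want.Address), found $(@($cfg.IPAddress) -join ',')"
        }
        if ($cfg.DefaultIPGateway) {
            $problems += "${name}: default gateway $($cfg.DefaultIPGateway -join ',') must not be set"
        }
        $dns = @($cfg.DNSServerSearchOrder | Where-Object { $_ })
        if (($dns -join ',') -ne ($want.Dns -join ',')) {
            $problems += "${name}: DNS servers '$($dns -join ',')' should be '$($want.Dns -join ',')'"
        }
    }
    return ,$problems
}

function Test-Dc1Reachable {
    # Name resolution must go through DC1 on the Private adapter; ICMP confirms the path.
    param([string]$Name = 'dc1')
    try { $addrs = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) }
    catch { $addrs = @() }
    $ok = $false
    if ($addrs.Count -gt 0) { $ok = Test-Connection -ComputerName $Name -Count 2 -Quiet }
    New-Object PSObject -Property @{ Name = $Name; Resolves = ($addrs -join ','); Reachable = $ok }
}

Set-Vpn1Addressing
Test-Vpn1Addressing
Test-Dc1Reachable
```

Test-Vpn1Addressing is the part worth keeping: run it again after the RRAS wizard, which adds its own interface and can change what the adapters report.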

Name the computer and join the Contoso domain

Configure VPN1 with its name, and join it to the Contoso.com domain.

To name VPN1 and join it to the Contoso.com domain

  1. On VPN1, in the Initial Configuration Tasks window, under 1. Provide Computer Information, click Provide computer name and domain.

Note

If the Initial Configuration Tasks window is not already open, to open it, click Start, click Run, type oobe in the text box, and then click OK.

  2. In the System Properties dialog box, on the Computer Name tab, click Change.

  3. In Computer name, clear the text and type VPN1.

  4. In Member of, click Domain, type contoso, and then click OK.

  5. Enter administrator for the user name and Pass@word1 for the password.

  6. When you see a dialog box welcoming you to the contoso.com domain, click OK.

  7. When you see a dialog box telling you to restart the computer, click OK. Click Close, and then click Restart Now.

Install Active Directory Certificate Services and Web Server

To support IKEv2-enabled VPN connections, first install the Active Directory Certificate Services and Web Server (IIS) server roles to enable Web enrollment of a computer certificate.

To install the certificate services and prerequisite roles

  1. After VPN1 restarts, log on as contoso\administrator with the password Pass@word1.

  2. In the Initial Configuration Tasks window, under 3. Customize This Server, click Add roles.

Note

If the Initial Configuration Tasks window is not already open, to open it, click Start, type oobe in the text box, and then click OK.

  3. In the Add Roles Wizard dialog box, on the Before You Begin page, click Next.

  4. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next.

  5. On the Introduction to Active Directory Certificate Services page, click Next.

  6. On the Select Role Services page, select both Certification Authority and Certification Authority Web Enrollment.

  7. In the Add role services and features required for Certification Authority Web Enrollment? dialog box, click Add Required Role Services.

  8. Click Next.

  9. On the Specify Setup Type page, select Enterprise, and then click Next.

  10. On the Specify CA Type page, select Root CA, and then click Next.

  11. On the Set Up Private Key page, select Create a new private key, and then click Next.

  12. On the Configure Cryptography for CA page, click Next to accept the default cryptographic settings.

  13. On the Configure CA Name page, click Next to accept the default CA common name and suffix.

  14. On the Set Validity Period page, click Next to accept the default validity period.

  15. On the Configure Certificate Database page, click Next to accept the default locations.

  16. On the Web Server (IIS) page, click Next.

  17. On the Select Role Services page, click Next to accept the default choices.

  18. In the Confirm Installation Selections dialog box, click Install. The installation might take several minutes.

  19. In the Installation Results dialog box, click Close.

Create and install the Server Authentication certificate

The Server Authentication certificate is used by CLIENT1 to authenticate VPN1. The certificate must have the “Server Authentication” and “IP security IKE intermediate” extended key usage (EKU) options applied.

To create a certificate template with the required EKUs

  1. On VPN1, click Start, click Administrative Tools, and then click Certification Authority.

  2. In the navigation tree, expand contoso-VPN1-CA.

  3. Right-click Certificate Templates, and then click Manage. The Certificate Templates Console appears.

  4. Right-click the IPsec template in the list, and then click Duplicate Template.

  5. In the Duplicate Template dialog box, select Windows Server 2003 Enterprise, and then click OK.

  6. On the General tab, change the Template display name to VPN Reconnect.

  7. Check the Validity period. The default is 2 years. You can adjust this per your organization’s requirements.

  8. On the Request Handling tab, select Allow private key to be exported. (This guide needs it only because the certificate is requested into the user store and then exported to the machine store; a production template should leave it cleared so the VPN server's key cannot be copied off the server.)

  9. On the Subject Name tab, select Supply in the request. If a warning message appears, click OK.

  10. On the Extensions tab, select Application Policies, and then click Edit.

  11. The IP security IKE intermediate policy is already present. Keep it. If there are any others, select them and click Remove.

  12. Click Add, select Server Authentication, and then click OK.

  13. Click OK to return to the Extensions tab.

  14. Select Key Usage, and then click Edit.

  15. In the Signature section, ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.

  16. Click OK to save your completed template.

  17. Close the Certificate Templates Console window.

The certificate template has been created. It must be issued before it can be used to request a certificate.

To issue the certificate template

  1. In the Certification Authority console window, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  2. In the Enable Certificate Templates dialog box, select VPN Reconnect, and then click OK.

The template is now ready to be used for certificate requests. Before you can request one, you must configure Internet Explorer security settings to work with the certificate publishing web page.

To configure Internet Explorer to allow certificate publishing

  1. On VPN1, click Start, right-click Internet Explorer, and then click Run as administrator.

  2. Click Tools, and then click Internet Options.

  3. On the Security tab, under Select a zone to view or change security settings, click Local intranet.

  4. Change the security level for Local intranet from Medium-low to Low, and then click OK.

Note

In a real-world scenario, you should configure individual ActiveX® control settings using Custom level rather than lowering the overall security level.

Internet Explorer is now ready to be used to request and install certificates on the local computer.

To request a Server Authentication certificate using Internet Explorer

  1. On VPN1, in the Internet Explorer address bar, type https://localhost/certsrv, and then press ENTER.

  2. Under Select a Task, click Request a Certificate.

  3. Under Request a Certificate, click Advanced Certificate Request.

  4. Under Advanced Certificate Request, click Create and submit a request to this CA.

  5. On the first confirmation dialog box, click Yes to allow the ActiveX control.

  6. On the second confirmation dialog box, click Yes to allow the certificate operation.

  7. In the Certificate Template list, select VPN Reconnect.

  8. Under Identifying Information, in the Name field, type vpn1.contoso.com.

Note

The name is the certificate subject name and must be the same as the Internet address used in the IKEv2 connection settings configured later in this document.

  9. Under Key Options, select Mark keys as exportable, and then click Submit.

  10. Click Yes in each of the confirmation dialog boxes.

The server authentication certificate is created in the user personal store. It must be moved to the machine store to be used.

To move the certificate to the machine store

  1. On VPN1, click Start, type MMC, and then press ENTER.

  2. In Console1, click File, and then click Add/Remove Snap-in.

  3. Under Available snap-ins, click Certificates, and then click Add.

  4. Click Finish to accept the default setting of My user account.

  5. Click Add a second time, click Computer account, and then click Next.

  6. In the Select Computer dialog box, click Finish to accept the default setting of Local computer.

  7. Click OK to close the Add or Remove Snap-ins dialog box.

  8. In the navigation tree, expand Certificates - Current User, expand Personal, and then click Certificates.

  9. In the details pane, right-click the vpn1.contoso.com certificate, click All Tasks, and then click Export.

  10. On the Welcome page, click Next.

  11. On the Export Private Key page, click Yes, export the private key, and then click Next.

  12. On the Export File Format page, click Next to accept the default file format.

  13. On the Password page, type Pass@word1 in both text boxes, and then click Next.

  14. On the File to Export page, click Browse.

  15. Under Favorites, click Desktop

  16. In the File name text box, type vpn1cert, and then click Save to save the certificate to the desktop.

  17. Back on the File to Export page, click Next.

  18. On the Completing the Certificate Export Wizard page, click Finish to close the wizard, and then click OK in the confirmation dialog box.

  19. In the console tree pane, expand Certificates (Local Computer), and then expand Personal.

  20. Right-click Certificates, point to All Tasks, and then click Import.

  21. On the Welcome page, click Next.

  22. On the File to Import page, click Browse.

  23. Under Favorites, click Desktop.

  24. In the file type drop-down list, select Personal Information Exchange (*.pfx, *.p12).

  25. In the list of files, double-click vpn1cert.

  26. Back on the File to Import page, click Next.

  27. On the Password page, type Pass@word1, and then click Next.

  28. On the Certificate Store page, click Next to accept the Personal store location.

  29. Click Finish to close the Certificate Import Wizard, and then click OK in the confirmation dialog box.

To download the trusted root CA certificate

  1. On VPN1, in the Internet Explorer address bar, type https://localhost/certsrv, and then press ENTER.

  2. Under Select a task, click Download a CA certificate, certificate chain, or CRL.

  3. Click Yes to allow the ActiveX control, and Yes to allow the certificate operation.

  4. Click Download CA certificate.

  5. Click Save, select Desktop, type the name RootCACert, click Save, and then click Close. Later, you will copy this certificate to the CLIENT1 computer.

Important

The root certificate for the CA is already installed on VPN1, because the root certificate for a CA is installed when the computer is made a CA. If your CA is a separate computer from VPN1, then you must separately download and install the root CA certificate to VPN1.
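The browser request, the exportable key and the user-store-to-machine-store move above can be collapsed into one request issued directly into the Local Computer store with a non-exportable key. The following is an added example, not part of the original guide: it uses certreq and certutil, both present on Windows Server 2008 R2, then checks that the issued certificate carries the two EKUs, the Digital Signature key usage and a bound private key, and finally exports the root CA certificate for CLIENT1. It assumes that the template's internal name is VPNReconnect (the display name "VPN Reconnect" with the space removed, which is what the Certificate Templates Console proposes) and that the CA answers as VPN1.contoso.com\contoso-VPN1-CA. Run it elevated.

```powershell
# Added example; assumed names: template VPNReconnect, CA VPN1.contoso.com\contoso-VPN1-CA.
$work = Join-Path $env:TEMP 'vpnreconnect'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'vpn1.cer'

# Single-quoted here-string: nothing is expanded, so $Windows NT$ stays literal.
$infText = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject       = "CN=vpn1.contoso.com"   ; must equal the name CLIENT1 dials
KeyLength     = 2048
KeySpec       = 1                        ; AT_KEYEXCHANGE
KeyUsage      = 0xA0                     ; Digital Signature + Key Encipherment
MachineKeySet = TRUE                     ; Local Computer store, not the user store
Exportable    = FALSE                    ; private key never leaves VPN1
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
RequestType   = PKCS10

; On an enterprise CA the template's application policies govern; this section
; records the intent and matters only if the same .inf is sent to a stand-alone CA.
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1                  ; Server Authentication
OID = 1.3.6.1.5.5.8.2.2                  ; IP security IKE intermediate

[RequestAttributes]
CertificateTemplate = VPNReconnect
'@
Set-Content -Path $inf -Value $infText -Encoding ASCII

certreq -new $inf $req                                            # key pair created in the machine store
certreq -submit -config 'VPN1.contoso.com\contoso-VPN1-CA' $req $cer
certreq -accept $cer                                              # binds the issued cert to that key
certutil -ca.cert (Join-Path $work 'RootCACert.cer')              # root CA cert to copy to CLIENT1

function Test-VpnReconnectCert {
    # Returns a list of problems; an empty list means the certificate is usable by RRAS for IKEv2.
    param([string]$Subject = 'CN=vpn1.contoso.com')
    $requiredEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq $Subject } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return ,@("no certificate for $Subject in the Local Computer Personal store") }
    $problems = @()
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $requiredEku) { if ($ekus -notcontains $oid) { $problems += "missing EKU $oid" } }
    $kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($kuExt -and -not ($kuExt.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
        $problems += 'Key Usage lacks Digital Signature'
    }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key bound to the certificate' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired $($cert.NotAfter)" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) { $problems += 'chain does not build to a root trusted by VPN1' }
    return ,$problems
}

Test-VpnReconnectCert
```

Test-VpnReconnectCert is also the quickest way to diagnose an IKEv2 server that refuses connections after a certificate renewal: a missing IP security IKE intermediate EKU or a certificate whose key was not carried across are the two usual findings.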

Install the Network Policy and Access Services role

Install the Network Policy Server (NPS) and Routing and Remote Access (RRAS) role services so that VPN1 can function as a VPN server.

To install the NPS and RRAS service roles

  1. On VPN1, in the Initial Configuration Tasks window, under Customize This Server, click Add roles.

Note

If the Initial Configuration Tasks window is not already open, you can open it by clicking Start, typing oobe in the text box, and then clicking OK.

  2. On the Before You Begin page, click Next.

  3. On the Select Server Roles page, select Network Policy and Access Services, and then click Next.

  4. On the Network Policy and Access Services page, click Next.

  5. On the Select Role Services page, select both Network Policy Server and Routing and Remote Access Services, and then click Next.

  6. On the Confirm Installation Selections page, click Install.

  7. On the Installation Results page, click Close.

Now that the services are installed, you can configure them.

Configure Routing and Remote Access

Configure VPN1 to be a VPN server providing remote access for Internet-based VPN clients.

To configure VPN1 to be a VPN server

  1. On VPN1, click Start, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the navigation tree, right-click VPN1 (local), and then click Configure and Enable Routing and Remote Access.

  3. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.

  4. On the Configuration page, click Next to accept the default setting of Remote access (dial-up or VPN).

  5. On the Remote Access page, select VPN, and then click Next.

  6. On the VPN Connection page, under Network interfaces, select Public. This is the interface that will connect VPN1 to the Internet.

  7. Clear the option Enable security on the selected interface by setting up static packet filters, and then click Next.

Note

In a production environment, leave the static packet filters enabled so that the Public interface accepts only VPN traffic. This lab disables them so that connectivity can be tested without the filters in the way; re-enable them once the connection works.

  8. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.

  9. On the Address Range Assignment page, click New.

  10. In the New IPv4 Address Range dialog box, in Start IP address type 192.168.0.200, in End IP address type 192.168.0.210, click OK to add the range, and then click Next. (This is the set of IP addresses available to assign to VPN clients.)

  11. On the Managing Multiple Remote Access Servers page, click Next to accept the default setting of not working with a RADIUS server. In this scenario, RRAS uses Windows Authentication.

  12. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.

  13. On the warning about possible NPS policy conflicts, click OK.

  14. On the warning about the need to configure the DHCP Relay Agent, click OK.
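With the static packet filters off, it is worth seeing exactly what VPN1 now accepts on 131.107.0.2. The following is an added example, not part of the original guide: it first displays what the wizard configured (netsh ras exists on Windows Server 2008 R2), then parses netstat output and lists every TCP listener and UDP socket bound to the Public address or to all addresses, marking the two that IKEv2 actually needs. The netstat excerpt at the end is constructed so the parser can be exercised offline; on VPN1 itself, call Get-PublicListeners with no arguments. Run it elevated.

```powershell
# Added example. What RRAS was given: address pool and offered authentication types.
netsh ras ip show config     # expect the 192.168.0.200-192.168.0.210 pool
netsh ras show authtype      # EAP must be listed for EAP-MSCHAP v2 over IKEv2

function Get-PublicListeners {
    param(
        [string]$PublicIP = '131.107.0.2',
        # Defaults to live output; pass saved lines to analyse a capture offline.
        [string[]]$NetstatLines = (netstat -ano)
    )
    # VPN Reconnect (IKEv2) needs only these two reachable from the Internet.
    $needed = @('UDP/500', 'UDP/4500')
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { continue }
        if ($f[0] -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }
        if ($f[0] -eq 'TCP') { $procId = $f[4] } else { $procId = $f[3] }
        $cut  = $f[1].LastIndexOf(':')
        $addr = $f[1].Substring(0, $cut)
        $port = [int]($f[1].Substring($cut + 1))
        # A 0.0.0.0 bind is a wildcard, so it is reachable on the Public side as well.
        if ($addr -ne $PublicIP -and $addr -ne '0.0.0.0') { continue }
        $proc = Get-Process -Id ([int]$procId) -ErrorAction SilentlyContinue
        if ($proc) { $procName = $proc.ProcessName } else { $procName = '?' }
        New-Object PSObject -Property @{
            Protocol       = $f[0]
            Port           = $port
            Bind           = $addr
            PID            = [int]$procId
            Process        = $procName
            NeededForIKEv2 = ($needed -contains "$($f[0])/$port")
        }
    }
}

# Constructed netstat -ano excerpt (not captured from a real VPN1) to show the output shape.
$sample = @(
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748',
    '  TCP    131.107.0.2:445        0.0.0.0:0              LISTENING       4',
    '  TCP    192.168.0.2:49155      0.0.0.0:0              LISTENING       520',
    '  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       1104',
    '  UDP    0.0.0.0:500            *:*                                    1104',
    '  UDP    0.0.0.0:4500           *:*                                    1104',
    '  UDP    0.0.0.0:1701           *:*                                    1104'
)
Get-PublicListeners -NetstatLines $sample |
    Sort-Object NeededForIKEv2, Protocol, Port |
    Format-Table Protocol, Port, Bind, Process, NeededForIKEv2 -AutoSize
```

Everything reported with NeededForIKEv2 False is what the static packet filters would have blocked. The RRAS wizard also enables PPTP, L2TP and SSTP ports by default; for a VPN Reconnect deployment those can be reduced to zero under the server's Ports properties, and RPC, SMB and similar services should never be reachable from the Public side.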

Configure the Network Policy Server (NPS) to grant access for EAP-MSCHAPv2 authentication

Configure VPN1 by using Network Policy Server (NPS) to enable and configure the network policy required for an IKEv2-based VPN connection.

Note

You can instead install NPS on DC1 or on any other server. NPS running on Windows Server 2008 is also supported. For simplicity, this guide deploys it on VPN1.

IKEv2 supports both machine certificate and EAP-based authentication. NPS is required when using EAP-based authentication, and is not required when using machine certificate-based authentication.

To configure the NPS server

  1. On VPN1, click Start, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the Routing and Remote Access navigation tree, expand VPN1 (local).

  3. Right-click Remote Access Logging & Policies, and then click Launch NPS.

  4. In the Network Policy Server window, in the navigation tree, expand Policies, and then click Network Policies.

  5. In the details pane, double-click Connections to Microsoft Routing and Remote Access server.

  6. On the Overview tab, under Access Permission, select Grant access. Grant access if the connection request matches this policy.

  7. On the Constraints tab, in the Constraints list, select Authentication Methods.

  8. If Microsoft: Secured password (EAP-MSCHAP v2) is not present in the EAP Types list, then follow these steps:

    1. Click Add.

    2. In the Add EAP dialog box, select Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.

  9. Select Microsoft: Smart Card or other certificate, and then click Remove. With it removed, the policy offers only EAP-MSCHAP v2 to IKEv2 clients; VPN1 still authenticates itself to CLIENT1 with the Server Authentication certificate.

  10. Click OK to save your changes.

  11. Close the Network Policy Server window.
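Once the policy is saved, the Security log on VPN1 records every NPS decision: event 6272 when access is granted and 6273 when it is denied. The following is an added example, not part of the original guide. It pulls the labelled fields out of those events so the policy can be checked against real connection attempts from CLIENT1, and groups denials by reason code. The 6273 message at the end is constructed and trimmed to the fields the parser uses. The NPS audit subcategory is enabled by default on Windows Server 2008 R2; if no events appear, enable it with auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable. Run elevated so the Security log is readable.

```powershell
# Added example; reads NPS audit events 6272 (granted) and 6273 (denied).
function ConvertFrom-NpsEventMessage {
    param([int]$EventId, [string]$Message, [datetime]$Time = (Get-Date))
    # Fields are written as "Label:<tabs>value", one per line. The first match wins,
    # so Fully Qualified Account Name comes from the User section, not Client Machine.
    function Get-Field([string]$Label) {
        $m = [regex]::Match($Message, "(?m)^[ \t]*$([regex]::Escape($Label)):[ \t]*(.*?)[ \t\r]*$")
        if ($m.Success) { return $m.Groups[1].Value }
        return $null
    }
    New-Object PSObject -Property @{
        Time       = $Time
        Granted    = ($EventId -eq 6272)
        Account    = Get-Field 'Fully Qualified Account Name'
        ClientIP   = Get-Field 'Calling Station Identifier'
        Policy     = Get-Field 'Network Policy Name'
        AuthType   = Get-Field 'Authentication Type'
        EapType    = Get-Field 'EAP Type'
        ReasonCode = Get-Field 'Reason Code'
        Reason     = Get-Field 'Reason'
    }
}

function Get-NpsDecisions {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-NpsEventMessage -EventId $_.Id -Message $_.Message -Time $_.TimeCreated }
}

function Get-NpsDenialSummary {
    # Reason 66 is what a client offering an EAP type the policy no longer lists
    # produces (step 9 removed Smart Card or other certificate); 16 is a credential
    # mismatch, 48 means no network policy matched, 65 is dial-in permission denied.
    Get-NpsDecisions | Where-Object { -not $_.Granted } |
        Group-Object ReasonCode | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].Reason } }
}

# Constructed 6273 message (not a real capture), trimmed to the fields used above.
$sampleDenied = @'
Network Policy Server denied access to a user.

User:
    Security ID:            CONTOSO\user1
    Account Name:           user1
    Fully Qualified Account Name:   contoso.com/Users/user1

Client Machine:
    Account Name:           -
    Fully Qualified Account Name:   -
    Called Station Identifier:      131.107.0.2
    Calling Station Identifier:     131.107.0.10

Authentication Details:
    Network Policy Name:    Connections to Microsoft Routing and Remote Access server
    Authentication Type:    EAP
    EAP Type:               Microsoft: Smart Card or other certificate
    Reason Code:            66
    Reason:                 The user attempted to use an authentication method that is not enabled on the matching network policy.
'@
ConvertFrom-NpsEventMessage -EventId 6273 -Message $sampleDenied | Format-List Account, ClientIP, EapType, ReasonCode, Reason
```

On VPN1, Get-NpsDecisions | Where-Object { $_.Granted } should show CLIENT1's connections with EapType Microsoft: Secured password (EAP-MSCHAP v2) and Policy Connections to Microsoft Routing and Remote Access server; anything else granted means another policy is matching first.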