Connect a Windows 7/8 remote client to your intranet with a Vigor Router using L2TP
If you need to connect a remote client running Windows 7/8 to your intranet, the operating system includes some corporate options that are also easy to configure.
One of these options is to set up an L2TP connection with your intranet router, if the router supports it. All Vigor routers support this type of VPN connection, and in this article I will describe how to set it up and use it to securely access your intranet remotely.
The local IP network the remote client is on (e.g. 192.168.99.x) must be different from your intranet (e.g. 192.168.100.x); otherwise the routing will not work even if you successfully connect your remote client to your intranet. Since most private networks in hotels, cafes etc. are 192.168.1.x, any intranet network other than that will work as expected.
First you need to set up the VPN connection in your Vigor Router administration page. For our example I am using a Vigor2860 Series router, but the same setup applies to all recent Vigor routers.
You need to log in to your router and then click on the VPN and Remote Access option on your left. Then click on Remote Access Control and select all the services you want the router to handle. If you want another server to handle your VPN connections, you need to uncheck these services and set up the appropriate port forwarding. For our L2TP connections you need to check Enable L2TP VPN Service.
Then go to PPP General Setup, where you need to set up the PPP Authentication and Encryption. The default values can be used, but you will need to check and change the Assigned IP start LAN if your DHCP server is other than your router. These IPs (depending on the number of your concurrent VPN connections) need to be excluded in your DHCP server.
Next, click on IPsec General Setup. There you will need to enter the Pre-Shared Key for all VPN IKE/IPsec connections. This key is mandatory and you will need it later when you set up the connection on your remote client/computer. All other settings should remain at their defaults.
Next, click on Remote Dial-in User, where you will set up all remote access user accounts.
Click on Index number 1 and enter a Username and Password as well as the Allowed Dial-In Type. For the latter, select only L2TP with IPsec Policy and choose Must from the drop-down menu. For IKE Authentication Method select Pre-Shared Key, and for IPsec Security Method check all available options. In my router these are all greyed out and selected by default. That’s all for the router setup.
Remote client setup
For the remote client setup I will use a Windows 8.1 Pro computer, but the same setup applies to all Windows 7/8 versions.
First you need to go to Control Panel and change the view to Large Icons. From the list select Network and Sharing Center. There, select Set up a new connection or network. A wizard window will open; select the Connect to a workplace option. In the second step select No, create a new connection, and in the next step Use my Internet Connection (VPN). In the next step you need to enter your router’s internet (public) IP address or FQDN (if the IP is not static, use a dynamic DNS service provider). Enter your Office name as the destination name and check Remember my credentials so you don’t need to enter these every time you want to connect.
After your connection is created, please don’t connect immediately. Instead go back to your Network and Sharing Center and click Change adapter settings on your left. There you will find your new connection; right-click its icon to change the properties.
You need to go to the Security tab and select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) for the Type of VPN. In the Advanced Properties you will need to check Use pre-shared key for authentication and enter the key you created while setting up your VPN IKE/IPsec connections in your router. Additionally, you will need to select Require encryption (disconnect if server declines), and for Authentication select Allow these protocols and check Microsoft CHAP Version 2 (MS-CHAP v2). Next, click on the Networking tab, and for Internet Protocol Version 4 (TCP/IPv4) select Properties, then Advanced, and there uncheck the Use default gateway on remote network option. If you leave that checked, all internet traffic will be routed through your VPN connection.
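The client settings above, together with the address-range requirement stated at the start of the article, as an added PowerShell example (not part of the original article) for Windows 8/8.1, where the built-in Add-VpnConnection cmdlet is available; Windows 7 does not ship it. The server name vpn.example.com and the two helper function names are assumptions, and the intranet range is the article's example.

```powershell
# Added example. Assumed values: replace with your own.
$ServerAddress  = 'vpn.example.com'   # placeholder: router's public IP or FQDN
$IntranetSubnet = '192.168.100.0/24'  # the article's example intranet
$ConnectionName = 'Office'

function ConvertTo-IPv4Number([string]$Address) {
    # Dotted quad -> number (a double, exact for 32-bit values)
    $o = $Address.Split('.') | ForEach-Object { [double]$_ }
    $o[0] * 16777216 + $o[1] * 65536 + $o[2] * 256 + $o[3]
}

function Test-SubnetOverlap([string]$CidrA, [string]$CidrB) {
    # Two IPv4 ranges overlap when they match under the shorter prefix.
    $ipA, $lenA = $CidrA.Split('/')
    $ipB, $lenB = $CidrB.Split('/')
    $block = [math]::Pow(2, 32 - [math]::Min([int]$lenA, [int]$lenB))
    [math]::Floor((ConvertTo-IPv4Number $ipA) / $block) -eq
        [math]::Floor((ConvertTo-IPv4Number $ipB) / $block)
}

# Local IPv4 networks of this client (loopback and APIPA addresses skipped)
$clashes = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notmatch '^(127|169\.254)\.' } |
    Where-Object { Test-SubnetOverlap "$($_.IPAddress)/$($_.PrefixLength)" $IntranetSubnet }

if ($clashes) {
    $clashes | ForEach-Object {
        Write-Warning "$($_.InterfaceAlias) ($($_.IPAddress)/$($_.PrefixLength)) overlaps $IntranetSubnet"
    }
    throw 'Local network overlaps the intranet; routing over the VPN will not work.'
}

# Prompt for the key instead of storing it in the script file.
$psk = Read-Host 'Pre-Shared Key from the router IPsec General Setup'

# -EncryptionLevel Required = "Require encryption (disconnect if server declines)"
# -SplitTunneling           = "Use default gateway on remote network" unchecked
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $psk `
    -EncryptionLevel Required `
    -AuthenticationMethod MSChapv2 `
    -SplitTunneling `
    -RememberCredential -Force

# Show the stored settings so they can be compared with the router side.
Get-VpnConnection -Name $ConnectionName |
    Format-List Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod, SplitTunneling
```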
That’s it. Now you are ready to test your connection with your router and securely access your intranet.
If you have Windows 8.1 as I have, click on the network icon in your notification area and a charm will open with all network connections. Click on your remote connection and a dialog will open asking for your username and password. After you successfully log in, this information will be stored and never asked for again unless you change the password in your router’s configuration.
Verify your access to your intranet by pinging the intranet's router IP address.
In Vigor's Connection Management and in VPN Connection Status you should be able to see your connection.
Thanks for reading and as always any comments or questions are most welcome.