Connect a Windows 7/8 remote client to your intranet with a Vigor Router using L2TP


Sep 02 2015

If you need to connect a remote client running Windows 7/8 to your intranet, the O/S includes some corporate options that are also easy to configure.
One of these options is to set up an L2TP connection with your intranet router, if the router supports it. All Vigor routers support this type of VPN connection, and in this article I will describe how to set it up and use it to securely access your intranet remotely.

The local IP network the remote client is on (e.g. 192.168.99.x) must be different from your intranet network (e.g. 192.168.100.x); otherwise the routing will not work, even if the remote client connects to your intranet successfully. Since most private networks in hotels, cafes etc. are 192.168.1.x, any intranet network other than that will work as expected.
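
The overlap condition above can be checked on the remote client before connecting. This PowerShell sketch is an added example, not part of the original article; it assumes Windows 8 or later (for `Get-NetIPAddress`) and uses the article's example intranet 192.168.100.0/24 as the value to replace with your own.

```powershell
# Added example, not part of the original article. Run it on the remote client
# before dialing the VPN. Get-NetIPAddress needs Windows 8 or later.
$Intranet = '192.168.100.0/24'   # the article's example intranet; use your own

function Get-Ipv4Range {
    param([string]$Address, [int]$PrefixLength)
    [long]$value = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = $value * 256 + $b            # big-endian bytes to an integer
    }
    [long]$size  = [math]::Pow(2, 32 - $PrefixLength)
    [long]$first = $value - ($value % $size)  # network address of the range
    [pscustomobject]@{ First = $first; Last = $first + $size - 1 }
}

$net, $len = $Intranet -split '/'
$remote = Get-Ipv4Range -Address $net -PrefixLength ([int]$len)

# Keep every local IPv4 address whose network overlaps the intranet range.
$conflicts = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object {
    $mine = Get-Ipv4Range -Address $_.IPAddress -PrefixLength $_.PrefixLength
    # Two ranges overlap when each one starts before the other ends.
    $mine.First -le $remote.Last -and $remote.First -le $mine.Last
})

if ($conflicts.Count -gt 0) {
    $conflicts | ForEach-Object {
        Write-Warning ("{0} ({1}/{2}) overlaps {3}; routing to the intranet will not work from this network." -f
            $_.InterfaceAlias, $_.IPAddress, $_.PrefixLength, $Intranet)
    }
} else {
    "No local IPv4 network overlaps $Intranet."
}
```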

Router Setup

First you need to set up the VPN connection in your Vigor router's administration page. In this example I am using a Vigor2860 Series router, but the same setup applies to all recent Vigor routers.

Fig.1 - Vigor2860 Series router Dashboard.

Log in to your router and click the VPN and Remote Access option on the left. Then click Remote Access Control and select all the services you want the router to handle. If you want another server to handle your VPN connections, uncheck these services and set up the appropriate port forwarding. For our L2TP connections you need to check Enable L2TP VPN Service.

Fig.2 - Check all VPN services you want the router to support.

Then go to PPP General Setup, where you set up the PPP Authentication and Encryption. The default values can be used, but you will need to check and change the Assigned IP start LAN if your DHCP server is something other than your router. These IPs (their number depends on the number of your concurrent VPN connections) need to be excluded in your DHCP server.

Fig.3 - Select your Authentication protocol and the Assigned IP start. Be careful to exclude these IPs from your DHCP server if it is different from the router.

Next, click IPsec General Setup. There you need to enter the Pre-Shared Key for all VPN IKE/IPsec connections. This key is mandatory, and you will need it later when you set up the connection on your remote client/computer. All other settings should remain at their defaults.

Fig.4 - Enter your Pre-Shared key. This is mandatory and you need to remember it so you can use it later when you set up your remote connection.

Next, click Remote Dial-in User, where you set up all remote access user accounts. Click Index number 1 and enter a Username and Password as well as the Allowed Dial-In Type. For the latter you must select only L2TP with IPsec Policy, and from the drop-down menu select Must. For IKE Authentication Method select Pre-Shared Key, and for IPsec Security Method check all available options. On my router these are all greyed out and selected by default. That's all for the router setup.

Fig.5 - Be careful to enable the account (A), set up a username and a password (B) and enable L2TP with Must as Policy (C). The IKE Authentication Method options are checked automatically; in fact you cannot change them from the default values (D).

Remote client setup

For the remote client setup I will use a Windows 8.1 Pro computer, but the same setup applies to all Windows 7/8 versions.

First go to Control Panel and change the view to Large Icons. From the list select Network and Sharing Center, and there select Set up a new connection or network. A wizard window will open; select the Connect to a workplace option. In the second step select No, create a new connection, and in the next step Use my Internet Connection (VPN). In the next step enter your router's internet (public) IP address or FQDN (if the IP is not static, use a dynamic DNS service provider). Enter your office name as the destination name and check Remember my credentials so you don't need to enter them every time you want to connect.

Fig.6 - Open Control Panel and select Network and Sharing Center.

Fig.7 - Start the new connection wizard.

Fig.8 - Choose the Connect to a workplace option.

Fig.9 - Choose the create a new connection option.

Fig.10 - Choose my Internet connection (VPN) option.

Fig.11 - Enter your FQDN or your Vigor (intranet) static IP. If you don't have a static IP, please use the router's Dynamic DNS service to get a valid hostname.

After your connection is created, please don't connect immediately. Instead go back to Network and Sharing Center and click Change adapter settings on the left. There you will find your new connection; right-click its icon to change its properties.

Fig.12 - After you have successfully created the connection, don't connect. Use Change adapter settings to alter the connection's properties.

Go to the Security tab and select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) as the Type of VPN. In the Advanced Properties, check Use pre-shared key for authentication and enter the key you created when setting up the VPN IKE/IPsec connections on your router. Additionally, select Require encryption (disconnect if server declines), and for Authentication select Allow these protocols and check Microsoft CHAP Version 2 (MS-CHAP v2). Next, click the Networking tab, select Internet Protocol Version 4 (TCP/IPv4), click Properties, then Advanced, and uncheck the Use default gateway on remote network option. If you leave that checked, all internet traffic will be routed through your VPN connection.

Fig.13 - Right-click the connection's icon and select Properties.

Fig.14 - Click the Security tab and choose (A) L2TP as Type of VPN, (B) Advanced settings to enter the Pre-Shared key you created during the router's setup and (C) Require encryption, and select MS-CHAP v2 as the Authentication protocol.

Fig.15 - Enter your Pre-Shared key. Mandatory, if you don't enter it correctly the L2TP connection won't work.

Fig.16 - Select TCP/IPv4 to alter its properties.

Fig.17 - Click on Advanced.

Fig.18 - Mandatory: uncheck Use default gateway on remote network. If you leave it as is, all your internet traffic will be routed through the VPN.
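
The same client settings can be applied and then audited from PowerShell instead of the dialogs. This is an added example, not part of the original article; it assumes Windows 8 or later (the VPN client cmdlets are not available on Windows 7), and the connection name and server address are placeholders.

```powershell
# Added example, not from the original article. Needs Windows 8 or later.
$Name   = 'Office'             # destination name (placeholder)
$Server = 'vpn.example.com'    # router public IP or FQDN (placeholder)

# Create the connection only if it does not exist yet.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    # Prompt for the key rather than storing it in the script.
    $Psk = Read-Host 'IPsec pre-shared key (as entered on the router)'
    Add-VpnConnection -Name $Name -ServerAddress $Server `
        -TunnelType L2tp -L2tpPsk $Psk `
        -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required `
        -SplitTunneling `
        -RememberCredential -Force
}

# Audit the stored profile against the settings chosen in the steps above.
$c = Get-VpnConnection -Name $Name
$checks = [ordered]@{
    'Type of VPN is L2TP/IPsec'             = $c.TunnelType -eq 'L2tp'
    'Pre-shared key authentication'         = $c.L2tpIPsecAuth -eq 'Psk'
    'MS-CHAP v2 is the only protocol'       = @($c.AuthenticationMethod).Count -eq 1 -and
                                              $c.AuthenticationMethod -contains 'MsChapv2'
    'Encryption required'                   = $c.EncryptionLevel -eq 'Required'
    'Default gateway on remote network off' = $c.SplitTunneling -eq $true
}
foreach ($k in $checks.Keys) {
    '{0,-40} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'CHECK' })
}
```

`-SplitTunneling` corresponds to unchecking Use default gateway on remote network, and the audit part can be run on its own against a connection created through the wizard.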

That’s it, now you are ready to test your connection with your router and securely access your intranet. 

If you have Windows 8.1 as I do, click the network icon in your notification area and a charm will open with all network connections. Click your remote connection and a dialog will open asking for your username and password. After you log in successfully, this information is stored and never asked for again unless you change the password in your router's configuration.

Fig.19 - Use the Connection charm to connect to Your Office Connection. The dialog will ask for a username and password, which will be saved after your first successful login.

Verify your access to your intranet by pinging the intranet's router IP address.

Fig.20 - After successful connection ping the remote gateway (Vigor router).

In Vigor's Connection Management and in VPN Connection Status you should be able to see your connection.

Fig.21 - Login to your Vigor and verify connection status.

Thanks for reading and as always any comments or questions are most welcome. 

Best,
Spyros

Spyros Samartzis
About Spyros Samartzis
I love creating web applications using Microsoft technologies and open source platforms.
My motto is "I work and enjoy technology every day!"