Windows 7 : Troubleshooting VPN Client Connectivity

10/2/2013 1:50:20 AM

Use the following list to help you troubleshoot VPN client connectivity:

  • Verify that the VPN client connection is configured properly with the VPN server name or IP address.

  • Verify that the VPN client computer has an active Internet connection. The VPN connection can be established only when the client is connected to the Internet.

  • Verify that the proper user credentials are defined in the VPN connection.

  • Verify that the user is authorized for remote access.

  • Verify that certificates are configured properly for the VPN connection. For instance, verify that the certificate of the root CA that has issued the VPN server's computer certificate is installed in the Trusted Root Certification Authorities store on the VPN client computer. In the case of an L2TP/IPSec VPN, verify that the VPN client computer has installed a computer certificate that can be validated by the VPN server.

  • If an error message with code 741 appears and indicates that the local computer does not support encryption, verify that the encryption settings defined in the VPN connection are compatible with those defined on the server.
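The checklist above can be partly automated on the client. The following script is an added example, not part of the original tutorial: it is written for PowerShell 2.0 so it runs on Windows 7, reads the connection's phonebook entry, resolves and pings the server, and confirms that the issuing root CA is in the machine's Trusted Root store. The connection name "VPN Connection" and the CA name "nwtraders-DC1-CA" are assumptions taken from the lab practice that follows; the phonebook file paths and the VpnStrategy values are those Windows uses for its rasphone.pbk entries.

```powershell
# Added example (not from the original tutorial): pre-flight checks for a Windows 7
# VPN client entry. PowerShell 2.0 compatible. The defaults below are assumptions
# taken from the lab practice; change them for your own environment.
param(
    [string]$ConnectionName = 'VPN Connection',
    [string]$ExpectedRootCA = 'nwtraders-DC1-CA'
)

function Get-PhonebookEntry {
    # VPN entries live in INI-style rasphone.pbk files: the per-user file first,
    # then the all-users file. Returns a hashtable of the entry's key=value lines.
    param([string]$Name)
    $paths = @(
        (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
        (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $entry = $null
        foreach ($line in Get-Content $path) {
            if ($line -match '^\[(.+)\]$') {
                if ($entry) { return $entry }                    # wanted section finished
                if ($matches[1] -eq $Name) { $entry = @{ Path = $path } }
            } elseif ($entry -and $line -match '^([^=]+)=(.*)$') {
                $entry[$matches[1]] = $matches[2]
            }
        }
        if ($entry) { return $entry }
    }
    return $null
}

$entry = Get-PhonebookEntry -Name $ConnectionName
if (-not $entry) { Write-Warning "No phonebook entry named '$ConnectionName'"; return }

# Check 1: the server name or address configured in the entry.
$server = $entry['PhoneNumber']
Write-Host "Server configured in entry : $server (from $($entry['Path']))"
# VpnStrategy 7 = IKEv2 only, 8 = IKEv2 first; lower values select PPTP, L2TP or SSTP.
Write-Host "VpnStrategy                : $($entry['VpnStrategy'])"

# Check 2: the client must be able to resolve and reach the server.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($server) | ForEach-Object { $_.IPAddressToString }
    Write-Host "Resolves to                : $($addrs -join ', ')"
} catch {
    Write-Warning "Cannot resolve '$server': $($_.Exception.Message)"
}
if (Test-Connection -ComputerName $server -Count 1 -Quiet) {
    Write-Host 'ICMP reachability          : OK'
} else {
    Write-Warning "ICMP to '$server' failed; ICMP may be filtered, so also confirm Internet connectivity"
}

# Check 3: the root CA that issued the server certificate must be trusted by the machine.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$ExpectedRootCA*" } |
        Select-Object -First 1
if ($root) {
    Write-Host "Trusted root CA present    : $($root.Subject) (expires $($root.NotAfter))"
} else {
    Write-Warning "No certificate for CN=$ExpectedRootCA in Trusted Root Certification Authorities (machine store)"
}

# Check 4: an L2TP/IPsec client needs its own machine certificate; an IKEv2 client
# authenticating with EAP-MSCHAP v2 does not, so this line is informational.
$machineCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
Write-Host "Machine certs with key     : $($machineCerts.Count)"
```

The user credential and the Allow Access permission (the third and fourth items) are held in the connection's saved credentials and in Active Directory respectively, so they remain manual checks; the script covers the items that can be read from the client alone.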

PRACTICE: Creating an IKEv2 VPN Connection

In this practice, you create a simulated IKEv2 VPN connection between a client running Windows 7 and a server running Windows Server 2008 R2.

Note that the two-computer network used in this practice does not approximate the environment in which such a connection would be used in the real world. In a real-world scenario, a VPN connection would link a client on the Internet through a firewall to a VPN server, which would be a member server of the local Active Directory Domain Services (AD DS) domain. A separate server acting as a domain controller would be used to authenticate the user. Yet another server would act as the certificate server used to generate the certificates for the connection. Instead of that scenario, this practice has a single server running Windows Server 2008 R2 acting as the VPN server, domain controller, and certificate server.

In this practice, you perform the following steps:

  1. On the domain controller, you create a domain user account and assign that user account the Allow Access dial-up permission. (Exercise 1)

  2. You install Active Directory Certificate Services on the server. Using Certificate Services, you generate both a server authentication certificate to be installed on the server and a root CA certificate to be installed on the client. (Exercises 2–8)

  3. You install and configure the Network Policy and Access Services server role on the server; this step enables the server to receive and route VPN connections. (Exercises 9–11)

  4. You create and test the VPN connection on the client. (Exercises 12–13)

To prepare for this practice, name the server DC1.nwtraders.msft and the client Client1.nwtraders.msft. Configure both computers with a single network adapter and connect them to the same network. DC1 should be a domain controller in the Nwtraders.msft domain and Client1 should be a member of the same domain.

DC1 should be configured only with the following roles:

  • AD DS

  • DHCP Server

  • DNS Server

Note

REMOVE ANY OTHER ROLES

If any other roles have been installed on DC1, remove them before beginning this practice. (You can make an exception for the Active Directory Certificate Services server role. If you installed this role when the server was named DC1.nwtraders.msft, you can leave the role installed.) Note also that if you have installed the Routing and Remote Access Services role service of the Network Policy and Access Services server role, you should first disable the Routing and Remote Access service before removing this associated server role.

Finally, when removing the server roles, use the same domain administrator account that you will use during the practice exercises.

EXERCISE 1 Creating a Domain User with Network Access Permissions

In this exercise, you create a domain user account in Active Directory Users And Computers and then grant that user account the Allow Access network access permission.

  1. Log on to Nwtraders from DC1 as a domain administrator.

  2. Open the Active Directory Users And Computers console by clicking Start, clicking Administrative Tools, and then clicking Active Directory Users And Computers.

  3. In the Active Directory Users And Computers console tree, expand nwtraders.msft, right-click Users, click New, and then click User.

  4. On the first page of the New Object-User wizard, enter into the corresponding fields a first name, last name, and user logon name that you want to give a VPN user, and then click Next.

  5. On the second page of the New Object-User wizard, enter a password into the Password and Confirm Password text boxes.

  6. Clear the check box next to User Must Change Password At Next Logon, and then click Next.

  7. On the Final page of the New Object-User wizard, click Finish.

  8. In the Active Directory Users And Computers console, locate and then open the properties for the user account you just created.

  9. In the Properties dialog box, on the Dial-in tab, click Allow Access in the Network Access Permission area.

  10. Click OK to close the user Properties dialog box.

EXERCISE 2 Installing Active Directory Certificate Services and Web Server (IIS) Server Roles

Note

HAVE YOU ALREADY INSTALLED THESE SERVER ROLES?

In this exercise, you install the Certification Authority and Certification Authority Web Enrollment role services of the Active Directory Certificate Services server role. Choosing the second of these role services initiates the additional installation of the Web Server (IIS) role. Together, these role services provide the certificate infrastructure needed to support IKEv2-enabled VPN connections.

Perform the steps in this exercise while you are still logged on to DC1 as a domain administrator.

  1. In Server Manager, select the Roles node and then click Add Roles in the Roles Summary area of the details pane.

    The Add Roles Wizard opens.

  2. On the Before You Begin page, click Next.

  3. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next.

  4. On the Introduction To Active Directory Certificate Services page, read all the text on the page, and then click Next.

  5. On the Select Role Services page, select both Certification Authority and Certification Authority Web Enrollment.

  6. In the Add Role Services And Features Required For Certification Authority Web Enrollment? dialog box, click Add Required Role Services.

  7. Click Next.

  8. On the Specify Setup Type page, verify that Enterprise is selected, and then click Next.

  9. On the Specify CA Type page, verify that Root CA is selected, and then click Next.

  10. On the Set Up Private Key page, verify that Create A New Private Key is selected, and then click Next.

  11. On the Configure Cryptography For CA page, click Next to accept the default cryptographic settings.

  12. On the Configure CA Name page, click Next to accept the default CA common name and suffix.

  13. On the Set Validity Period page, click Next to accept the default validity period.

  14. On the Configure Certificate Database page, click Next to accept the default locations.

  15. On the Web Server (IIS) page, click Next.

  16. On the Select Role Services page, click Next to accept the default choices.

  17. In the Confirm Installation Selections dialog box, click Install.

    The installation might take several minutes. When the installation completes, the Installation Results page appears.

  18. On the Installation Results page, click Close.

EXERCISE 3 Creating and Issuing a Certificate Template

After you install Active Directory Certificate Services, you must use the new CA on DC1 to generate a server certificate. This server certificate will be used later to authenticate the VPN server.

No certificate template exists by default for the kind of server certificate needed to authenticate a VPN server for an IKEv2 connection. Before you can submit a request to the CA for such a certificate, then, you need to create a certificate template that includes the proper extended key usage (EKU) options: Server Authentication and IP Security IKE Intermediate.

In this exercise, you create a certificate template that will enable you to request a server certificate with the required EKU options applied. Perform the steps in this exercise while you are still logged on to DC1 as a domain administrator.

  1. Open the Certification Authority console by clicking Start, clicking Administrative Tools, and then clicking Certification Authority.

  2. In the Certification Authority console tree, expand the nwtraders-DC1-CA node.

  3. Right-click Certificate Templates, and then click Manage.

    The Certificate Templates Console appears.

  4. In the details pane, locate and right-click the IPSec template in the list, and then click Duplicate Template.

  5. In the Duplicate Template dialog box, verify that Windows Server 2003 Enterprise is selected, and then click OK. The Properties Of New Template dialog box opens.

  6. On the General tab, change the Template Display Name to IKEv2 VPN.

  7. On the Request Handling tab, select Allow Private Key To Be Exported.

  8. On the Subject Name tab, select Supply In The Request. If a message box appears, click OK to dismiss the message.

  9. On the Extensions tab, verify that Application Policies is selected, and then click Edit.

    The IP Security IKE Intermediate policy is already present in the list of application policies.

  10. Click Add, select Server Authentication, and then click OK.

  11. Click OK to return to the Extensions tab.

  12. Click OK to save your completed template.

  13. Close the Certificate Templates Console window.

  14. In the Certification Authority console tree, right-click Certificate Templates, select New, and then click Certificate Template To Issue.

  15. In the Enable Certificate Templates dialog box, select IKEv2 VPN, and then click OK.

  16. Restart DC1.

EXERCISE 4 Configuring Windows Internet Explorer to Allow Certificate Publishing

The new certificate template is now ready to be used for certificate requests. Before you can request one, however, you must configure Windows Internet Explorer security settings to work with the certificate publishing web page.

  1. Log on to DC1 as a domain administrator.

  2. Click Start, right-click Internet Explorer, and then click Run As Administrator.

  3. Click Tools, and then click Internet Options.

  4. On the Security tab, under Select A Zone To View Or Change Security Settings, click Local Intranet.

  5. In the Security Level For This Zone area, change the security level for Local Intranet from Medium-low to Low, and then click OK.

Note

CUSTOM LEVEL IS PREFERABLE

In a real-world scenario, it is preferable to adjust the individual ActiveX control settings by using Custom Level than to lower the overall security level.

EXERCISE 5 Requesting a Server Authentication Certificate by Using Internet Explorer

After you have adjusted its security settings, Internet Explorer is now ready to be used to request and install certificates on the local computer. In this exercise, you perform this action. You do this while still logged on to DC1 as a domain administrator.

  1. In the Internet Explorer address bar, type http://localhost/certsrv, and then press Enter.

  2. Under Select A Task, click Request A Certificate.

  3. Under Request A Certificate, click Advanced Certificate Request.

  4. Under Advanced Certificate Request, click Create And Submit A Request To This CA.

  5. On the first confirmation dialog box, click Yes to allow the ActiveX control.

  6. On the second confirmation dialog box, click Yes to allow the certificate operation.

  7. In the Certificate Template list, select IKEv2 VPN.

  8. Under Identifying Information, in the Name field, type DC1.nwtraders.msft.

    Note

    USE THIS SAME NAME IN THE CONNECTION SETTINGS

    The name is the certificate subject name and must be the same as the Internet address used in the IKEv2 connection settings configured in Exercise 12 in this practice.

  9. Under Key Options, verify that Mark Keys As Exportable is selected, and then click Submit.

  10. Click Yes in each of the confirmation dialog boxes.

  11. Click Install This Certificate. A message appears indicating that the certificate has been installed.

EXERCISE 6 Moving the New Certificate to the Machine Store

By default, the server authentication certificate you have just requested and installed is created in the user personal store. However, the certificate must be moved to the machine store to be used. In this exercise, you perform this step. You do this while you are still logged on to DC1 as a domain administrator.

  1. Click Start, type mmc, and then press Enter. A Microsoft Management Console (MMC) window named Console1 appears.

  2. In Console1, click File, and then click Add/Remove Snap-in.

  3. In the Add Or Remove Snap-ins window, under Available Snap-ins, click Certificates, and then click Add.

  4. In the Certificates snap-in window, click Finish to accept the default setting of My User Account.

  5. In the Add Or Remove Snap-ins window, click Add a second time, click Computer Account, and then click Next.

  6. In the Select Computer dialog box, click Finish to accept the default setting of Local Computer.

  7. Click OK to close the Add Or Remove Snap-ins dialog box.

  8. In the Console1 console tree, expand Certificates – Current User, expand Personal, and then click Certificates.

  9. In the details pane, right-click the DC1.nwtraders.msft certificate, click All Tasks, and then click Export. The Certificate Export Wizard opens.

  10. On the Welcome page, click Next.

  11. On the Export Private Key page, click Yes, Export The Private Key, and then click Next.

  12. On the Export File Format page, click Next to accept the default file format.

  13. On the Password page, type a password in both text boxes, and then click Next.

  14. On the File To Export page, click Browse.

  15. Under Favorites, click Desktop.

  16. In the File Name text box, type DC1cert, and then click Save to save the certificate to the desktop.

  17. Back on the File To Export page, click Next.

  18. On the Completing The Certificate Export Wizard page, click Finish to close the wizard, and then click OK in the confirmation dialog box.

  19. In the Console1 console tree, expand Certificates (Local Computer), and then expand Personal.

  20. Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard opens.

  21. On the Welcome page, click Next.

  22. On the File To Import page, click Browse.

  23. Under Favorites, click Desktop.

  24. In the file type drop-down list, select Personal Information Exchange (*.pfx, *.p12).

  25. In the list of files, double-click DC1cert.

  26. On the File To Import page, click Next.

  27. On the Password page, type the password you assigned to the certificate in step 13, and then click Next.

  28. On the Certificate Store page, click Next to accept the Personal store location.

  29. Click Finish to close the wizard, and then click OK in the confirmation dialog box.
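Exercises 3, 5 and 6 only succeed if the certificate that ends up in the machine Personal store has its private key, the subject name the client will dial, and both EKUs the IKEv2 VPN template was built with. The following script is an added example, not part of the original tutorial; run it on DC1 after Exercise 6. The expected subject DC1.nwtraders.msft is an assumption taken from the practice; the OIDs are the standard ones for Server Authentication (1.3.6.1.5.5.7.3.1) and IP Security IKE Intermediate (1.3.6.1.5.5.8.2.2).

```powershell
# Added example (not from the original tutorial): verify the VPN server certificate
# on DC1 after it has been moved to the machine store. PowerShell 2.0 compatible.
param([string]$ExpectedSubject = 'DC1.nwtraders.msft')   # assumption from the practice

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$IkeIntermOid  = '1.3.6.1.5.5.8.2.2'   # IP Security IKE Intermediate

function Get-CertEkuOids {
    # Collect the OIDs from the certificate's Enhanced Key Usage extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return $oids
}

function Test-IkeV2ServerCert {
    # Return a list of problems; an empty list means the certificate is usable.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = Get-CertEkuOids -Cert $Cert
    $problems = @()
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key in the machine store (was it exported with the key?)'
    }
    if ($Cert.Subject -notlike "*CN=$ExpectedSubject*") {
        $problems += "subject is '$($Cert.Subject)', expected CN=$ExpectedSubject"
    }
    if ($ekus -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }
    if ($ekus -notcontains $IkeIntermOid)  { $problems += 'missing IP Security IKE Intermediate EKU' }
    if ($Cert.NotAfter -lt (Get-Date))     { $problems += "expired on $($Cert.NotAfter)" }
    return $problems
}

$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Subject -like "*CN=$ExpectedSubject*" })
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$ExpectedSubject in Cert:\LocalMachine\My"
    # The web enrollment page installs into the user store; that is the usual cause.
    $inUser = @(Get-ChildItem Cert:\CurrentUser\My |
                Where-Object { $_.Subject -like "*CN=$ExpectedSubject*" })
    if ($inUser.Count -gt 0) {
        Write-Host "Found in Cert:\CurrentUser\My instead (thumbprint $($inUser[0].Thumbprint)); repeat Exercise 6"
    }
    return
}
foreach ($cert in $candidates) {
    $problems = @(Test-IkeV2ServerCert -Cert $cert)
    if ($problems.Count -eq 0) {
        Write-Host "OK  $($cert.Thumbprint) issued by $($cert.Issuer), valid until $($cert.NotAfter)"
    } else {
        Write-Warning "$($cert.Thumbprint): $($problems -join '; ')"
    }
}
```

A certificate that fails the subject check is the server-side counterpart of the client note in Exercise 5: the name in the certificate and the Internet address entered in Exercise 12 must match exactly.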

EXERCISE 7 Generating a Root Certificate

In this exercise, you use Internet Explorer to generate a root certificate for the local CA. This root certificate is later imported on Client1. You do this while still logged on to DC1 as a domain administrator.

  1. In the Internet Explorer address bar, type http://localhost/certsrv, and then press Enter.

  2. Under Select A Task, click Download A CA Certificate, Certificate Chain, Or CRL.

  3. Click Yes to allow the ActiveX control, and Yes again to allow the certificate operation.

  4. Click Download CA Certificate.

  5. Save the certificate to the Desktop with the name RootCACert.

EXERCISE 8 Configuring the VPN Client with the Root Certificate

This exercise is performed on Client1. In the exercise, you install the root certificate for the CA that issued the server authentication certificate. This step is required for the client computer to trust the server authentication certificate and complete the VPN connection.

  1. Log on to Nwtraders from Client1 as a domain administrator.

  2. Click Start, type mmc, and then press Enter. A Microsoft Management Console (MMC) window named Console1 appears.

  3. In the Console1 window, click File, and then click Add/Remove Snap-in.

  4. Under Available Snap-ins, select Certificates, and then click Add.

  5. In the Certificates Snap-in dialog box, select Computer Account, and then click Next.

  6. In the Select Computer dialog box, click Finish to accept the default selection of Local Computer.

  7. Click OK to close the Add/Remove Snap-ins dialog box.

  8. In the Console1 console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, click All Tasks, and then click Import. The Certificate Import Wizard opens.

  9. On the Welcome page, click Next.

  10. On the File To Import page, click Browse.

  11. In the Open window, in the address text box, type \\dc1.nwtraders.msft\c$\users\, and then press Enter.

  12. In the list of folders, double-click to open the folder whose name corresponds to the name of the domain administrator account with which you have performed the previous exercises in this practice. The folders associated with the user account appear.

  13. Double-click the Desktop folder to open it.

  14. Select RootCACert from the file list, and then click Open.

  15. With the path to the certificate now complete on the File To Import page, click Next.

  16. On the Certificate Store page, click Next to select the default value of placing the certificate in the Trusted Root Certification Authorities store.

  17. On the Completing The Certificate Import Wizard page, click Finish, and then click OK to close the message box indicating that the import was successful.

EXERCISE 9 Installing the Network Policy and Access Services Server Role

You perform this exercise on DC1 logged on as a domain administrator. In the exercise, you use the Add Roles Wizard to add the Network Policy Server and Routing And Remote Access Services role services. These two role services are features of the Network Policy and Access Services server role.

  1. Open Server Manager.

  2. In the Server Manager console tree, select the Roles node, and then click Add Roles in the Roles Summary area of the details pane. The Add Roles Wizard opens.

  3. On the Before You Begin page, click Next.

  4. On the Select Server Roles page, click Network Policy And Access Services, and then click Next.

  5. On the Network Policy And Access Services page, click Next.

  6. On the Select Role Services page, select both Network Policy Server and Routing And Remote Access Services, and then click Next.

  7. On the Confirm Installation Selections page, click Install.

  8. On the Installation Results page, click Close.

EXERCISE 10 Configuring DC1 as a VPN Server

In this exercise, you enable and configure the Routing and Remote Access service so that DC1 can receive and establish connections from VPN clients. You do this while still logged on to DC1 as a domain administrator.

  1. Open the Routing and Remote Access console by clicking Start, pointing to Administrative Tools, and then clicking Routing And Remote Access.

  2. In the Routing And Remote Access console tree, right-click DC1 (Local), and then click Configure And Enable Routing And Remote Access.

  3. On the Welcome To The Routing And Remote Access Server Setup Wizard page, click Next.

  4. On the Configuration page, click Next to accept the default setting of Remote Access (Dial-up Or VPN).

  5. On the Remote Access page, select VPN, and then click Next.

  6. On the VPN Connection page, under Network Interfaces, verify that the connection that is associated with the network shared by DC1 and Client1 is selected.

  7. Clear the option Enable Security On The Selected Interface By Setting Up Static Packet Filters, and then click Next.

    Note

    ENABLING SECURITY ON A PUBLIC INTERFACE

    In a production environment, you should leave security enabled on the public interface. For the purposes of testing connectivity in a lab environment, however, you can disable it.

  8. On the IP Address Assignment page, click Next to accept the default setting of Automatically.

  9. On the Managing Multiple Remote Access Servers page, click Next to accept the default setting of using Routing and Remote Access to authenticate connection requests.

  10. On the Completing The Routing And Remote Access Server Setup Wizard page, click Finish.

  11. On the warning about possible NPS policy conflicts, click OK.

EXERCISE 11 Configuring Network Policy Services (NPS)

In this exercise, you enable and configure the remote access policies required for an IKEv2-based VPN connection. Perform this exercise while you are still logged on to DC1 as a domain administrator.

  1. Open the Routing and Remote Access console if it is not already open.

  2. In the Routing and Remote Access console tree, expand DC1 (Local).

  3. Select and right-click Remote Access Logging & Policies, and then select Launch NPS. The Network Policy Server console opens.

  4. In the details pane, in the Network Access Policies section, click the Network Access Policies link.

  5. In the details pane, in the Network Policies area, double-click Connections To Microsoft Routing And Remote Access Server. The Connections To Microsoft Routing And Remote Access Server Properties dialog box opens.

  6. On the Overview tab, in the Access Permission section, select Grant Access. Grant Access If The Connection Request Matches This Policy.

  7. Select the Constraints tab. In the Constraints list, Authentication Methods is selected by default. In the right pane, two EAP types are listed: Microsoft: Secured Password (EAP-MSCHAP v2) and Microsoft: Smart Card Or Other Certificate. In this exercise, only the first authentication method is needed.

  8. Select Microsoft: Smart Card Or Other Certificate and click Remove to remove this EAP type.

  9. Click OK to save your changes.

  10. Close all open windows.

EXERCISE 12 Creating the VPN Connection on the VPN Client

In this exercise, you create a VPN connection on Client1 that you will use later to connect to DC1.

  1. If you have not already done so, log on to Nwtraders from Client1 as a domain administrator.

  2. Click Start, type Network and Sharing Center, and then press Enter. The Network And Sharing Center opens.

  3. Click Set Up A New Connection Or Network.

  4. Click Connect To A Workplace, and then click Next.

  5. Click Use My Internet Connection (VPN).

  6. Click I'll Set Up An Internet Connection Later.

  7. In the Internet Address text box, type DC1.nwtraders.msft. Leave VPN Connection as the destination name, and then click Next.

  8. In the User Name and Password text boxes, type the name and password of the VPN user account you created in Exercise 1.

  9. Select the Remember This Password check box.

  10. In the Domain (Optional) text box, type nwtraders.msft.

  11. Click Create, and then click Close.

EXERCISE 13 Configuring and Testing the VPN Connection

In this exercise, you verify that you can establish a VPN connection between Client1 and DC1. You do this while still logged on to Client1 as a domain administrator.

  1. In the Network and Sharing Center, click Change Adapter Settings.

  2. Double-click VPN Connection, and then click Properties.

  3. On the Security tab, in the Type Of VPN drop-down list, select IKEv2, and then click OK.

  4. In the Connect VPN Connection dialog box, click Connect. The user is authenticated, and the VPN connection is established successfully.
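The connection test in step 4 can be repeated from the command line, which is convenient when retesting after a configuration change on DC1. The following script is an added example, not part of the original tutorial: it uses rasdial, the command-line counterpart of the Connect dialog, to connect the entry, confirm it is listed as connected, show the address the PPP adapter received, and disconnect again. It assumes the entry is still named "VPN Connection" and that the password was saved in Exercise 12 (step 9), so rasdial needs no credentials; the assumption that the PPP adapter's WMI description carries the entry name matches what ipconfig /all shows for such adapters.

```powershell
# Added example (not from the original tutorial): connect, verify and disconnect the
# client entry created in Exercise 12 with rasdial. Assumes saved credentials.
param([string]$ConnectionName = 'VPN Connection')   # assumption from the practice

function Test-EntryConnected {
    # "rasdial" with no arguments lists connected entries, one per line.
    param([string]$Name)
    $listed = @(& rasdial | Where-Object { $_.Trim() -eq $Name })
    return ($listed.Count -gt 0)
}

function Get-PppAdapterAddresses {
    # The tunnel appears as an IP-enabled adapter whose description is the entry
    # name (assumption, consistent with ipconfig /all output for PPP adapters).
    param([string]$Name)
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
           Where-Object { $_.IPEnabled -and $_.Description -eq $Name }
    if ($cfg) { return @($cfg.IPAddress) } else { return @() }
}

# Connect. rasdial prints its own error text on failure, for example the code 741
# encryption mismatch listed in the troubleshooting checklist at the top of this page.
$output = & rasdial $ConnectionName 2>&1
$code = $LASTEXITCODE
$output | ForEach-Object { Write-Host "  $_" }

if ($code -ne 0) {
    Write-Warning "rasdial exited with code $code; compare the message above with the troubleshooting list"
    return
}

if (Test-EntryConnected -Name $ConnectionName) {
    Write-Host "'$ConnectionName' is connected"
    $addrs = Get-PppAdapterAddresses -Name $ConnectionName
    if ($addrs.Count -gt 0) {
        Write-Host "  tunnel address(es): $($addrs -join ', ')"
    } else {
        Write-Warning '  connected, but no IP-enabled adapter matched the entry name'
    }
    # Leave the client as it was before the test.
    & rasdial $ConnectionName /DISCONNECT | Out-Null
    Write-Host 'Disconnected'
} else {
    Write-Warning "rasdial returned 0 but '$ConnectionName' is not listed as connected"
}
```

Because the script exits before disconnecting when rasdial fails, the error text stays on screen together with the exit code, which is the pair you need when working through the checklist.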

 