Using a Certificate

This chapter describes how to configure Microsoft Windows XP/Vista/7 to use X.509 certificates for IPsec authentication. The configuration is done in two steps: importing the certificate and configuring the VPN connection in Windows.

Importing a Certificate into Microsoft Windows XP, Vista, or 7

  1. Start the management console.

    • In Windows Vista or 7, click Start, then, in the Search field, enter mmc.

      The program mmc is displayed in the Programs list.

      Click the mmc entry.

      Depending on your settings, you need to confirm with Yes or Continue. The management console opens.

    • In Windows XP, click Start > Run. Enter mmc and click OK.

  2. From the menu, select File > Add/Remove Snap-in.

  3. Click Add.

  4. Select Certificates, then click Add.

  5. Select Computer account, then click Next.

  6. Select Local computer (the computer this console is running on).

  7. Click Finish, then Close, and then OK.

  8. In the tree view on the left side, in the category Certificates (Local Computer), right-click Personal.

  9. From the context menu select All Tasks > Import.

    The Certificate Import Wizard opens.

  10. Click Next.

  11. Select Browse and select the PKCS#12 container file to import.

    You might have to select the file extension .p12 in the drop-down list for the PKCS#12 container files to be displayed.

  12. Click Next.

  13. Enter the security password.

    Enter the security password of the certificate that you used while downloading the certificate from the User Portal.

  14. Click Next.

  15. Select Automatically select the certificate store based on the type of certificate.

  16. Click Next and then Finish.

  17. Select Action > Refresh.

    Now, the newly imported certificate should be visible.

  18. Close the management console.

    If asked whether you want to save anything, you don’t need to.

  19. Move the CA certificate to the root CA folder, if necessary.
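
To check the result of steps 17 to 19 without reopening the management console, the following PowerShell function (an added example, not part of the original documentation) lists matching certificates in the Local Computer Personal store and reports whether each has a private key, is within its validity period, and chains to a CA trusted by the machine. The function name and the SubjectMatch parameter are illustrative; revocation checking is switched off on the assumption that the client cannot reach revocation endpoints before the VPN is up.

```powershell
# Added example: verify the imported certificate. Run in an elevated
# PowerShell session on the client (works with PowerShell 2.0 and later).
function Test-MachineCertificate {
    param(
        # Illustrative parameter: text to look for in the certificate subject.
        [Parameter(Mandatory = $true)][string]$SubjectMatch
    )

    $ns = 'System.Security.Cryptography.X509Certificates'
    # 'My' is the store shown as "Personal" under Certificates (Local Computer).
    $store = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            if ($cert.Subject -notlike "*$SubjectMatch*") { continue }

            # Build the chain in machine context so that only the machine's
            # trust stores count, not the current user's.
            $chain = New-Object "$ns.X509Chain" -ArgumentList $true
            # Assumption: no revocation check, the client may be offline.
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($cert)
            $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })

            New-Object PSObject -Property @{
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                # False means the PKCS#12 import did not bring the key along.
                HasPrivateKey = $cert.HasPrivateKey
                InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
                NotAfter      = $cert.NotAfter
                # UntrustedRoot or PartialChain here points at step 19:
                # the CA certificate is not in the trusted root store.
                ChainTrusted  = $chainOk
                ChainStatus   = ($status -join ', ')
            } | Select-Object Subject, Issuer, Thumbprint, HasPrivateKey,
                              InValidity, NotAfter, ChainTrusted, ChainStatus
        }
    }
    finally {
        $store.Close()
    }
}

# Constructed usage example; replace 'jdoe' with part of your certificate subject:
# Test-MachineCertificate -SubjectMatch 'jdoe' | Format-List
```

No output means that no certificate with a matching subject is in the Local Computer Personal store, for example because it was imported into the user account's store instead.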

Configuring Windows 7

  1. Click Start and then Control Panel.

  2. In the Control Panel, click Network and Internet, then Network and Sharing Center.

  3. Click Set up a new connection or network.

    The Set up a Connection or Network assistant opens.

  4. Click Connect to a workplace and Next.

  5. Define the dial-up internet connection.

    If you have a permanent connection to the internet, select the Use my internet connection (VPN) option. Otherwise, click Dial directly, and then select your dial-up internet connection from the list.

  6. Click Next.

  7. Enter the hostname or the IP address of the gateway you want to connect to.

  8. Enter a descriptive name for the connection.

  9. Optional: Select the following options if required:

    Allow other people to use this connection: Select this option if you want the connection to be available to anyone who signs in to the client.

    Don't connect now; just set it up so I can connect later: Select this option if you want to use the connection later.

  10. Click Next.

  11. Enter the user credentials.

    Enter the User name and Password (Remote User Account).

  12. Click Create.

    The assistant closes.

  13. In the Network and Sharing Center, click Connect to a network.

    A list with the available network connections opens.

  14. Right-click the new connection and select Properties.

    The Connection Properties dialog box opens.

  15. Only for Windows Vista, do the following:

    1. Select the Networking tab.

    2. In the Type of VPN section, select L2TP IPsec VPN.

    3. Select the Security tab.

    4. Select the Advanced (custom settings) option and click the Settings button.

    5. Set the Data encryption option to Optional encryption (connect even if no encryption).

    6. Click OK.

  16. Only for Windows 7, do the following:

    1. Select the Security tab.

    2. In the Type of VPN section, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).

    3. Set the Data encryption option to Optional encryption (connect even if no encryption).

  17. To close the dialog box, click OK.

    Now you can directly establish the connection in the sign-in window.

    For information on how to establish the connection if the sign-in window is not open, see Connecting to the VPN in Windows 7.

Configuring Windows XP

  1. Click Start > Settings, and then click Control Panel.

  2. In the Control Panel, double-click Network Connections.

    The Network Connections window opens.

  3. Click Create a new connection.

    The New Connection Wizard window opens.

  4. Click Next.

  5. Click Connect to the network at my workplace and then Next.

  6. Define how to connect to your network.

    Select Virtual Private Network connection if you use a VPN connection over internet.

  7. Click Next.

  8. Enter the name of the company or a descriptive name for the connection.

  9. Click Next.

  10. Define the dial-up internet connection.

    If you have a permanent connection to the internet, select the Do not dial the initial connection option. Otherwise, click Automatically dial this initial connection, and then select your dial-up internet connection from the list.

  11. Click Next.

  12. Enter the hostname or the IP address of the gateway that you want to connect to.

  13. Click Next.

  14. Select who should be able to use this connection.

    Click Anyone’s use if you want the connection to be available to anyone who logs on to the client. Otherwise, click My use only, to make the connection only available for your account.

  15. Click Next.

  16. If you want to create a shortcut on the desktop, click Add a shortcut to this connection to my desktop.

  17. Click Finish.

    The login window opens.

  18. In the login window, click Properties.

    The Properties dialog box opens.

  19. Open the Security tab.

  20. Disable the Require data encryption (disconnect if none) option.

  21. Open the Networking tab.

  22. In the Type of VPN section, select L2TP IPsec VPN.

  23. To close the dialog box, click OK.

    Now you can directly establish the connection in the sign-in window.

    For information on how to establish the connection if the sign-in window is not open, see Connecting to the VPN in Windows 7.