UniOTP VPN Solution
Note
The following steps apply to Windows Server 2003 and Windows XP where relevant. For recent versions of Windows, the steps below may differ slightly.
About This Guide
A VPN (Virtual Private Network) uses a computer or firewall with VPN capability to establish a secure tunnel between a server and a client over the Internet. At the tunnel initiator (server), the user's private data is encapsulated and encrypted before being transmitted across the Internet; at the receiving side (client), the received data is unpacked and decrypted. VPN services are installed with Windows 2000/2003. This manual is based on the installed VPN service, named "Routing and Remote Access", which can be found under Start Menu - All Programs - Administrative Tools - Services.
Routing and Remote Access Configuration
From Start Menu - All Programs - Administrative Tools - Routing and Remote Access, open the Routing and Remote Access control panel. Right-click Routing and Remote Access on the left side of the panel, then select Add Server to add a VPN server.
Right-click the newly added server and select Configure and Enable Routing and Remote Access. If the Windows Firewall/Internet Connection Sharing (ICS) service is enabled, the Routing and Remote Access service cannot be turned on and an ICS service warning message will appear; configure the ICS service to allow this operation, then repeat the steps above. After Routing and Remote Access is enabled, the configuration wizard appears. In the Routing and Remote Access Server Setup Wizard, under the Configuration step, select Remote access (dial-up or VPN), then click Next.
On the Remote Access step, select VPN then click Next.
Click Finish after completing the remainder of the wizard to complete the VPN server installation.
Configuring the VPN Server with UniOTP
After successfully setting up and configuring the VPN server, go to Start Menu - All Programs - Administrative Tools and open the Routing and Remote Access control panel.
In the Routing and Remote Access window, right-click on the respective server from the directory list and select Properties.
In the Properties window, select the Security tab, and under Authentication provider, select RADIUS Authentication from the drop-down menu.
Click Configure to configure the RADIUS authentication server. In the configuration panel, click Add to add a RADIUS authentication server.
In the Add RADIUS Server window, fill in the UniOTP authentication server name and server details. Then click Change next to Secret to set the RADIUS communication shared secret.
In the Change Secret window, enter the communication shared secret, then click OK.
The RADIUS Authentication window should now indicate that a RADIUS server has been added. Click OK to save the authentication server configuration.
Returning to the Properties window, click on Authentication Methods.
In the Authentication Methods window, check the check-boxes Extensible authentication protocol (EAP), Encrypted authentication (CHAP) and Unencrypted password (PAP). Note that the authentication methods Microsoft encrypted authentication version 2 (MS-CHAP v2), Microsoft encrypted authentication (MS-CHAP) and Shiva Password Authentication Protocol (SPAP) are not supported. Click OK to apply the settings and exit the window.
To apply the configuration changes, restart the VPN server by right-clicking the server and selecting All Tasks, then Restart.
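The RADIUS exchange configured above, as an added example in Python (not UniOTP or Microsoft code): how the VPN server (the NAS) hides the PAP User-Password, here the OTP+PIN, under the shared secret per RFC 2865, and how it verifies the Response Authenticator on the reply. The shared secret, NAS address, user name and OTP+PIN are constructed sample values; the secret is the only key protecting the OTP+PIN on the wire and the only thing that lets the NAS tell a genuine Access-Accept from a forged one.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks and XOR
    each block with MD5(secret + previous block), chained from the Request Authenticator.
    This is obfuscation keyed by the shared secret; whoever holds or guesses the secret
    recovers the OTP+PIN from a capture of this packet, so the secret must be strong."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS (UniOTP) server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident: int, req_auth: bytes, user: str, otp_pin: str, secret: bytes) -> bytes:
    """Access-Request as the NAS sends it for a PAP login. req_auth is the 16 random bytes
    the NAS picks per request; the caller supplies it here so results are reproducible."""
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(otp_pin.encode(), secret, req_auth))
             + attr(ATTR_NAS_IP, bytes([192, 0, 2, 10])))  # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Minimal Access-Accept; its Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS-side check that the reply answers this exact request and was produced by a
    party holding the shared secret. Replies failing this check must be discarded."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and response[4:20] == expected
```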
Add VPN Client
Open the Network Connections control panel found in the Control Panel.
On the left-hand side, under Network Tasks, click on Create a new connection.
A New Connection Wizard window will appear. On the Network Connection Type step, select Connect to the network at my workplace, then click Next.
On the Network Connection step, select Virtual Private Network connection, then click Next.
On the VPN Server Selection step, enter the host name or IP address of the VPN server to connect to, then click Next. If you wish, you can choose Add a shortcut to this connection to my desktop on the final step, then click Finish to complete the wizard.
When attempting to connect to the VPN server, a connection window similar to the window below will appear.
If you have added a VPN access user and bound this user to a dynamic token, you can use that dynamic password (and PIN, if the OTP+PIN authentication method has been selected) to connect to the VPN. In this manual, a Guest account has been added to both the VPN server and the UniOTP dynamic password authentication system, so Guest and its OTP + PIN (the Guest account's authentication method is OTP + PIN) are entered in this window. Click Connect.
The following error may occur:
To resolve this error, click Properties.
Deselect Require data encryption, click OK, then click Connect to start the connection again.
After connecting to the VPN server successfully, the following notification appears in the lower-right corner of the screen, indicating that the configuration of the VPN with UniOTP authentication has been completed successfully.
Appendix
Common errors upon VPN clients connecting to the server
Error Code | Reason
800 | Unable to establish the VPN connection. The VPN server may be unreachable, or the security parameters for this connection may not be configured properly.
619 | In most cases caused by NAT-T (used by clients to connect to the Internet) being turned off, or by a VPN gateway that does not support NAT-T for the GRE and PPTP protocols. To solve this problem, turn on NAT-T on the gateway. If this error happens frequently, replace the gateway equipment.
721 | In most cases caused by the client system. Users on Windows XP SP2 may encounter this problem; it can be solved by modifying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\<000x>, where <000x> is the network adapter entry of the WAN Miniport (PPTP) driver. In this key, create a new DWORD value named ValidateAddress with value 0. An incorrect PPP protocol configuration on the server causes this problem as well.
718 | Wrong user name or password when connecting, or an authentication service error on the authentication server.
734 | Normally caused by VPN configuration problems, such as the PPP configuration or unsupported or poorly supported MPPE.