UniOTP VPN Solution

From SecuTech Wiki


Note

The following steps apply to Windows Server 2003 and Windows XP where relevant. For recent versions of Windows, the steps below may differ slightly.

About This Guide

A VPN (Virtual Private Network) is a secure tunnel established over the Internet between a VPN-capable server or firewall and a client. On the tunnel initiator (the server), the user's private data is encapsulated and encrypted before it is transmitted over the Internet; on the receiving side (the client), the received data is unpacked and decrypted. A VPN service is installed with Windows 2000/2003. This manual is based on that installed service, named "Routing and Remote Access", which can be found under Start Menu - All Programs - Administrative Tools - Services.

Routing and Remote Access Configuration

From Start Menu - All Programs - Administrative Tools - [Routing and Remote Access], open the Routing and Remote Access control panel. Right-click on Routing and Remote Access on the left-hand side of the panel, then select Add server to add a VPN server.

routing and remote access main window

Right-click on the newly added server and select Configure and Enable Routing and Remote Access. If the Windows Firewall/Internet Connection Sharing (ICS) service is enabled, the Routing and Remote Access service cannot be turned on and an ICS service warning message will appear; configure the ICS service to allow this operation, then repeat the steps above. After Routing and Remote Access is enabled, the configuration wizard appears. In the Routing and Remote Access Server Setup Wizard window, under the Configuration step, select Remote access (dial-up or VPN), then click Next.

choose remote access (dial-up or VPN)

On the Remote Access step, select VPN then click Next.

choose VPN then next

Click Finish after completing the remainder of the wizard to complete the VPN installation.

Configuring the VPN Server with UniOTP

After successfully setting up and configuring the VPN Server, open Start Menu - All Programs - Administrative Tools and open the Routing and Remote Access control panel.

routing and remote access control panel

In the Routing and Remote Access window, right-click on the respective server from the directory list and select Properties.

selecting properties option

In the Properties window, select the Security tab, and under Authentication provider, select RADIUS Authentication from the drop-down menu.

RADIUS authentication selection

Click on Configure to configure the RADIUS authentication server. In the configuration panel, click on Add to add a RADIUS authentication server.

adding a RADIUS authentication server

Under the Add RADIUS Server window, fill in the UniOTP authentication server name and server details. Afterwards, click on Change next to Secret to change the RADIUS communication shared key.

Add RADIUS Server window fields: server name; secret; time-out (s); initial score; port

In the Change Secret window, configure the communication shared key, then click OK.

changing secret value

The RADIUS Authentication window should now indicate that a RADIUS server has been added. Click on OK to save the authentication server configuration.

added server 192.168.1.225 with initial score 30

Returning to the Properties window, click on Authentication Methods.

certificate properties tab

In the Authentication Methods window, select the check boxes for Extensible authentication protocol (EAP), Encrypted authentication (CHAP), and Unencrypted password (PAP). Note: the authentication methods Microsoft encrypted authentication version 2 (MS-CHAP v2), Microsoft encrypted authentication (MS-CHAP), and Shiva Password Authentication Protocol (SPAP) are not supported. Click on OK to apply the settings and exit the window.

authentication methods window
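The Add RADIUS Server settings above (server, port, shared secret) and the PAP method selected in the Authentication Methods window determine how the OTP+PIN travels between the RRAS server and UniOTP. The following Python script is an added example, not code from this page or from SecuTech: it builds an RFC 2865 Access-Request the way a PAP RADIUS client does and checks the reply, showing that the shared secret both hides the one-time password on the wire and authenticates the server's answer. The function names, the shared secret, the Request Authenticator and the Guest credentials are constructed sample values, and UDP port 1812 is assumed only as the usual RADIUS authentication port.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

def _xor_chain(secret, authenticator, data, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block);
    the first 'previous block' is the Request Authenticator from the packet header."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block  # always chain on the hidden (wire) block
    return out

def hide_password(secret, authenticator, password):
    """Client side: pad the OTP+PIN to a multiple of 16 bytes (at least 16), then hide it."""
    padded = password.ljust(((len(password) + 15) // 16 or 1) * 16, b"\x00")
    return _xor_chain(secret, authenticator, padded, hiding=True)

def reveal_password(secret, authenticator, hidden):
    """Server side: only a party holding the shared secret recovers the OTP+PIN."""
    return _xor_chain(secret, authenticator, hidden, hiding=False).rstrip(b"\x00")

def build_access_request(secret, ident, username, password, authenticator=None):
    """Access-Request as the RRAS server (PAP) sends it to the UniOTP server entered in
    the Add RADIUS Server window (192.168.1.225 in this guide; UDP 1812 assumed as port)."""
    authenticator = authenticator or os.urandom(16)  # fresh random 16 bytes per request
    hidden = hide_password(secret, authenticator, password.encode())
    attrs = b""
    for kind, value in ((USER_NAME, username.encode()), (USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", kind, len(value) + 2) + value  # type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(secret, request, code, attrs=b""):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def response_valid(secret, request, response):
    """Client check: a reply that fails this was not produced with the shared secret."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return resp_auth == hashlib.md5(head + request[4:20] + attrs + secret).digest()
```

Because PAP only hides the password with this MD5 keystream, the strength of the shared secret entered in the Change Secret window is what protects the OTP+PIN between the two servers.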

To apply configuration changes, restart the VPN server by right-clicking the server, selecting All Tasks, Restart.

restarting the VPN server

Add VPN Client

Open the Network Connections control panel found in the Control Panel.

network connections control panel

On the left-hand side, under Network Tasks, click on Create a new connection.

'connect to the network at my workplace' option

A New Connection Wizard window will appear. On the Network Connection Type step, select Connect to the network at my workplace, then click Next.

'virtual private network connection' option

On the Network Connection step, select Virtual Private Network connection, then click Next.

enter host name or IP address

On the VPN Server Selection step, enter the host name or IP address of the VPN to connect to, then click Next. If you wish, you can choose to Add a shortcut to this connection to my desktop on the final step, then click Finish to complete the wizard.

adding a desktop shortcut option

When attempting to connect to the VPN server, a connection window similar to the window below will appear.

VPN connection window

If you have added a VPN access user and bound this user to a dynamic token, you can use that dynamic password and PIN (if the OTP+PIN authentication method has been selected) to connect to the VPN. When following this manual, a Guest account has been added to the VPN server and to the UniOTP dynamic password authentication system, so Guest and OTP + PIN (the authentication method for the Guest account is OTP + PIN) need to be filled into this window. Click Connect.

VPN connection window with details entered

The following error may happen:

'local computer does not support required encryption' message

To resolve this error, click Properties.

properties is located at the bottom of the connection window

Deselect Require data encryption, click on OK, and click Connect to start the connection again.

'require data encryption (disconnect if none)' option in security

After connecting to the VPN server successfully, the following notification will appear in the lower-right corner of the screen, indicating that the configuration of the VPN with UniOTP authentication has been completed successfully.

'user is now connected' pop-up

Appendix

Common errors upon VPN clients connecting to the server

Error code | Reason
800 | Unable to establish the VPN connection. The VPN server may be unreachable, or the security parameters may not be configured properly for this connection.
619 | In most cases this is caused by the NAT-T function, which clients use to connect to the Internet, having been turned off, or by a gateway that does not support NAT-T for the GRE and PPTP protocols. To solve this problem, turn on the gateway's NAT-T. If this error happens frequently, change the gateway equipment.
721 | In most cases this problem is caused by the client system. It may happen to users running Windows XP SP2, and can be solved by modifying the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\<000x>, where <000x> is the network adapter subkey of the WAN Miniport (PPTP) driver. In this key, create a new DWORD value named ValidateAddress with value 0. An incorrect PPP protocol configuration on the server will cause this problem as well.
718 | Wrong user name or password when connecting, or an authentication service error on the authentication server.
734 | Normally caused by VPN configuration problems, such as the PPP configuration or unsupported or poorly supported MPPE.