
Configure Windows 7 VPN Client for L2TP Connection With MS-CHAP v2 Authentication


  • How To Configure Windows 7 VPN Client for L2TP connection with MS-CHAP v2 Authentication

    Applicable to Version: 10.00 onwards

    Cyberoam has extended its authentication protocol support for L2TP to include MS-CHAP v2. Earlier versions supported PAP authentication only.

    MS-CHAP v2 is the Microsoft Challenge-Handshake Authentication Protocol version 2. CHAP provides the same functionality as PAP, but does not send the password and other user information over the network.
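The difference between PAP and CHAP on the wire, as an added example that is not part of the original document: it implements plain CHAP as defined in RFC 1994 (MS-CHAP v2, RFC 2759, follows the same challenge-response pattern with a different response computation). The user name, password and class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: it recomputes the response, so it needs the secret itself."""
    def __init__(self, users: dict):
        self.users = users        # name -> secret (constructed sample data)
        self.pending = {}         # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)    # fresh random challenge per attempt
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # single use: blocks replay
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(password: bytes):
    """Return (pap_wire, chap_wire, accepted, replay_accepted) for one login."""
    server = Authenticator({"vpnuser": b"Constructed-Passw0rd"})
    pap_wire = b"vpnuser" + password          # PAP sends the password itself
    ident = 1
    chal = server.challenge(ident)            # authenticator -> peer
    resp = chap_response(ident, password, chal)   # peer -> authenticator
    chap_wire = chal + resp                   # all an observer sees with CHAP
    accepted = server.verify(ident, "vpnuser", resp)
    replay_accepted = server.verify(ident, "vpnuser", resp)  # challenge already used
    return pap_wire, chap_wire, accepted, replay_accepted
```

Because the authenticator recomputes the response from the secret, plain CHAP requires the server to hold the password in recoverable form.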

    This document has 3 sections:

    1. Cyberoam Configuration

    2. CLI Configuration

    3. Windows 7 Configuration

    Cyberoam Configuration

    The entire configuration is to be done from the Web Admin console. Access the Web Admin console as a user with the Administrator profile.

    Note:

    PPTP and L2TP connections established using the MSCHAPv2 or CHAP protocol can be authenticated through a RADIUS or Local authentication server.

    For AD Authentication, the AD Server should be behind a RADIUS Server and passwords should be stored in reversible encrypted form.

    Step 1

    Go to VPN > L2TP > Configuration to configure L2TP Settings.

    Parameters              Value

    General Settings
    Local IP Address        PortA 172.16.16.120
    Assign IP from          172.16.16.221 - 172.16.16.225
                            Specify an IP address range if the L2TP server has to lease IP addresses. This range should preferably be different from any of Cyberoam's local subnets.

    Client Information
    Primary DNS Server      4.2.2.2
    Secondary DNS Server    1.1.1.1


    Click on Apply and the L2TP Configuration will be added successfully.

    Step 2

    Go to VPN > L2TP > Connection to manage the L2TP connection. Click the Add button to add a new connection.

    Parameters                  Value

    General Settings
    Name                        L2TP
    Policy                      DefaultL2TP
    Action on VPN Restart       Respond Only

    Authentication Details
    Authentication Type         Preshared Key
    Preshared Key               Configure password as required
    Confirm Preshared Key       Type the same password as in above field

    Local Network Details
    Local WAN Port              PortB 192.168.13.120

    Remote Network Details
    Remote Host                 *
                                Specify IP address of remote peer/host. Specify * for any IP address.
    Allow NAT Traversal         Checked
    Remote LAN Network          Any
                                Select IP addresses and netmask of remote network which is allowed to connect to the Cyberoam server through VPN tunnel.

    Quick Mode Selectors
    Local Port                  1701
    Remote Port                 *

    Click the OK button and the L2TP connection "L2TP" will be added successfully.

    Step 3

    Activate the connection by clicking the red icon under the Active column; the connection will be activated successfully.

    Step 4

    Perform the steps described in the CLI Configuration section and then go to Step 5.

    Step 5

    Once the authentication mechanism is set in Cyberoam, you need to add the users to the L2TP configuration in Cyberoam.

    Go to L2TP Configuration (as created in Step 1) and click the Add Members button to define users.

    Select the Groups and Users to give L2TP VPN access.

    Click the Apply button to add these users and user groups to the L2TP members list.

    CLI Configuration

    This configuration is to be done from the CLI Console (Telnet/SSH).

    Step 1

    Log in to the CLI Console, go to Option 4 Cyberoam Console and press Enter.

    Step 2

    Set the authentication mechanism for your client.

    Type the command set vpn l2tp authentication MS_CHAPv2 to use MSCHAP v2 authentication for your clients.

    Note:

    You can also set the authentication to CHAP, PAP or ANY depending on your requirement.

    Windows 7 Configuration

    The following procedure outlines how to configure a Windows 7 VPN client to access resources behind a Cyberoam Appliance that has been set up to accept L2TP connections.

    Set up an L2TP connection on a Windows 7 client as follows:

    Step 1

    Go to Start > Control Panel > Network and Sharing Center and click Set up a new connection or network.

    Step 2

    Select Connect to a workplace and click Next.

    Step 3

    Select Use my Internet connection.

    Step 4

    In the Internet address field, type the WAN IP address of the Cyberoam and click Next.

    Note:

    The WAN IP address should be the same as the one specified in the Local WAN Port field under Local Network Details in the L2TP Connection.

    Step 5

    A Windows dialer will open automatically. Specify a valid username and password and click Connect.

    Step 6

    A connection will be established. Go to Start > Control Panel > Network and Sharing Center and click Connect to a network to view the connection.

    Step 7

    Open the connection properties and set the settings below in the client.

    Select the IP address in the General tab.

    Step 8

    In the Security tab, select Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec) as Type of VPN, select Data Encryption depending on your requirement, enable Microsoft CHAP Version 2 and click OK.

    Step 9

    Click Advanced Settings and enable Use preshared key for authentication. Specify the preshared key and click OK.

    Click OK and connect the VPN.

    Step 10

    Specify a valid username and password and click Connect.

    Note:

    Log in to the CLI console, go to Option 4 Cyberoam Console and type the command show vpn logs to check the logs.

    These logs help in troubleshooting in case the L2TP connection fails.

    Document Version 1.0 23/06/2011