VPN Access to DirigoHost - Configuring an L2TP/IPsec VPN Connection on a PC
10/15/2015
On 10/28/2015 Dirigo installed a set of new security devices (firewall, intrusion detection, network security and server protection software, load balancers, etc.) that required a change in how clients access their DirigoHost servers. We will no longer be using the Cisco AnyConnect software that we've used for the past six years. Instead, we're moving to a more widely supported VPN protocol, L2TP/IPsec. The setup looks daunting, but it's really not that bad.
Our ESP project, together with the industry-wide deprecation of SHA-1 in SSL/TLS certificates (SHA-1 is a hash algorithm used to sign certificates, and the older Cisco ASA firewalls could not move beyond it), made the change necessary to comply with current standards.
Fortunately, L2TP/IPsec is built into Windows, Mac OS, iOS, Android, etc., so no extra software is required. There is a "shared secret" (the IPsec pre-shared key) you'll need to know, and we'll communicate that secret when we provide you with your new credentials (your username and password). The secret, as well as the username and password, is case-sensitive and respects spaces between words.
Never store the shared secret together with your username and password. It is best to put your credentials into a paper file locked away, or into a password manager on your smartphone or computer. At Dirigo we use KeePass 2 to lock away credentials.
Here’s how you’d set up the VPN client on Windows 7 - 10:
If you're not a Windows 8 or 10 user, we also have instructions for Mac OS X at the end of this page.
- Go to Control Panel -> Network and Sharing Center.
- Choose Set up a new connection or network (the wording differs slightly on versions other than Windows 8.1).
- Choose Connect to a workplace . Move through the screens to Create a new connection .
- Choose Use my Internet Connection (VPN).
- For Internet Address, use gwi.dirigodev.com. Sometimes the name resolution fails. If that's the case use 188.8.131.52.
- Name the connection whatever you'd like (we call it DirigoHost), and choose whether you'd like to save credentials. For security reasons you probably shouldn't save your credentials on a laptop or a mobile device, and best practice is not to do so on a desktop either: a saved password is usable by anyone who gets hold of the machine. Create the connection. On Windows 7 you'll need to check the box that says not to connect now.
- Back in Network and Sharing Center, click on Change Adapter Settings , then right-click Properties on your new connection.
- On the Security tab, change Type of VPN from Automatic to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) :
- Also, under Allow these protocols, choose Microsoft CHAP Version 2 (MS-CHAP v2). Don't choose the Automatically use my Windows logon name and password option unless your device is part of the Dirigo Windows domain. You'll be told whether the account is part of the domain when we supply your credentials.
- Click the Advanced settings button, select Use preshared key for authentication, and type in the shared secret mentioned previously. Click OK to return to the Properties dialog.
- On the Networking tab, uncheck File and Printer Sharing for Microsoft Networks, which would otherwise let your machine act as a file server to the remote network. This step is optional, but recommended.
- Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Then click the Advanced button.
- Uncheck the Use default gateway on remote network checkbox. This turns on split tunneling: only traffic destined for the DirigoHost network goes over the VPN. If this box is left checked, all of your non-Dirigo-destined traffic will be routed over the DirigoHost network as well.
- That’s it. Double-click on the connection to try out the connection.
- With Windows 8.1 you will log-on or -off the VPN through the network connections icon. That’s the little computer monitor with a network cord icon at the bottom of your screen. If you click the networking icon you’ll get a blue bar with a list of connections. The VPN connection is the v-shaped knot-like icon. This is where you’ll connect to the VPN and disconnect from the VPN.
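The same setup can be scripted instead of clicked through. The following is an added example (not part of the original instructions) that performs steps 4 through 12 above from an elevated PowerShell prompt on Windows 8.1 or 10 using the built-in Add-VpnConnection cmdlet (it is not available on Windows 7), then verifies that the connection has the settings the instructions require. The connection name, the DNS-failure fallback and the property checks are assumptions for this example; the server name, fallback address and protocol settings are the ones from the steps above.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Run in an elevated PowerShell on Windows 8.1/10 (Add-VpnConnection is not on Windows 7).

$ConnectionName = 'DirigoHost'       # assumed display name; use whatever you like
$Server         = 'gwi.dirigodev.com'
$FallbackServer = '188.8.131.52'     # the fallback address from step 4 above

# Step 4: name resolution sometimes fails, so check it first and fall back to the
# literal address if it does.
try {
    $null = Resolve-DnsName -Name $Server -Type A -ErrorAction Stop
} catch {
    Write-Warning "Could not resolve $Server; using $FallbackServer instead."
    $Server = $FallbackServer
}

# Never hard-code the shared secret in a script or profile: prompt for it each time.
$Psk = Read-Host -Prompt 'Shared secret (from your Dirigo credentials)' -AsSecureString
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Psk)
$PskPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# Steps 7 to 10 and 12 in one call:
#   -TunnelType L2tp           = "Layer 2 Tunneling Protocol with IPsec"
#   -L2tpPsk                   = "Use preshared key for authentication"
#   -AuthenticationMethod      = "Microsoft CHAP Version 2 (MS-CHAP v2)"
#   -SplitTunneling            = "Use default gateway on remote network" UNCHECKED
#   (no -RememberCredential)   = do not save the password on the device
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $Server `
                  -TunnelType L2tp `
                  -L2tpPsk $PskPlain `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -Force

# Drop the plaintext copy of the secret from this session once Windows has stored it.
$PskPlain = $null

# Check: confirm the connection was created with the required settings before using it.
$vpn = Get-VpnConnection -Name $ConnectionName
if ($vpn.TunnelType -ne 'L2tp' -or
    $vpn.AuthenticationMethod -notcontains 'MSChapv2' -or
    -not $vpn.SplitTunneling) {
    throw "VPN connection '$ConnectionName' does not match the required settings."
}
$vpn | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod,
                   EncryptionLevel, SplitTunneling, RememberCredential

# Step 14: connect (rasdial prompts for the password when it is not given on the
# command line), and disconnect when you are done, as the security policy below asks.
#   rasdial $ConnectionName 'your.username'
#   rasdial $ConnectionName /disconnect
```

If Get-VpnConnection shows SplitTunneling as False, the default-gateway box from step 12 is still checked and all of your Internet traffic will go through Dirigo; fix it with Set-VpnConnection -Name DirigoHost -SplitTunneling $true before connecting.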
If you're using a Mac the same principles apply. Create an L2TP/IPsec connection pointing to gwi.dirigodev.com, supply the shared secret and your Windows network credentials, and give it a try. Thanks to the late Steve Jobs and his great crew, less setup is required on the Mac: by default Mac OS X leaves "Send all traffic over VPN connection" unchecked, so a VPN connection is not used as the default gateway and there is no step 12 to worry about.
Dirigo's VPN Security Policy
This policy applies to the use of Dirigo’s Virtual Private Network (VPN) service, which is one mechanism Dirigo provides for authorized users to access corporate computing and network resources from remote locations.
All VPN users must actively use anti-virus software on each computer from which the VPN server is accessed. The anti-virus software must be updated regularly with new anti-virus definitions. Users are required to keep their computer updated with the latest operating system and software patches available from their respective vendors. Microsoft Windows-based PCs should have the automatic updater configured, Mac OS users should have the software updater configured through System Preferences, and Linux users should have their distribution's package manager configured to install updates.
Users connecting to the VPN server over a wireless connection must install and enable a software or hardware firewall. The software firewall built into Windows is acceptable, as is ZoneAlarm.
While a computer is connected to the VPN server, it is logically connected to both the internal DirigoHost network and the Internet. For security reasons, each VPN user should disconnect from the VPN server when access to DirigoHost is no longer required. VPN users should be aware that if their VPN connection remains open and is not configured correctly (that is, with the remote network still set as the default gateway), all of their Internet traffic will be routed and logged through the VPN server and the Dirigo network. This results in a slower Internet connection for the VPN user and raises privacy concerns. Don't use DirigoHost as the default gateway.
Consult with David Addison or Peter McCabe or the designated Dirigo Information Security Officer (ISO) if you have questions about any of the above policy.