How to Set Up IPSEC on Your Windows Computer

If you’re using your Windows computer for anything beyond casual web browsing, it’s a good idea to enable additional security measures than those that are automatically enabled in Windows. If you’re doing sensitive business work on your computer, the need for enhanced security is much more pressing than just a good idea. Many third-party applications offer enhanced authentication and encryption features. Before you shell out significant cash for one of those, you should know that Windows itself can do the same thing. It’s called internet protocol security, or IPSEC.

IPSEC isn’t enabled by default. It’s not automatic, and setting it up takes a little know-how. Here’s our brief guide on how to set up IPSEC on your Windows computer. We’ll walk you through the process using as little jargon as possible.

Understanding IPSEC

IPSEC is a method of protecting IP communication by both authentication and encryption. Using IPSEC requires at least 2 machines, as they have to authenticate with each other and share cryptographic keys. This is a method whereby the server can determine that the user/computer trying to access it is who it says it is, and the reverse is also true. The computer can confirm that the server is genuine and not some malicious redirect lookalike.

IPSEC also allows IT to implement additional IP restrictions as deemed necessary within an organization.

A Basic IPSEC Implementation

In practice, IPSEC is usually used on a broader scale, but for purposes of illustration, we’ll build a basic IPSEC implementation between two devices. One needs to be a Windows server and will serve as the VPN server. The other should be a Windows 10 machine, which will serve as the client.

VPN Server Setup

To begin, log onto the Windows Server machine. We’ll set up this machine first.

Note: Instructions here are based on Windows 2012 Server. If you’re running a different server OS, some of the steps may be slightly different.

First Steps

Once logged in, open the server manager and select “Add Roles and Features”. Select “Role based or feature based installation”. Next, select the proper server (in this example, it’s the machine you’re setting up).

Next, move on to Server Roles and enable or install the following options under the listed menus.

Network Policy and Access Services: Here, all you need to do is enable Network Policy Server.

Remote Access: Here you need to install Direct Access and VPN (RAS) and Routing.

Going Deeper

These next steps get fairly technical. We’ll do our best to minimize the jargon.

As an administrator, open mmc.exe and click “File”, then “Add/Remove Snap In”. You’ll see a list. Choose “routing and remote access”. Back in the main mmc space, right-click “routing and remote access” and select “add server”. You want to pick the local machine, then right-click on it and select “Configure and Enable Routing and Remote Access”. Choose the first option, “Remote access (dial-up or VPN)” and check the VPN option.

Note: Your Windows server machine needs two or more network cards to do this successfully.

Next, you’ll need to set a range of IP addresses for the incoming connection to use. These can’t conflict with other allocations on your network. If you’re not sure about this, check with IT.

Almost Done

We’re in the home stretch now. It’s time to start up the routing and remote access service. Return to the mmc.exe console and right-click on the name of this computer. Choose “Properties”, then the “Security” tab. You need to choose the proper authentication methods. In that window, check boxes next to “Extensible authentication protocol” and “Microsoft encrypted authentication version 2”, and leave all other boxes unchecked.

Back on the “Security” tab, tick the box that will allow custom IPSEC policy, then add a pre-shared key.

Allow Access

All that’s left is to allow access to the VPN. Run compmgmt.msc, navigate to “Local Users and Groups”, and select “properties” for the user that needs access. Move to the Dial Up tab and choose “Allow Access”. Next, hit “Apply”. After rebooting your server machine, congratulations! Setup is complete.

Windows 10 Machine Setup

If you’ve made it this far, you’re in the clear. The remaining steps are far simpler than the last few. It’s time to configure your Windows 10 machine to work with the VPN you’ve just established on your server.

Open Settings, then “Network and Internet” on the Windows 10 computer and select “VPN”. Choose to add a VPN connection. Under “server name or address”, type in your VPN server’s IP address. Choose “L2TP/IPSEC with pre-shared key” as the VPN type. Next, fill in the username, password, and pre-shared key. Click “Save” to continue.

Next, you need to modify the security properties for this network. Find “Network Connections” in your control panel, then right-click on the VPN. Click “Properties” and switch to the Security tab. The type of VPN should already be listed as “Layer 2 Tunneling Protocol with IPSec (L2TP/IPsec)”, but if not, select that here.

Below this you should see some authentication settings. Click “Use Extensible Authentication Protocol” and choose “Microsoft: Secured password (EAP-MSCHAPv2)”. Click OK.

The last step is to click on the Internet Connections button in the start menu tray, select your VPN, and click “Connect.” Now you’re running a VPN tunnel with IPSEC!

About Tektonic

Tektonic is a Toronto IT Support company, helping local GTA companies with all their Microsoft solutions.  Visit https://www.tek-help.com to learn more.