How To Configure Windows 7 VPN Client for L2TP connection with MS-CHAP v2 Authentication

Applicable Version: 10.00 onwards


Overview

Cyberoam supports L2TP connections between Cyberoam and the Windows 7 VPN Client.
In addition to PAP, Cyberoam has extended its authentication protocol support for L2TP to MS-CHAP v2.
MS-CHAP v2 is the Microsoft Challenge-Handshake Authentication Protocol v2. CHAP provides the
same functionality as PAP, but does not send the password and other user information over the
network.
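
The difference between PAP and a challenge-handshake exchange, as an added example that is not part of the original article or of Cyberoam's code. It implements plain CHAP with MD5 (RFC 1994) and the PAP request body (RFC 1334) to show the principle; MS-CHAP v2 itself (RFC 2759) uses a different construction. The password value and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def pap_request_data(username: str, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request body: both fields travel in clear."""
    user = username.encode()
    return bytes([len(user)]) + user + bytes([len(password)]) + password

class Authenticator:
    """Server side: issues a fresh challenge and verifies one response to it."""
    def __init__(self, secrets: dict):
        self.secrets = secrets            # username -> shared secret (sample data)
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)   # unpredictable and never reused
        return self.identifier, self.challenge

    def verify(self, username: str, response: bytes) -> bool:
        secret = self.secrets.get(username)
        if secret is None or not self.challenge:
            return False
        expected = chap_response(self.identifier, secret, self.challenge)
        self.challenge = b""              # a challenge is good for one attempt
        return hmac.compare_digest(expected, response)

def demo():
    password = b"constructed-secret"      # constructed value, not from the article
    server = Authenticator({"john.smith": password})
    ident, challenge = server.new_challenge()
    response = chap_response(ident, password, challenge)   # client side
    accepted = server.verify("john.smith", response)
    server.new_challenge()                # a later session gets a new challenge
    replay_accepted = server.verify("john.smith", response)  # captured response
    return (accepted, replay_accepted,
            password in response,                          # CHAP wire data
            password in pap_request_data("john.smith", password))  # PAP wire data

if __name__ == "__main__":
    print(demo())
```
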

Scenario
This article consists of two sections:
1. Cyberoam Configuration
2. Windows 7 Configuration

Cyberoam Configuration
You must be logged on to the Web Admin Console as an administrator with Read-Write permission
for relevant feature(s).
Step 1: Configure L2TP
Go to VPN > L2TP > Configuration and click Enable L2TP. Specify the parameters as given below.
| Parameters | Value | Description |
|---|---|---|
| Assign IP from | 172.16.16.211 - 172.16.16.225 | Specify IP Address range if L2TP server has to lease IP Addresses. |
| Primary DNS Server | <As configured in Network> | Select Primary DNS Server from the list. Alternately, you can also specify DNS Server by choosing Other from the list. |
| Secondary DNS Server | <As configured in Network> | Specify Secondary DNS server. Alternately, you can also specify DNS Server by choosing Other from the list. |

Click Apply to save changes.


Step 2: Add L2TP Members
Click Add Member(s) to add the users who would connect to Cyberoam using L2TP.

Select the L2TP members. Here, as an example, we have selected john.smith as the L2TP member.

Click Apply to save changes.

Step 3: Create L2TP Connection


Go to VPN > L2TP > Connection and click Add to add an L2TP connection as per parameters
below.
| Parameters | Value | Description |
|---|---|---|
| Name | Head_Branch | Enter a unique name to identify L2TP Connection. |
| Policy | DefaultL2TP | Select policy to be applied to the L2TP connection. |
| Action on VPN Restart | Respond Only | Select an action to be taken on the connection when VPN services or Appliance restarts. Available Options: Respond Only: Keeps connection disabled till the user responds. Disable: Keeps connection disabled till the user activates. |
| Authentication Type | Preshared Key | Select Authentication Type. Preshared Key authentication is a mechanism whereby a single key is used for encryption and decryption. Both the peers should have the Preshared Key. After selecting this option, mention the Key to be used. |
| Local WAN Port | <Select WAN Port> | Select Local WAN Port. |
| Remote Host | | Specify IP Address or host name of remote end-point. Specify * for any IP Address. |
| Allow NAT Traversal | Enabled | Enable NAT traversal if a NAT device is located between your VPN endpoints when remote peer has private/non-routable IP Address. |
| Remote LAN Network | Any IP Host | Select IP Addresses and netmask of remote network which is allowed to connect to the appliance server through VPN tunnel. |
| Local Port | 1701 | Specify the Local Port number that the local VPN peer uses to transport traffic related to TCP or UDP protocol. Specify * for any port. Default - 1701 |
| Remote Port | | Specify the Remote Port number that the remote VPN peer uses to transport traffic related to TCP or UDP protocol. Specify * for any port. |

Click OK to save the connection.

Step 4: Activate Connection


Click the red icon under 'Active' column to activate the connection.

Step 5: Configure MS CHAP authentication


Perform the steps for configuring MS CHAP authentication.

Log in to the CLI Console and select Option 4 Cyberoam Console.

Execute the following command at the console prompt to use MSCHAP v2 authentication for your
clients:
set vpn l2tp authentication MS_CHAPv2

Windows 7 Configuration
Follow the steps below to configure the user machine to connect to Cyberoam using L2TP.

Step 1: Change the default Authentication Mechanism to Preshared Key


Go to Start Menu > Control Panel > Administrative Tools and double-click Windows Firewall with
Advanced Security. Select Properties to display the Windows Firewall with Advanced Security on
Local Computer window.

Switch to IPSec Settings tab and under IPSec Defaults, click Customize to display the Customize
IPSec Settings window.

Under Authentication Method, select Advanced and click Customize to display the Customize
Advanced Authentication Methods window.

Select the current First Authentication Method, in this case Computer (Kerberos V5) and click
Remove.

Click Add to add another First Authentication Method.

In the Add First Authentication Method screen, select Preshared Key and specify the Preshared Key
configured in Cyberoam (Cyberoam Configuration step 3).

Click OK in all the cascading windows.


Note:
Make sure that IPSec Policy Agent and IKE and AuthIP IPSec Keying Modules in the machine are
running without error.
Step 2: Create the L2TP Connection in User Machine
Go to Start > Control Panel > Network and Sharing Center and click Set up a new connection or
network. Follow further steps as per screens shown below.

Step 3: Configure Authentication Mechanism of the L2TP Connection


After the connection is created, click the Network symbol on the System Tray and right-click the
connection created in step 2. Click Properties to open the Properties window.
Switch to Security tab and click Advanced Settings under Types of VPN.

In the L2TP tab, select Use preshared key for authentication and specify the key configured in
Cyberoam.

Click OK to save settings.

The above configuration establishes an L2TP connection using MSCHAPv2 authentication between
Cyberoam and a Windows 7 machine.
Note:
To check the logs, log in to the CLI console, go to option 4 Cyberoam Console and type the command:
show vpn logs
These logs help in troubleshooting in case the L2TP connection fails.

Document Version: 2.0 3 March, 2015