• How to set up IKEv2 VPN Connection on Windows 7 with Certificate or EAP-MSCHAP v2 Authentication

    This guide assumes that you have obtained a Personal Information Exchange (p12) file from your VPN service provider. The file contains the server certificate and, if you are using certificate authentication instead of EAP-MSCHAP v2, the client private key and certificate.

    There are two major tasks: install the certificates and create a VPN connection.

    Task 1: install the certificates.

    1. Start mmc: click the Start button, then enter mmc.
    2. In the mmc window, click “Add/Remove Snap-in”.
    3. Select “Certificates”, then click Add.
    4. Select “Computer Account”, click “Next”.
    5. Select “Local Computer”, click “Finish”.
    6. Right click on “Personal”, select “All Tasks”, then “Import”.
    7. Browse for the p12 file.
    8. Select “Personal Information Exchange” under the file type selection dropdown. Then open the p12 file.
    9. Enter the password for the p12 file (if there is one).
    10. Select “Automatic” certificate store.
    11. Click “Finish”.

    Task 2: create the VPN connection.

    1. Click “Open Network and Sharing Center”.
    2. Click “Set up a new connection…”
    3. Select “Connect to a workplace”.
    4. Select “Use my Internet connection (VPN)”.
    5. Enter the VPN server's domain name or IP address. Name the VPN connection. Check “Don’t connect now; just set it up so I can connect later”.
    6. Leave the username and password empty (if you are authenticating with client certificates). Enter your username and password here if you are authenticating with EAP-MSCHAP v2. Click “Create”.
    7. After the VPN connection is created, go back to the “Network and Sharing Center”. Click on “Change adapter settings”.
    8. Right click on the newly created VPN connection. Click “Properties”.
    9. Click on the “Security” tab. Select “IKEv2” for “Type of VPN”. Click “Use machine certificates” (if you are using client certificates to authenticate the user). If you are using EAP-MSCHAP v2 (with username and password), see alternative task below.
    10. Click on the “Networking” tab. Uncheck “TCP/IPv6”. Click OK.
    11. Click on the network icon at the bottom right corner again. Click on the VPN connection, then click “Connect”.

    Alternative task 2: if authenticating with EAP-MSCHAP v2.

    1. In step 6 above, enter your username and password.
    2. In step 9 above, select “Use Extensible Authentication Protocol (EAP)”, then EAP-MSCHAP v2.

    Task 3: Check that your VPN connection is working

    1. Open a web browser and go to https://ipleak.net/. Make sure that your IP address is that of the VPN service (i.e., no longer your ISP-assigned IP address), and that the DNS addresses are also those of the VPN service.
    2. If your VPN server is located in the same geographical region as your ISP connection, it is sometimes hard to tell whether your DNS service has changed to the one provided by the VPN. This page will tell you who your DNS provider is: http://whoismydns.com/
    3. In some cases your browser stays stuck with the ISP-assigned DNS server. In that case, manually set the DNS service on your ISP connection (WiFi or Ethernet adapter) to a third-party DNS service, for example, Cloudflare DNS. Just to be safe, disable IPv6 on the WiFi or Ethernet adapter too.
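
A local cross-check for step 3, as an added example that is not part of the original guide: it parses the text of `ipconfig /all` (English-language output assumed, with the VPN listed as a `PPP adapter`) and reports non-VPN adapters that still carry a DNS server other than the VPN's or an approved third-party resolver, or that still have IPv6 enabled. The connection name `MyVPN`, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed, trimmed sample of English `ipconfig /all` output; not from a real host.
SAMPLE = """\
PPP adapter MyVPN:

   DNS Servers . . . . . . . . . . . : 10.10.10.1

Wireless LAN adapter Wireless Network Connection:

   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%11(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       1.1.1.1
"""
HEADER = re.compile(r"^\S.*? adapter (.+):\s*$")
ADDRESS = re.compile(r"^[0-9A-Fa-f:.%]+$")

def parse_adapters(text):
    """Map adapter name -> {'dns': [servers], 'ipv6': bool}."""
    adapters, current, label = {}, None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        left, sep, value = line.partition(" : ")
        if header:
            current, label = adapters.setdefault(header.group(1), {"dns": [], "ipv6": False}), None
        elif sep and current is not None:  # "Label . . . : value"
            label, value = left.strip(" ."), value.strip()
            if label == "DNS Servers" and value:
                current["dns"].append(value)
            elif "IPv6 Address" in label and value:
                current["ipv6"] = True
        elif label == "DNS Servers" and ADDRESS.match(line.strip()):
            current["dns"].append(line.strip())  # continuation line of the DNS list
    return adapters

def dns_leak_findings(text, vpn_name, approved=()):
    """Flag non-VPN adapters with unapproved DNS servers or IPv6 still enabled."""
    adapters = parse_adapters(text)
    vpn_dns = adapters.get(vpn_name, {"dns": []})["dns"]
    if not vpn_dns:
        return [vpn_name + ": not connected, or no DNS servers assigned"]
    findings = []
    for name, info in adapters.items():
        if name != vpn_name:
            findings += [name + ": unapproved DNS server " + s
                         for s in info["dns"] if s not in vpn_dns and s not in approved]
            if info["ipv6"]:
                findings.append(name + ": IPv6 is still enabled")
    return findings
```

To use it on a real machine, save the output of `ipconfig /all` while the VPN is connected and pass that text in place of `SAMPLE`, with your own connection name and the resolvers you chose in step 3 as `approved`.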
