Microsoft Windows VPN Clients

When configuring Microsoft Windows 2000, XP, or Vista clients for a VPN to the Threat Management Services (TMS) zl Module, take the following into consideration:

  • Windows VPN clients do not support:

    • tunnel mode

    • XAUTH (eXtended AUTHentication)

    • IKE mode config

    • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) v1 (Vista only). Because the TMS zl Module does not support MS-CHAPv2, select CHAP on the Vista client when MS-CHAPv1 is not available.

  • The default IPsec policy for the Vista client is for IKE certificates only. If you want to use a PSK (or if you want to create an L2TP (Layer 2 Tunneling Protocol)-only tunnel), you must edit the registry to prevent the Vista client from using the default policy.

  • You can also edit the registry of Windows 2000 or Windows XP clients if you want to exercise granular control over the IPsec policy parameters.

  • The Windows client presents its IKE security proposals to the VPN gateway with the strongest DH (Diffie-Hellman) group first. If that first DH group is not specified in the TMS zl Module's IPsec policy, the module closes the session rather than falling back to a weaker proposal. Therefore, you must either delete all of the IKE security proposals on the Windows client before configuring your own proposal, or configure the IKE policy on the module to include the client's strongest DH group.

  • To configure the optional shared secret for L2TP clients, you must edit the client's registry to input the secret.
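The registry step mentioned for the Vista client (and offered as an option for Windows 2000/XP) can be checked and applied from the command line. The following is an added PowerShell example, not code from the TMS zl Module documentation. It assumes the value the text refers to is the RasMan `ProhibitIpSec` REG_DWORD that Microsoft documents for disabling the built-in certificate-only L2TP/IPsec policy; the function names are the example's own. Run it in an elevated session; RasMan only rereads the value when it starts, so the script restarts the service.

```powershell
# Added example (not from the TMS zl Module documentation).
# Assumption: the registry value the text refers to is RasMan's ProhibitIpSec.
# ProhibitIpSec = 1 disables Windows' automatic certificate-only L2TP/IPsec
# policy, so the client can use a PSK or an administrator-defined IPsec policy.

$RasManParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'

function Get-L2tpAutoPolicyState {
    # Returns 'Enabled' when the built-in certificate-only policy is still active
    # (value missing or not 1) and 'Disabled' when ProhibitIpSec is set to 1.
    $item = Get-ItemProperty -Path $RasManParams -Name 'ProhibitIpSec' -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.ProhibitIpSec -ne 1) { return 'Enabled' }
    return 'Disabled'
}

function Disable-L2tpAutoPolicy {
    # Write ProhibitIpSec = 1 as REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $RasManParams -Name 'ProhibitIpSec' -PropertyType DWord -Value 1 -Force | Out-Null
    # Remote Access Connection Manager must be restarted (or the host rebooted)
    # before the new setting takes effect; -Force also restarts dependent services.
    Restart-Service -Name 'RasMan' -Force
}

"Built-in certificate-only L2TP/IPsec policy: $(Get-L2tpAutoPolicyState)"
if ((Get-L2tpAutoPolicyState) -eq 'Enabled') {
    Disable-L2tpAutoPolicy
    "After change: $(Get-L2tpAutoPolicyState)"
}
```

Once the automatic policy is disabled, the client no longer has any IPsec protection for L2TP unless you supply one, so pair this change with the PSK or policy settings you intend to use on the TMS zl Module; leaving `ProhibitIpSec` at 1 on a client that still expects certificate-based IKE will simply stop that client from connecting.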