Configuring a Windows IPSec VPN client, using PGPNet

This is a document describing how to set up a shared-secret VPN connection using the PGPNet 7.0 IPSec software for Windows. It has been tested under Windows 98 and Windows 2000 Professional.

Installing the software is fairly straightforward, and will not be covered here.

After installing the software, you will see the following lock icon in your system tray (down in the lower right corner of your screen, on the taskbar).

Click on that icon to bring up a menu; and choose 'PGPNet', then the 'VPN' item from the submenu. The following window should appear:

Click on the 'Add' button to get the following window. At this point:

Enter the hostname (or IP address) of the machine which will be your VPN server and gateway into the remote network. If you don't know the IP address, just put the full name in, and click the 'DNS Lookup' button, which will help you find it.
Choose 'Secure Gateway' from the drop-down list.
Make sure 'Connect Automatically' is chosen.
Set 'Authentication Type' to 'Normal'
Click on the 'Set Shared Passphrase' button

At this point, type in (or paste in, if it is very long) the agreed-upon shared passphrase into each of the two fields here. You can uncheck the 'Hide Typing' box if you are unsure of your typing.

Close the passphrase window, and the setup window; then single-click the connection you just created in the VPN window; and then click the 'Properties' button.

First, choose the 'VPN' tab, and set the parameters as you see below. The key timeouts are suggested to be lower than the defaults, because of some common problems with Windows IPSec implementations.

Choose the 'VPN Advanced' tab, and then:

Allow TripleDES cipher, and the MD5 hash; unselect CAST and SHA-1.
Move Shared Key/MD5/TripleDES/1024 to the top of the IKE proposal list.
Move MD5/TripleDES/None to the top of the IPSec list
Set Perfect Forward Secrecy to 1024

Next choose the 'Advanced' tab and:

Set 'Preferred Algorithm' to TripleDES
Uncheck all but TripleDES from the list of allowed algorithms

Open a Command Prompt/DOS Prompt; and type:

ping <name of host or its IP address>

You should then see ping responses come back from the host...

...and upon looking at the PGPNet window, you should see a green dot by the connection that you pinged. This means that the connection is working.

However, in order to get to machines behind that gateway, you will need to add another network to those that the VPN software knows about. To do this, highlight the gateway connection we just made, and click on the 'Add' button again.

Answer 'yes' to the question about adding the new host entry behind the gateway.

Set the IP address to be the network address of the remote, private network that you wish to connect to.
Choose 'Insecure Subnet' from the drop-down menu.

The new network entry should then appear below the gateway entry in the VPN list.

Returning to our Command Prompt (or DOS Prompt) window; we should now be able to ping a machine on the remote, private network. This means that access to it is working; and one should now be able to access machines on it readily.