CloudTrust

Trust is the new currency when it comes to digital technology

Virtual private networks – VPNs – are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization's private network.

There are many options for VPN clients. Windows and macOS ship with a built-in client, so no extra software is needed. This guide focuses on the Windows and macOS platform clients and the features – based on Microsoft and Apple official system support pages – that can be configured for CloudTrust VPN Edge, otherwise known as Remote Network Connection™ IKEv2/IPsec Gateway.

Add or change a VPN connection in Windows

A virtual private network – VPN – connection gives you a more secure connection to your network and the internet.

Create a new connection to join your VPN. To get started, select the Start button, and then select Settings > Network & Internet > VPN, and then select Add a VPN connection.

Follow these steps to enter info you get from your VPN service. This becomes your VPN profile.

  1. For VPN provider, choose Windows (built-in).
  2. In the Connection name box, enter a name you'll recognize for the VPN connection profile.
  3. In the Server name or address box, enter the address for the VPN server.
  4. For VPN type, choose the type of VPN connection you want to create. You'll need to know which kind of VPN connection your company or VPN service uses.
  5. For Type of sign-in info, choose the type of sign-in info to use.
  6. Select Save.

Now that you have a VPN profile, you're ready to connect.

  1. On the far right of the taskbar, select the Internet access icon.
  2. Select Connect under the VPN connection you want to use. Or, you can open Settings > Network & Internet > VPN and select the VPN connection there.
  3. If you're prompted, enter your sign-in information. When connected, the VPN connection name will display Connected underneath.

Choose from additional settings or edit the VPN connection info.

  1. Select the Start button, and then select Settings > Network & Internet and then select VPN.
  2. Under Advanced Options, turn on Allow VPN over metered networks or Allow VPN while roaming.


Sample IKEv2 PowerShell configuration profile for Windows device

This example imports the CloudTrust VPN Edge root certificate from the file into the Trusted Root Certification Authorities store of the Local Machine and sets up an all-user IKEv2 VPN connection to the CloudTrust VPN Edge service. The cipher suites used here by the CloudTrust VPN Edge service are selected to ensure the widest range of compatibility across Windows, macOS, iOS, Android, and Linux clients.

# Trust the CloudTrust VPN Edge root CA machine-wide (requires an elevated PowerShell session)
Import-Certificate -FilePath "CloudTrust VPN Edge Root CA.cer" -CertStoreLocation Cert:\LocalMachine\Root\

# Create the IKEv2 connection in the all-user (global) phonebook with EAP sign-in,
# maximum encryption level, split tunneling disabled and cached credentials.
# -AllUserConnection, -SplitTunneling and -RememberCredential are switch parameters;
# passing them a positional $True would instead be bound to the next positional parameter.
Add-VpnConnection -Name "CloudTrust VPN Edge" -ServerAddress "edge.cloudtrust.solutions" -TunnelType "IKEv2" -AuthenticationMethod "EAP" -EncryptionLevel "Maximum" -AllUserConnection -SplitTunneling:$False -RememberCredential -PassThru

# Pin the IKE/IPsec proposal to AES-256-GCM, SHA-384 and the ECP384 Diffie-Hellman group with PFS.
# -AllUserConnection selects the global phonebook entry created above; -Force skips the confirmation prompt.
Set-VpnConnectionIPsecConfiguration -Name "CloudTrust VPN Edge" -AllUserConnection -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -DHGroup ECP384 -IntegrityCheckMethod SHA384 -PfsGroup ECP384 -EncryptionMethod GCMAES256 -Force

To create the IKEv2 PowerShell configuration profile for a Windows device, save the sample profile content to a PowerShell script file with the .ps1 extension – for example: edge.cloudtrust.ps1 – and run it from an elevated PowerShell session, since importing into the Local Machine root store requires administrator rights.

CloudTrust VPN Edge certificates

X.509 certificates to import into a certificate store in order to use CloudTrust VPN Edge services – the bundle file below contains all of the certificates together with their attributes.

CloudTrust VPN Edge Root CA.cer
edge.cloudtrust.solutions.cer
CloudTrust VPN Edge bundle.cer

Connect to a VPN in Windows

Whether it's for work or personal use, you can connect to a virtual private network (VPN) on your Windows PC. A VPN connection can help provide a more secure connection to your company's network and the internet, for example, if you're working from a coffee shop or similar public place.

Before you can connect to a VPN, you must have a VPN profile on your PC. You can either create a VPN profile on your own or set up a work account to get a VPN profile from your company.

Create a VPN profile

If you don't have a VPN profile on your Windows PC, you'll need to create one. Have the connection details from your company or VPN service at hand, then:

  1. Select the Start button, then select Settings > Network & Internet > VPN > Add a VPN connection.
  2. In Add a VPN connection, do the following:
    • For VPN provider, choose Windows (built-in).
    • In the Connection name box, enter a name you'll recognize (for example, My Personal VPN). This is the VPN connection name you'll look for when connecting.
    • In the Server name or address box, enter the address for the VPN server.
    • For VPN type, choose the type of VPN connection you want to create. You'll need to know which kind of VPN connection your company or VPN service uses.
    • For Type of sign-in info, choose the type of sign-in info (or credentials) to use. This might be a user name and password, one-time password, certificate, or a smart card if you're connecting to a VPN for work. Enter your user name and password in the respective boxes (optional).
  3. Select Save.
  4. If you need to edit the VPN connection info or specify additional settings, such as the proxy settings, choose the VPN connection and then select Advanced options.

Connect to a VPN

When you have a VPN profile, you're ready to connect.

  1. On the far right of the taskbar, select the Network icon.
  2. Select the VPN connection you want to use, then do either of the following depending on what happens when you select the VPN connection:
    • If the Connect button displays under the VPN connection, select Connect.
    • If VPN in Settings opens, select the VPN connection there, then select Connect.
  3. If you're prompted, enter your user name and password or other sign-in info.

When connected, the VPN connection name will display Connected underneath it. To see if you're connected to the VPN while you're doing things on your PC, select the Network icon on the far right of the taskbar, then see if the VPN connection says Connected.

Troubleshoot

Connection establishment is attempted three times by default – in a packet capture you can see the repeated IKE_SA_INIT messages sent to the VPN server. If the VPN connection fails, it may be necessary to configure the local network, or in some cases it may be possible to fine-tune the VPN configuration of the operating system.
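As an added illustration of what that troubleshooting step looks like in a packet capture (this is example code, not part of the CloudTrust page), the following Python decodes the IKEv2 header of each UDP payload, recognises the NAT-T non-ESP marker on port 4500, and groups IKE_SA_INIT messages by initiator SPI so that repeated unanswered requests stand out. The capture is constructed inline; the port numbers and SPI values are assumptions, and the header layout follows RFC 7296.

```python
"""Decode IKEv2 headers from captured UDP payloads and count IKE_SA_INIT attempts.

Added example (not part of the CloudTrust page): when a client times out during
connection establishment, a capture shows repeated IKE_SA_INIT requests with the
same initiator SPI and no matching response. The capture below is constructed.
"""
import struct
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# IKEv2 header (RFC 7296 section 3.1): SPI_i(8) SPI_r(8) NextPayload(1) Version(1)
# ExchangeType(1) Flags(1) MessageID(4) Length(4) = 28 bytes, network byte order
IKE_HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08   # message sent by the original initiator
FLAG_RESPONSE = 0x20    # message is a response
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that separates IKE from ESP on UDP/4500 (NAT-T)


class IkeHeader(NamedTuple):
    spi_i: bytes
    spi_r: bytes
    exchange: str
    is_initiator: bool
    is_response: bool
    message_id: int
    length: int
    nat_t: bool


def parse_ike_header(payload: bytes, udp_port: int) -> Optional[IkeHeader]:
    """Return the decoded IKEv2 header, or None if the payload is not an IKEv2 message."""
    nat_t = udp_port == 4500
    if nat_t:
        if not payload.startswith(NON_ESP_MARKER):
            return None  # UDP-encapsulated ESP data, not IKE
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < IKE_HEADER.size:
        return None
    spi_i, spi_r, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(payload)
    if version >> 4 != 2:
        return None  # major version 1 would be IKEv1
    return IkeHeader(spi_i, spi_r, EXCHANGE_TYPES.get(exch, f"type {exch}"),
                     bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE),
                     msg_id, length, nat_t)


def build_ike(spi_i: bytes, spi_r: bytes, exch: int, flags: int, msg_id: int, body: bytes = b"") -> bytes:
    """Construct a minimal IKEv2 message (next payload 33 = SA) for the sample capture."""
    return IKE_HEADER.pack(spi_i, spi_r, 33, 0x20, exch, flags, msg_id, IKE_HEADER.size + len(body)) + body


# Constructed capture of (UDP port, payload): three IKE_SA_INIT requests from one
# initiator SPI on UDP/500 with no response, i.e. a client retrying before it gives up.
CLIENT_SPI = bytes.fromhex("1122334455667788")  # assumed value
SAMPLE_CAPTURE: List[Tuple[int, bytes]] = [
    (500, build_ike(CLIENT_SPI, bytes(8), 34, FLAG_INITIATOR, 0)),
    (500, build_ike(CLIENT_SPI, bytes(8), 34, FLAG_INITIATOR, 0)),
    (500, build_ike(CLIENT_SPI, bytes(8), 34, FLAG_INITIATOR, 0)),
]


def summarize_ike_sa_init(capture: List[Tuple[int, bytes]]) -> Dict[str, Dict[str, int]]:
    """Group IKE_SA_INIT messages by initiator SPI and count requests versus responses."""
    requests: Counter = Counter()
    responses: Counter = Counter()
    for port, payload in capture:
        hdr = parse_ike_header(payload, port)
        if hdr is None or hdr.exchange != "IKE_SA_INIT":
            continue
        (responses if hdr.is_response else requests)[hdr.spi_i] += 1
    return {spi.hex(): {"requests": n, "responses": responses[spi]} for spi, n in requests.items()}


if __name__ == "__main__":
    for spi, counts in summarize_ike_sa_init(SAMPLE_CAPTURE).items():
        state = "unanswered" if counts["responses"] == 0 else "answered"
        print(f"initiator SPI {spi}: {counts['requests']} IKE_SA_INIT request(s), {state}")
```

Three requests and zero responses for one initiator SPI means the packets are leaving the client but nothing comes back, which points at the local network (a firewall or NAT dropping UDP/500 or UDP/4500) rather than at the operating system's VPN settings; a response that arrives but is followed by no IKE_AUTH points the other way.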


If the L2TP/IPsec VPN server is behind a NAT device, in order to connect external clients through NAT correctly, you have to make some changes to the registry both on the server and client side to allow UDP packet encapsulation for L2TP and NAT-T support in IPsec.

# AssumeUDPEncapsulationContextOnSendRule: 1 = only the VPN server is behind NAT, 2 = both server and client are behind NAT.
# Run from an elevated PowerShell session; the setting takes effect after a restart.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Type DWord -Value 2 -Force

Sometimes, if your local network has several Windows computers, you cannot establish more than one simultaneous connection to an external L2TP/IPsec VPN server. If you try to connect to the same VPN server from another computer while a VPN tunnel from a different device is already active, error code 809 or 789 will appear.

The first value lets the client accept the weaker algorithms (such as DES and MD5) that some L2TP/IPsec servers still require; the second keeps IPsec protection for L2TP enabled (ProhibitIpSec=1 would disable it). Run both from an elevated command prompt and restart the computer so the Remote Access Connection Manager service picks up the change.

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v AllowL2TPWeakCrypto /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters" /v ProhibitIpSec /t REG_DWORD /d 0 /f

Configure an L2TP/IPsec server behind a NAT-T device

Set up a VPN connection on Mac

To connect to a virtual private network (VPN), you need to enter configuration settings in Network preferences. These settings include the VPN server address, account name, and any authentication settings, such as a password or a certificate you received from the network administrator.

If you received a VPN settings file from your network administrator, you can import it to set up your connection. If you didn't, you can enter the settings manually.

Import a VPN settings file

On your Mac, do one of the following:

  1. Double-click the file to open Network preferences and automatically import the settings.
  2. Choose Apple menu > System Preferences, click Network, click the Action pop-up menu, then choose Import Configurations. Select the file, then click Import.

To export a file, select the service whose settings you want to export, such as a VPN configuration, in the list on the left, click the Action pop-up menu, then choose Export Configurations. Give the configuration file a name, click the Where pop-up menu, then choose where to save it. You can also select to export the user or machine configuration, or both.

Enter VPN settings manually

  1. On your Mac, choose Apple menu > System Preferences, then click Network.
  2. Click the Add button in the list on the left, click the Interface pop-up menu, then choose VPN.
  3. Click the VPN Type pop-up menu, then choose what kind of VPN connection you want to set up, depending on the network you are connecting to. Give the VPN service a name, then click Create.
    • L2TP is an extension of the Point-to-Point Tunnelling Protocol used by internet service providers to enable a VPN over the internet.
    • IPSec (Internet Protocol Security) is a set of security protocols.
    • IKEv2 is a protocol that sets up a security association in IPSec.
  4. Enter the server address and the account name for the VPN connection.
  5. Click Authentication Settings, then enter the information you received from the network administrator.
  6. If specified by your network administrator, click Advanced to enter additional information such as session options, TCP/IP settings, DNS servers and proxies.
  7. The additional information you can enter depends on the type of VPN connection you're setting up.
  8. Click Apply, then click OK.

Select "Show VPN status in menu bar" to use the VPN status icon to connect to the network and switch between VPN services.

To remove the VPN configuration, select the VPN network connection service in the list and click the Remove button.

Change options

Set VPN options, such as controlling when VPN disconnects, and turning on verbose logging to capture more log information in a VPN session.

VPN options are available only for the L2TP over IPSec type of VPN connection. (For other types of VPN connections, the options are specified by the VPN server when the VPN connection is negotiated.)

  1. On your Mac, choose Apple menu > System Preferences, then click Network.
  2. Select your VPN service in the list on the left.
  3. If your VPN service isn't in the list, click the Add button at the bottom of the list, click the Interface pop-up menu and choose VPN, then click the VPN Type pop-up menu and choose the VPN type. Enter a name for the service, then click Create.
  4. Enter the server address, account name, and any authentication settings you received from your network administrator or ISP.
  5. Click Advanced, click Options, then select the options you want to use:
    • Disconnect when switching user accounts: Ends a VPN session when you switch users.
    • Disconnect when a user logs out: Ends a VPN session when a user logs out.
    • Send all traffic over VPN connection: Sends all network traffic over the VPN connection, regardless of the network service you use, such as Wi-Fi or Ethernet.
    • Use verbose logging: Captures more detailed log information in your VPN session. This may be useful if you are troubleshooting a problem with your VPN connection.

Sample IKEv2 configuration profile for iOS and macOS devices

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ConsentText</key>
  <dict>
    <key>default</key>
    <string>You are about to use CloudTrust's VPN Edge service. You will need the appropriate user credentials to use this service. Please ensure proper endpoint protection and keep your antivirus solution up to date. In some cases, you may need special firewall settings to properly use the service - we recommend that you consult with your system administrator before using the service. More information: https://cloudtrust.solutions/edge/</string>
  </dict>
  <key>HasRemovalPasscode</key>
  <false/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>CloudTrust VPN Edge Root CA.cer</string>
      <key>PayloadContent</key>
      <data>
      -----BEGIN CERTIFICATE-----
      CloudTrust VPN Edge Root CA Base64 format
      -----END CERTIFICATE-----
      </data>
      <key>PayloadDescription</key>
      <string>Adds a CA root certificate</string>
      <key>PayloadDisplayName</key>
      <string>CloudTrust VPN Edge Root CA</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.root.09ECCF1E-4298-41CC-8A46-C69C64218BBC</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadUUID</key>
      <string>09ECCF1E-4298-41CC-8A46-C69C64218BBC</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>None</string>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>DeadPeerDetectionRate</key>
        <string>Medium</string>
        <key>DisableMOBIKE</key>
        <integer>0</integer>
        <key>DisableRedirect</key>
        <true/>
        <key>EnableCertificateRevocationCheck</key>
        <integer>0</integer>
        <key>EnableFallback</key>
        <integer>0</integer>
        <key>EnablePFS</key>
        <true/>
        <key>ExtendedAuthEnabled</key>
        <true/>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>LocalIdentifier</key>
        <string>edge.cloudtrust.solutions</string>
        <key>RemoteAddress</key>
        <string>edge.cloudtrust.solutions</string>
        <key>RemoteIdentifier</key>
        <string>edge.cloudtrust.solutions</string>
        <key>ServerCertificateIssuerCommonName</key>
        <string>CloudTrust VPN Edge Root CA</string>
        <key>UseConfigurationAttributeInternalIPSubnet</key>
        <integer>0</integer>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>0</integer>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings</string>
      <key>PayloadDisplayName</key>
      <string>VPN</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.FF1D4034-5C5E-4C17-8243-B8FE9732F9E4</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>FF1D4034-5C5E-4C17-8243-B8FE9732F9E4</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key>
        <integer>0</integer>
        <key>HTTPSEnable</key>
        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>
      <string>CloudTrust VPN Edge</string>
      <key>VPNType</key>
      <string>IKEv2</string>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Connect your Mac to CloudTrust VPN Edge. More information: https://cloudtrust.solutions/edge/</string>
  <key>PayloadDisplayName</key>
  <string>CloudTrust VPN Edge</string>
  <key>PayloadIdentifier</key>
  <string>services@cloudtrust.solutions</string>
  <key>PayloadOrganization</key>
  <string>CloudTrust Ltd.</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>F711A6FB-A71D-448E-BD9A-FED859D6CAC3</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

To create the IKEv2 configuration profile for an iOS or macOS device, save the sample profile content to an XML file with the .mobileconfig extension (the extension Apple configuration profiles use) – for example: edge.cloudtrust.mobileconfig
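As an added example (not part of the CloudTrust profile above, and using placeholder names such as vpn.example.net and Example Root CA), the following Python script parses a profile with the same IKEv2 payload layout using the standard library's plistlib and reports settings a reviewer would question before deployment. On its constructed sample it flags only the disabled certificate revocation check, which is also the value the CloudTrust sample above uses:

```python
"""Lint the IKEv2 security settings of an Apple .mobileconfig profile.

Added example (not part of the CloudTrust page): the sample profile below is a
constructed, trimmed copy of the IKEv2 payload structure shown above. The checks
encode common hardening expectations (PFS, revocation checking, modern
algorithms); the thresholds are this example's assumptions, not CloudTrust's policy.
"""
import plistlib
from typing import Iterator, List, Tuple

SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadIdentifier</key><string>com.example.vpn.managed.sample</string>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key><string>None</string>
        <key>ExtendedAuthEnabled</key><true/>
        <key>EnablePFS</key><true/>
        <key>EnableCertificateRevocationCheck</key><integer>0</integer>
        <key>RemoteAddress</key><string>vpn.example.net</string>
        <key>RemoteIdentifier</key><string>vpn.example.net</string>
        <key>ServerCertificateIssuerCommonName</key><string>Example Root CA</string>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key><integer>14</integer>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key><integer>14</integer>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

WEAK_DH_GROUPS = {1, 2, 5}        # MODP groups below 2048-bit strength (example threshold)
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY_PREFIX = "SHA1"


def iter_ikev2_payloads(profile: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (PayloadIdentifier, IKEv2 dict) for every managed IKEv2 VPN payload."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.vpn.managed" and payload.get("VPNType") == "IKEv2":
            yield payload.get("PayloadIdentifier", "<no identifier>"), payload.get("IKEv2", {})


def check_sa(label: str, sa: dict, findings: List[str]) -> None:
    """Check one security-association parameter block (IKE SA or Child SA)."""
    group = sa.get("DiffieHellmanGroup", 0)
    if group in WEAK_DH_GROUPS:
        findings.append(f"{label}: DiffieHellmanGroup {group} is weak; use group 14 or an ECP group")
    if sa.get("EncryptionAlgorithm") in WEAK_ENCRYPTION:
        findings.append(f"{label}: EncryptionAlgorithm {sa['EncryptionAlgorithm']} is deprecated")
    if str(sa.get("IntegrityAlgorithm", "")).startswith(WEAK_INTEGRITY_PREFIX):
        findings.append(f"{label}: IntegrityAlgorithm {sa['IntegrityAlgorithm']} is deprecated")


def lint_profile(data: bytes) -> List[str]:
    """Return a list of human-readable findings for the IKEv2 payloads in a profile."""
    profile = plistlib.loads(data)
    findings: List[str] = []
    for ident, ike in iter_ikev2_payloads(profile):
        if ike.get("AuthenticationMethod", "None") == "None" and not ike.get("ExtendedAuthEnabled"):
            findings.append(f"{ident}: no certificate or shared-secret auth and ExtendedAuthEnabled (EAP) is off")
        if not ike.get("EnablePFS"):
            findings.append(f"{ident}: EnablePFS is off; a compromised IKE key would expose past sessions")
        if not ike.get("EnableCertificateRevocationCheck"):
            findings.append(f"{ident}: EnableCertificateRevocationCheck is off; a revoked server certificate is still accepted")
        if not ike.get("ServerCertificateIssuerCommonName"):
            findings.append(f"{ident}: ServerCertificateIssuerCommonName missing; server certificate issuer is not pinned")
        if not ike.get("RemoteIdentifier"):
            findings.append(f"{ident}: RemoteIdentifier missing; server identity is not matched against its certificate")
        check_sa(f"{ident} IKE SA", ike.get("IKESecurityAssociationParameters", {}), findings)
        check_sa(f"{ident} Child SA", ike.get("ChildSecurityAssociationParameters", {}), findings)
    return findings


if __name__ == "__main__":
    for line in lint_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(line)
```

To run it against a real profile, pass the file's bytes: lint_profile(open("edge.cloudtrust.mobileconfig", "rb").read()). The revocation-check finding is advisory: on Apple platforms the check is best effort, and some networks block the OCSP or CRL fetch, so an organisation may accept leaving it off in exchange for the issuer pinning that ServerCertificateIssuerCommonName provides.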

Connect your Mac to a VPN

You can use Network preferences to connect to a virtual private network (VPN) on an existing internet connection.

  1. On your Mac, choose Apple menu > System Preferences, then click Network.
  2. Select your VPN service in the list on the left.
  3. If there's a Configuration pop-up menu, click it, then choose a configuration. There may be only one configuration available.
  4. Click Connect.

Set up a VPN connection on iPhone

To connect to a virtual private network (VPN) on your iPhone, you need to enter configuration settings in Settings > General > VPN. These settings include the VPN server address, account name, and any authentication settings, such as a password or a certificate you received from the network administrator.

If you received a VPN settings file from your network administrator, you can import it to set up your connection. If you didn't, you can enter the settings manually.

Enter VPN settings manually

  1. On your iPhone, go to Settings > General, then tap VPN.
  2. Tap Add VPN Configuration...
  3. Tap Type, then choose what kind of VPN connection you want to set up, depending on the network you are connecting to. Give the VPN service a name, then go back to the configuration screen.
    • L2TP is an extension of the Point-to-Point Tunnelling Protocol used by internet service providers to enable a VPN over the internet.
    • IPSec (Internet Protocol Security) is a set of security protocols.
    • IKEv2 is a protocol that sets up a security association in IPSec.
  4. Enter the server address and the account name for the VPN connection.
  5. Enter the authentication information you received from the network administrator.
  6. If specified by your network administrator, enter additional information such as proxy settings.
  7. The additional information you can enter depends on the type of VPN connection you're setting up.
  8. Tap Done.

To remove the VPN configuration, select it in the list and tap Delete VPN.

Connect your iPhone to a VPN

You can use Settings to connect to a virtual private network (VPN) on an existing internet connection.

  1. On your iPhone, open Settings > General > VPN.
  2. Select the VPN configuration you want to use.
  3. Turn on the VPN status switch.

The Remote Network Connection™ name and associated trademarks, logos are registered trademarks of CloudTrust Ltd.
Copyright © CloudTrust Ltd. 2014-2023. All rights reserved.  