1. Be sure you have correctly set up your firewall, I mean:
   1. The licence is uploaded to your system
   2. Set up your interfaces
   3. Set up NAT masquerading
   4. Set up the packet filter
   5. Set up the DNS proxy
   This will help for the next steps.

2. Here you have a choice: either you use the local authentication of the Astaro Security Gateway, or you authenticate your VPN connections against a Windows 2000 Active Directory, as I did. I'll only explain the VPN setup on the Astaro side. So let's list what we'll need to do:
   1. Prepare RADIUS on your Windows 2000 ADS: begin by installing IAS from Add/Remove Programs, then follow the step-by-step setup in the Astaro User Manual, which you can open from the Astaro web interface (choose the .pdf version and look for chapter 5.1.8.2 RADIUS, page 82). It's very easy, as long as your Active Directory is already up and running.
   2. Be sure you set up the user authentication as explained there.
   3. Take the time to create your definitions in Definitions >> Networks, just to be sure.
   4. Now create your IPSec connection in IPSec VPN >> Connections:
      1. Enable IPSec Global Settings
      2. Choose a name for your connection
      3. Choose type "MS Windows L2TP over IPSec"
      4. Then click the edit button to change the settings of the connection you just created
      5. There, make sure the type is set to "MS Windows L2TP over IPSec"
      6. In the endpoint definition, set the Local Endpoint to your "External" NIC, i.e. the interface on your Astaro that owns the public IP address. The Remote Endpoint should be set to "Any".
      7. Check that L2TP Encapsulation is "ON"
      8. Choose to use a pre-shared key and type the pre-shared key you will have to enter when creating the VPN connection on the XP client. Every client shares this one secret, so pick a long random one and don't reuse it anywhere else.
   5. Now go to IPSec VPN >> L2TP over IPSec:
      1. Under L2TP over IPSec Settings, Enable (if not already enabled)
      2. Authentication: Radius Database
      3. Debugging: Off
      4. IP address assignment: Static IP Pool
      5. Under L2TP over IPSec IP Pool:
      6. Network: IPSEC-Pool
      7. Under L2TP over IPSec:
      8. If you were smart enough to enable the DNS proxy and forward all DNS requests your Astaro receives to your LAN DNS server (mostly your Win2K ADS hosting RADIUS), you can add the Astaro's IP address in Client DNS Servers. Make the proxy listen only on the LAN networks, unless you host your own public DNS server. The IP address of your Astaro inside the IPSec IP pool will mostly be xxx.xxx.xxx.1.
   6. Make sure NAT-Traversal is enabled in IPSec VPN >> Advanced.

3. And here, the part where you'll kick yourself. The masquerading rule:

   masq_02   IPSEC-Pool -> All / All   MASQ__External   None

   Yep, that's the secret: you need to create a masquerade rule for your IPSec pool for your connection to work.

4. Then the packet filter rule:

   2   [none] -   IPSEC-Pool 10.254.0.0/24   Any   0.0.0.0/0 Any   [none]

   That is, source IPSEC-Pool (10.254.0.0/24), service Any, destination Any (0.0.0.0/0). Create a rule for your IPSec pool like you did for your LAN. Note that with destination Any the VPN clients can reach everything, including the Internet through the masquerade above; if they only need your LAN, use your internal network as the destination instead.

5. Now you can go to your XP client:
   1. Go to Control Panel
   2. Network Connections
   3. Create New Connection
   4. Connect to the network at my workplace
   5. Virtual Private Network connection
   6. Set your connection name
   7. Set the IP of the VPN gateway you just finished setting up (you can still use the good old 56k modem to attack your own firewall from outside and test the connection)
   8. Allow those you want to allow to use the connection
   9. Click Finish
   10. The window of your connection will pop up; click Properties
   11. Then Options and tick "Include Windows logon domain"
   12. Then Security and click "IPSec Settings"; there tick the "Pre-shared key" option and fill in the pre-shared key you created when configuring the IPSec connection on your Astaro
   13. In Networking you can set the type of VPN to "Automatic" (setting it explicitly to "L2TP IPSec VPN" avoids any fallback to PPTP)
   14. Click OK and try out the connection, but first read the last lines below.

And that's all. If you followed the instructions in the manual for the RADIUS part, you should just try out your XP client VPN connection and see that it works.
Don't forget that the username and password you will have to provide are the same as in your Active Directory, so make sure the user you want to authenticate with on your VPN connection has the "Remote Access Permission (Dial-in or VPN)" setting set to "Allow access". You can find that inside "Active Directory Users and Computers": find the user you want to use, right-click it and choose "Properties", then click the "Dial-in" tab; the first option is the one you're looking for.
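As an added example (not from the original post), here is how to check, set and audit that same Dial-in permission from PowerShell, which is handy once you have more than a handful of VPN users. The attribute behind the "Dial-in" tab is msNPAllowDialin: TRUE means "Allow access", FALSE means "Deny access", and an absent value means "Control access through Remote Access Policy". The script assumes the ActiveDirectory module (RSAT, or a Windows Server 2008 R2 or later domain controller); on the Windows 2000 domain in the post you would use the GUI tab described above. The user name 'vpnuser' is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# PowerShell module (RSAT or a 2008 R2+ DC). The Windows 2000 DC in the post
# has no PowerShell; there the ADUC "Dial-in" tab does the same thing.
Import-Module ActiveDirectory

# Read the Dial-in permission of one user and return the GUI wording.
function Get-VpnDialinPermission {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin
    $v = $u.msNPAllowDialin
    if ($null -eq $v) { return 'Control access through Remote Access Policy' }
    elseif ($v)       { return 'Allow access' }
    else              { return 'Deny access' }
}

# Set the Dial-in permission: Allow, Deny, or hand control back to policy.
function Set-VpnDialinPermission {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('Allow', 'Deny', 'Policy')][string]$Mode
    )
    switch ($Mode) {
        'Allow'  { Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $true } }
        'Deny'   { Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $false } }
        'Policy' { Set-ADUser -Identity $SamAccountName -Clear msNPAllowDialin }
    }
}

# Audit: every account explicitly allowed to dial in / VPN in. Disabled
# accounts that still carry "Allow access" are worth cleaning up.
function Get-VpnAllowedUsers {
    Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
        Select-Object SamAccountName, Enabled, DistinguishedName
}

# Usage ('vpnuser' is a placeholder account name):
Get-VpnDialinPermission -SamAccountName 'vpnuser'
Set-VpnDialinPermission -SamAccountName 'vpnuser' -Mode Allow
Get-VpnDialinPermission -SamAccountName 'vpnuser'   # now "Allow access"
Get-VpnAllowedUsers | Format-Table -AutoSize
```

The audit function is the check to run periodically: with RADIUS in the path, anyone listed there can reach whatever the IPSEC-Pool packet filter rule allows, so the list should contain only accounts that still need the VPN.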