Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShellWindows 10 Always On VPN and DirectAccess both provide seamless, transparent, always on remote network access for Windows clients. However, Always On VPN is provisioned to the user, not the machine as it is with DirectAccess. This presents a challenge for deployment scenarios that require the VPN connection to be established before the user logs on. To address this issue, Microsoft introduced support for a device tunnel configuration option beginning with Windows 10 version 1709 (Fall creators update).

Want to learn more about Windows 10 Always On VPN? Register for one of my hands-on training classes now forming in cities across the U.S. Details here.

Prerequisites

To support an Always On VPN device tunnel, the client computer must be running Windows 10 Enterprise or Education version 1709 (Fall creators update). It must also be domain-joined and have a computer certificate with the Client Authentication Enhanced Key Usage (EKU) issued by the organization’s Public Key Infrastructure (PKI).

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

In addition, only the built-in Windows VPN client is supported for Always On VPN device tunnel. Although Windows 10 Always On VPN user connections can be configured using various third-party VPN clients, they are not supported for use with the device tunnel.

VPN ProfileXML

The Always On VPN device tunnel is provisioned using an XML file. You can download a sample VPN ProfileXML file here. Make any changes required for your environment such as VPN server hostnames, routes, traffic filters, and remote address ranges. Optionally include the trusted network detection code, if required. Do not change the protocol type or authentication methods, as these are required.

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Reference: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#configure-the-vpn-device-tunnel

Once the ProfileXML file is created, it can be deployed using Intune, System Center Configuration Manager (SCCM), or PowerShell. In this post I’ll cover how to configure Windows 10 Always On VPN device tunnel using PowerShell.

Client Configuration

Download the PowerShell script located here and then copy it to the target client computer. The Always On VPN device tunnel must be configured in the context of the local system account. To accomplish this, it will be necessary to use PsExec, one of the PsTools included in the Sysinternals suite of utilities. Download PsExec here, copy it to the target machine, and then run the following command in an elevated PowerShell command window.

PsExec.exe -i -s C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Another elevated PowerShell window will open, this one now running in the context of the local system account. In this window, navigate to the folder where you copied the PowerShell script and XML file to. Run the PowerShell script and specify the name of the ProfileXML file, as shown below.

VPN_Profile_Device.ps1 -xmlFilePath .\profileXML_device.XML -ProfileName DeviceTunnel

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

To verify creation of the VPN device tunnel, run the following PowerShell command.

Get-VpnConnection -AllUserConnection

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Note: Be advised that the ConnectionStatus is always Disconnected. Hopefully this will be addressed by Microsoft in the near future.

Server Configuration

If you are using Windows Server 2012 R2 or Windows Server 2016 Routing and Remote Access Service (RRAS) as your VPN server, you must enable machine certificate authentication for VPN connections and define a root certification authority for which incoming VPN connections will be authenticated with. To do this, open an elevated PowerShell command and run the following commands.

$VPNRootCertAuthority = “Common Name of trusted root certification authority”
$RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like “*$VPNRootCertAuthority*” })
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru

Always On VPN Windows 10 Device Tunnel Step-by-Step Configuration using PowerShell

Summary

Once the Always On VPN device tunnel is configured, the client computer will automatically establish the connection as soon as an active Internet connection is detected. This will enable remote logins for users without cached credentials, and allow administrators to remotely manage Always On VPN clients without requiring a user to be logged on at the time.

Additional Information

Configure Windows 10 VPN Device Tunnel on Microsoft.com

3 Important Advantages of Always On VPN over DirectAccess

5 Things DirectAccess Administrators Should Know About Always On VPNΒ 

Windows 10 Always On VPN and the Future of DirectAccess

Windows 10 Always On VPN Training and Consulting Services

Leave a comment

187 Comments

  1. Michael de Cler

     /  December 18, 2017

    We are experiencing issues where, once the device tunnel is created, the user profile does not connect when logged on. It tries to connect for about 5 times and then stops. Seems that the devicetunnel is preventing the user tunnel. When we disconnect the devicetunnel on the server the user tunnel becomes online within seconds.

    Secondly, seems that the devicetunnel never disconnects. Even when we reboot the device the tunnel remains. At some point there were 8 (!!) different tunnel open.

    Please advise..

    Reply
    • Unusual for sure. πŸ™‚ Did you use the trusted network detection option for your user tunnel? I’m wondering if the device tunnel might be interfering with it that way. I’ve not seen where there are multiple device tunnels though! I’ll continue to test and let you know what I find, if anything. πŸ™‚

      Reply
    • Azad Sofi

       /  March 6, 2018

      Hi Michael,

      Issue identified was : you had been using the route for management server and DC as same and device tunnel once up was able to reach to internal domain resources which should not happen on device tunnel.

      the change that we did was to create a new subnet/route for management server.

      I hope you are able to work with Always on VPN after we fixed it.

      Regards,
      Azad Sofi
      Support Engineer Microsoft Networking

      Reply
  2. Nico Junge

     /  December 22, 2017

    The device tunnel is not sufficient? An additional user tunnel is needed for the user to access corporate resources? So two profiles have to be rolled out onto each notebook? Did I get this right?

    Reply
    • The Windows 10 Always On VPN device tunnel is designed to enable domain log on without cached credentials, and a few other scenarios. With that, it should be configured with limited access. Yes, a logged on user would have access to whatever is allowed over the device tunnel, but it really shouldn’t be full network access. That would be granted by the user tunnel after authentication takes place. However, if you want to open up the device tunnel to all traffic I guess you could do that and use one tunnel, but I really wouldn’t recommend it from a security perspective. πŸ™‚

      Reply
  3. Hi Richard,

    We are only having the device tunnel enabled (no user profile).

    Everything works alright until we reboot the device after we have applied the VPN profile.

    Nothing shows in the logs, besides it actually says the profile was successful connected. But in “Network Connections” it’s stuck in connecting and the machine doesn’t get any IP.

    I can force the connection and get it to work if I first disconnect, and then reconnect again using utility rasdial.exe in a command prompt:

    rasdial.exe “” /disconnect

    rasdial.exe “”

    We are using the sample XML file (with relevant connection details substituted) found here:

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#configure-the-vpn-device-tunnel

    The profile was made in the “SYSTEM” context, as you pointed out.

    Any ideas?Kind Regards Alex

    Reply
    • Interesting. I’m having issues with the Always On VPN device tunnel as well, but something different. On my test machines the client will connect without issue, but when I restart it will never reconnect. There are errors in the event log indicating related services are failing to start, so I suspect it is a bug. It is likely the same in your case. :/

      Reply
      • Hi Richard,
        Thanks for replying, sounds like the same issue. I think I will open a Microsoft support ticket, and post the details (and a solution) if we succeed to resolve the issue. I will keep you updated.

      • Did this ever get resolved?

      • Not to my knowledge, but Microsoft is aware so I suspect something will be forthcoming. I did some further testing and it appears the issues I was experiencing were only happening on Windows 10 virtual machines. The device tunnel seems to work perfectly on all of my physical Windows 10 devices though. πŸ™‚

      • Thanks. So far it happens on all of my physical devices. Clearly it does talk to the server because a new connection shows up in RRAS. If I disconnect it from the RRAS gui quickly, the client will reconnect and work… if I wait a while before disconnecting, it will just go to disconnected state on the client and never try to reconnect.

        If I have both a User tunnel and a device tunnel configured, the User Tunnel will never connect automatically… but what’s really messed up is that the device tunnel will show the domain name rather than “connecting” … it looks like the tunnel would should be working. But still, it doesn’t work without killing/restablishing the connection.

        The change in behavior when both tunnels are present is curious. I’ve been through everything I can think of three times… nothing I do has any effect other than to break it entirely. πŸ™‚

      • Sounds frustrating for sure. What I might suggest is that you don’t use TrustedNetworkDetection at all, either on the device tunnel or the user tunnel. It would be interesting to see if that clears up your automatic connection issues. If you are concerned with clients connecting to the VPN when they are on the internal network, just make sure they can’t resolve the VPN’s public hostname to an IP address, or black hole it by resolving it to a bogus IP. If you try either of those let me know how it works!

      • J

         /  March 2, 2018

        Thanks for the suggestions, I tried those permutations and a few others. Unfortunately no change. Hopefully Patch Tuesday will bring a present.

  4. Peter Enoch

     /  January 1, 2018

    Hi Richard, the requirements for Always On VPN for the User mode is not Windows 10 Enterprise licenses, is there a reason that Enterprise licenses is needed for Device mode?

    Reply
    • The Windows 10 Always On VPN device tunnel feature is designed to provide pre-logon network connectivity to support domain logons when cached credentials are not available. It was implemented specifically to provide feature parity with DirectAccess, so Microsoft made the decision to restrict it to Windows 10 Enterprise edition.

      Reply
  5. Hi Richard, I am looking to move my RAS environment to Azure as this is where most of my apps now reside. RRAS isn’t currently supported in Azure so my only option to do always-on VPN is use a supported 3rd party product such as F5 APM (I believe). However a lot of development is going into the native Azure VPN Gateway with regards to increasing user limits and authentication methods. Would an always-on device tunnel work to an Azure VPN Gateway?

    Reply
    • Yes, you could deploy a third-party appliance, but obviously that adds cost and administrative overhead. Indeed it should be possible to use the Azure VPN gateway with Windows 10 Always On VPN. It supports IKEv2 and now with RADIUS support I think it should work. It’s not something I’ve tested myself yet, but its on my list. I’ll be sure to post something here once I do.

      Reply
  6. Hi again,

    Is it possible to configure something similar as NPRT in DirectAccess with Always On VPN.

    We are using split DNS in our environment, this will cause the client to lookup resources through the tunnel. We really only want Active Directory, SCCM and similar connections and not web pages etc.

    Kind Regards Alex

    Reply
  7. Matthew

     /  February 5, 2018

    Can Always On VPN with pre-logon device tunnels be configured to connect through an existing Cisco ASA infrastructure instead of setting up RRAS servers for clients to connect through?
    We don’t want to throw away our investment in ASA hardware, but we would like to be able to get rid of the Cisco AnyConnect software and login steps on domain-joined systems.

    Reply
    • As long as you use IKEv2 with machine certificate authentication, and you use the built-in Windows 10 VPN client to establish the connection, then yes it should work. It’s not something I’ve tested myself yet though, but in theory it should work. πŸ™‚

      Reply
  8. Tony

     /  February 16, 2018

    Do you know of any guidance for deploying the Device Tunnel using Intune?. I have successfully deployed the user tunnel this way but it is straight XML

    I can also confirm same issue with User VPN not connecting when the Device Tunnel is connected, in my case if I had my DCs in the routes then User tunnel would not connect if ‘trustednetworkdetection’ was set.

    If I removed the DCs from Device Tunnel then it would connect but no user could authenticate to logon to machine.

    Reply
    • You deploy the device tunnel in Intune just as you would the user tunnel, with the exception that you’ll use the ./Device/Vendor/MSFT/VPNv2/ OMA-URI instead of ./User. Also, if you are using the device tunnel, it is recommended that you not enable the option to use trusted network detection on the user tunnel to avoid the problem of detecting the device tunnel as the internal network. To prevent the user tunnel from establishing itself on the internal network, make sure your clients can’t resolve the VPNs public hostnmame or that they can’t reach the VPN server instead.

      Reply
  9. Tony

     /  February 19, 2018

    Thanks for that Richard, much easier than I thought and it’s working like a charm now. Also the Trusted Network Detection makes perfect sense, our vpn name is not resolvable internal so there was no requirement for it.

    Reply
  10. Tony

     /  February 20, 2018

    Thanks for this Richard, working well for me now.

    Regarding Proxies – In our DirectAccess we specified the Proxy server in the NRPT rule for certain external websites that only allowed access via our internal network . This worked great but it doesn’t seem to work for me using
    in the XML for AlwaysON. Is it the same concept? I see no traffic going to the proxy server which is internal. On DirectAccess we can see the traffic coming from the DIrectAccess servers internal network.

    Reply
    • It should be. There are two places to define a proxy serer – at the connection level and at the namespace level. Try adding the domain in the DomainNameInformation tag and then define your proxy under WebProxyServers. Let me know how that works!

      Reply
      • Tony Wood

         /  February 22, 2018

        Thanks Richard, I have that in the vpn profile xml, but it prevents the page from loading. Does the proxy server need to be external facing? Our current proxy setup with DirectAccess is internal only.

      • No, it should be an internal proxy server reachable over the VPN connection.

  11. Andrew

     /  February 21, 2018

    I assume it is possible to lock down configuration for users so that either you have the tunnel and connect through your corporate infrastructure or you have no internet access at all?

    Reply
    • That’s correct. Keep in mind that when you enable lockdown VPN that it must be a device profile and you can’t have any other VPN profiles configured. And as you noted, the behavior will be such that the user will have no network access at all unless the VPN connection is established.

      Reply
  12. Eric

     /  February 25, 2018

    Can you confirm why we need to run this command? Seems like it bypass NPS authentication by doing this?

    $VPNRootCertAuthority = β€œCommon Name of trusted root certification authority”
    $RootCACert = (Get-ChildItem -Path cert:LocalMachine\root | Where-Object {$_.Subject -Like β€œ*$VPNRootCertAuthority*” })
    Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru

    Reply
    • NPS isn’t used when using machine certificate authentication is used. However, this command simply tells the RRAS server which root CA to trust for machine certificate authentication. With out it, you would have to delete all root CAs on the server except your internal CA. Otherwise your VPN server would accept a client authentication certificate from any of its trusted CAs, which includes many public CAs. Not a good idea at all. πŸ™‚

      Reply
  13. Mincey

     /  February 28, 2018

    We have a setup with both a device and user tunnel in operation. It works well, apart from one fairly major issue and I was wondering if a supported solution had been identified. I can see comments above and I am curious if anyone is experiencing the identical issue.

    Firstly, we have tried to set things up with the ‘Trusted Network Detection’ only in the device tunnel config, as had been recommended above. This seems work well when outside of the corporate network, and the user tunnel automatically connects. However, with ‘Trusted Network Detection’ missing from the user tunnel config we can see entries in the event log of repeated attempts to connect to the VPN when the computer is in use on our corporate network. These bursts of activity can be 3-4 minutes apart and seem to continue for as long as the machine is connected to the corporate network.

    Therefore, we would ideally prefer to keep ‘Trusted Network Detection’ in the user tunnel config to prevent the repeated failed attempts at connecting to the VPN. The issue with keeping ‘Trusted Network Detection’ in the user tunnel config is that after a device tunnel has been established and the user logs on then the user tunnel is not automatically connected. The user would have to manually connect to the VPN. Admittedly this isn’t the end of the world, but it isn’t ideal for a large workforce currently using DirectAccess that works automatically, so being cut across to AlwaysOn without automatic VPN connection will appear like a backward step.

    We are attempting a workaround at the moment. It’s very much a ‘work in progress’ but we have had a bit of success. However, we would be very interested in a reliable, supported solution if there happens to be one. So far, any queries to our local Microsoft Support hasn’t provided us with any solution, so hopefully someone here might have the answer?

    Reply
    • You’re not alone with this experience for sure. πŸ˜‰ Another solution to consider is preventing Always On VPN clients from resolving the VPN public hostname when they are on the internal network. Alternatively, you could black hole those DNS queries to prevent client machines from establishing VPN connections when they are on the internal network. That would solve the issue without the need for enabling TrustedNetworkDetection on either the device or user tunnel.

      Reply
  14. yannara

     /  March 1, 2018

    The challenge seems to be around AOV, that no one cares to run VPN service based on Windows Server. Also, it is uknown what VPN vendors (Cisco, Citrix) do support this type of protocol today.

    Reply
    • That’s not true at all. Many customers have deployed and are deploying VPN servers using Windows Server 2016. In fact, there are some very compelling reasons to do so as I outlined in this recent blog post: https://directaccess.richardhicks.com/2018/01/02/always-on-vpn-and-windows-routing-and-remote-access-service-rras/. The good thing about Windows 10 Always On VPN is that you aren’t locked in to use a Windows server. If you decide you want to implement using a purpose-built security appliance, that’s entirely up to you. In fact, ANY VPN server that supports IKEv2 will work with Always On VPN. Also, any VPN that has a Windows store VPN plug-in available can also be used for Always On VPN. Some popular solutions are SonicWALL, Juniper Pulse, Fortinet Fortigate, Palo Alto Networks, Checkpoint, and F5 APM just to name a few. You definitely have options!

      Reply
      • Tony

         /  March 5, 2018

        I’ve just set this up via Netscaler Load Balancer. While testing failover the device tunnel seamlessly reconnects to the other RRAS server but the user tunnel just disconnects and stays that way until I manually connect. Is there something else I need to configure here?

      • Not sure. If you are successfully getting the device tunnel to failover, I see no reason why the user tunnel wouldn’t do the same, assuming they are using the same protocol. Keep in mind that load balancing IKEv2 presents some unique challenges when the VPN server is behind a NAT. This is because both ports 500 and 4500 must be delivered to the same real server, which is challenging because it is UDP. Most ADCs have a way of dealing with this, but it differs depending on the vendor. You’ll have to refer to their documentation for guidance.

  15. Marko

     /  March 7, 2018

    Hey,
    is it possible to configure a fallback to SSTP when IKEv2 is blocked ?
    Thanks !

    Reply
  16. Matthew

     /  March 10, 2018

    I see the requirement for clients to establish device tunnels is domain-joined with machine certificates and be running Windows 10 1709 Enterprise.
    We have vendors we would like to provide VPN access to from their corporate laptops that belong to an unrelated, untrusted domain.

    Would those users be able to use out Always On VPN to establish USER tunnels to access our internal LAN/Intranet/File shares etc. from older versions of Windows 10 or even Windows 7 using their built-in Windows VPN settings and user certificates instead of computer certificates?

    Reply
    • The device tunnel was designed to provide feature parity with DirectAccess, hence the requirement for Windows 10 Enterprise edition. That said, you can enable Always On VPN user tunnels for any Windows 10 device. Although user certificates are the recommended best practice for authentication, it is not a hard requirement. You could enable Always On VPN using username/password, although the first connection would not be seamless/transparent. The user would have to enter their credentials the first time, then subsequent connections would not require user interaction. This would easily allow you to provide Always On VPN to users outside your organization.

      Windows 7 is another story. There is no support for Always On VPN in Windows 7 at all. However, you can easily configure Windows 7 clients to establish VPN connections using whatever parameters you choose (certificates, username/password, etc.), it just won’t be “Always On”. The user would have to manually establish the connection each time they needed remote access.

      Reply
  17. Matthew

     /  March 15, 2018

    Will Always On VPN work on Windows 10 Enterprise systems running in “S Mode?”

    Reply
  18. Christian

     /  March 15, 2018

    Hey,
    at first thx for your nice work πŸ™‚ but i still have an Error ID 13806 in the Event Log
    The Certificates are still there, and issued to the Server but the Issuer is my Enterprise Sub-CA
    I have an offline standalone root CA and an Enterprise subordinate CA.

    Can you help me by this?
    Thx a Lot

    Christian

    Reply
    • The certificate can be issued by any CA that is trusted. Make sure that both certificates (server and client) have the Client Authentication EKU. As long as they are issued from a trusted CA it should work (assuming the RRAS configuration is correct too, of course).

      Reply
  19. Johnny M. Forp

     /  March 23, 2018

    I am trying to get a device tunnel with routes/traffic filters to the DC’s and public fileserver (192.168.3.20/32, 192.168.3.21/32, 192.168.3.23/32). If I’m logged in as a user with the user tunnel disconnected, the connection to these device routes works fine. I can communicate with those hosts. If I’m at pre-logon, I’ll have 4-5 connections to the RRAS server from the device tunnel and the connection is not working properly. On my RRAS server each connection states β€œTotal Bytes In: 0” which tells me something is not transmitting back to the client properly. However, once the system logs in, the tunnel works fine.

    Once the user tunnel connects on the same machine (192.168.2.0/23 [possible routing conflict or no? I have same setup using OpenVPN no issues], and 10.10.200.0/23), both of the connections are working fine and ONE of the device tunnels which had β€œTotal Bytes In: 0” consistently shows activity. The other device tunnels remain dormant. I need group policy to apply and network shares to mount on boot.

    Another issue causing me even issues testing is that if I don’t login as a user quickly after a reboot, my NRPT keeps getting corrupted causing all connections to my RRAS server to fail for 30 min. I imagine it’s because the device tunnel tries to connect every 2-3 seconds and something is bugging out (relation to β€œTotal Bytes in: 0”?)

    Overall, I think there’s an issue with the device tunnel but it works fine when testing logged in. Pulling my hair out trying to fix these 2 issues and have spent way too much time on this project. Any ideas?

    Reply
    • I know the Always On VPN device tunnel hasn’t been entirely stable based on a number of reports. You might be encountering some of those issues. In my testing it has been working ok so far, but enough others are complaining that I think something might be up. I’d caution you that if you are using Trusted Network Detection in your ProfileXML, that could be causing some problems, especially if it is specified on both the device tunnel and user tunnel. Would recommend only using it on the device tunnel, if at all.

      Reply
      • Johnny M. Forp

         /  March 23, 2018

        Wish they would get the kinks worked out as I greatly prefer this over some of the alternatives. Thank you for the response!

      • Hopefully soon. πŸ™‚

  20. Sossage

     /  March 29, 2018

    Hi Richard,
    Great guides as usual, thank you.
    We are trying to deploy AlwaysOnVPN via GPO/Powershell/Intune in a corporate environment. We get a couple of issues:-
    1. You say the powershell scripts to import the XML config needs to be run under SYSTEM user? i.e. not user?
    2. Is there a way of configuring a proxy just on the VPN/dial-up connection that actually gets encapsulated in the config file? This never seems to work and we always need to configure manually. We can se ta general proxy, just not specifically on the dial-up connection.
    Cheers.

    Reply
    • Only the device tunnel needs to be deployed under the SYSTEM account. The user tunnel is deployed as the user, albeit with administrative privileges. As for the proxy configuration, you should be able to add that under ./User/Vendor/MSFT/ProfileName/Proxy. You can choose manual or autoconfig. Optionally you can define a proxy server by individual namespace or FQDN under ./User/Vendor/MSFT/ProfileName/DomainNameInformation/WebProxyServers.

      Reply
  21. Andy

     /  April 6, 2018

    Windows 10 1709 with the latest March 2018 updates.

    I have setup the device tunnel on a few physical laptops. It works BUT the device tunnel always crashes after logging on (no matter if there is a user tunnel configured or not):

    The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

    Faulting application name: svchost.exe_RasMan, version: 10.0.16299.15, time stamp: 0x9c786b9a
    Faulting module name: msvcrt.dll, version: 7.0.16299.125, time stamp: 0x20688290
    Exception code: 0xc0000005
    Fault offset: 0x000000000005b893
    Faulting process ID: 0x1360
    Faulting application start time: 0x01d3cdbd900eb67c
    Faulting application path: c:\windows\system32\svchost.exe
    Faulting module path: C:\WINDOWS\System32\msvcrt.dll
    Report ID: 7399725d-1cdb-4447-8137-c9fc45e86952
    Faulting package full name:
    Faulting package-relative application ID:

    Fault bucket , type 0
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: svchost.exe_RasMan
    P2: 10.0.16299.15
    P3: 9c786b9a
    P4: msvcrt.dll
    P5: 7.0.16299.125
    P6: 20688290
    P7: c0000005
    P8: 000000000005b893
    P9:
    P10:

    Attached files:
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EC0.tmp.mdmp
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CBC.tmp.WERInternalMetadata.xml
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CBA.tmp.csv
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CCB.tmp.txt
    \\?\C:\Windows\Temp\WER8CDC.tmp.appcompat.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_RasM_da58269ec0c690daebc26797612e62ba4d950e8_9c1a5be5_cab_10dd8dd3\memory.hdmp

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_RasM_da58269ec0c690daebc26797612e62ba4d950e8_9c1a5be5_cab_10dd8dd3

    Analysis symbol:
    Rechecking for solution: 0
    Report ID: 7399725d-1cdb-4447-8137-c9fc45e86952
    Report Status: 4
    Hashed bucket:

    Is anybody else having this issue?

    Reply
  22. Hi Richard,

    I tried to follow your step by step procedure to implement the VPN tunnel device but it does not work. For information, I tested the solution in virtual environment without Internet connection.
    is it an obligation to have an Internet connection from the client computer?
    the external IP address used on the RAS server is an IP address ‘192.168.100.1’. This is not a public IP address.

    in your comments, tell you to position ./Device/Vendor/MSFT/VPNV2: ……..
    I do not know how to set this parameter

    I do not know how to set this parameter in the XML file, can you give me a concrete example please?

    Thank you very much

    Patrick

    Reply
  23. Hi, Wondering how/where in the XML profile to add NRPT rules? For example, some FQDN’s for things like OWA, and our DMZ Webserver, I wouldn’t want to go through the VPN. How would we add these exceptions?

    Reply
    • You can enable the NRPT by adding the DomainNameInformation element in your ProfileXML. Details here: https://directaccess.richardhicks.com/2018/04/23/always-on-vpn-and-the-name-resolution-policy-table-nrpt/.

      Reply
      • Sounded good in theory. In reality, even with the missing element for the FQDN, I’m still getting internal resolution. I even tried putting the “exceptions” ahead of the elements that include the DNS Server, in the profile, so it would maybe find a match and use external, but no go.
        EXAMPLE

        exception.domain.com

        .domain.com
        192.6.1.X

      • Unusual, because it has worked for me in the past. Are you using the device tunnel also? I’m wondering if perhaps the name resolution request is somehow leaking over the device tunnel.

      • I haven’t been able to get the Device tunnel to work as of yet, so no. But after getting the NRPT working, that will be my next and final task before testing with pilot users.

      • Strange, I removed all the DomainNameInformation DNS related tags out of the profile, and am still getting full internal resolution.

      • That’s to be expected. The VPN connection will be assigned a DNS server by the VPN server. The NRPT is only required if you want need to define specific DNS servers to specific namespaces.

      • So it seems that if I define an external DnsServer tag (1.1.1.1), I will then get external resolution, but for me, simply removing the tag for the specified FQDN results in internal resolution still through the VPN tunnel.

      • That’s odd. Definitely not been my experience. :/

  24. Yikes, what a mess judging from the comments here and elsewhere! Sounds like DirectAccess is still the way to go for the time being…

    Reply
    • I’ll agree that some of this technology isn’t quite fully baked at the moment, but hoping it will get better soon for sure. πŸ™‚

      Reply
  25. ND

     /  April 20, 2018

    Hi Richard,

    Your posts have helped me understand things so many times thank you. I have a question:

    We have implemented always on VPN a few times without issue, however on a recent implementation we found that after having used the makeprofile script to create a VPN profile using VPN_profile.ps1 the clients were auto connecting OK but weren’t able to get to any network resources. (When we created a successful manual connection we did have connectivity to internal resouces). We used the Microsoft Documentation: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment for configuring the servers and clients.

    We deduced that the issue we were seeing was because of the network configuration we were working on and the fact that when auto connecting we were split tunneling. We ended up finding this article: https://docs.microsoft.com/en-gb/windows/client-management/mdm/vpnv2-profile-xsd and realising we might have to put some routes in to the makeprofile script to feed in to the VPN profile script and profile on the clients to get the connectivity to work. We did this and it worked.

    It is not massively clear from the Always on documentation that this is what you have to do as part of the client config, can you confirm that we are doing the right thing by adding the routes in to the script as your article seems to agree with this? It strikes me if there was a route issue and the VPN clients needed updated routes adding you would have to re run the scripts and deploy the profile again?

    Thank you.
    ND

    Reply
    • Agreed, the Always On VPN documentation on the Microsoft web site is highly unintuitive. πŸ™‚ It’s one of the reasons my Windows 10 Always On VPN hands-on training classes have been so popular (shameless plug!). You are right, there will be times when you need to define routes to remote internal networks in the ProfileXML. Hope that helps!

      Reply
      • Andy

         /  April 23, 2018

        Would you recommend the following as our network team doesn’t tell us about new networks:

        10.0.0.0
        8

        172.16.0.0
        12

        192.168.0.0
        16

      • That would certainly work. πŸ™‚

      • ND

         /  April 23, 2018

        Hi Richard, Thanks for verifying what we already thought was the case. If I was anywhere near Denver or NY I’d be on the training course like a shot! Regards ND

      • Well, if you can get a few of your mates together I’d love to come to the UK and deliver the class. Perhaps it could even be sponsored by Risual? πŸ™‚

  26. ced666

     /  April 23, 2018

    Hi Richard,

    thank you very much for your quick return. Indeed, after simulating the internet network, the device tunnel connection works. Is it possible to configure Full tunneling in tunnel device mode? I configured the ForceTunnel section but it does not work. I want all flows to be routed to the corporate network.

    is it possible to configure this in tunnel device mode?

    For information, the bug declared in the tunnel device mode 1709 after reboot is no longer relevant in the 1803 version.

    Thank you.

    Patrick

    Reply
    • You should be able to specify force tunneling by defining that in the RoutingPolicyType element in your ProfileXML. It’s not something I’ve tested myself, but it should work I would expect. I’ll do some testing myself soon and see what I find.

      Reply
  27. ced666

     /  April 24, 2018

    Hi Richard,
    thank you for your return, I indicated in the configuration file the “RoutingPolicyType” section in ForceTunnel and yet I enter the command get-vpn connection -alluserconnection, I see that the value of the SplitTunneling attribute is always True . I’m still able to access my shares live outside the corporate network.
    Thank you.

    Patrick

    Reply
  28. Hello Richard,
    is it possible in tunnel device mode to pass an Internet connectivity so that the tunnel is automatically mounted in the corporate network without Internet. The idea is to be able to mount a VPN tunnel (device mode) without Internet connectivity. One can very well imagine to impose the VPN tunnel even in his company. Can we use triggering by DNS names, ie trigger the VPN as soon as there is a network connectivity (in the company or outside?)

    Thank you

    Patrick

    Reply
    • I’m not entirely clear about what you are asking, but I think you are looking for something called “LockDown” mode. When LockDown is enabled, the device will not be able to access the internet unless the VPN connection is established. Also, all traffic is tunneled over the VPN (force tunnel). Is that what you were looking for?

      Reply
  29. Matt

     /  May 5, 2018

    Hi Richard,

    Thanks for all your hard work with this stuff, it’s been so helpful.

    I’m posting to bring your attention to a bug in the user tunnel that MS have just confirmed. You may know about it already but I’ve not seen anything on the web about it.

    In Windows 10 1709, when using the always on feature in an IKEv2 user tunnel, the automatic trigger dials the connection under the SYSTEM context. This causes an authentication failure on the NPS due to an incorrect certificate being used. Dialling manually runs in the user context and will connect the tunnel successfully.

    I logged a call with MS and they have confirmed the bug. They say they’re hoping to patch it in June.

    Workaround for now seems to be to use an SSTP tunnel instead, which seems to work.

    Cheers,

    Matt

    Reply
    • Thanks Matt! This tunnel has been known for some time, and in fact Microsoft has resolved it in the latest update, 1803 (RS4). Also, to be clear, the device tunnel only supports IKEv2. You cannot create a device tunnel using SSTP, only user tunnels.

      Reply
      • Tony

         /  May 7, 2018

        Is Matt talking about another issue here as he’s mentioning the user tunnel as opposed to the known device tunnel issue?

        On another note is there a way to get the client to automatically reconnect when they lose connection to the RRAS? It works fine if the internet connection is lost and reestablished but if connection interrupted due to RRAS reboot for example the client doesn’t reconnect either tunnel.

        Thanks Tony

      • I thought he was talking about the device tunnel. I’m not aware of any specific issues regarding the user tunnel. As for automatically reconnecting, I would expect the client to reconnect regardless of the cause. I’ll do some testing when time permits and see if I have the same experience.

    • Mike

       /  May 7, 2018

      I’ve notice since updating to 1803, The user tunnel connects with SSTP instead of IKEv2.

      Reply
      • If you’ve configured NativeProtocolType to be “Automatic”, then the client will first try to establish a connection using IKEv2. If that fails for any reason, it will fall back to SSTP. It would appear that an IKEv2 connection was unsuccessful at some point, resulting in the client connecting with SSTP. Curious though, are you able to manually establish an IKEv2 connection?

      • Mike

         /  May 10, 2018

        Just tried it after the 1803 cumulative update. Yes, I can manually establish an IKEv2 connection.

      • Ok, good. I’d suggest removing the Always On VPN connection and then re-adding it. It should automatically choose IKEv2, assuming it is available. However, understand that the default behavior of the VPN client in Windows is to fall back to SSTP, but then subsequent connection attempts will always be made using the last successful protocol. If that was SSTP, it will be tried first! In reality that means that it will most likely always use SSTP, because it’s hard to conceive of a scenario in which SSTP isn’t available but IKEv2 is. πŸ˜‰

    • Matt

       /  May 10, 2018

      Hi all,

      I was talking about the user tunnel and it does indeed work with 1803. The problems i am seeing relate to the ‘alwayson’ setting on the user tunnel on 1709. When set to true, on network switch, unlock, or logon It will dial under the SYSTEM context and therefore attempt to authenticate with the machine certificate (not the user PEAP-based cert). If the device tunnel is up, the VPN server terminates the connection as the device is already connected and authenticated with its machine certificate. I logged a call with an MS breakfix team and they confirmed the bug.

      On another note and in response to Mike, i’ve noticed that when the profile is set to ‘automatic’ if the tunnel has to fall back to SSTP for some reason and establishes a connection, it will bump that protocol to the top of its preferred list and use SSTP as its first option on the next connection attempt. I’ve not looked into why this happens yet but any input would be great!

      Matt

      Reply
      • Ok, that’s news to me then. Definitely update us if Microsoft provides a workaround or fix. Also, the behavior you describe where the VPN client always prefers the protocol used during the last successful connection attempt is expected and by design. Not a good design if you ask me, but that’s what it is. πŸ™‚

  30. MaxG

     /  May 7, 2018

    Hello Richard
    We have an IKEv2 deployment which is load balanced behind a Netscaler LB Server. The allowed ports are UDP 500 and UDP 4500, but he have an issue here. The connection will succeed, but there is no traffic in the tunnel and Windows 10 client sets the network as Private profile. If manually update the network profile to be a domain network it will work perfectly. Have you had any issues load balancing with Citrix Netscaler? Any other suggestions?
    Thanks.

    Reply
    • If you can establish a VPN connection one the Domainprofile but not on the Private profile, I would have to assume that the Private profile is blocking outbound VPN connections. I’d look closely at the firewall configuration and see what’s up. If you can connect at all, the load balancer is likely configured correctly. πŸ™‚

      Reply
  31. Hello Richard,

    thank you for your comeback.

    I want to implement the trigger of the tunnel device as soon as a network connectivity is detected not necessarily an Internet connection.
    I set up the LockDown mode, unfortunately the tunnel device does not mount until the NCSI component detects an Internet connection.
    In summary, the Device tunnel is automatically mounted when the NCSI component detects Internet connectivity. Is there a possibility of
    to bypass the Internet detection (NCSI) so that the tunnel is mounted automatically (inside or outside the company)?

    Thanks in advance.

    Patrick

    Reply
    • Not to my knowledge. However, it might be possible to spoof NCSI and point it to itself so that it is always detects an Internet connection. I have no idea what sort of unintended consequences that would bring, but it might be interesting to experiment with!

      Reply
  32. Dan

     /  May 15, 2018

    Hi Richard,
    Are you aware if the Trusted Network Detection bug has been fixed in 1803? I would like to enable Trusted Network Detection for both the user and device tunnels but am currently unable to do so as the user tunnel never connects.
    Thanks

    Dan

    Reply
  33. ced666

     /  May 15, 2018

    Hello Richard,

    I set up a VPN tunnel device connection with LockDown mode. I would like to delete the VPN connection but it is impossible via the get-vpnconnection -alluserconnection | remove-vpnconnection -force. Access is denied and yet I am well connected with pstools with the localsystem account. Do you have an idea ?

    Reply
    • Interesting. I’ve not yet used the lockdown mode yet. However, you should be able to delete the connection once it is stopped. I’d suggest using rasdial.exe [connection name] /disconnect and then using PowerShell to remove the connection. Let me know what happens!

      Reply
      • Mike

         /  May 17, 2018

        I had difficulty deleting the device tunnel as well. I found that rebooting the PC then quickly disconnecting the connection, then delete the connection, finally removed it.

      • ced666

         /  May 17, 2018

        I tried to disconnect the VPN tunnel under Local System but the prompt is no longer responding. Even after disconnecting the network cable, disconnection via the rasdial command is not possible, as well as deletion. Thank you for your help.

  34. Hello,

    did you try to delete a VPN connection in LockDown mode? As stated in my previous posts, even with a card offline, deleting the network card is impossible.
    Do you have an idea ?

    Reply
    • I have not done any testing with lockdown mode. At this point I’ve not come across a requirement for its use.

      Reply
    • ced666

       /  May 22, 2018

      Hello,

      I just ask through the Forum if it is possible to delete a VPN connection ‘Device Tunnel’ which was done in LockDown mode under the LocalSystem context.For my part, I can not delete the VPN connection even when the card physical is disconnected, I have the message “Access Denied.” However, I did try manipulation under the administrator or localSystem context.
      I’m just wondering if you have a procedure to delete a LockDown VPN connection without restoring the machine.

      Reply
      • That’s unusual. However, I have no experience with the lockdown configuration. I’ll do some testing soon though to see if I can replicate your issue. You should be able to delete the connection, of course. How that’s done I’m not certain of right now. Stay tuned!

  35. ced666

     /  May 18, 2018

    Hello,
    Have you ever used the “trustedNetworkDetection” directive? in tunnel device? I read that this and direftive only works with a wireless connection (see link https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp).
    Have you managed to run the “trustedNetworkDetection” mode with a network card?
    Thanks in advance.

    Reply
    • Yes, I’ve used the TrustedNetworkDetection element before. I think the use of the term “wireless” in the VPNv2 CSP documentation is misleading though. It should work with any physical adapter on the device, both wired and wireless. When enabled, the VPN compare the string defined in TrustedNetworkDetection to the connection-specific DNS suffix on any physical adapter. If detected, the VPN will not initialize.

      Reply
      • Hello,
        I tested the directive mondomauine.com and I notice that the tunnel is mounted anyway. However, on the physical interface, I have the DNS suffix “.mydomain.com” via the ipconfig command. Do you have an idea ?

      • If your physical adapter has the suffix “.mydomain.com” then your TrustedNetworkDetection element would need to include that information. If it doesn’t match, the VPN connection will be established automatically.

      • ced666

         /  May 22, 2018

        Hello

        I found why the Peripheral Tunnel did not work with the TrustedNetworkDetection directive. In the documentation it is stated that the tunnel is always mounted whatever the situation. That is, the device tunnel is not compatible with the suffix-based trigger.

        The “TrustedNetworkDetection” directive is only functional with the User tunnel mode.

        Can you confirm that?

      • That’s incorrect. TrustedNetworkDetection works for both the user and device tunnels. As long as you correctly configure this setting to match your internal connection-specific DNS suffix VPN tunnels (user and/or device) will not be established.

      • ced666

         /  May 23, 2018

        Hello,

        excuse me for my previous message, there was an error. Let’s summarize.
        My physical adapter has the suffix “mydomain.com”.
        Then my TrustedNetworkDetection element would need to include that information “mydomain.com”, so that should be okay. However, the VPN connection is automatically mounted.
        The tunnel continues to mount despite the DNS suffix that matches with the “TrustedNetWorkDetection” element.

      • That’s correct. It should match exactly. If it does, and the VPN connection still establishes automatically, I’d have to say it’s a bug. In that case, I’d suggest opening a support case with Microsoft to have them investigate.

  36. Raphael Eymann

     /  May 18, 2018

    I’m using Windows 10 1709 with Device Tunnel (Split Tunnel). Everything works as expected only the vpn ip address registration with the internal dns server doesn’t work. In the eventviewer of the client I can see he is contacting the ISP dns servers and not the internal ones. How can I get this to work?

    Reply
    • It is not uncommon to see the client try to register with external DNS servers. However, it will register with internal DNS servers too. If internal registration isn’t successful, the client might not have permission to update it’s DNS record. Have a close look at the event logs both on the client and server. Perhaps they will yield some clue as to why it is failing.

      Reply
      • Raphael Eymann

         /  May 23, 2018

        I had the issue that the ras service was crashing every reboot. So I updated to Windows 10 1803 and the ras service was not crashing anymore. Also the “RegisterDNS” parameter seems to work with Windows 10 1803. The checkbox register dns under ipv4 dns settings is checked now (with Windows 10 1709 it was not checked). So if you use device tunnel – I recommend version 1803 …

      • Good to hear the Register DNS setting is working reliably now! πŸ™‚

  37. Ben Morgan

     /  May 28, 2018

    Hopefully an easy resolution. I have joined 2 x 1803 Windows 10 (VMs both Pro and Ent) to the domain, got a computer certificate on them, created the XML and PS1 files, ran the ps1 file, specifying the xml in the command line (ran as system using psexec -i -s) and the device tunnel shows up connected (great result).

    I then log out and attempt to log in as any other domain user, and it says the domain is not available, yet as soon as I log in with cached credentials, it comes up connected again.

    I have no rules or anything applied (as this is a lab and proof of concept) can’t quite figure out why this will not allow me to authenticate against the domain controller, also doesn’t show up when I click the network symbol on the logon screen, can you shed any ideas or educate me on what I have missed.

    Reply
    • The Device Tunnel does not appear in the UI, so that is normal. However, it should provide pre-logon connectivity to allow users without cached credentials to authenticate. Not sure why it isn’t working for you though. There were some known issues in v1709, but those were resolved in 1803. Curious…do you see the device tunnel going down when you log off? If it is established, it should stay up regardless who is logged on, if anyone.

      Reply
  38. Hi Richard,

    about the tunnel device, where are the logs stored in Windows? I find that there are not many logs for VPN connections. How does troubleshooting work if there are not many logs?

    Reply
  39. I’m having difficulty creating a Device Tunnel with the -AllUserProfile enabled. If I run the Get-VPNConnection in a user context it returns the correct VPN connection settings but it always lists the AllUserConnection as False.

    If I run the same command in the SYSTEM context it returns nothing. If I use the -AllUserConnection parameter it complains about not being able to find it in the phone book.

    I suspect I need to force the -AllUserProfile when creating the connection but can’t find the right parameter. I’d expect to see it here, but it’s not: https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-profile-xsd

    Any clues?

    Reply
    • When you create the device tunnel you need to stipulate the OMA-URI of ./Device/Vendor/MSFT/VPNv2/ and not ./User/Vendor… That’s the most common mistake that I see. If you are doing this with PowerShell, keep in mind you can’t use the same script as you use to provision the user tunnel. There’s a different script for creating the device tunnel, and that script must be run in the context of the local system account.

      Reply
      • Richard,
        I’m using the same configuration as that in the Microsoft example:

        $nodeCSPURI = ‘./Vendor/MSFT/VPNv2’
        $namespaceName = “root\cimv2\mdm\dmmap”
        $className = “MDM_VPNv2_01”

        So do I need to modify this so it reads ‘./Device/Vendor/MSFT/VPNv2’ ?

      • If you’re using the Microsoft example script it should work. It does for me. I have to assume that somewhere else they specify the device and not the user URI. If you’d like I can send you the script I’m using. It’s the same as the Microsoft script though, so I’m not sure how much help it will be. If you’re following the guidance in this post explicitly it should work though.

      • OK, following your example almost exactly (apart from the specific IP addresses) it’s now working for me. Before this, I was using the example whereby the ProfileXML and script was embedded into one PS file. It all worked apart from the AllUserConnection setting. Using the distinct PS1 and XML files has fixed that.
        Thank you Richard.

      • Great to hear. πŸ™‚ Now you’ll have to let me know how your experience goes with the device tunnel. In my experience it has been entirely stable. πŸ˜‰

  40. Hi Richard,

    I would like to see if it is possible to have in addition to the tunnel device, the user tunnel on the same laptop. Can you send me the .ps1 and .xml script to create the user tunnel? For information, I use Microsoft’s .ps1 and xml script to create the device tunnel in the localSystem context.
    Another question, is it mandatory to have the NAP server when mounting a user tunnel based on machine certificates for IKE?
    I thank you in advance.

    Patrick

    Reply
    • Send me an email and I’ll send you the scripts that I use. They are essentially the same as the Microsoft scripts, just modified slightly. Also, no, NPS is not required if your are performing device certificate authentication on the VPN server with IKEv2.

      Reply
      • ced666

         /  June 5, 2018

        Hello Richard

        Thank you very much

      • ced666

         /  June 5, 2018

        Hello,

        I just send my email address in your personal box.
        If I understand correctly, contrary to Windows 1709, the tunnel device So, can also be installed on the version of Windows 10 pro 1803 ?
        thanks for quick reply

        Patrick

      • No. The device tunnel is supported only on Windows 10 Enterprise edition clients that are joined to a domain.

  41. Colin Pazdzior

     /  June 5, 2018

    Hi Richard,
    First, thanks for the outstanding documentation and articles you’ve provided for years on this site – I’ve used a number of these extensively in the past.

    We’re now starting to roll out AOVPN with both device and user tunnels, but are starting to see that the tunnels don’t reliably attempt to connect. If connected manually, both work perfectly.

    Provisioning for both is through InTune MDM, using custom profile for device tunnel, and a predefined template for the user tunnel, with our EAP section. We’re using Azure Conditional Access on the user tunnel. All of this works perfectly – once the client attempts to connect.

    Initially, when testing just the device tunnel with trusted network detection turned on, it connected more reliably, and seemed to be happier to initiate its auto connection. With the user tunnel though, the device tunnel would disconnect as soon as it connected, presumably due to the trusted network detection. So we have disabled trusted network detection (the vpn server isn’t listed in internal DNS), so the tunnels won’t connect internally.

    This is with W10 1803.

    Any thoughts?

    Thanks,
    Colin

    Reply
    • Thanks Colin! πŸ™‚ In my experience the user tunnel seems to be stable. However, there have been some issues reported when TrustedNetworkDetection is configured on the user tunnel. Is that configured in your deployment? Also, there are numerous issues related to the device tunnel, most of which have been fixed in 1803. However, I am still hearing reports (and experiencing it myself) of issues with unreliable device tunnel connectivity. With that, there may still be some things that are broken with the device tunnel in 1803.

      Reply
      • Colin Pazdzior

         /  June 5, 2018

        Thanks for the prompt reply Richard!

        At the moment, TrustedNetworkDetection is not configured on either (and isn’t accessible to configure on the user tunnel, as I’m using the InTune VPN template – I’d need to use a custom config like with device tunnel for that.

        I may try and turn TrustedNetworkDetection back on for the device tunnel, although the user tunnel connecting was causing it to disconnect; I suppose that actually wouldn’t really be a problem, as the user tunnel provides access to everything the device tunnel does, and then some, so if it’s connected, the device tunnel isn’t really needed. On user logout, the device tunnel should then reconnect itself quietly. Though….the connection change on login isn’t ideal, as it may interrupt gpo processing, etc if connection drops and comes back.

        The other odd thing I noticed is that when the user tunnel deployed, the “connect automatically” checkbox was not checked. Checking this seems to make it connect automatically, at least a few times, but then stops doing it reliably if the machine is moved around different networks. Clicking connect works no problem.

        This seems so close….

      • Thanks for the feedback. Great to understand what others are experiencing. It does still seem that Always On VPN isn’t quite fully baked. πŸ˜‰ Your’re right though, we’re close! πŸ™‚ I agree, the device tunnel is redundant if you have a user tunnel. However, if you are doing manage out and the device tunnel is registering in DNS the client won’t be reachable. Something to consider. As for the “connect automatically” issue, I’ve not encountered that issue. I’ll keep an eye out for it. Unusual for sure.

  42. Mike Pietrorazio

     /  June 6, 2018

    Can add the device tunnel via PowerShell, and once connected to external network, the device connection shows in VPN server device list, but can’t ping in either direction to/from DC’s. Client status of device tunnel shows “disconnected” 1803. Testing without user tunnel atm.

    Reply
  43. Aaron Silber

     /  June 6, 2018

    Hi Richard,
    Your advice and write-ups are really great. I was wondering if you have tested a Device tunnel with Split tunneling disabled, aka ForceTunnel? I cannot seem to get it to work with the ProfileXML, the PowerShell command (even ran it as the SYSTEM account via PSExec) or unchecking the box in the network card properties.
    Thanks again!

    Reply
    • No, haven’t tested that yet. I haven’t encountered a use case whereby force tunneling is required for the device tunnel. Typically I deploy the device tunnel for access only to a few restricted machines for the sole purpose of authenticating user logons.

      Reply
  44. ced666

     /  June 6, 2018

    Hi Richard,
    unlike Windows 10 1709, Always on VPN tunnel device is only supported for enterprise edition. If I understand correctly, the tunnel device is also supported in professional version since Windows 10 1803?, Is that it?
    Thank you

    Reply
    • That is incorrect. The device tunnel is supported only on Windows 10 Enterprise edition clients that are joined to a domain.

      Reply
  45. Colin Pazdzior

     /  June 8, 2018

    The plot thickens! So, the most reliably we’ve been able to get the user tunnel to connect is to have trusted network detection on the device tunnel (which then disconnects itself once user tunnel connected). Register in DNS set on user tunnel, so machine should be reachable.

    However, there’s now something very, very strange going on that I’m trying to dig down on – user tunnel appeared to work just fine in past, but it actually wasn’t – SMB shares are broken.

    With device tunnel connected, share access (to servers the device tunnel has access to), works properly, no issues at all.

    With just user tunnel connected, shares do not work. Other internal resources are available, everything is pingable, RDP works, etc. SMB 3 shares do not work. They come back usually with “extended security error”. Digging through client logs, under SMBClient\Security, there are a lot of event 31001s listed.

    Content is either

    An attempt to initialize a security context failed.

    Error: The smartcard certificate used for authentication has expired. Please
    contact your system administrator.

    Security status: 0xC000038D
    User name:
    Logon ID: 0xD480C
    Server name: \servername.domainsuffix
    Principal name: cifs/servername.domainsuffix1UWhRGBAAAAAAAAAGAAAAAAAAAAAAAAAAAAQNCkbmeBAAAA

    or sometimes this:

    An attempt to initialize a security context failed.

    Error: The attempted logon is invalid. This is either due to a bad username or authentication information.

    Security status: 0xC000006D
    User name:
    Logon ID: 0xD480C
    Server name: \servername
    Principal name: cifs/servername1UWhRGBAAAAAAAAAGAAAAAAAAAAAAAAAAAAQNCkbmeBAAAA

    There’s something funny about the security context that it’s using; like that Azure CA cert is being presented, or something funny. I’m scratching my head on this one, trying to dig for more. Any thoughts on this?

    Reply
    • Are you using user certificate authentication?

      Reply
      • Colin Pazdzior

         /  June 11, 2018

        For the user tunnel, we’re using Azure conditional auth, so Azure provides a short lived certificate which should be used for the connection… Though I’m not sure how this should affect SMB shares, once the VPN tunnel is up.

      • Colin Pazdzior

         /  June 11, 2018

        Yes, and the tunnel connects successfully – all other resources work, just not SMB shares…

      • Unusual. Authentication is clearly working if the tunnel is established successfully, but sounds like it isn’t quite mapping your credentials to a suitable Kerberos ticket somehow. Why, I have no idea. :/

      • Colin Pazdzior

         /  June 11, 2018

        Haha, that’s kinda what I’d arrived at. Must be missing something. It’s only when connected over the user tunnel though; with device tunnel, no
        problem, and if I immediately take the machine and connect to corpnet directly, shares work. And everything other than smb shares works over user tunnel. Doing something funny….

      • Colin Pazdzior

         /  June 11, 2018

        Huh, so, progress, but also confusion. Tried accessing a UNC share using server FQDN, like \\server.domain.com\share instead of \\server\share (which works on our old vpn, locally, and on user tunnel). FQDN works.

        DFS-n shares don’t work, same error. The AOVPN profile for both device and user tunnels have the same domain.com DNS suffix set.

        Odd….but it looks like not kerberos / signing issues.

  46. Colin Pazdzior

     /  June 14, 2018

    Learned a little bit more. So, from here: https://social.technet.microsoft.com/Forums/sharepoint/en-US/daf53d2a-4d2d-4df9-a799-1200b9e72e23/trouble-with-dnsnetbios-name-resolution-over-vpn?forum=winserverNIS

    Looks like similar issue from the past. Tested what they suggested, removing the cert based credential from credential manager (this is the Azure Confitional Access cert), and the shares work perfectly. So Windows appears to be trying to use this cert to authenticate to the SMB shares. Not sure how to stop it doing that though!

    Reply
  47. Colin Pazdzior

     /  June 20, 2018

    I’ll second that, thanks Jason!

    I’ve been working on this for a few days now, and am still having trouble. Basically, I can’t seem to get the AOVPN xml config to correctly select the client cert I want used for the Kerberos identity check. Have tried many permutations of syntax for the EKU OID and issue hash, and it just doesn’t seem to take the cert. If I use the InTune wizard and create a profile there, it does work – correct cert is selected and shares are accessible. Unfortunately, the tunnel disconnects every time the InTune MDM policy refreshes every few hours, which doesn’t seem to be the case using a custom XML…. Does anyone at MS test this stuff????

    Sample of device compliance section with hash replaced:

    true

    true
    hashherewithoutspacesfromissuingca
    1.3.6.1.5.5.7.3.2

    Same

    Reply
    • Colin Pazdzior

       /  July 10, 2018

      So, finally had some time to come back to this.

      Basically, when using Azure Conditional Access with the user tunnel, an ent CA cert needs to be selected based on issuer hash and EKU for use by Kerberos…without this, the Azure CA issued cert will be used, and Kerberos auth will fail with all kinds of funny errors.

      The real difficulty here is that when defining a profile using a config XML, turns out it’s EXTREMELY picky on the capitalization it’s looking for on each of the various nodes, and documentation is not all correct or accurate. When capitalization and syntax is not exact, cert selection does not work – the VPN cert is used and Kerberos is broken.

      Using the built in InTune VPN template worked with Azure Conditional Access, except that on every MDM refresh, the VPN connection definition on the local PC appears to drop, be removed, and rewritten. For this reason it was desirable to use a custom XML, but defining the correct cert proved difficult as indicated above. I finally figured out the capitalization by pulling it out of a reg key when using the InTune template.

      Key bit is the SSO node tags are “Sso” – this format strips formatting, so can’t easily replicate, but basically:

      DeviceCompliance
      Enabled true /Enabled
      Sso
      Enabled true /Enabled
      Eku 1.2.3.4.5.6 /Eku
      IssuerHash ISSUER_HASH_HERE_NO_SPACES_LOWERCASE /IssuerHash
      /Sso
      /DeviceCompliance

      One thing I’m still not super happy about is its auto connection behaviour; the “Connect Automatically” box does not get ticked when the VPN profile is created on the client machine, and when a device tunnel is also present, the user tunnel does not always connect automatically without that box ticked. With it ticked, it does connect promptly, but that box seems to get unticked periodially. Anyone know how to programatically set that?

      Cheers,
      Colin

      Reply
      • Colin Pazdzior

         /  July 11, 2018

        Another point on auto connect behaviour; it really doesn’t seem to be quick to re-establish connections in a few common scenarios…Where it seems to work best is booting a laptop on a non-corp internet connection – this seems to get tunnels reestablished relatively quickly. What does not, is hibernating a laptop (as many of our users routinely do), and resuming on a non-corp connection, or having the machine go to sleep and then wake up on the same connection. Not exactly “Always On” if simple scenarios like this don’t trigger a reconnect. Thinking of adding task scheduler job to add my own connect triggers…

        Thoughts?

        Cheers,
        Colin

      • Same experience here. I’ve considered exploring some type of connection trigger as well. Perhaps run a scheduled task trigger by an event? Haven’t done it, but it might be a viable workaround.

      • Yes, the XML file is sometimes sensitive to case. Jason Jones pointed out that boolean values (true/false) are case sensitive. For example, true works, True does not. Sounds like you found another scenario in which case matters. Thanks for sharing that information! πŸ™‚ As for device tunnel/user tunnel stability, that seems to be a common complaint these days. Hopefully Microsoft is addressing some of these challenges. πŸ™‚

  48. Hi Richard,

    is it possible to launch the IPSEC VPN tunnel without encryption? ie only ensure integrity?
    Thank you

    Reply
  49. ced666

     /  June 22, 2018

    Hello Richard,
    when I try to use the ECP 256 or ECP 384 (DH) crypto suites, I get the following error from the Always On client
    Verifying username and password … failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store.
    Have you ever encountered this problem?

    Thanks in advance.

    Patrick

    Reply
    • Not specifically. You’ve defined the crypto in both the profile XML and on the VPN server as well, correct?

      Reply
    • Jason Jones

       /  June 22, 2018

      Those algorithms are likely looking for an elliptic curve (ECC) certificate as opposed to an RSA one – hence it can’t find any – try testing with a certificate issued from an ECC PKI hierarchy

      Reply
  50. Ian

     /  June 25, 2018

    Hi Richard, great stuff on your site! Quick question, I’ve noticed that the Device Tunnel allows for local users to connect as well as domain users. Do you know of a way to prevent local users access via the device tunnel?

    Ian

    Reply
    • I don’t. VPN doesn’t use AuthIP like DirectAccess does, so anything or anyone that can generate traffic on the interface will be able to access the network. It’s just a limitation of the technology.

      Reply
  51. Hello Jason
    Thank you very much for your answer.
    Indeed, the vpn works with certificates from a PKI ECC.

    I have another question.
    Is it possible from the Windows 10 system to verify the integrity logs of the VPN connection?

    thank you

    Patrick

    Reply
  52. ced666

     /  July 4, 2018

    Hello,

    I tried to implement log tracing when rebooting Windows 10 by following the procedure below:
    https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/example-13–creating-a-global-logger-session
    but no log is put back in the file.
    Do you have an idea?

    I want to trace all the events from system startup until the IPSEC tunnel is established.

    Thank you.

    Patrick

    Reply
    • That’s not something I’ve ever done, so I can’t really offer any advice. If you want to capture network traffic you can use “netsh trace start persistent=yes capture=yes tracefile=c:\nettrace.etl” which would persist through a reboot. Not sure if that helps you or not. You can also enable IPsec auditing which might help as well.

      auditpol.exe /set /subcategory:”IPsec Main Mode” /success:enable /failure:enable
      auditpol.exe /set /subcategory:”IPsec Quick Mode” /success:enable /failure:enable

      Reply
  53. ced666

     /  July 4, 2018

    Hello,

    in the case of a use of a machine certificate issued by a public authority, does it not present a risk for a third party to connect in tunnel device mode from a machine certificate purchased by a public authority declared on the same VPN gateway?
    What is the recommendation on the use of machine certificate, is it recommended to use a private certification authority?

    Thank you

    Patrick

    Reply
    • Yes, absolutely! That’s why using a public certificate is always discourage for machine certificate authentication. You should always use a certificate issued by your internal private CA to ensure only your authorized client devices can connect.

      Reply
  54. Hello Richard,
    is it possible to deploy the tunnel device VPN client configuration via GPO? if not, is there a way to deploy it massively?

    Thank you
    Patrick

    Reply
    • Not natively. However, there’s nothing that prevents you from packaging the PowerShell script and the XML file and deploying that to users.

      Reply
  55. Hello Richard,
    In the XML file, is it possible to declare multiple VPN gateways in the vpn.contoso.com directive, ras.consoto.com>.
    The idea is that if the first gateway does not respond, the second gateway is contacted. I ask this question because in LockDown mode only one profile is allowed.

    Thank you very much.

    Patrick

    Reply
    • You can define multiple VPN servers in the XML file, but they don’t fail over like you would expect. Instead having multiple gateways defined simply allows the user to select a different gateway, if required. If it is the device tunnel (or lock down mode) the user won’t have access to those settings anyway. Your only option is to implement active/passive failover using GSLB like Azure Traffic Manager. Post coming on that soon. πŸ™‚

      Reply
  56. Saravanan

     /  July 12, 2018

    Hi Richard,

    we are currently using AutoVPN as our VPN solution. The problem we face here is fail-over. The fail-over between the servers in cluster and as well as site/DC fail-over is not happening until you set the mobility outage time. As Default, the mobility outage time is minimum set to 30 minutes, which is large time to fail over. Since we use UDP ports as our protocols it is connection less protocol which won’t send the reset package to the client who set in failed server.Is there any possibility to set the Network outage time as 2 minutes by powershell script?

    Reply
  57. u3comp

     /  July 13, 2018

    Hi Richard,

    Your post helps me a lot to understand Always On VPN.
    Do you think it is possible to connect VPN with Device Tunnel and then connect another VPN with User Tunnel automatically?
    The Purpose for doing the way is because I would like to implement Device Tunnel connection just for accessing active directory and User Tunnel for authenticating with NPS.

    Reply
    • Yes, absolutely. Device tunnel and user tunnel are not mutually exclusive. That’s a common deployment scenario in fact. Often the device tunnel is deployed with limited access only to facilitate remote logon without cached credentials. Once the user is authenticated a user tunnel is established that allows more access.

      Reply
  1. Deleting an Always On VPN Device Tunnel | Richard M. Hicks Consulting, Inc.
  2. Always On VPN RasMan Device Tunnel Failure | Richard M. Hicks Consulting, Inc.
  3. Always On VPN Certificate Requirements for IKEv2 | Richard M. Hicks Consulting, Inc.
  4. Deploying Windows 10 Always On VPN with Microsoft Intune | Richard M. Hicks Consulting, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: