Always On VPN Protocol Recommendations for Windows Server Routing and Remote Access Service (RRAS)

Windows 10 Always On VPN is infrastructure-independent and can be implemented using third-party VPN devices. It is not necessary to deploy any Windows servers at all to support an Always On VPN solution. However, in a recent blog post I outlined some compelling reasons to consider using Windows Server 2016’s Routing and Remote Access Service (RRAS) feature to terminate VPN connections. RRAS supports both modern and legacy VPN protocols, each with its own advantages and disadvantages. The choice of which protocols to support will be determined by many factors, but it is important to understand the capabilities of each to make an informed decision.

RRAS VPN Protocols

Windows RRAS supports the following VPN protocols.

  • Internet Key Exchange version 2 (IKEv2) – RFC7296
  • Secure Sockets Tunneling Protocol (SSTP) – Microsoft
  • Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) – RFC2661
  • Point-to-Point Tunneling Protocol (PPTP) – RFC2637

There are pros and cons associated with each of these VPN protocols. Here’s a breakdown of each.

IKEv2

This IPsec-based VPN protocol is the preferred choice for most deployments. IKEv2 provides the best security and performance, with native features that enhance mobility. This latest version of IKE (v2) features streamlined messaging during connection establishment and enhanced session management that reduce protocol overhead and improve performance.

Advantages: Best security and performance.
Disadvantages: Firewalls may block required UDP ports.

SSTP

SSTP is an excellent alternative to IKEv2. It uses industry standard Transport Layer Security (TLS), making it widely accessible from most locations. It provides good security out of the box, but can be improved upon with additional configuration. SSTP lends itself well to load balancing, making it much easier to scale out than IKEv2. Optionally, TLS can be offloaded to an Application Delivery Controller (ADC) to reduce resource utilization on the RRAS server and further improve performance.

Advantages: Easy to configure with firewall friendly access.
Disadvantages: Not as secure as IKEv2.

L2TP

While technically supported for Always On VPN, L2TP is a legacy VPN protocol that offers no real advantages over IKEv2. Its use is unnecessary and should be avoided.

Advantages: None.
Disadvantages: Firewalls may block required UDP ports.

PPTP

PPTP is considered an obsolete VPN protocol with many known security vulnerabilities. Its use should be avoided at all costs.

Advantages: None.
Disadvantages: Insecure.

Summary

Implementation best practices dictate that IKEv2 and SSTP be enabled to support Windows 10 Always On VPN connections when using Windows Server 2016 RRAS. The use of L2TP/IPsec and PPTP should be avoided. The combination of IKEv2 and SSTP will provide the best security and availability for remote workers. Clients that can establish IKEv2 VPN connections can take advantage of the security and performance benefits it provides. SSTP can be enabled as a fallback for clients that are unable to establish an IKEv2 connection due to restricted firewall access.

Always On VPN Hands-On Training

Interested in learning more about Windows 10 Always On VPN? Hands-on training classes are now forming. More details here.

Additional Resources

Frequently Asked Questions about Microsoft’s PPTP Implementation

Always On VPN and Windows Server Routing and Remote Access Services (RRAS)

Windows 10 Always On VPN and the Future of DirectAccess 

5 Things DirectAccess Administrators Should Know about Always On VPN 

3 Important Advantages of Windows 10 Always On VPN over DirectAccess 

Windows 10 Always On VPN Hands-On Training Classes


16 Comments

  1. Hi! Thanks for sharing all your knowledge with us. Can you tell me how to configure SSTP as a fallback for clients that are unable to establish an IKEv2 connection due to restricted firewall access, please? How do you tell the client to prefer IKEv2 and fallback to SSTP? Thank you very much!
    Dietmar

    • Today it is not possible to configure *automatic* fallback to SSTP when IKEv2 is not available. If you define the NativeProtocolType in your ProfileXML as “Automatic” it will always use SSTP and never IKEv2. I’m hoping that in the future Microsoft changes this, however. For now, if you want SSTP fallback it would have to be configured as a separate manual connection.

    • Yes you can, but it’s a manual config file change I’m afraid. For the user in question go to %appdata%\Microsoft\Network\Connections\Pbk and open the rasphone.pbk file in a text editor (Notepad.exe for example) – change the line VpnStrategy=6 to VpnStrategy=8. I found this when I came across the issue that SSTP is tried first THEN IKEv2. The VpnStrategy line dictates which order the different methods are attempted. Here are my findings:

      VPNStrategy=

      0 = IKEv2 , SSTP , PPTP then L2TP
      1 = PPTP
      2 = PPTP , IKEv2 , SSTP then L2TP
      3 = L2TP
      4 = L2TP , IKEv2 , SSTP then PPTP
      5 = SSTP
      6 = SSTP , IKEv2 , PPTP then L2TP
      7 = IKEv2
      8 = IKEv2 , SSTP , PPTP then L2TP

      • Sort of. 😉 The problem with manually editing the VPNStrategy setting in the rasphone.pbk file is that it does not persist. If you set it to 8 and IKEv2 is unavailable, it will revert to 6. Of course you could script something that changes that setting every time you launch the VPN, but that’s not very elegant. 😉 Hoping Microsoft will address this in the future!

      • Robert Olsen, November 7, 2018

        We have solved it by scheduling this task (Trigger when computer is idle):
        powershell.exe -Command "$infile=$env:APPDATA+'\Microsoft\Network\Connections\Pbk\rasphone.pbk'; (Get-Content -Path $infile -Raw) -replace 'VpnStrategy=6','VpnStrategy=8' | Set-Content -Path $infile"

        Elegant? No, but it does the job without interfering with the user…

      • Clever! Definitely not elegant but if it works, it works! 🙂
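Building on Robert Olsen's scheduled task, here is an added example (my own, not code from the post or the comment thread) that limits the change to one named phonebook entry and writes the file only when VpnStrategy actually differs from 8. The connection name 'Always On VPN' and the per-user phonebook path are assumptions; adjust them for your deployment.

```powershell
# Added example: re-apply VpnStrategy=8 (IKEv2 first, then SSTP) to a single
# rasphone.pbk entry. Windows reverts the entry to 6 (SSTP first) after an
# IKEv2 failure, so run this on the same kind of schedule as the commenter's task.
param(
    [string]$ConnectionName = 'Always On VPN',   # assumed name of the AOVPN entry
    [string]$PbkPath = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)

function Set-PbkVpnStrategy {
    param(
        [Parameter(Mandatory)][string[]]$Lines,     # phonebook contents, one line each
        [Parameter(Mandatory)][string]$EntryName,   # [section] name to edit
        [int]$Strategy = 8
    )
    $inEntry = $false
    $changed = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') {
            # Each [Name] header starts a new connection entry; only edit the target one.
            $inEntry = ($Matches[1] -eq $EntryName)
            $line
        }
        elseif ($inEntry -and $line -match '^VpnStrategy=(\d+)$') {
            if ([int]$Matches[1] -ne $Strategy) { $changed = $true }
            "VpnStrategy=$Strategy"
        }
        else {
            $line
        }
    }
    [pscustomobject]@{ Lines = $out; Changed = $changed }
}

if (-not (Test-Path -Path $PbkPath)) {
    Write-Warning "No phonebook found at $PbkPath"
    return
}

$result = Set-PbkVpnStrategy -Lines (Get-Content -Path $PbkPath) -EntryName $ConnectionName
if ($result.Changed) {
    # Set-Content's default encoding matches how the phonebook is normally written;
    # rewriting only when needed avoids touching the file on every run.
    Set-Content -Path $PbkPath -Value $result.Lines
    Write-Output "VpnStrategy reset to 8 for '$ConnectionName'"
}
else {
    Write-Output "'$ConnectionName' already uses VpnStrategy=8 (or the entry was not found)"
}
```

Because the file is left untouched when no change is needed, the scheduled task can run frequently without constantly rewriting the phonebook.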

  2. Robert Olsen, November 6, 2018

    Hello!

    You write “SSTP can be enabled as a fallback for clients that are unable to establish an IKEv2 connection due to restricted firewall access.” Where does one do that? If we configure “Automatic” as the protocol, the connection will try SSTP and then IKEv2 (effectively always connecting over SSTP). Are there any clever ways to make the client have SSTP only as a fallback? The alternatives, as I see it, are to use SSTP for Always On VPN, have a manual VPN pushed out or having a HTTPS DirectAccess as a fallback, none of those is a really good alternative, especially when you are planning to replace our HTTPS DirectAccess (which works pretty much everywhere).

    • Robert Olsen, November 6, 2018

      Oh, I saw that the question was somewhat already answered above… I guess we have to script a solution in the phonebook then.

    • SSTP can certainly be used as a fallback option, but the limitation today is that it is sticky and doesn’t ever try IKEv2 again. :/ Hoping that Microsoft will address this behavior in the future!

