Always On VPN with Azure Gateway

Recently I wrote about VPN server deployment options for Windows 10 Always On VPN in Azure. In that post I indicated the native Azure VPN gateway could be used to support Always On VPN connections using Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP). In this post I’ll outline the requirements and configuration steps for implementing this solution.

Requirements

To support Always On VPN, point-to-site VPN connections must be enabled on the Azure VPN gateway. Not all Azure VPN gateways are alike, and point-to-site connections are not supported in all scenarios. For Always On VPN, the Azure VPN gateway must meet the following requirements.

VPN SKU

The Azure VPN gateway SKU must be VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, or VpnGw3AZ. The Basic SKU is not supported.

VPN Type

The VPN type must be route-based. Policy-based VPN gateways are not supported for point-to-site VPN connections.

Limitations

Using the Azure VPN gateway for Always On VPN may not be ideal in all scenarios. The following limitations should be considered thoroughly before choosing the Azure VPN gateway for Always On VPN.

Device Tunnel

RADIUS/EAP authentication for user tunnel connections is not supported if the Azure VPN gateway is configured to support device tunnel with machine certificate authentication.

Maximum Connections

A maximum of 250, 500, and 1000 concurrent IKEv2 connections are supported when using the VpnGw1/AZ, VpnGw2/AZ, and VpnGw3/AZ SKUs, respectively (x2 for active/active gateway deployments). In addition, a maximum of 128 concurrent SSTP connections are supported for all VPN gateway SKUs (x2 for active/active gateway deployments).

Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwsku

RADIUS Requirements

To support Always On VPN connections, the Azure VPN gateway must be configured to authenticate to a RADIUS server. The RADIUS server must be reachable from the VPN gateway subnet. The RADIUS server can be hosted in Azure or on-premises. Before proceeding, ensure that any network routes, firewall rules, and site-to-site VPN tunnel configuration needed to allow this communication are in place.

RADIUS Configuration

Guidance for configuring Windows Server NPS for Always On VPN can be found here. The only difference when configuring NPS for use with Azure VPN gateway is the RADIUS client configuration.

Open the NPS management console (nps.msc) and follow the steps below to configure Windows Server NPS to support Always On VPN client connections from the Azure VPN gateway.

1. Expand RADIUS Clients and Servers.
2. Right-click RADIUS Clients and choose New.
3. Enter a descriptive name in the Friendly name field.
4. Enter the Azure VPN gateway subnet using CIDR notation in the Address (IP or DNS) field. The gateway subnet can be found by viewing the properties of the Azure VPN gateway in the Azure portal.
5. Enter the shared secret to be used for RADIUS communication in the Shared secret field.
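The same RADIUS client can be registered from PowerShell on the NPS server instead of through nps.msc. The script below is an added example written for this post, not code from the original article or from Microsoft. It assumes the NPS PowerShell module (Windows Server 2012 or later), an elevated session on the NPS server, and that the Address parameter of New-NpsRadiusClient accepts an address range in CIDR form the same way the Address (IP or DNS) field in the UI does; the gateway subnet, client name and resource names are constructed placeholders. It also generates a long alphanumeric shared secret rather than a hand-typed one, which is the same value that must later be entered in the gateway's Server secret field.

```powershell
# Added example (not from the original post): register the Azure VPN gateway
# subnet as a RADIUS client on NPS from PowerShell instead of the nps.msc UI.
# Assumptions: the NPS module is present, the session is elevated on the NPS
# server, and New-NpsRadiusClient -Address accepts CIDR notation like the UI.

# Constructed sample value: the Azure GatewaySubnet in CIDR notation. Replace it
# with the subnet shown in the gateway's properties in the Azure portal.
$GatewaySubnet = '10.10.7.0/27'
$ClientName    = 'Azure VPN Gateway'

# Generate a 64-character hexadecimal shared secret (256 bits of entropy).
# Hex is purely alphanumeric, so it avoids any doubt about how special
# characters are handled on either side. RandomNumberGenerator::Create()
# works on both Windows PowerShell 5.1 and PowerShell 7.
function New-RadiusSharedSecret {
    param([int]$Bytes = 32)
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] $Bytes
    $rng.GetBytes($buffer)
    $rng.Dispose()
    return (($buffer | ForEach-Object { $_.ToString('x2') }) -join '')
}

$SharedSecret = New-RadiusSharedSecret

# Refuse to silently overwrite an existing client with the same friendly name.
if (Get-NpsRadiusClient | Where-Object Name -eq $ClientName) {
    throw "A RADIUS client named '$ClientName' already exists; remove or rename it first."
}

# An address range rather than a single host, so that either gateway instance
# (active/active deployments) is accepted as a RADIUS client.
New-NpsRadiusClient -Name $ClientName -Address $GatewaySubnet -SharedSecret $SharedSecret

# Show what was registered. NPS does not return the secret in clear text.
Get-NpsRadiusClient -Name $ClientName | Select-Object Name, Address, Enabled

# The same value goes into the gateway's "Server secret" field. Store it in a
# secrets store rather than leaving it in shell history.
Write-Host 'Shared secret generated; enter it in the Azure point-to-site configuration.'
$SharedSecret
```

Because the gateway only supports a single RADIUS server address, the secret generated here is the one the whole point-to-site configuration depends on; keep it in a proper secret store and rotate it by updating both sides together, since a mismatch surfaces on the client as an authentication failure rather than as a clear RADIUS error.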

Azure VPN Gateway Configuration

To begin, provision a Virtual Network Gateway in Azure that meets the requirements outlined above. Guidance for implementing an Azure VPN gateway can be found here. Once complete, follow the steps below to enable support for Always On VPN client connections.

Enable Point-to-Site

Perform the following steps to enable point-to-site VPN connectivity.

1. In the navigation pane of the Azure VPN gateway settings click Point-to-site configuration.
2. Click Configure Now and specify an IPv4 address pool to be assigned to VPN clients. This IP address pool must be unique in the organization and must not overlap with any IP address ranges defined in the Azure virtual network.
3. From the Tunnel type drop-down list select IKEv2 and SSTP (SSL).
4. In the RADIUS authentication field enter the IPv4 address of the RADIUS server. At the time of this writing only a single IPv4 address is supported. If RADIUS redundancy is required, consider creating a load balanced NPS cluster.
5. In the Server secret field enter the RADIUS shared secret.
6. Click Save to save the configuration.
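The portal steps above can also be carried out with the Az PowerShell module, which makes it easy to check the requirements from this post (route-based VPN type, a non-Basic SKU, and a client address pool that does not overlap the virtual network) before saving the configuration. The following is an added example written for this post, not the original article's code or Microsoft's. It assumes Az.Network is installed and Connect-AzAccount has already been run; the resource group, gateway name, client pool and RADIUS address are constructed placeholders.

```powershell
# Added example (not from the original post): enable point-to-site on an
# existing Azure VPN gateway with Az.Network, checking the post's requirements
# first. Assumes Connect-AzAccount has run. All names below are placeholders.

$ResourceGroup = 'rg-aovpn'          # placeholder
$GatewayName   = 'vgw-aovpn'         # placeholder
$ClientPool    = '172.28.10.0/24'    # placeholder; must not overlap the VNet
$RadiusServer  = '10.10.0.4'         # placeholder NPS address (single IPv4 only)

# Convert an IPv4 CIDR string into its first and last address as integers.
function ConvertTo-AddressRange {
    param([string]$Cidr)
    $ip, $prefix = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # network -> host byte order
    $start = [int64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [int64][math]::Pow(2, 32 - [int]$prefix)
    $start = $start - ($start % $size)                         # clear the host bits
    return [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

# True when two CIDR ranges share at least one address.
function Test-RangeOverlap {
    param([string]$CidrA, [string]$CidrB)
    $a = ConvertTo-AddressRange $CidrA
    $b = ConvertTo-AddressRange $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName

# Requirement checks from the post: route-based, and not the Basic SKU.
if ($Gateway.VpnType -ne 'RouteBased') {
    throw "Gateway '$GatewayName' is $($Gateway.VpnType); point-to-site requires RouteBased."
}
if ($Gateway.Sku.Name -eq 'Basic') {
    throw 'The Basic SKU is not supported for Always On VPN; use VpnGw1 or higher.'
}

# Locate the virtual network through the gateway's subnet resource ID:
# /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/GatewaySubnet
$IdParts  = $Gateway.IpConfigurations[0].Subnet.Id -split '/'
$Vnet     = Get-AzVirtualNetwork -ResourceGroupName $IdParts[4] -Name $IdParts[-3]

# The client pool must be unique and must not overlap any VNet address space.
foreach ($Space in $Vnet.AddressSpace.AddressPrefixes) {
    if (Test-RangeOverlap $ClientPool $Space) {
        throw "Client pool $ClientPool overlaps VNet address space $Space."
    }
}

# Enable IKEv2 + SSTP with RADIUS authentication. Prompt for the secret so it
# never sits in the script or in shell history.
$Secret = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool $ClientPool `
    -VpnClientProtocol IkeV2, SSTP `
    -RadiusServerAddress $RadiusServer `
    -RadiusServerSecret $Secret
```

The overlap check is the part most worth keeping even if the rest is done in the portal: an address pool that collides with a VNet prefix produces clients that connect successfully but cannot reach the resources behind the gateway, which is hard to tell apart from an NSG or routing fault.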

VPN Client Configuration

Perform the following steps to configure a Windows 10 VPN client to connect to the Azure VPN gateway.

Download VPN Configuration

1. Click Point-to-site configuration.
2. Click Download VPN client.
3. Select EAPMSCHAv2 (yes, that’s correct even if EAP-TLS will be used!)
4. Click Download.
5. Open the downloaded zip file and extract the VpnSettings.XML file from the Generic folder.
6. Copy the FQDN in the VpnServer element in VpnSettings.XML. This is the FQDN that will be used in the template VPN connection and later in ProfileXML.

Create a Test VPN Connection

On a Windows 10 device create a test VPN profile using the VPN server address copied previously. Configure EAP settings to match those configured on the NPS server and test connectivity.

Create an Always On VPN Connection

Once the VPN has been validated using the test profile created previously, the VPN server and EAP configuration from the test profile can be used to create the Always On VPN profile for publishing using Intune, SCCM, or PowerShell.

IKEv2 Security Configuration

The default IKEv2 security parameters used by the Azure VPN gateway are better than Windows Server, but the administrator will notice that a weak DH key (1024 bit) is used in phase 1 negotiation.

Use the following PowerShell commands to update the default IKEv2 security parameters to recommended baseline defaults, including 2048-bit keys (DH group 14) and AES-128 for improved performance.

# Sign in and select the subscription that contains the VPN gateway.
Connect-AzAccount
Select-AzSubscription -SubscriptionName "[Azure Subscription Name]"

# Replace the bracketed placeholders with your gateway and resource group names.
$Gateway = "[Gateway Name]"
$ResourceGroup = "[Resource Group Name]"

# Build the policy: AES-128/SHA-256 for both IKE and IPsec, DH group 14 (2048-bit) for phase 1 and for PFS.
$IPsecPolicy = New-AzVpnClientIpsecParameter -IpsecEncryption AES128 -IpsecIntegrity SHA256 -SALifeTime 28800 -SADataSize 102400000 -IkeEncryption AES128 -IkeIntegrity SHA256 -DhGroup DHGroup14 -PfsGroup PFS14

# Apply the policy to the gateway's point-to-site configuration.
Set-AzVpnClientIpsecParameter -VirtualNetworkGatewayName $Gateway -ResourceGroupName $ResourceGroup -VpnClientIPsecParameter $IPsecPolicy

Note: Be sure to update the cryptography settings on the test VPN connection and in ProfileXML for Always On VPN connections to match the new VPN gateway settings. Failing to do so will result in an IPsec policy mismatch error.
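The script below is an added example written for this post, not the original article's code or Microsoft's. It reads back the gateway's IKEv2 parameters and compares them with the baseline above, then applies the matching policy to the Windows 10 test connection with Set-VpnConnectionIPsecConfiguration so that the client's proposal matches the gateway. It assumes the Az.Network and VpnClient modules, that Connect-AzAccount has run, that Get-AzVpnClientIpsecParameter exposes the parameters under the property names used here, and an existing VPN connection whose name is a placeholder.

```powershell
# Added example (not from the original post): confirm the gateway is at the
# recommended IKEv2 baseline and apply the equivalent policy to the Windows
# test connection so the two sides do not produce an IPsec policy mismatch.
# Assumes Az.Network and VpnClient modules; names below are placeholders.

$ResourceGroup  = 'rg-aovpn'           # placeholder
$GatewayName    = 'vgw-aovpn'          # placeholder
$ConnectionName = 'Azure AOVPN Test'   # placeholder test profile name

# The baseline from the post, stated once so the gateway is checked against it.
$Baseline = @{
    IkeEncryption   = 'AES128'
    IkeIntegrity    = 'SHA256'
    IpsecEncryption = 'AES128'
    IpsecIntegrity  = 'SHA256'
    DhGroup         = 'DHGroup14'
    PfsGroup        = 'PFS14'
}

# 1. Read what the gateway currently offers (assumed property names) and flag
#    anything that deviates from the baseline.
$Current  = Get-AzVpnClientIpsecParameter -ResourceGroupName $ResourceGroup -VirtualNetworkGatewayName $GatewayName
$Mismatch = foreach ($Key in $Baseline.Keys) {
    if ($Current.$Key -ne $Baseline[$Key]) {
        "$Key is '$($Current.$Key)', expected '$($Baseline[$Key])'"
    }
}
if ($Mismatch) {
    Write-Warning ("Gateway is not at baseline:`n" + ($Mismatch -join "`n"))
} else {
    Write-Host 'Gateway IKEv2 parameters match the baseline.'
}

# 2. Apply the equivalent policy on the Windows client. The value names differ
#    from the Az cmdlet: Group14 / PFS2048 are the same 2048-bit MODP group as
#    DHGroup14 / PFS14, and SHA256128 is HMAC-SHA256 truncated to 128 bits,
#    which is what the gateway's IpsecIntegrity SHA256 negotiates.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# 3. Confirm the custom policy is now attached to the connection.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

For the Always On VPN profile itself the same six values belong in the CryptographySuite element of ProfileXML (AuthenticationTransformConstants, CipherTransformConstants, EncryptionMethod, IntegrityCheckMethod, DHGroup and PfsGroup), using the client-side names shown in step 2.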

Additional Information

Microsoft Azure VPN Gateway Overview

About Microsoft Azure Point-to-Site VPN

Windows 10 Always On VPN IKEv2 Security Configuration

76 Comments

  1. Justin Nel

     /  September 12, 2019

    Hi Richard, thank you for the tutorial, I have been looking for other options to implement AOVPN in Azure besides RRAS. I have a question around setting up AOVPN with Azure VPN Gateway. Will ADCS still be required as I don’t see anything about it in your tutorial?

  2. Justin Nel

     /  September 17, 2019

    Hi Richard, did you manage to get this to work with certificates? I’m battling to get this to work with EAP (PEAP) OR “MS smart card or other certificate” for authentication. I managed to get it to work with MS-Chap V2 but would like the stronger authentication with certificates. I’m getting the following message when trying to connect “The remote access connection completed but authentication failed because the certificate” I have issued certificates to all the servers and client as per MS article so not sure where I’m going wrong.

    • Absolutely. The authentication takes place on the NPS server so the gateway doesn’t really care what protocol is used. It just forwards the authentication request to the configured RADIUS server. As long as NPS is configured to use EAP with certificate authentication it should work just fine.

  3. Hi Richard, great blog first of all. I just had a question about the limitation of using Device tunneling and User tunneling together. Is it possible to use Azure MFA with user tunneling after device tunneling is set-up? And use the NPS extension for forcing Azure user MFA. What I’d like to achieve is step 1: AOVPN connection will be established when user starts the device, step 2: User will be prompted to use MFA to start AOVPN user tunnel. Thanks in advance!

    • Sure, that should work. Device tunnel connections don’t use NPS, they’re just authenticated by the VPN server. So, in your case, a device tunnel would be established without MFA, but when a user connects they would be authenticated by NPS which would require Azure MFA. 🙂

  4. Rob M

     /  December 4, 2019

    Great Article Richard. Having one problem though. When I’m trying to connect with IKEv2, I get ike authentication credentials are unacceptable. Machine certs are good so not sure why I’m getting this error with IKEv2.
    SSTP works ok but would prefer IKEv2 when pushing out the Intune config

    • If you are getting an IKE Authentication Credentials Unacceptable error I would suspect something is wrong in your NPS policy or client-side configuration. Make sure you are using the Azure-provided gateway hostname and have a close look at your NPS policy to ensure everything matches.

      • Christian Götz

         /  April 14, 2021

        I have the same Issue! SSTP works, IKE not. It seems that the Gateway IKE Cert has a problem

      • You’re using the Azure VPN gateway hostname, right?

      • Christian Götz

         /  April 15, 2021

        Yes, I don’t know other options! I use the IKEv2 and SSTP tunnel type and RADIUS authentication. On the client side the only option I can change is the VPN type. When I use tunnel type IKEv2 only and Azure certificate, this is the only option without the IKE Authentication Credentials are unacceptable error!

  5. Marvin

     /  December 17, 2019

    Hey, what a great article with all tips. Is it all the same when using a Mac? Because I have Azure and I just started to use NordVPN Teams (route based VPN) – together they are a great match, because I can login via Azure to NordVPN Teams easily and use them both. But looking into your example, which I think I’m going to use, I started to think about whether everything is the same on Mac…

  6. Stuart

     /  February 7, 2020

    Hi Richard, a great article as always. It looks like the Azure VPN Gateway Generation 2 supports up to 10000 connections (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways). Is that a recent update or is there something I need to know about using generation 2 with AOVPN?
    Is there anyway to provide HA, in case the Azure VPN Gateway fails, such as deploying in 2 regions and is there a way to load balance these to get more connections?

    • I’m not sure when those new limits were put in to effect. It was recently though I believe. It is important to point out that this applies only to IKEv2. SSTP connections are still (inexplicably!) limited to 128 connections. BTW, you can select the option to implement active/active gateways to provide redundancy. It also doubles the connection count. 🙂

  7. Doug

     /  February 7, 2020

    The downside I’ve found is that Azure VPN Gateways don’t respect IP filters from NPS RADIUS. In any scenario where you want to limit access to certain networks by groups this makes things a little complicated as there is only one P2S config and IP pool per gateway/VNET

    • Interesting. That’s not something I’ve ever tested with the Azure VPN gateway. Good to know!

    • Rana Banerjee

       /  April 2, 2020

      Hello Richard, first of all excellent article which gives insight into always on VPN. I would really appreciate it if you could spare some time to share your thoughts on the following questions:

      My scenario:
      * all the servers are being migrated to Azure in a Vnet.
      * we have decided to go with always on Vpn in Azure
      * have configured the Point to Site VPN gateway using the recommended needed settings and sku.
      * we also have the enterprise root certificate authority

      My questions:
      * Do I Need an NPS server in Vnet? Or just selecting certificate authentication on Gateway do the job? (user tunnel)
      * if NPS is needed then what can be done to make it highly available in azure?
      * out of user and device tunnel which is most preferred?

      Many thanks

      • You can choose either certificate authentication or RADIUS, so you’ll have to pick one. FYI, certificate authentication is required for the device tunnel, and you’ll use RADIUS if you want to use the user tunnel. If you choose RADIUS, then yes, you’ll need an NPS server somewhere, ideally in Azure. As you can only provide one IP address for the NPS, the recommendation to provide redundancy is to place them behind a load balancer (Azure or appliance, either will work).

        The choice to use user tunnel or device tunnel is up to you. Remember that with the Azure VPN gateway they are mutually exclusive options. You’ll have to pick one or the other.

  8. Justin Nel

     /  February 7, 2020

    Hi Richard, a bit of a late reply. Thanks for all your help! I decided to take your advice and use the RAS VPN option on an Azure VM over the Azure VPN Gateway after having so much trouble with it. I’ve been using the RAS VPN for a couple of months now and had no problems, works like BOSS.

  9. Stuart

     /  February 11, 2020

    Hi Richard, I can see that you can monitor the health of the VPN Gateway, but is there a way to monitor the connections/users? This would be really useful as during periods of bad weather more people may work from home so the number of connections required may increase. If the limit was approaching I’m assuming we could change the SKU to one that had more connections and then scale down once the sun started shining again.

    • I’m not aware of any way to monitor concurrent connections on the Azure VPN gateway. There might be something exposed through PowerShell or CLI though. Might have a look at those options and see what you can find.

  10. Elliott Chandler

     /  February 17, 2020

    Hi Richard, nice article. Is it still necessary to have a VM installed with NPS? Referring to this article https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-howto-always-on-user-tunnel

    • If you plan to use the Azure VPN gateway to host user connections, yes. Strictly speaking the NPS doesn’t have to be hosted in Azure, it just has to be reachable from the Azure VPN gateway. Ideally the NPS would be located in Azure because it improves authentication performance, but in theory it could be hosted on premises and reachable via express route or site-to-site VPN.

  11. Steve Burkett

     /  February 17, 2020

    Technically you can use the Basic SKU for the Azure VPN Gateway if you’re just using an SSTP-based user tunnel for your Windows 10 Always On connection, no device tunnel. Works ok and much cheaper for some scenarios.

  12. Grant Wilson

     /  March 11, 2020

    Thanks very much for the article – very helpful!
    Has anyone encountered an issue when configuring the Virtual Network Gateway P2S where Azure does not save the config? I amend the options to how I want then click Save – I get a notification that it Saved ok. But when I click out of the config screen immediately it asks me whether I want to save the changes again. I again say to save the changes and it allows me to leave the screen. But I go back into the config screen again and it remembers some settings (tunnel type and ip range) but always reverts to Azure Certificate authentication type. I wish to use Radius Authentication but it refuses to save these settings!
    The Radius server is up with a static IP address, no NSG is currently blocking access.

    • Yes, I came across this recently myself! I think it is a UI display issue though. When we made the changes to use RADIUS authentication it works, even though the UI displays certificate authentication. Hopefully it gets fixed soon!

      • Grant Wilson

         /  March 12, 2020

        Yep – it saved it fine after all 🙂
        I’m a little stuck now though!
        Trying to test out Always on VPN using Azure Gateway. User tunnel.
        I’ve gotten to the stage of being able to connect to the VPN and authenticate over Radius with an NPS server, but I am unable to access any resources on the VNET remotely.
        I’ve kept things as simple as possible:
        1 NPS server that is also a DC. NPS network policy has EAP-MSCHAPv2 selected for the authentication method.
        VPN gateway is attached to the Azure vnet (10.10.0.0/21) with my resources in it and is using IKEv2 and SSTP for tunnel type. The VPN gateway will use 172.28.10.0/24 for dishing out vpn client addresses.
        I’m not using certificates.
        My VPN connection on the Windows 10 client will connect successfully using my AD username and password.
        I create a file share on the file server in vnet 10.10.0.0/21.
        This share is not accessible from my vpn client. And servers are not able to be pinged. Created a quick website on same server and unable to access this either.
        I have no NSG’s setup in my test lab. No firewalls are enabled on the servers.
        Not sure where else to look for troubleshooting.
        Before I look to next stage about using makeprofile.ps1deploy – I need to solve this issue first.

      • Not sure what’s up there to be honest. If you are using the Azure VPN gateway, Azure takes care of routing for you so you shouldn’t have to configure that manually. It simply knows that whatever subnet you define for the point-to-site VPN connections needs to be routed, so it does that automatically. Why that’s not happening here I have no idea. :/

      • Grant Wilson

         /  March 13, 2020

        Interestingly enough – if I install and run the VpnClientSetupAmd64 application from the “Download VPN client” in the P2S configuration page – it works perfectly well! I guess this means something is up with the manual VPN creation using the Windows 10 built-in VPN. There’s not much to configure there – so I’m not sure what’s up!

  13. Many Thanks Richard.
    Your Instructions have been REALLY helpful. I was able to deploy Device Tunnels using Azure Gateway. Everything seems to be working well so far. I was wondering if there is any way to get Specific connection statistics from the Azure Gateway. I could not find any Azure cmdlet specific to connection details for P2S. If not on Azure is it possible to get connection stats from win 10 Machine? I know the Metrics in Azure does give some information but would like to get more information, like connection duration per client etc.

    and I would really request if you can create an online course covering Always On Vpn, OnPrem / Azure in depth.

    • To my knowledge there isn’t anything available to provide user activity information when using the Azure VPN gateway. As for the online course, I’m considering that as we speak. No ETA yet but I’ll probably have something done before the end of the year. 🙂

  14. Hello Richard,

    We have the following scenario
    * Azure Vnet in Azure with VPN gateway
    * 2 Site-to site-VPNs terminating at each datacentre based on BGP
    * Device Tunnels configured with Certificate Authentication on Azure Gateway
    * All the Devices are windows 10 (1909) Device Tunnels deployed and managed via Intune.
    * In future we will be combining this with User Tunnels

    We face one of the following issues
    * When we increase the number of routes to more than 25 the client VPN disconnects and never connects due to Traffic Selectors. Is there any way to circumvent this issue without reducing the total number of routes advertised?
    * can we use OpenVpn as AlwaysOn Vpn Device Tunnel?

    Lastly, we are based in Brisbane (+10 GMT) if we wanted to hire your consulting services what would be the process?

    Many Thanks
    Rana Banerjee

    • I’ve heard others complain that having more than 25 routes breaks VPN when using the Azure VPN gateway. I don’t believe there is a workaround for this limitation yet. I don’t believe this affects RRAS or third-party NVAs in Azure though.

      I have many customers in Australia. Reach out to me via email and we can talk about a consulting engagement in more detail. 🙂

  15. Many thanks for your reply and sure, I will be reaching out to you in the near future. One last question: can OpenVPN be used for Always On VPN as a user tunnel?

  16. Jakob Strøm

     /  June 10, 2020

    Hi Richard.
    I’m looking at options to deploy AOVPN in Azure. The minimal VM deployment is important for us, as we are implementing SaaS solutions where possible.

    I like the Ikev2 Device tunnel + SSTP User tunnel that we are currently testing. It works a charm really. But the 128 max SSTP connections is a deal breaker, and a VPN not connecting on 443 is also a deal breaker. So we really need the following:

    Device tunnel for hybrid environment.
    User tunnel on 443 and both tunnels need “Auto connect”.
    400-500 users.
    Deployed via Intune.

    Is this at all possible with Always On VPN in Azure?

    The only way I can see this work would be with several VM’s and a load balancer to get the SSTP limit up?

    • Using the Azure VPN gateway prevents you from using the same gateway for device tunnel and user tunnel. And yes, the default 128 port limit for SSTP is a showstopper for most. You can easily deploy Windows Server RRAS in Azure, although it is not formally supported. If you can accept that limitation it works quite well. Details here: https://directaccess.richardhicks.com/2019/09/09/always-on-vpn-and-rras-in-azure/.

      FYI, if you deploy RRAS in Azure you can set the max number of SSTP ports to whatever you want. You could easily get 500 users on a single RRAS VM in that case. 🙂

      • Jakob Strøm

         /  June 10, 2020

        Hi Richard.

        Thanks for the response. It’s the virtual machine that bugs me a little. But if that’s they only way to go, we could live with a VM.

  17. Justin

     /  June 24, 2020

    Hi Richard, thanks for another great post! Just to add to this, forced tunneling isn’t supported in Azure P2S VPN & just ran into the same limitation in Azure Virtual WAN P2S VPN. Hopefully this changes soon – https://feedback.azure.com/forums/217313-networking/suggestions/7027397-use-p2s-vpn-connection-as-default-gateway-like-st

  18. Hi Richard,
    do you know whether the device OR user tunnel only issue is still present? I’ve found that it seems to work with dual IKEv2 tunnel with azure certificate authentication but goes nowhere with RADIUS as the device auth never seems to reach the NPS server.

    • The device tunnel can’t use NPS, so not surprised that doesn’t work. As stated, when using the Azure VPN gateway for Always On VPN you can only configure it for device tunnel or user tunnel, not both. This is because only one authentication scheme can be selected, either certificate authentication (device tunnel) or RADIUS (user tunnel).

  19. Phil

     /  December 9, 2020

    Is there any way to show the Azure VPN Gateway active node? We are experiencing routing issues due to a UDR with a next hop as the IP address of the active node which fails when the standby node takes over. Using a runbook we could identify and switch routes but without a way of seeing the active node the runbook can’t check. An expensive NVA would help but I don’t see it being required if we can check the status.

  20. Steve Slack

     /  January 1, 2021

    Richard, Thanks for taking the time and putting this article together. I’ve been able to successfully connect and also communicate with the resources in Azure, so I know routing is working. However, although in my profileXML I have specified the DNS server, its not setting this on the VPN IPV4 connection. Although I can perform DNS lookups due to having the DNS suffix in place.

    Have you come across this issue?

    • The DNS server assigned to the VPN interface always comes from the VPN gateway. If you are using the NRPT (DomainNameInformation element in XML) then Windows will use the DNS servers defined there, but the DNS servers on the interface will still be whatever the VPN gateway is using.

      • Moritz

         /  November 14, 2024

        Hello Richard

        How would one configure the DNS Server if it’s always coming from the VPN interface? In the scenario described in this post, the interface would be on the Virtual Network Gateway, which offers no option to configure a DNS Server as far as I know?

        Best Regards
        Moritz

      • The Azure VPN gateway will use the DNS servers assigned to the Vnet to which it belongs. 🙂

  21. Hi Richard – thanks for posting all this great info on AOVPN. I recently deployed it using VPN Gateway and NPS. One issue I have is that when I deploy user tunnel AOVPN from Intune to AAD joined devices it gets pushed successfully but asks for credentials (says action required), even though my eap xml has winlogoncredentials set to true. Once the user enters the credentials one time it retains and works fine, even after reboots. I know I’m missing a step somewhere – any help would be appreciated!

    • That’s unusual. Not sure what’s up, to be honest. If you have the option to use your Windows logon credentials set in your EAP configuration I would expect it to work. This isn’t something I’ve tested myself using AAD credentials, however. It might have something to do with the way AAD authenticates, I’m not sure.

  22. Leigh

     /  July 25, 2021

    Hello Richard. My question is: in Azure GW and Azure AD with Win 10 Pro, do you also need a RADIUS server to configure AOVPN in Intune? I have configured IKEv2 but I do not see how to create the EAP XML for the Intune config from a successful VPN connection on the laptop.

    • What authentication method are you using?

      • leigh

         /  July 26, 2021

        I have been using certs but would want either AAD or cert. The issue I’m having is creating AOVPN in Intune EAP XML.

      • Certificate authentication will require NPS. Always On VPN doesn’t support using native AAD accounts though. They must be on-premises AD accounts that have been synced to AAD.

  23. Simon

     /  August 20, 2021

    Hi Richard,
    Thank you for these blog posts, they are invaluable and I consult them all the time when configuring or troubleshooting AOVPN.

    There is an odd problem with RADIUS in NPS where it doesn’t work if you disable TLSv1.0. Do you have any concerns about this? And do you know if it is possible to implement AOVPN with a different RADIUS server?

    • That’s interesting. I wasn’t aware that NPS won’t work with TLS 1.0 disabled. I will certainly look into that! However, you can use any RADIUS server you choose to provide authentication for Always On VPN.

  24. Naveen

     /  October 14, 2021

    I am using Azure VPN for point to site connectivity. Can I enable always on Azure VPN?

  25. Hi Richard,
    I have read all the posts but I don’t understand, it was said:

    “to support Always On VPN connections, the Azure VPN gateway must be configured to authenticate to a RADIUS server.”

    So the NPS RADIUS server is needed to authenticate only the User Tunnel? Or is the NPS RADIUS server in Azure also mandatory for the Device Tunnel?

    ADCS is not a requirement but can machine certificates be used to authenticate the Device Tunnel? I guess via an NPS rules, correct?

    Thanks 1000 !

    • Correct. The NPS server is only required for user tunnel connections. The device tunnel uses only a machine certificate which is validated by the VPN gateway. The gateway does not check with NPS for device tunnel connections at all.

  26. Istvan

     /  January 5, 2022

    Hi Richard, thank you for your amazing posts and your “always on” book. We are just now planning to switch to MS Always On VPN, allowing us to use the advantages of a “device tunnel”, e.g. for “first login”. One open question is whether we can use any Linux VPN gateways (e.g. strongSwan with IKEv2). As I know it is not a problem for user tunnels. It is however not supported for device tunnels. For device tunnels Windows Server 2016 / 2019 must be used. Is it really so or could we use any IKEv2 capable firewalls or VPN server software? Thank you very much for a short confirmation. I.

    • You should be able to use any VPN gateway that supports IKEv2 and device certificate authentication. I don’t have any experience using strongSwan, but I expect it should work.

      • Alexander Schoenbeck

         /  April 25, 2022

        I couldn’t post a new reply, so I’m trying this (nonce verification failed):

        Hi Richard, thanks for your great work. We set up an environment with your scripts. Now we are facing an issue related to the shared secret. It seems our NPS and RRAS are forgetting the secret, or it has something to do with the characters. At first we couldn’t connect to the user tunnel, client error 812. After setting the secret again we could connect without issue. Then we restarted the server and again couldn’t connect; after setting the secret a second time, connection was possible.

        Are there any recommendations, not to use # or ! or / or something other special chars in the secret? not to start with special chars?

        Thanks a lot for your advice, we are clueless.

        Best regards
        Alex

      • Hi Alex. I’m not aware of any limitations in Windows Server regarding the NPS shared secret. I typically use the automatically generated secret and haven’t had any issues to this point. However, you can always create a long random alphanumeric string to rule out any chance that special characters are causing problems. As long as the string is long enough (20 or more characters) it should be sufficiently secure.

  27. Laurent F

     /  June 8, 2022

    Hi Richard,

    Thank you for this interesting article.

    As device tunnel connections don’t use NPS and rely on the client certificate, can you confirm NPS/Radius server is used only for user authentication and is useless if we want only to authenticate devices ?

    Thank you

    Laurent

    • That’s correct. The device tunnel uses only device certificate authentication, which is validated by the VPN gateway itself. NPS is not used at all for device tunnel connections.

  28. Bertrand Pons

     /  February 2, 2023

    Hello Richard,

    I am not sure my question is relevant but is user tunnel more stable than device tunnel?

    All users face regular disconnections of VPN P2S device tunnel using Azure certificate as authentication type. I cannot find the root cause and I don’t understand why.

    Thank you

    Bertrand

    • Yes, but not because of the authentication type. It has more to do with the VPN protocol. IKEv2 (required for device certificate authentication) has many known issues and limitations. Using SSTP for the user tunnel is more stable and reliable.

  1. Always On VPN Options for Azure Deployments | Richard M. Hicks Consulting, Inc.
  2. Always On VPN and RRAS in Azure | Richard M. Hicks Consulting, Inc.
  3. Always On VPN Load Balancing for RRAS in Azure | Richard M. Hicks Consulting, Inc.
  4. Always On VPN Device Tunnel with Azure VPN Gateway | Richard M. Hicks Consulting, Inc.
