Always On VPN Device Tunnel with Azure VPN Gateway

Always On VPN is infrastructure independent, which allows for many different deployment scenarios including on-premises and cloud-based. In Microsoft Azure, the Azure VPN gateway can be configured to support Windows 10 Always On VPN client connections in some scenarios. Recently I wrote about using the Azure VPN gateway for Always On VPN user tunnels. In this post I’ll describe how to configure the Azure VPN gateway to support an Always On VPN device tunnel.

Limitations

There are a few crucial limitations that come with using the Azure VPN gateway for Always On VPN. Importantly, the Azure VPN gateway can support either user tunnels or device tunnels, not both at the same time. The gateway is configured for a single authentication method: certificate authentication, which is what the device tunnel uses, or RADIUS (NPS), which is what the user tunnel uses. In addition, Azure supports only a single VPN gateway per VNet, so deploying an additional VPN gateway in the same VNet to support Always On VPN user tunnels is not an option.

Root CA Certificate

The Always On VPN device tunnel is authenticated using a machine certificate issued to domain-joined Windows 10 Enterprise edition clients by the organization’s internal Certification Authority (CA). The CA’s root certificate must be uploaded to Azure for the VPN gateway to authorize device tunnel connections. The root CA certificate can be exported using the Certification Authority management console (certsrv.msc) or via the command line.

Export Certificate – GUI

Follow the steps below to export a root CA certificate using the Certification Authority management console.

1. On the root CA server, open the Certification Authority management console.
2. Right-click the CA and choose Properties.
3. Select the CA server’s certificate and choose View Certificate.
4. Select the Details tab and click Copy to File.
5. Click Next.
6. Choose Base-64 encoded X.509 (.CER).


7. Click Next.
8. Enter a location to save the file to.
9. Click Next, Finish, and OK.

Export Certificate – Command Line

Follow the steps below to export a root CA certificate using the command line.

1. On the root CA server, open an elevated command window (not a PowerShell window).
2. Enter certutil.exe -ca.cert root_certificate.cer. This writes the CA certificate in binary (DER) form.
3. Enter certutil.exe -encode root_certificate.cer root_certificate_base64.cer to convert it to the Base64 form that Azure expects.

Copy Public Key

1. Open the saved root certificate file using Notepad.
2. Copy the file contents between the BEGIN CERTIFICATE and END CERTIFICATE tags, as shown here. Use caution and don’t copy the carriage return at the end of the string.


Point-to-Site Configuration

The Azure VPN gateway must be deployed as a Route-Based gateway to support point-to-site VPN connections. Detailed requirements for the gateway can be found here. Once the VPN gateway has been provisioned, follow the steps below to enable point-to-site configuration for Always On VPN device tunnels.

1. In the navigation pane of the Azure VPN gateway settings click Point-to-site configuration.
2. Click the Configure now link and specify an IPv4 address pool to be assigned to VPN clients. This IP address pool must be unique in the organization and must not overlap with any IP address range defined in the Azure virtual network or on-premises.
3. From the Tunnel type drop-down list select IKEv2.
4. In the Root certificates section enter a descriptive name for the certificate in the Name field.
5. Copy and paste the Base64 encoded public key copied previously into the Public certificate data field.
6. Click Save to save the configuration.
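The export, copy, and point-to-site steps above can also be done end to end with Az PowerShell. The script below is an added example and not code from the original post. The subscription, resource group, gateway, certificate file path, client address pool, and root certificate name are placeholders (assumptions), and the sanity checks on the certificate are mine; the cmdlets themselves are the standard Az.Network cmdlets for point-to-site root certificates.

```powershell
# Added example: take the exported root CA certificate, validate it, convert it to the
# exact Base64 string Azure expects, and configure point-to-site on the VPN gateway.
# All names and paths below are placeholders; replace them for your environment.
Connect-AzAccount
Select-AzSubscription -SubscriptionName 'Azure Subscription Name'

$ResourceGroup = 'Resource Group Name'
$Gateway       = 'Gateway Name'
$CertFile      = 'C:\Temp\root_certificate.cer'   # output of certutil -ca.cert or the MMC export
$ClientPool    = '172.16.200.0/24'                 # must not overlap any VNet or on-premises range

# X509Certificate2 reads both the DER and the Base64 .cer file, so either export works
$Root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)

# Sanity checks before trusting this certificate to authorize device tunnels
if ($Root.Subject -ne $Root.Issuer) { throw "Not a self-signed root certificate: $($Root.Subject)" }
$bc = $Root.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Certificate is not a CA certificate' }
if ($Root.NotAfter -lt (Get-Date)) { throw "Root certificate expired on $($Root.NotAfter)" }
"Root CA: $($Root.Subject) | thumbprint $($Root.Thumbprint) | expires $($Root.NotAfter)"

# Azure wants the Base64 DER with no BEGIN/END lines and no line breaks. ToBase64String
# returns exactly that, so there is no trailing carriage return to copy by mistake.
$PublicCertData = [Convert]::ToBase64String($Root.RawData)

# Point-to-site settings: client address pool and IKEv2 as the only tunnel type
$Gw = Get-AzVirtualNetworkGateway -Name $Gateway -ResourceGroupName $ResourceGroup
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gw `
    -VpnClientAddressPool $ClientPool -VpnClientProtocol IkeV2 | Out-Null

# Upload the root. The gateway will accept any client certificate that chains to it.
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'Corp Root CA' `
    -VirtualNetworkGatewayName $Gateway -ResourceGroupName $ResourceGroup `
    -PublicCertData $PublicCertData

# Confirm the certificate is registered on the gateway
Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $Gateway -ResourceGroupName $ResourceGroup |
    Select-Object Name, ProvisioningState
```

Because the gateway authorizes any certificate that chains to the uploaded root, only upload a root (or issuing CA) that is scoped to the devices you intend to admit. To block an individual device, add its certificate thumbprint with Add-AzVpnClientRevokedCertificate rather than relying on your CA's CRL.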


VPN Client Configuration

To support the Always On VPN device tunnel, the client must have a certificate issued by the internal CA with the Client Authentication Enhanced Key Usage (EKU). Detailed guidance for deploying a Windows 10 Always On VPN device tunnel can be found here.

Download VPN Configuration

1. Click Point-to-site configuration.
2. Click Download VPN client.
3. Click Save.
4. Open the downloaded zip file and extract the VpnSettings.xml file from the Generic folder.
5. Copy the FQDN in the VpnServer element in VpnSettings.xml. This is the FQDN that will be used in the template VPN connection and later in ProfileXML.

Create a Test VPN Connection

It is recommended to create a test VPN connection to perform validation testing of the Azure VPN gateway before provisioning an Always On VPN device tunnel broadly. On a domain-joined Windows 10 Enterprise client, create a new VPN connection using IKEv2 with machine certificate authentication. Use the VPN server FQDN copied from the VpnSettings.xml file previously.


Create an Always On VPN Connection

Once the VPN has been validated using the test profile created previously, an Always On VPN profile can be created and deployed using Intune, SCCM, or PowerShell. The following articles can be used for reference.

Deploy Always On VPN device tunnel using PowerShell

Deploy Always On VPN device tunnel using Intune

IKEv2 Security Configuration

The default IKEv2 security parameters used by the Azure VPN gateway are better than Windows Server, but the administrator will notice that a weak Diffie-Hellman (DH) key (Group 2 – 1024 bit) is used during IPsec phase 1 negotiation.


Use the following PowerShell commands to replace the default IKEv2 security parameters with a stronger baseline: 2048-bit DH group 14 for key exchange and PFS, SHA-256 integrity, and AES-128 (rather than AES-256) for better throughput.

Connect-AzAccount
Select-AzSubscription -SubscriptionName '<Azure Subscription Name>'

$Gateway = '<Gateway Name>'
$ResourceGroup = '<Resource Group Name>'

# Record the current policy first so the change can be rolled back if clients stop connecting
Get-AzVpnClientIpsecParameter -VirtualNetworkGatewayName $Gateway -ResourceGroupName $ResourceGroup

# AES-128/SHA-256 for both IKE and ESP, DH group 14 (2048-bit) for key exchange and PFS
$IPsecPolicy = New-AzVpnClientIpsecParameter -IpsecEncryption AES128 -IpsecIntegrity SHA256 -SALifeTime 28800 -SADataSize 102400000 -IkeEncryption AES128 -IkeIntegrity SHA256 -DhGroup DHGroup14 -PfsGroup PFS14

Set-AzVpnClientIpsecParameter -VirtualNetworkGatewayName $Gateway -ResourceGroupName $ResourceGroup -VpnClientIPsecParameter $IPsecPolicy

Note: Be sure to update the cryptography settings on the test VPN connection and in ProfileXML for Always On VPN connections to match the new VPN gateway settings. Failing to do so will result in an IPsec policy mismatch error.
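The client side of both the test connection described earlier and the cryptography note above, as an added example that is not code from the original post. It reads the gateway FQDN from the downloaded VpnSettings.xml, checks that a suitable machine certificate is present, creates an IKEv2 machine certificate connection, pins its IPsec policy to the gateway settings configured above (AES-128, SHA-256, DH group 14, PFS 2048), and validates the result. Run it in an elevated PowerShell window on a domain-joined Windows 10 client. The zip path, connection name, and VNet prefix are assumptions, as is the list of properties selected from Get-NetIPsecMainModeSA.

```powershell
# Added example: test IKEv2 machine-certificate connection whose IPsec policy matches the
# Azure VPN gateway. Paths, names and prefixes are placeholders; replace them.
$ZipPath    = 'C:\Temp\VpnClientConfiguration.zip'   # the "Download VPN client" zip
$ConnName   = 'Azure Device Tunnel Test'
$VNetPrefix = '10.10.0.0/16'                          # Azure VNet address space to reach

# 1. Gateway FQDN from Generic\VpnSettings.xml (namespace-agnostic lookup of VpnServer)
Expand-Archive -Path $ZipPath -DestinationPath "$env:TEMP\azvpn" -Force
[xml]$Settings = Get-Content "$env:TEMP\azvpn\Generic\VpnSettings.xml"
$ServerFqdn = $Settings.SelectSingleNode('//*[local-name()="VpnServer"]').InnerText
if (-not $ServerFqdn) { throw 'VpnServer element not found in VpnSettings.xml' }
"Gateway FQDN: $ServerFqdn"

# 2. A machine certificate with the Client Authentication EKU and a private key must exist
$ClientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
}
if (-not $ClientCert) { throw 'No machine certificate with the Client Authentication EKU found' }
"Using machine certificate: $($ClientCert[0].Subject) issued by $($ClientCert[0].Issuer)"

# 3. Device-style (all-user) IKEv2 connection, machine certificate auth, split tunnel
Add-VpnConnection -Name $ConnName -ServerAddress $ServerFqdn -TunnelType IKEv2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -SplitTunneling -AllUserConnection -Force

# 4. Match the gateway policy exactly. Anything else fails with an IPsec policy mismatch.
#    Note the Windows naming: DH group 14 is Group14 here and PFS14 on Azure is PFS2048 here.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# 5. Route only the VNet through the tunnel
Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $VNetPrefix -AllUserConnection

# 6. Connect, inspect the negotiated main mode SA, then disconnect
rasdial $ConnName
Get-VpnConnection -Name $ConnName -AllUserConnection |
    Select-Object Name, ConnectionStatus, IPsecCustomPolicy
Get-NetIPsecMainModeSA |
    Format-List LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId
rasdial $ConnName /disconnect
```

The main mode SA output is the quick check that the gateway change took effect: after step 4 it should show AES128, SHA256 and DH group 14 rather than the 1024-bit group 2 negotiated with the defaults. The same CryptographySuite values go into ProfileXML when the Always On VPN device tunnel is deployed.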

Additional Information

Windows 10 Always On VPN User Tunnel with Azure VPN Gateway

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN Device Tunnel Configuration using Microsoft Intune

Windows 10 Always On VPN Device Tunnel Configuration using PowerShell

Windows 10 Always On VPN Options for Azure Deployments

Windows 10 Always On VPN IKEv2 Features and Limitations


17 Comments

  1. Martyn Jones

     /  January 14, 2020

    Hi Richard,

    In the limitations section, you mention that an Azure VPN Gateway cannot support both user and device tunnels at the same time.

    Is this a single client machine connecting a user and device tunnel at the same time is unsupported?

    Or is the Gateway itself, unable to have both types of connection configured through it?

    I can’t find any mention of this in the Microsoft documentation, so I’m just looking to clarify before going any further with planning for an Always On VPN rollout.

    Thanks very much,

    Martyn.

    Reply
    • The Azure VPN gateway can only be configured to support user tunnels or device tunnels, not both. This is because device tunnels are authenticated by the VPN gateway by their device certificate, but user tunnels are authenticated by NPS. The gateway configuration supports only one authentication method, either certificate or RADIUS (NPS). With that, you have to choose one or the other. No option to do both at the same time unfortunately.

      Reply
  3. Patrick

     /  March 20, 2020

    Hi Richard, thank you for this. I am able to connect using the downloaded vpn profile but cannot ping any resources on any other network. Do you know if I need to create a routing table so my vpn clients can ping to other vnets and on premise devices?

    Reply
    • Absolutely. Not sure how that’s done with the downloaded VPN client, but if you are using Always On VPN you add those routes to your ProfileXML. You can also add them to the VPN connection using the Add-VpnConnectionRoute PowerShell command.

      Reply
  4. DiPersiaTech

     /  April 7, 2020

    Thanks for this info, Richard. Two items – I’m trying to get the current IPSec policy out of Azure (Just for documentation purposes in case I mess this up and have to set something back!) Can’t seem to figure out how to get this for point to site VPNs.

    Second, when I DO try to implement this and create a new IPSec policy using your powershell above – I get the following error: “New-AzVpnClientIpsecParameter: Cannot validate argument on parameter ‘PfsGroup’. The argument “PFS2048” does not belong to the set “PFS24,PFSMM,ECP384,ECP256,PFS14,PFS2,None” specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.”

    Odd. . .

    Reply
    • Sorry, that was a mistake. I’ve corrected the issue now. The correct parameter for the point-to-site connection is PFS14. Confusingly you use PFS2048 to configure the same setting on the site-to-site connection. :/

      Also, you should be able to use Get-AzVpnClientIpsecParameter to view current settings.

      Reply
      • DiPersiaTech

         /  April 8, 2020

        Cool, thanks for the update. Yes – tried Get-AzVpnClientIpsecParameter, but seems to be returning incorrect info. Like IpsecEncryption none, everything set for MD5, DES and no DH or PFS group.

      • Not sure what’s up there. :/

  5. Stephen Zammit

     /  April 15, 2020

    A quick question, does Always On VPN Device Tunnel with Azure VPN Gateway support ExpressRoute to on-premise resources?

    Reply
  6. Justin Nel

     /  June 3, 2020

    Azure Virtual WAN looks interesting! Do you know if the AVW P2S VPN can be used without the SDWAN element, where I would still be able to access on-premise resources through an existing Expressroute? Has Anyone got experience using Azure Virtual WAN P2S VPN with AOVPN?

    Reply
    • It does look interesting, but I’ve done no testing with this so far. However, I’ve been told that if you establish a point-to-site connection using Azure Virtual WAN that you can access on-premises resources via ExpressRoute.

      Reply
  1. Always On VPN Device Tunnel Operation and Best Practices | Richard M. Hicks Consulting, Inc.
  2. Always On VPN Device Tunnel Only Deployment Considerations | Richard M. Hicks Consulting, Inc.
