When configuring a Windows Routing and Remote Access Service (RRAS) server to support Internet Key Exchange version 2 (IKEv2) VPN connections, it is essential for the administrator to define the root certification authority for which to accept IPsec security associations (SAs). Without defining this setting, the VPN server will accept a device certificate issued by any root certification authority defined in the Trusted Root Certification Authorities store. Details about configuring IKEv2 security and defining the root certification authority can be found here.
Multiple Root Certificates
Administrators may find that when they try to define a specific root certification authority, the setting may not be implemented as expected. This commonly occurs when there is more than one root certificate in the Trusted Root Certification Authorities store for the same PKI.
Certificate Selection
When running the PowerShell command Set-VpnAuthProtocol to define the root certification authority, PowerShell may ignore the administrator-defined certificate and choose a different one, as shown here. This will result in failed IPsec VPN connections from Windows 10 Always On VPN clients using IKEv2.
Certificate Publishing
This issue can occur when root certification authority certificates are published using Active Directory group policy. It appears that Windows prefers Active Directory group policy published certificates over those published directly in the Certification Authorities Container in Active Directory. To resolve this issue, remove any group policy objects that are publishing root certification authority certificates and ensure those root certificates are published in the Certification Authorities container in Active Directory.
PowerShell Script
A PowerShell script to configure this setting that can be found in my Always On VPN GitHub repository here. I have updated this script to validate the defined root certification authority certificate and warn the user if it does not match.
Additional Information
Set-Ikev2VpnRootCertificate.ps1 PowerShell script on GitHub
Windows 10 Always On VPN IKEv2 Security Configuration
Windows 10 Always On VPN IKEv2 Load Balancing and NAT
Windows 10 Always On VPN IKEv2 Features and Limitations
Corey Zamara
/ November 25, 2021Microsoft really needs to come up with a way to address this – I just went through this headache and have no idea why it kept reverting until I stumbled on this article.
Richard M. Hicks
/ November 29, 2021It’s really stupid, isn’t it! If I, the administrator, want to configure a specific certificate it should respect that! Terribly frustrating for sure. FYI, I have a script to configure this and added a check to warn the administrator if the configuration changes after restarting the service. π
https://github.com/richardhicks/aovpn/blob/master/Set-IKEv2VpnRootCertificate.ps1
Jason
/ December 21, 2021Is it possible to specify two different root CA’s with the set-vpnauthprotocol command? I’m working with someone who is changing root CA and this setting is currently pointing at the CA to be decommissioned, but a transition period is needed where a cert from either CA would be valid to provide VPN authentication.
Richard M. Hicks
/ December 21, 2021Unfortunately, no. You’ll have to remove this restriction during the transition, then re-enable it later after all of your clients are migrated. Not ideal, I know. :/