All posts in category Azure VPN

Always On VPN and VpnStrategy

NetMotion Mobility for DirectAccess Administrators – Split vs. Force Tunneling

Always On VPN supports a variety of VPN protocols for the user tunnel. Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP) are the most common. I wrote about the advantages and disadvantages of each in this post. To summarize, IKEv2 provides the highest security options but suffers from operational limitations. SSTP offers excellent security and is generally more reliable.

VpnStrategy

Always On VPN administrators must choose between IKEv2 and SSTP when configuring the Always On VPN user tunnel. Some administrators may prefer to use IKEv2 when available but then fall back to SSTP if it is not. To accomplish this requires editing the rasphone.pbk file and setting the value of VpnStrategy to 8, as described here.

Challenges

Unfortunately, setting the VpnStrategy value to 8 poses some challenges. Updating rasphone.pbk requires editing a text file on each endpoint post-deployment. Updating rasphone.pbk can be automated using the Update-Rasphone.ps1 script or Microsoft Intune proactive remediation.

Limitations

By default, Windows will overwrite the VpnStrategy setting in rasphone.pbk when fallback occurs. For example, setting VpnStrategy to prefer IKEv2 over SSTP will be reset to use SSTP first if a connection with IKEv2 fails. There’s a registry setting available that’s supposed to prevent this, but it doesn’t always work as expected.

Windows 11

There’s good news for administrators deploying Always On VPN on Windows 11. Microsoft recently introduced support for additional NativeProtocol types in XML. Specifically, VPN protocol preference can now be defined using the ProtocolList native protocol type. When using the ProtocolList native protocol type, each supported VPN protocol is listed in order of preference using the syntax shown below.

In addition, the RetryTimeInHours value defines the time Windows will try the last successful connection protocol. Setting this value to 0 overrides this and ensures the preferred protocol (the first protocol in the list) will always be attempted first.

SSTP Only

Previously the VPNv2CSP only supported IKEv2 or Automatic as values for the native protocol type. Windows 11 now supports SSTP as a native protocol type. Administrators configuring Always On VPN user tunnel connections using SSTP exclusively can now use this option.

Caveats

While the settings above are supported in both Windows 11 21H2 and 22H2, there are some known issues when enabling these settings. Specifically, when administrators define the ProtocolList value for the native protocol type, IKEv2 is always shown as the active protocol, even when an SSTP connection is established.

Also, if ProtocolList is used, the VPN connection cannot be managed using PowerShell. The VPN profile will not be displayed when running Get-VpnConnection at the time of this writing. Hopefully Microsoft will fix this soon.

Additional Information

Always On VPN CSP Updates

Always On VPN IKEv2 and SSTP Fallback

Always On VPN and Intune Proactive Remediation

Always On VPN Protocol Recommendations for Windows Server RRAS

Always On VPN IKEv2 Features and Limitations

Leave a comment
by Richard M. Hicks on May 22, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Azure VPN, Deployment, Device Management, Enterprise, enterprise mobility, IKEv2, InTune, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Operational Support, PowerShell, Remote Access, Secure Socket Tunneling Protocol, Security, SSTP, systems management, user tunnel, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 22, 2023

https://directaccess.richardhicks.com/2023/05/22/always-on-vpn-and-vpnstrategy/

Always On VPN Error 13868

Troubleshooting Always On VPN Error 691 and 812 – Part 2

The Internet Key Exchange version 2 (IKEv2) VPN protocol is the protocol of choice for Microsoft Always On VPN deployments where the highest levels of security and assurance are required. However, as I’ve written about in the past, often the default IKEv2 security settings are less than desirable. Before using IKEv2 VPN in a production environment the administrator will need to update these security settings accordingly.

Connection Failure

When configuring Windows Server Routing and Remote Access Service (RRAS) or a third-party VPN appliance to support IKEv2 using custom security policies, the administrator may encounter a scenario in which a connection cannot be established due to a policy mismatch error. When the connection attempt fails, an error will be recorded in the Windows Application event log from the RasClient source with Event ID 20227. The error message states the following:

“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13868.”

Always On VPN IKEv2 Policy Mismatch Error

Error Code 13868

Error code 13868 translates to ERROR_IPSEC_IKE_POLICY_MATCH. Essentially this error indicates that the IKEv2 security policy on the client did not match the configuration on the server.

Server Configuration

To view the current IKEv2 IPsec policy configuration, open an elevated PowerShell command window and run the following command.

Get-VpnServerIPsecConfiguration

Always On VPN IKEv2 Policy Mismatch Error

Client Configuration

To ensure interoperability, the VPN client must be configured to use the same IKEv2 security policy as defined on the sever. To view a VPN client’s currently configured IKEv2 security policy, open an elevated PowerShell command window and run the following command.

Get-VpnConnection -Name [connection name] | Select-Object -ExpandProperty IPsecCustomPolicy

Always On VPN IKEv2 Policy Mismatch Error

Note: If this PowerShell command returns no output, the VPN connection is not using a custom IKEv2 IPsec security policy.

Updating Settings

Guidance for configuring IKEv2 security policies on Windows Server RRAS and Windows 10 can be found here.

NPS Policy

Another common cause of IKEv2 policy mismatch errors is a misconfigured Network Policy Server (NPS) network policy. Specifically, administrators may disable Basic and Strong encryption for MPPE in an attempt to improve security.

Always On VPN IKEv2 Policy Mismatch Error

The NPS policy for Always On VPN must include Strong encryption at a minimum. Basic and No encryption can be safely disabled.

Always On VPN IKEv2 Policy Mismatch Error

Summary

IKEv2 policy mismatch errors can be resolved easily by ensuring both the VPN server and client are configured to use the same IPsec security policies. Use the PowerShell commands in the above referenced above to validate settings and make changes when necessary.

Additional Information

Microsoft Always On VPN Error 13801

Microsoft Windows Always On VPN Error 13806

Microsoft Windows Always On VPN Certificate Requirements for IKEv2

Microsoft Windows Always On VPN IPsec Root Certificate Configuration Issue

Microsoft Windows Always On VPN IKEv2 Policy Mismatch Error

Microsoft Windows Always On VPN IKEv2 Security Configuration

Microsoft Windows Always On VPN IKEv2 Fragmentation

Microsoft Windows Always On VPN IKEv2 Load Balancing and NAT

Microsoft Windows Always On VPN IKEv2 Features and Limitations

1 Comment
by Richard M. Hicks on February 12, 2023  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Azure VPN, Azure VPN Gateway, certificates, Cryptography, device tunnel, Encryption, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, network policy server, NPS, Operational Support, PKI, PowerShell, Remote Access, routing and remote access service, Security, troubleshooting, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 12, 2023

https://directaccess.richardhicks.com/2023/02/12/always-on-vpn-error-13868/

Always On VPN DPC with Intune

In the past, I’ve written about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), a software solution administrators can use to provision and manage Always On VPN client configuration settings using Active Directory and group policy. In addition to streamlining the deployment and management of Always On VPN client settings, DPC has many advanced features and capabilities to ensure optimal security, performance, and connection reliability.

Optimizations

Many settings required to fine-tune and optimize Always On VPN connections are not exposed in the Intune UI or XML. They must be configured by manipulating configuration files, setting registry keys, and running PowerShell commands. Much of this can be automated using Intune Proactive Remediation, but it is far from ideal. Administrators must configure Always On VPN using one method, then deploy optimizations using another. In addition, Proactive Remediation suffers from timing issues where some settings are not applied immediately, resulting in degraded or inoperable VPN connections until changes take effect.

Always On VPN DPC

Always On VPN DPC allows administrators to configure many advanced settings quickly and conveniently using the familiar Group Policy Management console (gpmc.msc). DPC dramatically reduces the administrative burden associated with Always On VPN client management. In addition, DPC enables many of these options by default, ensuring optimal security and reliable operation. Also, DPC immediately implements all configuration settings, eliminating the need to reboot to apply configuration changes.

Intune and ADMX

Historically, Always On VPN DPC could only be used when managing endpoints exclusively with Active Directory group policy. However, DPC can now be used with Microsoft Endpoint Manager/Intune thanks to a new feature that allows administrators to import custom ADMX and ADML administrative templates to Microsoft Endpoint Manager (MEM).

Note: This feature is in public preview at the time of this writing.

DPC and Intune

The combination of DPC and Intune brings with it many advantages. Using DPC with Microsoft Endpoint Manager/Intune offers administrators simplified deployment and many advanced features provided by Always On VPN DPC. In addition, customers who have deployed DPC on-premises can now migrate seamlessly to Microsoft Endpoint Manager/Intune management without giving up DPC’s valuable features.

Learn More

Enter your contact details in the form below for more information regarding Always On VPN DPC. Also, visit https://aovpndpc.com/ to register for a free Always On VPN DPC trial.

Additional Information

Always On VPN with Active Directory Group Policy

Introduction to Always On VPN DPC

Always On VPN DPC Advanced Features

Always On VPN DPC Video Demonstrations

What’s New in Always On VPN DPC v3.0

Always On VPN DPC Free Trial

2 Comments
by Richard M. Hicks on October 10, 2022  •  Permalink
Posted in AADJ, Active Directory, administration, Always On VPN, AOVPN, AovpnDPC, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure VPN, Azure VPN Gateway, cloud, Deployment, Device Management, device tunnel, DPC, Dynamic Profile Configurator, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, HAADJ, Hybrid Azure AD Join, MDM, MEM, MEMCM, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, OMA-DM, Operational Support, PowerShell, ProfileXML, public cloud, Remote Access, SCCM, System Center Configuration Manager, systems management, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 10, 2022

https://directaccess.richardhicks.com/2022/10/10/always-on-vpn-dpc-with-intune/

« Older Posts
Newer Posts »