All posts in category IKEv2

Considerations for Always On VPN with Azure VPN Gateway and Virtual WAN

Always On VPN Device Tunnel and Custom Cryptography Native Support Now in Intune

Organizations migrating on-premises applications, data, and infrastructure to the cloud may also consider terminating Always On VPN connections there. Using one of the native Azure VPN services might be compelling at first glance. After all, having an Azure-managed VPN gateway service sounds intuitive. However, some severe limitations exist for using Azure VPN services for Always On VPN deployments.

Azure VPN Gateway

The following are limitations for Always On VPN with Azure VPN gateway.

Authentication Methods

Azure VPN gateway supports both EAP and machine certificate authentication. However, it can only support one authentication method at a time. With only EAP or certificate authentication, administrators must choose between a device or user tunnel. A single Azure VPN gateway cannot support both at the same time. For native Entra ID joined devices, this is not a problem. However, for native on-premises Active Directory or hybrid Entra ID joined devices, this is a problem, as the device tunnel is essential in these scenarios.

Note: Technically speaking, administrators could deploy another Azure VPN gateway to work around this limitation. However, Azure limits VPN gateway deployments to one per virtual network. This requires administrators to deploy a second VPN gateway in a separate virtual network, which then requires virtual network peering to be enabled, complicating the configuration greatly.

SSTP

Although the Azure VPN gateway supports SSTP, it is, unfortunately, a second-class citizen. Today, all SKUs of the Azure VPN gateway are limited to just 128 SSTP connections (256 in active/active mode). There is currently no way to increase this. If more than 256 connections are required, you must use IKEv2.

RADIUS

In addition, there is currently no option to change the default timeout value (30 seconds) for RADIUS authentication requests. This short timeout value presents a challenge when using MFA with the NPS extension or with Azure Conditional Access, as users may be unable to respond to the push notification before the timeout expires, resulting in failed authentication attempts.

In addition, Azure does not support routing traffic to on-premises RADIUS servers over ExpressRoute connections. In this scenario, administrators must route RADIUS traffic to on-premises servers over a site-to-site connection.

Geographic Redundancy

Geographic redundancy using Azure Traffic Manager (or another global server load balancer) with two or more gateways is not supported when using the Azure VPN gateway. Azure manages the certificate used on the gateway, which includes a certificate with the subject name of the individual gateway. There is no option to supply a custom certificate with a global hostname in the subject, which is required to support geographic redundancy. With that, administrators are limited to the redundancy provided natively by the Azure VPN gateway.

IPv6

Azure does not support Azure VPN gateway in a virtual network that includes IPv6 addressing.

Azure Virtual WAN

Azure Virtual WAN includes many of the same limitations as the Azure VPN gateway, in addition to the following.

SSTP

Unlike the Azure VPN gateway, there is no support for SSTP in Azure Virtual WAN.

IPv6

IPv6 is not currently supported at all in Azure Virtual WAN.

Summary

Intuitively, it seems that leveraging native Azure VPN gateway services would be ideal. However, due to the limitations outlined in this article, administrators must decide carefully if any of these prevent adoption in their environment. Although not formally supported, many organizations deploy Windows Server Routing and Remote Access (RRAS) servers in Azure to address these limitations.

Additional Information

Always On VPN Options for Azure Deployments

Always On VPN with Azure Gateway

Always On VPN Device Tunnel with Azure VPN Gateway

Always On VPN and RRAS in Azure

What is Azure VPN Gateway?

What is Azure Virtual WAN?

Leave a comment
by Richard M. Hicks on January 31, 2024  •  Permalink
Posted in AADJ, Active Directory, administration, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, Azure MFA, Azure Virtual WAN, Azure VPN, Azure VPN Gateway, certificates, cloud, Cloud Service, Conditional Access, Deployment, device tunnel, EAP, Enterprise, enterprise mobility, Entra, Entra ID, extensible authentication protocol, global server load balancer, GSLB, HAADJ, High Availability, Hybrid Azure AD Join, IKEv2, Infrastructure, IPv6, MFA, Microsoft, Microsoft Entra, Microsoft Entra ID, Mobility, Multifactor Authentiction, multisite, network policy server, NPS, OTP, public cloud, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSTP, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 31, 2024

https://directaccess.richardhicks.com/2024/01/31/considerations-for-always-on-vpn-with-azure-vpn-gateway-and-virtual-wan/

Always On VPN October 2023 Security Updates

Once again, it’s time to patch! After several quiet months, there are a few crucial updates Always On VPN administrators will want to get deployed soon. Thankfully, the impact of the security updates related to Always On VPN is low this time, as there is only one Remote Code Execution (RCE) vulnerability, and it’s for a legacy protocol that should be in limited use today.

IKEv2

CVE-2023-36726 addresses a security vulnerability in Windows Internet Key Exchange (IKE) that can lead to privilege escalation. An attacker who successfully exploits this vulnerability can elevate privileges to that of the local SYSTEM.

L2TP

This month’s update discloses several Layer Two Tunneling Protocol (L2TP) vulnerabilities. The following CVEs all address a vulnerability where an attacker can send a specially crafted protocol message to a Windows Routing and Remote Access Service (RRAS) server, which could lead to remote code execution on the server.

Mitigation

The impact of the L2TP security vulnerabilities should be minimal in most organizations. L2TP is a legacy VPN protocol not commonly used for Always On VPN. However, misconfiguration can leave vulnerable RRAS servers exposed. Administrators must ensure that inbound UDP port 1723 is not open from the Internet. In addition, L2TP should be disabled on the RRAS server if not in use. See the article on the May 2023 security updates for details.

Additional Information

October 2023 Security Updates

Leave a comment
by Richard M. Hicks on October 10, 2023  •  Permalink
Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, Hotfix, IKEv2, Infrastructure, Microsoft, Mobility, Operational Support, Remote Access, routing and remote access service, RRAS, Security, Security Update, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 10, 2023

https://directaccess.richardhicks.com/2023/10/10/always-on-vpn-october-2023-security-updates/

Always On VPN and the PSPKI PowerShell Module

Certificates are a crucial part of a secure Always On VPN implementation. Certificates are phishing-resistant forms of authentication that, when configured correctly, provide robust and multifactor authentication for remote access users and devices.

AD CS

Most commonly, certificates are issued by an on-premises Microsoft Active Directory Certificate Services (AD CS) server. Administrators configure and deploy a Certification Authority infrastructure to issue and manage user and device authentication certificates in their organization. CA certificates are also required on the VPN server to support Always On VPN device tunnel connections and IKEv2 user tunnel connections. The NPS server also requires an enterprise CA certificate. Of course, the CA can issue certificates for other purposes, including Wi-Fi authentication, document signing, and code signing, just to name a few.

PSPKI

PSPKI is a PowerShell module available in the PowerShell Gallery for configuring, managing, and troubleshooting Microsoft AD CS. Created by Vadims Podans of PKI Solutions, PSPKI includes over 100 functions for various AD CS and certificate-related tasks. Always On VPN administrators will find this PowerShell module helpful when configuring and troubleshooting certificate-related issues for their Always On VPN deployments.

Note: The AD CS remote server administration tools (RSAT) must be installed to access all of the PSPKI module’s functionality.

Installation

Run the following PowerShell command to install the PSPKI PowerShell module.

Install-Module -Name PSPKI

Always On VPN and PSPKI

Always On VPN Administrators will immediately find a few PSPKI functions helpful when implementing and supporting Always On VPN.

Test-WebServerSSL – This function will connect to a remote web server and display details about the TLS certificate included in the response. This can be especially helpful when troubleshooting SSTP VPN connections.

Convert-PfxToPem – This is a handy utility for converting a PFX file to the PEM format. This is commonly required when importing CA certificates on non-Microsoft platforms, security devices, and load balancers.

Convert-PemToPfx – Occasionally, administrators must convert a certificate and private key in PEM format to PFX to install on a Windows server. This tool allows administrators to perform this task easily.

Get-CertificationAuthority – This function quickly enumerates all enterprise CA servers and displays information about their hostname, accessibility, service status, and type.

Ping-ICertInterface – This function helps troubleshoot CA connectivity issues. Administrators can quickly determine if a CA is reachable and capable of issuing a certificate using this command.

Get-CaTemplate – This command displays a list of certificate templates published on the specified target CA server. The certificate template’s display name and the minimum support CA version are provided. In addition, the output indicates if certificate autoenrollment is enabled on the template.

Much More

The PSPKI PowerShell module for AD CS has many tools for configuring and managing AD CS. PSPKI recently received a major update to version 4.0. Download and install PSPKI today. It will make your life easier, I can assure you!

Additional Information

PSPKI PowerShell Module – PowerShell Gallery

PSPKI PowerShell Module – GitHub

AOVPNTools PowerShell Module – PowerShell Gallery

AOVPNTools PowerShell Module – GitHub

InboxAccountingDatabaseManagement PowerShell Module

InboxAccontingDatabaseManagement – PowerShell Gallery

InboxAccountingDatabaseManagement – GitHub

4 Comments
by Richard M. Hicks on June 20, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, certificates, Deployment, Encryption, Enterprise, enterprise mobility, GitHub, IKEv2, Infrastructure, Microsoft, Mobility, Multifactor Authentiction, NPS, Operational Support, PEAP, PKI, PowerShell, Protected EAP, public key infrastructure, Remote Access, routing and remote access service, RRAS, Secure Socket Tunneling Protocol, Security, SSL, SSL and TLS, SSTP, systems management, TLS, Transport Layer Security, troubleshooting, Update, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 20, 2023

https://directaccess.richardhicks.com/2023/06/20/always-on-vpn-and-the-pspki-powershell-module/

« Older Posts