All posts in category IKEv2

Always On VPN CSP Updates

Always On VPN DNS Registration Update Available

Administrators can deploy Always On VPN client configuration settings in several ways. The simplest method is to use the native Microsoft Intune UI and the VPN device configuration profile template. Optionally, administrators can create an XML file that can be deployed with Intune using the Custom template. In addition, the XML file can be deployed using PowerShell, either interactively or with System Center Configuration Manager (SCCM). Administrators can also deploy the XML file using PowerShell via Active Directory group policy startup script or another software provisioning platform.

Custom XML

While using the native Intune VPN device configuration template to deploy and manage Always On VPN client configuration settings is easy and convenient, it lacks support for many crucial configuration settings. Deploying Always On VPN client settings using the Custom template is helpful to overcome these limitations as it enables additional configuration settings not exposed in the Intune VPN template.

VPNv2CSP

The VPNv2 Configuration Service Provider (CSP) is the interface used by Intune to deploy Always On VPN client configuration settings to the endpoint. The WMI-to-CSP bridge enables settings deployment using PowerShell. In either scenario, administrators must create an XML file that includes the settings used for the Always On VPN profile. A reference for all supported settings in the VPNv2 CSP can be found here.

New Settings

Microsoft recently introduced some new settings in the VPNv2 CSP. Beginning with Windows 11 22H2, administrators can disable the disconnect button and prevent access to the advanced settings menu for device and user tunnels in the Windows UI by adding the following entries in the XML configuration file.

<DisableDisconnectButton>true</DisableDisconnectButton>

<DisableAdvancedOptionsEditButton>true
</DisableAdvancedOptionsEditButton>

Additional Updates

Microsoft also added options to define encryption settings, disable IKEv2 fragmentation support, update IPv4 and IPv6 interface metrics, adjust IKEv2 network outage time, and disable the use of RAS credentials in XML for device and user tunnels. These new options eliminate the need to use Intune Proactive Remediation to adjust these VPN client configuration settings post-deployment.

Unfortunately, these settings are not supported in any current release of Windows 10 or 11 today. However, they are available in the latest Windows Insider build (development channel) if you want to test them. I’ve provided example settings below. These settings will be supported in a public release of Windows in the future.

<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>

Note: At the time of this writing, the VPNv2 CSP indicates these settings apply to Windows 11 21H2 and later. That is incorrect. Microsoft is aware of the issue and will hopefully correct it soon.

Intune Support

At some point, Microsoft may add these features to the Intune VPN device configuration template. However, XML with the Custom template is the only way to enable these new settings today.

Additional Information

Always On VPN VPNv2 CSP Reference

Deploying Always On VPN with Intune using Custom ProfileXML

Always On VPN and Intune Proactive Remediation

Microsoft Intune Learning Resources for Always On VPN Administrators

Example Always On VPN User Tunnel ProfileXML

Example Always On VPN Device Tunnel ProfileXML

15 Comments
by Richard M. Hicks on March 6, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Endpoint Manager, Enterprise, enterprise mobility, Group Policy, IKEv2, Infrastructure, InTune, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, OMA-DM, Operational Support, PowerShell, ProfileXML, Remote Access, SCCM, Security, System Center Configuration Manager, systems management, Update, VPN, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 6, 2023

https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/

Always On VPN Error 13868

Troubleshooting Always On VPN Error 691 and 812 – Part 2

The Internet Key Exchange version 2 (IKEv2) VPN protocol is the protocol of choice for Microsoft Always On VPN deployments where the highest levels of security and assurance are required. However, as I’ve written about in the past, often the default IKEv2 security settings are less than desirable. Before using IKEv2 VPN in a production environment the administrator will need to update these security settings accordingly.

Connection Failure

When configuring Windows Server Routing and Remote Access Service (RRAS) or a third-party VPN appliance to support IKEv2 using custom security policies, the administrator may encounter a scenario in which a connection cannot be established due to a policy mismatch error. When the connection attempt fails, an error will be recorded in the Windows Application event log from the RasClient source with Event ID 20227. The error message states the following:

“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13868.”

Always On VPN IKEv2 Policy Mismatch Error

Error Code 13868

Error code 13868 translates to ERROR_IPSEC_IKE_POLICY_MATCH. Essentially this error indicates that the IKEv2 security policy on the client did not match the configuration on the server.

Server Configuration

To view the current IKEv2 IPsec policy configuration, open an elevated PowerShell command window and run the following command.

Get-VpnServerIPsecConfiguration

Always On VPN IKEv2 Policy Mismatch Error

Client Configuration

To ensure interoperability, the VPN client must be configured to use the same IKEv2 security policy as defined on the sever. To view a VPN client’s currently configured IKEv2 security policy, open an elevated PowerShell command window and run the following command.

Get-VpnConnection -Name [connection name] | Select-Object -ExpandProperty IPsecCustomPolicy

Always On VPN IKEv2 Policy Mismatch Error

Note: If this PowerShell command returns no output, the VPN connection is not using a custom IKEv2 IPsec security policy.

Updating Settings

Guidance for configuring IKEv2 security policies on Windows Server RRAS and Windows 10 can be found here.

NPS Policy

Another common cause of IKEv2 policy mismatch errors is a misconfigured Network Policy Server (NPS) network policy. Specifically, administrators may disable Basic and Strong encryption for MPPE in an attempt to improve security.

Always On VPN IKEv2 Policy Mismatch Error

The NPS policy for Always On VPN must include Strong encryption at a minimum. Basic and No encryption can be safely disabled.

Always On VPN IKEv2 Policy Mismatch Error

Summary

IKEv2 policy mismatch errors can be resolved easily by ensuring both the VPN server and client are configured to use the same IPsec security policies. Use the PowerShell commands in the above referenced above to validate settings and make changes when necessary.

Additional Information

Microsoft Always On VPN Error 13801

Microsoft Windows Always On VPN Error 13806

Microsoft Windows Always On VPN Certificate Requirements for IKEv2

Microsoft Windows Always On VPN IPsec Root Certificate Configuration Issue

Microsoft Windows Always On VPN IKEv2 Policy Mismatch Error

Microsoft Windows Always On VPN IKEv2 Security Configuration

Microsoft Windows Always On VPN IKEv2 Fragmentation

Microsoft Windows Always On VPN IKEv2 Load Balancing and NAT

Microsoft Windows Always On VPN IKEv2 Features and Limitations

1 Comment
by Richard M. Hicks on February 12, 2023  •  Permalink
Posted in Always On VPN, AOVPN, authentication, Azure VPN, Azure VPN Gateway, certificates, Cryptography, device tunnel, Encryption, Enterprise, enterprise mobility, IKEv2, Infrastructure, Microsoft, Mobility, network policy server, NPS, Operational Support, PKI, PowerShell, Remote Access, routing and remote access service, Security, troubleshooting, VPN, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 12, 2023

https://directaccess.richardhicks.com/2023/02/12/always-on-vpn-error-13868/

Always On VPN DPC Advanced Features

Recently I wrote about PowerON Platforms’ Always On VPN Dynamic Profile Configurator (DPC), a software solution that allows administrators to provision and manage Always On VPN client configuration settings using Active Directory and group policy. The article described the basic functionality Always On VPN DPC provides. In this post, I will describe some of its advanced capabilities that administrators will find helpful for solving common Always On VPN challenges.

Protocol Preference

The two most common VPN protocols used with Always On VPN are Internet Key Exchange version 2 (IKEv2) and Secure Socket Tunneling Protocol (SSTP). Each protocol has its advantages and disadvantages. For example, IKEv2 has better security options, but SSTP is more firewall-friendly and reliable.

IKEv2 with SSTP Fallback

Instead of selecting one protocol over the other, some administrators may choose to configure Always On VPN to prefer IKEv2, then fall back to SSTP if IKEv2 is unavailable. Unfortunately, there is no way to configure this using Intune, XML, or PowerShell. To change this setting, the administrator must update the VPN configuration file (rasphone.pbk) and change the value of VpnStrategy to 14. While editing a text file is easy, doing it at scale is more complicated. The setting can be changed using Intune proactive remediation or a PowerShell script. However, it’s even easier using Always On VPN DPC. Simply enable the VPN Protocol advanced setting in group policy and choose IKEv2 First, SSTP Fallback.

Interface Metric

Another common problem Always On VPN administrators encounter is name resolution, specifically when the endpoint uses a wired local connection. Here, name resolution queries may fail or return incorrect IP addresses. This happens because the wired connection has a lower network interface metric than the VPN tunnel adapter. Once again, there is no option for changing this setting using Intune or XML. Administrators can update the interface metrics using PowerShell, but it is not persistent. To fully resolve this, the administrator must edit the rasphone.pbk file. With Always On VPN DPC, enable the VPN Tunnel Metric group policy setting and enter a value lower than the wired connection to solve this problem.

IKE Mobility

The Windows VPN client includes support for IKE Mobility, which allows an IKEv2 VPN connection to reconnect automatically after a loss of network connectivity. IKE Mobility is enabled by default, and the network outage time is set to 30 minutes. However, this setting can have negative side effects, especially when VPN servers are behind a load balancer. Reducing the network outage time or disabling it completely can improve failover if a VPN server goes offline. Here again, this setting cannot be changed using Intune, XML, or PowerShell; it is only configurable in rasphone.pbk. With Always On VPN DPC, enable the Network Outage Time advanced setting in group policy and choose a value that meets your requirements.

Exclusion Routes for Office 365

Force tunneling ensures that all network traffic on the client is routed over the VPN tunnel, including Internet traffic. However, Always On VPN supports exclusion routes which allow administrators to exempt selected traffic from the VPN tunnel when force tunneling is enabled. Commonly this is configured for trusted cloud applications like Microsoft Office 365. Defining exclusion routes for cloud services is more complicated than it sounds. Many cloud services, including Microsoft Office 365, have multiple IP addresses that are constantly changing. This makes keeping Always On VPN clients updated with the correct list of IP address exclusions quite challenging. With Always On VPN DPC, administrators can enable the Exclude Office 365 from VPN group policy setting, allowing the endpoint to automatically configure the necessary exclusion routes for Office 365 IP addresses. Importantly, Always On VPN DPC periodically monitors this list of IP addresses and ensures that endpoints are continually updated with Office 365 exclusion routes as they change to ensure reliable connectivity.

IP Routing

Always On VPN administrators must define which IP addresses and networks are routed over the VPN tunnel when split tunneling is enabled. However, Intune has a known issue that may pose a challenge in some environments.

IPv6

Although IPv4 routes can be configured using the Intune UI, IPv6 routes cannot. This is because the Intune UI does not correctly validate the default IPv6 prefix length, insisting that the administrator use a value between 1 and 32. 🤦‍♂️

However, the Always On VPN DPC Allowed Routes group policy setting happily accepts the proper IPv6 prefix.

Route Metrics

In addition, there is no option to define the metric values for routes configured using Intune. Assigning non-default route metrics is required to resolve routing conflicts in some scenarios. Defining route metrics requires custom XML. The Always On VPN DPC Route Metric group policy settings allow administrators to define route metrics as required.

Video

I have published a demonstration video on my YouTube channel showing some of the advanced features PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC) provides. Be sure to subscribe to stay up to date as I’ll be releasing more videos in the future.

Learn More

Are you interested in learning more about PowerON Platforms Always On VPN DPC? Fill out the form below, and I’ll contact you with more information. In addition, you can visit aovpndpc.com to register for an evaluation license.

Additional Information

Always On VPN with Active Directory and Group Policy

Always On VPN Video Demonstration

PowerON Platforms Always On VPN Dynamic Profile Configurator (DPC)

1 Comment
by Richard M. Hicks on April 28, 2022  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Deployment, Device Management, DPC, Enterprise, enterprise mobility, Group Policy, IKEv2, IPv6, Mobility, Operational Support, ProfileXML, Remote Access, Secure Socket Tunneling Protocol, SSTP, systems management, video, VPN, Windows 10, Windows 11, XML
Tagged , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 28, 2022

https://directaccess.richardhicks.com/2022/04/28/always-on-vpn-dpc-advanced-features/

« Older Posts
Newer Posts »