All posts tagged virtual private networking

Always On VPN IPsec Root Certificate Configuration Issue

Always On VPN Device Tunnel Status IndicatorWhen configuring a Windows Routing and Remote Access Service (RRAS) server to support Internet Key Exchange version 2 (IKEv2) VPN connections, it is essential for the administrator to define the root certification authority for which to accept IPsec security associations (SAs). Without defining this setting, the VPN server will accept a device certificate issued by any root certification authority defined in the Trusted Root Certification Authorities store. Details about configuring IKEv2 security and defining the root certification authority can be found here.

Multiple Root Certificates

Administrators may find that when they try to define a specific root certification authority, the setting may not be implemented as expected. This commonly occurs when there is more than one root certificate in the Trusted Root Certification Authorities store for the same PKI.

Always On VPN IPsec Root Certificate Configuration Issue

Certificate Selection

When running the PowerShell command Set-VpnAuthProtocol to define the root certification authority, PowerShell may ignore the administrator-defined certificate and choose a different one, as shown here. This will result in failed IPsec VPN connections from Windows 10 Always On VPN clients using IKEv2.

Always On VPN IPsec Root Certificate Configuration Issue

Certificate Publishing

This issue can occur when root certification authority certificates are published using Active Directory group policy. It appears that Windows prefers Active Directory group policy published certificates over those published directly in the Certification Authorities Container in Active Directory. To resolve this issue, remove any group policy objects that are publishing root certification authority certificates and ensure those root certificates are published in the Certification Authorities container in Active Directory.

PowerShell Script

A PowerShell script to configure this setting that can be found in my Always On VPN GitHub repository here. I have updated this script to validate the defined root certification authority certificate and warn the user if it does not match.

Additional Information

Set-Ikev2VpnRootCertificate.ps1 PowerShell script on GitHub

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN IKEv2 Load Balancing and NAT

Windows 10 Always On VPN IKEv2 Features and Limitations

Windows 10 Always On VPN IKEv2 Fragmentation

Windows 10 Always On VPN IKEv2 Certificate Requirements

12 Comments
by Richard M. Hicks on October 19, 2020  •  Permalink
Posted in Always On VPN, AOVPN, certificates, device tunnel, Encryption, Enterprise, enterprise mobility, GitHub, IKEv2, PKI, PowerShell, public key infrastructure, Remote Access, routing and remote access service, RRAS, Security, troubleshooting, user tunnel, VPN, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 19, 2020

https://directaccess.richardhicks.com/2020/10/19/always-on-vpn-ipsec-root-certificate-configuration-issue/

Enterprise Networking Magazine Top 10 VPN Consulting Services 2020

It is with great pleasure that I announce Richard M. Hicks Consulting, Inc. has been included in Enterprise Networking Magazine’s Top 10 VPN consulting services for 2020! Enterprise Networking Magazine is a leading magazine and web site dedicated to the enterprise networking industry and its professionals.

Enterprise Networking Magazine Top 10 VPN Consulting Services 2020

You can read the full write-up on Richard M. Hicks Consulting, Inc. at Enterprise Networking’s web site here.

8 Comments
by Richard M. Hicks on May 18, 2020  •  Permalink
Posted in Always On VPN, AOVPN, Consulting Services, Enterprise, enterprise mobility, Mobility, Professional Services, Security, VPN, Windows 10
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on May 18, 2020

https://directaccess.richardhicks.com/2020/05/18/enterprise-networking-magazine-top-10-vpn-consulting-services-2020/

Always On VPN Client Connections Fail with Status Connecting

Administrators who have deployed Windows 10 Always On VPN may encounter a scenario in which an Always On VPN connection fails, yet the connectivity status indicator perpetually reports a “Connecting” status.

Always On VPN Client Connections Fail with Status Connecting

Affected Clients

This is a known issue for which Microsoft has recently released updates to address. Affected clients include Windows 10 1909, 1903, and 1809.

Updates Available

The following Windows updates include a fix to resolve this problem.

KB4541335 – Windows 10 1909 and 1903

KB4541331 – Windows 10 1809

Additional Information

Always On VPN Hands-On Training

28 Comments
by Richard M. Hicks on March 25, 2020  •  Permalink
Posted in Always On VPN, AOVPN, Enterprise, enterprise mobility, Mobility, Remote Access, user tunnel, VPN, Windows 10
Tagged , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 25, 2020

https://directaccess.richardhicks.com/2020/03/25/always-on-vpn-client-connections-fail-with-status-connecting/

« Older Posts