Tip
This is the documentation for the 23.11 version.
Configuring IPsec IKEv2 Remote Access VPN Clients on Windows
This document demonstrates how to configure an IKEv2 EAP-TLS connection on Windows. This procedure was performed on Windows 11, but the procedure is identical on Windows 10.
This procedure uses PowerShell to configure the VPN because the Windows GUI for adding a VPN is severely limited. Using PowerShell allows Windows to use settings which match TNSR instead of forcing TNSR to match the default, potentially weaker, settings from Windows.
Prerequisites
Set up TNSR as an EAP-TLS server as described in IPsec Remote Access VPN using IKEv2 with EAP-TLS
Export a PKCS#12 bundle for the user certificates
Export the CA certificate used to sign the server certificate and save it as a .crt file
Copy the PKCS#12 bundle and CA certificate file to the client
Configuration
On the client system, open a PowerShell window or PowerShell ISE and change to the directory containing the PKCS#12 bundle and CA certificate files.
Warning
Some commands may require Administrator access, such as importing the CA certificate. Run these commands at an Administrator-level PowerShell prompt or use an alternate method.
The commands in this section import certificates and set up the VPN on the client workstation.
Copy and paste the commands below into a text editor and adjust them to match the settings on TNSR.
Warning
The commands here can technically be performed by a PowerShell script, but running PowerShell scripts on Windows is disabled by default. If scripting is disabled, the commands may be copied and pasted into a PowerShell prompt individually.
See also
Local policies may override that behavior. See the PowerShell Execution Policies Documentation for details.
Import the User CA Certificate:
PS> Import-Certificate -FilePath "ipsec-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\
Replace ipsec-ca.crt with the CA certificate filename.
Set up the password to decrypt the PKCS#12 bundle:
PS> $password = ConvertTo-SecureString -String "abcd1234" -AsPlainText -Force
Replace the abcd1234 password string with the password used to export the PKCS#12 bundle.
Import the user certificate PKCS#12 bundle:
PS> Import-PfxCertificate -FilePath "ipsec-myuser.p12" -CertStoreLocation Cert:\CurrentUser\My\ `
-Password $password
Replace ipsec-myuser.p12 with the filename of the PKCS#12 bundle.
Import the Server Certificate CA:
PS> Import-Certificate -FilePath "ipsec-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\
Note
In this case the server certificate and user certificate were signed by the same CA, so this step is redundant. This may not always be true, however; they could be signed by different CAs.
Replace ipsec-ca.crt with the server certificate CA filename.
Set up a custom EAP XML stream:
PS> $CustomEAP = '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames>tnsr.example.com</ServerNames>
<TrustedRootCA>2C 9B 57 D0 A6 70 E2 BD 37 A0 D8 95 C9 FD B3 A0 2C 53 8C D0</TrustedRootCA>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
</EapType>
</Eap>
</Config>
</EapHostConfig>'
Replace the items in the XML block above as follows:
Replace the ServerNames content with the hostname or IP address of TNSR (e.g. tnsr.example.com).
Warning
This value must match a SAN in the server certificate.
Replace the TrustedRootCA tag contents with the SHA1 fingerprint of the CA certificate. This value can be determined using OpenSSL on TNSR:
$ openssl x509 -noout -fingerprint -sha1 -in ipsec-ca.crt
sha1 Fingerprint=2C:9B:57:D0:A6:70:E2:BD:37:A0:D8:95:C9:FD:B3:A0:2C:53:8C:D0
Take the part of the result string after the = and replace the : separators with spaces.
Now add the VPN connection:
PS> Add-VpnConnection -Name "TNSR Remote Access" -TunnelType "Ikev2" `
-EncryptionLevel Required -ServerAddress tnsr.example.com -DnsSuffix "example.com" `
-AuthenticationMethod EAP -EapConfigXmlStream $CustomEAP -PassThru
Replace the items in the command as follows:
Replace the Name with a specific string to identify the VPN.
Warning
The same Name string must be used in all commands which alter the VPN.
Replace the ServerAddress with the hostname of TNSR.
Replace the DnsSuffix with the domain or subdomain of hosts on the TNSR side of the VPN.
Set the VPN encryption parameters:
PS> Set-VpnConnectionIPsecConfiguration -Name "TNSR Remote Access" `
-EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
-CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
-PfsGroup PFS2048 -PassThru -Force
Replace the Name with the same name as the previous command.
Replace any of the encryption parameters as needed to match the TNSR configuration.
See also
For a full list of parameters compatible with Windows clients, see the Microsoft Documentation for Set-VpnConnectionIPsecConfiguration.
Tip
Windows 11/10 PowerShell cmdlets can change various advanced settings. The available commands are explained on the Microsoft PowerShell VpnClient module reference.
Split Tunneling
Windows does not respect traffic selectors configured on the VPN automatically. When the server has traffic selectors configured the Windows client will still try to send all of its traffic across the VPN. In this situation, traffic for networks not listed in traffic selectors, such as for the Internet in general, will fail.
Using PowerShell commands it is possible to enable split tunneling so that the client does not send all of its traffic across the VPN:
PS> Set-VpnConnection -Name "TNSR Remote Access" -SplitTunneling $true
Replace the Name with the same name as the previous commands.
Split tunneling requires routes to send specific subnets through the VPN as the Windows IKEv2 client is not capable of importing these networks from the VPN traffic selectors automatically. To add a VPN connection route:
PS> Add-VpnConnectionRoute -ConnectionName "TNSR Remote Access" -DestinationPrefix 10.2.0.0/16
Replace TNSR Remote Access with the actual connection name.
Replace 10.2.0.0/16 with the desired destination network.
Repeat the command for each network to route over the VPN. The list of routes should be equivalent to the list of traffic selectors in the IPsec server configuration.
Note
Routes added in this way are persistently associated with the VPN connection and they do not need to be reconfigured at each login. Other methods of adding routes, such as with the route command, are not persistent and will only last for the duration of a single connection.
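After the commands above have been run, the following added PowerShell (an example written for this page, not part of the TNSR documentation) derives the TrustedRootCA value from the imported CA object rather than transcribing it by hand, then checks that the user certificate chains to the imported CA, that the IPsec proposal is what was configured, and that a client route exists for each traffic selector. It assumes the file names, the connection name "TNSR Remote Access" and the $CustomEAP variable from the steps above; the route list is a placeholder to be replaced with the server's actual traffic selectors.

```powershell
# Added example, not from the TNSR documentation. Run from an Administrator
# PowerShell prompt in the directory holding the CA certificate file.
$VpnName = "TNSR Remote Access"

# Import-Certificate returns the X509Certificate2 object; its Thumbprint is the
# SHA1 fingerprint as 40 hex digits with no separators.
$ca = Import-Certificate -FilePath "ipsec-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\

# Windows expects the fingerprint as space-separated byte pairs ("2C 9B 57 ...").
$trustedRoot = $ca.Thumbprint -replace '(..)(?!$)', '$1 '

# Substitute the computed value into the EAP XML so it cannot be mistyped.
$CustomEAP = $CustomEAP -replace '<TrustedRootCA>.*?</TrustedRootCA>', "<TrustedRootCA>$trustedRoot</TrustedRootCA>"

# Check 1: the user certificate must chain to a trusted root or EAP-TLS fails.
$userCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -eq $ca.Subject }
foreach ($c in $userCerts) {
    "{0}: chains to a trusted root = {1}" -f $c.Subject, $c.Verify()
}

# Check 2: the connection and its IPsec proposal match what TNSR is configured for.
$vpn   = Get-VpnConnection -Name $VpnName
$ipsec = Get-VpnConnectionIPsecConfiguration -ConnectionName $VpnName
"Tunnel={0} Auth={1} SplitTunnel={2}" -f $vpn.TunnelType, ($vpn.AuthenticationMethod -join ','), $vpn.SplitTunneling
"Cipher={0} Integrity={1} DH={2} PFS={3}" -f $ipsec.EncryptionMethod, $ipsec.IntegrityCheckMethod, $ipsec.DHGroup, $ipsec.PfsGroup

# Check 3: every traffic selector configured on TNSR needs a matching client route
# when split tunneling is enabled. Placeholder list; replace with the real selectors.
$expectedRoutes = @("10.2.0.0/16")
$routes = (Get-VpnConnectionRoute -ConnectionName $VpnName).DestinationPrefix
foreach ($r in $expectedRoutes) {
    if ($routes -notcontains $r) { Write-Warning "Route $r is missing from $VpnName" }
}
```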
Connecting and Disconnecting
To Connect:
Click the Network icon in the system tray
Click VPN
Click the VPN Name in the list
Click the Connect button
To Disconnect:
Click the Network icon in the system tray
Click VPN
Click the VPN Name in the list
Click the Disconnect button
The VPN can also be connected and disconnected from within the System Settings:
Open Settings (e.g. Click Start > All Apps > Settings, or right click Start then click Settings)
Click on Network & Internet
Click VPN
Find the correct VPN entry in the list
Click the Connect or Disconnect button on the entry
See also
For more information, see the PowerShell VpnClient module reference.