Configuring IPsec IKEv2 Remote Access VPN Clients on Windows¶

This document demonstrates how to configure an IKEv2 connection on Windows. This procedure was performed on Windows 11, but the procedure is identical on Windows 10.

This involves use of PowerShell to configure the VPN because using the Windows GUI to add a VPN is severely limited. Using PowerShell allows Windows to use settings which match TNSR instead of forcing TNSR to match the default, potentially weaker, settings from Windows.

Prerequisites¶

Setup TNSR as an IKEv2 server as described in either IPsec Remote Access VPN using IKEv2 with EAP-TLS or IPsec Remote Access VPN using IKEv2 with EAP-RADIUS.
Export the CA certificate used to sign the server certificate and save it as a .crt file (EAP-TLS and EAP-RADIUS)
Export a PKCS#12 bundle for the user certificates (EAP-TLS only)
Copy the exported file(s) to the client

Configuration¶

On the client system, open a PowerShell window or PowerShell ISE and change to the directory containing the certificate file(s) (e.g. CA certificate and/or PKCS#12 bundle ).

Warning

Some commands may require Administrator access, such as importing the CA certificate. Run these commands at an Administrator-level PowerShell prompt or use an alternate method.

The commands in this section will import certificates and setup the VPN on the client workstation.

Copy and paste the commands below into a text editor and adjust them to match the settings on TNSR.

Warning

The commands here can technically be performed by a PowerShell script but running PowerShell scripts on Windows is disabled by default. If scripting is disabled, the commands may be copied and pasted into a PowerShell prompt individually.

Import the Server CA¶

Both EAP-TLS and EAP-RADIUS require importing the server certificate CA:

PS> Import-Certificate -FilePath "ipsec-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\

Replace ipsec-ca.crt with the CA certificate filename.

Define the VPN Connection¶

Defining the VPN varies depending on the type of VPN, EAP-TLS or EAP-RADIUS. Follow the section which matches the method used by the remote access IPsec configuration on TNSR.

EAP-TLS¶

Configuring EAP-TLS requires a complex command setup to tell Windows which type of EAP authentication to use, as well as pointers to the appropriate certificates for the VPN.

Setup the password to decrypt the PKCS#12 bundle:

PS> $password = ConvertTo-SecureString -String "abcd1234" -AsPlainText -Force

Replace the abcd1234 password string with the password used to export the PKCS#12 bundle.

Import the user certificate PKCS#12 bundle:

PS> Import-PfxCertificate -FilePath "ipsec-myuser.p12" -CertStoreLocation Cert:\CurrentUser\My\ `
    -Password $password

Replace ipsec-myuser.p12 with the filename of the PKCS#12 bundle.

Import the User CA Certificate:

PS> Import-Certificate -FilePath "ipsec-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\

Note

In this case the server certificate and user certificate were signed by the same CA so this step is redundant. This may not always be true, however, they could be signed by different CAs.

Replace ipsec-ca.crt with the server certificate CA filename.

Setup a custom EAP XML stream:

PS> $CustomEAP = '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
   <EapMethod>
      <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
      <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
      <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
      <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
   </EapMethod>
   <Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
         <Type>13</Type>
         <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
            <CredentialsSource>
               <CertificateStore>
                  <SimpleCertSelection>true</SimpleCertSelection>
               </CertificateStore>
            </CredentialsSource>
            <ServerValidation>
               <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
               <ServerNames>tnsr.example.com</ServerNames>
               <TrustedRootCA>2C 9B 57 D0 A6 70 E2 BD 37 A0 D8 95 C9 FD B3 A0 2C 53 8C D0</TrustedRootCA>
            </ServerValidation>
            <DifferentUsername>false</DifferentUsername>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
            <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
         </EapType>
      </Eap>
   </Config>
</EapHostConfig>'

Replace the items in the XML block above as follows:

Replace the ServerNames content with the hostname or IP address of TNSR, (e.g. tnsr.example.com).

Warning

This value must match a SAN in the server certificate.
Replace the TrustedRootCA tag contents with the SHA1 fingerprint of the CA certificate. This value can be determined using OpenSSL on TNSR:
```
$ openssl x509 -noout -fingerprint -sha1 -in ipsec-ca.crt
sha1 Fingerprint=2C:9B:57:D0:A6:70:E2:BD:37:A0:D8:95:C9:FD:B3:A0:2C:53:8C:D0
```
Take the part of the result string after the = and replace the : separators with spaces.

Now add the VPN connection:

PS> Add-VpnConnection -Name "TNSR Remote Access" -TunnelType "Ikev2" `
    -EncryptionLevel Required -ServerAddress tnsr.example.com -DnsSuffix "example.com" `
    -AuthenticationMethod EAP -EapConfigXmlStream $CustomEAP -PassThru

Replace the items the command as follows:

Replace the Name with a specific string to identify the VPN.

Warning

The same Name string must be used in all commands which alter the VPN.
Replace the ServerAddress with the hostname of TNSR.
Replace the DnsSuffix with the domain or subdomain of hosts on the TNSR side of the VPN.

EAP-RADIUS¶

Since EAP-RADIUS shares most of its settings with defaults on Windows, there is very little to configure (especially compared to EAP-TLS).

Run the following command to define the VPN connection:

PS> Add-VpnConnection -Name "TNSR Remote Access" -TunnelType "Ikev2" `
    -EncryptionLevel Required -ServerAddress tnsr.example.com -DnsSuffix "example.com" `
    -PassThru

Replace the items the command as follows:

Replace the Name with a specific string to identify the VPN.

Warning

The same Name string must be used in all commands which alter the VPN.
Replace the ServerAddress with the hostname of TNSR.
Replace the DnsSuffix with the domain or subdomain of hosts on the TNSR side of the VPN.

Note

Windows will prompt for the username and password when connecting to the VPN.

VPN Encryption Parameters¶

The encryption paramters are set the exact same way for EAP-TLS and EAP-RADIUS:

PS> Set-VpnConnectionIPsecConfiguration -Name "TNSR Remote Access" `
    -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 -PassThru -Force

Replace the Name with the same name as the previous command.
Replace any of the encryption parameters as needed to match TNSR

Split Tunneling¶

Windows does not respect traffic selectors configured on the VPN automatically. When the server has traffic selectors configured the Windows client will still try to send all of its traffic across the VPN. In this situation, traffic for networks not listed in traffic selectors, such as for the Internet in general, will fail.

Using PowerShell commands it is possible to enable split tunneling so that the client does not send all of its traffic across the VPN:

PS> Set-VPNconnection -name "TNSR Remote Access" -SplitTunneling $true

Replace the Name with the same name as the previous commands.

Split tunneling requires routes to send specific subnets through the VPN as the Windows IKEv2 client is not capable of importing these networks from the VPN traffic selectors automatically. To add a VPN connection route:

PS> Add-VpnConnectionRoute -ConnectionName "TNSR Remote Access" -DestinationPrefix 10.2.0.0/16

Replace TNSR Remote Access with the actual connection name.
Replace 10.2.0.0/16 with the desired destination network.

Repeat the command for each network to route over the VPN. The list of routes should be equivalent to the list of traffic selectors in the IPsec server configuration.

Note

Routes added in this way are persistently associated with the VPN connection and they do not need to be reconfigured at each login. Other methods of adding routes, such as with the route command, are not persistent and will only last for the duration of a single connection.

Connecting and Disconnecting¶

To Connect:

Click the Network icon in the system tray
Click VPN
Click the VPN Name in the list
Click the Connect button

To Disconnect:

Click the Network icon in the system tray
Click VPN
Click the VPN Name in the list
Click the Disconnect button

The VPN can also be connected and disconnected from within the System Settings:

Open Settings (e.g. Click Start > All Apps > Settings, or right click Start then click Settings)
Click on Network & Internet
Click VPN
Find the correct VPN entry in the list
Click the Connect or Disconnect button on the entry

Tip

Clicking on the VPN in the list at this location also presents an Advanced Options button which can be used to fine-tune a small number of options for the tunnel.

Although the best practice is to enter EAP-RADIUS credentials for every connection, Windows can also store the credentials if necessary by using the options in this section.