Configuring IPsec IKEv2 Remote Access VPN Clients on Windows¶
This document demonstrates how to configure an IKEv2 connection on Windows. This procedure was performed on Windows 11, but the procedure is identical on Windows 10.
This involves use of PowerShell to configure the VPN because using the Windows GUI to add a VPN is severely limited. Using PowerShell allows Windows to use settings which match TNSR instead of forcing TNSR to match the default, potentially weaker, settings from Windows.
Prerequisites¶
Set up TNSR as an IKEv2 server as described in either IPsec Remote Access VPN using IKEv2 with EAP-TLS or IPsec Remote Access VPN using IKEv2 with EAP-RADIUS.
Export the CA certificate used to sign the server certificate and save it as a .crt file (EAP-TLS and EAP-RADIUS).
Export a PKCS#12 bundle for the user certificates (EAP-TLS only).
Copy the exported file(s) to the client.
Configuration¶
On the client system, open a PowerShell window or PowerShell ISE and change to the directory containing the certificate file(s) (e.g. the CA certificate and/or the PKCS#12 bundle).
Warning
Some commands may require Administrator access, such as importing the CA certificate. Run these commands at an Administrator-level PowerShell prompt or use an alternate method.
The commands in this section import certificates and set up the VPN on the client workstation.
Copy and paste the commands below into a text editor and adjust them to match the settings on TNSR.
Warning
The commands here can technically be performed by a PowerShell script but running PowerShell scripts on Windows is disabled by default. If scripting is disabled, the commands may be copied and pasted into a PowerShell prompt individually.
See also
Local policies may override that behavior. See the PowerShell Execution Policies Documentation for details.
Import the Server CA¶
Both EAP-TLS and EAP-RADIUS require importing the server certificate CA:
PS> Import-Certificate -FilePath "ipsec-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\
Replace ipsec-ca.crt with the CA certificate filename.
Define the VPN Connection¶
Defining the VPN varies depending on the type of VPN, EAP-TLS or EAP-RADIUS. Follow the section which matches the method used by the remote access IPsec configuration on TNSR.
EAP-TLS¶
Configuring EAP-TLS requires a complex command setup to tell Windows which type of EAP authentication to use, as well as pointers to the appropriate certificates for the VPN.
Set up the password to decrypt the PKCS#12 bundle:
PS> $password = ConvertTo-SecureString -String "abcd1234" -AsPlainText -Force
Replace the abcd1234 password string with the password used to export the PKCS#12 bundle.
Import the user certificate PKCS#12 bundle:
PS> Import-PfxCertificate -FilePath "ipsec-myuser.p12" -CertStoreLocation Cert:\CurrentUser\My\ `
-Password $password
Replace ipsec-myuser.p12 with the filename of the PKCS#12 bundle.
Import the User CA Certificate:
PS> Import-Certificate -FilePath "ipsec-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root\
Note
In this case the server certificate and user certificate were signed by the same CA, so this step is redundant. This may not always be true, however; the two could be signed by different CAs.
Replace ipsec-ca.crt with the user certificate CA filename.
Set up a custom EAP XML stream:
PS> $CustomEAP = '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
</CertificateStore>
</CredentialsSource>
<ServerValidation>
<DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
<ServerNames>tnsr.example.com</ServerNames>
<TrustedRootCA>2C 9B 57 D0 A6 70 E2 BD 37 A0 D8 95 C9 FD B3 A0 2C 53 8C D0</TrustedRootCA>
</ServerValidation>
<DifferentUsername>false</DifferentUsername>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
<AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
</EapType>
</Eap>
</Config>
</EapHostConfig>'
Replace the items in the XML block above as follows:
Replace the ServerNames content with the hostname or IP address of TNSR (e.g. tnsr.example.com).
Warning
This value must match a SAN in the server certificate.
Replace the TrustedRootCA tag contents with the SHA1 fingerprint of the CA certificate. This value can be determined using OpenSSL on TNSR:
$ openssl x509 -noout -fingerprint -sha1 -in ipsec-ca.crt
sha1 Fingerprint=2C:9B:57:D0:A6:70:E2:BD:37:A0:D8:95:C9:FD:B3:A0:2C:53:8C:D0
Take the part of the result string after the = and replace the : separators with spaces.
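The fingerprint can also be derived on the client from the exported CA file and written into the XML without re-typing it, which avoids a mistyped TrustedRootCA silently disabling server validation. This is an added example, not part of the TNSR documentation; it assumes ipsec-ca.crt is in the current directory, that $CustomEAP holds the template shown above, and that tnsr.example.com stands in for the real server name.

```powershell
# Added example (not from the TNSR docs): fill TrustedRootCA and ServerNames in the
# EAP XML from the CA certificate file itself. Assumes ipsec-ca.crt in the current
# directory and $CustomEAP holding the template above; the hostname is a placeholder.
$caFile     = (Get-Item "ipsec-ca.crt").FullName
$serverName = "tnsr.example.com"   # must match a SAN in the TNSR server certificate

# Windows expects the SHA1 hash of the DER encoding as space-separated upper-case byte
# pairs. .NET exposes exactly that hash (without separators) as .Thumbprint.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $caFile
$trustedRoot = ($ca.Thumbprint -replace '(..)', '$1 ').Trim()

# Same conversion for a line copied from 'openssl x509 -fingerprint -sha1' run on TNSR,
# e.g. "sha1 Fingerprint=2C:9B:...", so the two sources can be cross-checked.
function ConvertFrom-OpenSslFingerprint {
    param([Parameter(Mandatory)][string]$Line)
    $hex = ($Line -split '=', 2)[-1]
    return ($hex -replace ':', ' ').Trim().ToUpper()
}

$opensslLine = ""   # optionally paste the 'sha1 Fingerprint=...' line produced on TNSR here
if ($opensslLine -and (ConvertFrom-OpenSslFingerprint $opensslLine) -ne $trustedRoot) {
    throw "Fingerprint from TNSR does not match $caFile; check that the right CA was exported"
}

# Edit the template as XML rather than by string replacement so the result stays well formed.
[xml]$eap = $CustomEAP
$sv = $eap.EapHostConfig.Config.Eap.EapType.ServerValidation
$sv.ServerNames   = $serverName
$sv.TrustedRootCA = $trustedRoot
$CustomEAP = $eap.OuterXml

"CA subject:    $($ca.Subject)"
"TrustedRootCA: $trustedRoot"
```

The updated $CustomEAP is then passed to Add-VpnConnection exactly as in the next step.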
Now add the VPN connection:
PS> Add-VpnConnection -Name "TNSR Remote Access" -TunnelType "Ikev2" `
-EncryptionLevel Required -ServerAddress tnsr.example.com -DnsSuffix "example.com" `
-AuthenticationMethod EAP -EapConfigXmlStream $CustomEAP -PassThru
Replace the items in the command as follows:
Replace the Name with a specific string to identify the VPN.
Warning
The same Name string must be used in all commands which alter the VPN.
Replace the ServerAddress with the hostname of TNSR.
Replace the DnsSuffix with the domain or subdomain of hosts on the TNSR side of the VPN.
EAP-RADIUS¶
Since EAP-RADIUS shares most of its settings with defaults on Windows, there is very little to configure (especially compared to EAP-TLS).
Run the following command to define the VPN connection:
PS> Add-VpnConnection -Name "TNSR Remote Access" -TunnelType "Ikev2" `
-EncryptionLevel Required -ServerAddress tnsr.example.com -DnsSuffix "example.com" `
-PassThru
Replace the items in the command as follows:
Replace the Name with a specific string to identify the VPN.
Warning
The same Name string must be used in all commands which alter the VPN.
Replace the ServerAddress with the hostname of TNSR.
Replace the DnsSuffix with the domain or subdomain of hosts on the TNSR side of the VPN.
Note
Windows will prompt for the username and password when connecting to the VPN.
VPN Encryption Parameters¶
The encryption parameters are set the exact same way for EAP-TLS and EAP-RADIUS:
PS> Set-VpnConnectionIPsecConfiguration -Name "TNSR Remote Access" `
-EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
-CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
-PfsGroup PFS2048 -PassThru -Force
Replace the Name with the same name as the previous command.
Replace any of the encryption parameters as needed to match TNSR.
See also
For a full list of parameters compatible with Windows clients, see the Microsoft Documentation for Set-VpnConnectionIPsecConfiguration.
Tip
Windows 11/10 PowerShell cmdlets can change various advanced settings. The available commands are explained on the Microsoft PowerShell VpnClient module reference.
Split Tunneling¶
Windows does not respect traffic selectors configured on the VPN automatically. When the server has traffic selectors configured the Windows client will still try to send all of its traffic across the VPN. In this situation, traffic for networks not listed in traffic selectors, such as for the Internet in general, will fail.
Using PowerShell commands it is possible to enable split tunneling so that the client does not send all of its traffic across the VPN:
PS> Set-VpnConnection -Name "TNSR Remote Access" -SplitTunneling $true
Replace the Name with the same name as the previous commands.
Split tunneling requires routes to send specific subnets through the VPN as the Windows IKEv2 client is not capable of importing these networks from the VPN traffic selectors automatically. To add a VPN connection route:
PS> Add-VpnConnectionRoute -ConnectionName "TNSR Remote Access" -DestinationPrefix 10.2.0.0/16
Replace TNSR Remote Access with the actual connection name.
Replace 10.2.0.0/16 with the desired destination network.
Repeat the command for each network to route over the VPN. The list of routes should be equivalent to the list of traffic selectors in the IPsec server configuration.
Note
Routes added in this way are persistently associated with the VPN connection and they do not need to be reconfigured at each login. Other methods of adding routes, such as with the route command, are not persistent and will only last for the duration of a single connection.
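Since the client's route list must mirror the traffic selectors on TNSR, it is useful to apply the whole list in one pass and then compare what Windows holds against it. This is an added example, not part of the TNSR documentation; the connection name and the prefixes in $remoteNetworks are placeholders to be replaced with the values configured on TNSR.

```powershell
# Added example (not from the TNSR docs): enable split tunneling, add one persistent
# route per network in $remoteNetworks (skipping prefixes already present), and report
# any client route that is not in the list. Name and prefixes are constructed placeholders.
$vpnName        = "TNSR Remote Access"
$remoteNetworks = @("10.2.0.0/16", "192.168.50.0/24")   # constructed sample prefixes

$vpn = Get-VpnConnection -Name $vpnName -ErrorAction Stop
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $vpnName -SplitTunneling $true
}

$existing = @(Get-VpnConnectionRoute -ConnectionName $vpnName -ErrorAction SilentlyContinue |
              ForEach-Object { $_.DestinationPrefix })

foreach ($prefix in $remoteNetworks) {
    if ($existing -contains $prefix) {
        "route $prefix already present, skipping"
        continue
    }
    Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix $prefix -PassThru
}

# A route on the client that TNSR has no matching traffic selector for will not carry
# traffic; such entries are candidates for Remove-VpnConnectionRoute.
$stale = $existing | Where-Object { $remoteNetworks -notcontains $_ }
if ($stale) { "routes not in the expected list: $($stale -join ', ')" }

Get-VpnConnectionRoute -ConnectionName $vpnName | Select-Object DestinationPrefix
```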
Connecting and Disconnecting¶
To Connect:
Click the Network icon in the system tray
Click VPN
Click the VPN Name in the list
Click the Connect button
To Disconnect:
Click the Network icon in the system tray
Click VPN
Click the VPN Name in the list
Click the Disconnect button
The VPN can also be connected and disconnected from within the System Settings:
Open Settings (e.g. Click Start > All Apps > Settings, or right click Start then click Settings)
Click on Network & Internet
Click VPN
Find the correct VPN entry in the list
Click the Connect or Disconnect button on the entry
Tip
Clicking on the VPN in the list at this location also presents an Advanced Options button which can be used to fine-tune a small number of options for the tunnel.
Although the best practice is to enter EAP-RADIUS credentials for every connection, Windows can also store the credentials if necessary by using the options in this section.
See also
For more information, see the PowerShell VpnClient module reference.