Score:0

Always-On VPN profile does not add custom route

Nik

My server is 2012R2. I deployed AOVPN according to the Microsoft manual, using PowerShell for client deployment. It all works except that the custom route just does not appear on the clients (tried on multiple Windows 10 and Windows 11 PCs), without any hints anywhere. DisableClassBasedDefaultRoute works.

I tried modifying the recommended MakeProfile.ps1, which adds the VPN connection via the MDM_VPNv2_01 WMI class, to add the VPN connection with the classic Add-VpnConnection instead, with a custom route added via Add-VpnConnectionRoute. It works, the route does appear, but the logon script doesn't run when a client is not connected to the network, as is usually the case for remote clients. It seems like the "incorrect" ProfileXML overrides the route added with Add-VpnConnection after a few client reboots (I don't fully understand the logic) and the custom route disappears, so it works but is unreliable.

Please help me find the error in the ProfileXML or anywhere else:

<VPNProfile>

   <AlwaysOn>true</AlwaysOn>
   <RememberCredentials>true</RememberCredentials>
   <DnsSuffix>mydomain.local</DnsSuffix>
   <RegisterDNS>true</RegisterDNS>
   <TrustedNetworkDetection>mydomain.local</TrustedNetworkDetection>

   <DomainNameInformation>
      <DomainName>.mydomain.local</DomainName>
      <DnsServers>192.168.99.1,192.168.99.100</DnsServers>
   </DomainNameInformation>

   <NativeProfile>
      <Servers>vpn.external.com</Servers>
      <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
      <NativeProtocolType>IKEv2</NativeProtocolType>
      <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>

      <CryptographySuite>
         <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
         <CipherTransformConstants>AES256</CipherTransformConstants>
         <EncryptionMethod>AES256</EncryptionMethod>
         <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
         <DHGroup>Group14</DHGroup>
         <PfsGroup>None</PfsGroup>
      </CryptographySuite>

      <Authentication>
         <UserMethod>Eap</UserMethod>
         <Eap>
            <Configuration>
               <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                  <EapMethod>
                     <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
                     <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                     <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                     <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                  </EapMethod>
                  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                        <Type>26</Type>
                        <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                           <UseWinLogonCredentials>true</UseWinLogonCredentials>
                        </EapType>
                     </Eap>
                  </Config>
               </EapHostConfig>
            </Configuration>
         </Eap>
      </Authentication>
   </NativeProfile>

   <Route>
      <Address>192.168.96.0</Address>
      <PrefixSize>20</PrefixSize>
      <Metric>1</Metric>
   </Route>

</VPNProfile>
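The deployment path the question describes, as an added example that is not code from the post or from Microsoft's MakeProfile.ps1: it writes a ProfileXML carrying the poster's <Route> element through the MDM_VPNv2_01 WMI bridge, then reads the stored profile back and lists the routes the CSP actually kept, which is the first thing to check when a route "does not appear". The profile name is assumed, and MSChapv2 stands in for the post's EAP block only to keep the sample short; the script is meant to run in the user's own session, as a logon script would.

```powershell
# Added example, not code from the post or from Microsoft's MakeProfile.ps1:
# write a ProfileXML carrying the poster's <Route> through the MDM_VPNv2_01 WMI
# bridge, then read the stored profile back and list the routes Windows kept.
# Assumed: the profile name, and MSChapv2 in place of the post's EAP block to
# keep the sample short. Run this in the user's own session (logon script).

$ProfileName        = 'AOVPN User Tunnel'                # assumed name
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'   # InstanceID must be URL-escaped

$ProfileXML = @'
<VPNProfile>
   <AlwaysOn>true</AlwaysOn>
   <DnsSuffix>mydomain.local</DnsSuffix>
   <TrustedNetworkDetection>mydomain.local</TrustedNetworkDetection>
   <NativeProfile>
      <Servers>vpn.external.com</Servers>
      <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
      <NativeProtocolType>IKEv2</NativeProtocolType>
      <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
      <Authentication>
         <UserMethod>MSChapv2</UserMethod>
      </Authentication>
   </NativeProfile>
   <Route>
      <Address>192.168.96.0</Address>
      <PrefixSize>20</PrefixSize>
      <Metric>1</Metric>
   </Route>
</VPNProfile>
'@

# The CSP takes the XML as an escaped string, the same way MakeProfile.ps1 passes it.
$ProfileXMLEscaped = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'

# A user tunnel lives in the logged-on user's context, selected by SID.
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$session = New-CimSession
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)

# Delete a stale instance with the same name first; CreateInstance will not overwrite it.
foreach ($old in $session.EnumerateInstances($namespaceName, $className, $options)) {
    if ($old.InstanceID -eq $ProfileNameEscaped) {
        $session.DeleteInstance($namespaceName, $old, $options)
    }
}

$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$newInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID', $nodeCSPURI, 'String', 'Key'))
$newInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped, 'String', 'Key'))
$newInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $ProfileXMLEscaped, 'String', 'Property'))
$null = $session.CreateInstance($namespaceName, $newInstance, $options)

# Read back what the CSP actually stored and list its <Route> elements.
$stored = $session.EnumerateInstances($namespaceName, $className, $options) |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
$storedXml = [xml][System.Net.WebUtility]::HtmlDecode($stored.ProfileXML)
foreach ($r in $storedXml.VPNProfile.Route) {
    'stored route: {0}/{1} metric={2}' -f $r.Address, $r.PrefixSize, $r.Metric
}

# Cross-check the RAS phonebook view and, once connected, the live routing table.
(Get-VpnConnection -Name $ProfileName).Routes
Get-NetRoute -DestinationPrefix '192.168.96.0/20' -ErrorAction SilentlyContinue
```

If the readback shows the <Route> but Get-VpnConnection's Routes list is empty, the CSP accepted the XML without applying the route; if the readback itself lacks it, the profile was rewritten after the script ran, which matches the symptom of a route that survives only until the next reboot.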

Score:0

You should 100% be able to have the routes configured in the XML. Two things are different in your XML compared to the ones I run that work perfectly:

  1. I have <RememberCredentials> set to false
  2. I don't use <Metric> in the <Route> configuration

Number 2 is likely the culprit here.

Additionally, are you only configuring a User Tunnel? Because if you're also configuring a device tunnel, and something is configured incorrectly in that, it can affect the User Tunnel as well.

e.g. Don't configure <DomainNameInformation> in a device tunnel. Or if you absolutely have to, make sure all <DomainNameInformation> are identical in both profiles.
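The three points of this answer turned into a check, as an added example that is not part of the answer itself: it parses a user-tunnel ProfileXML and an optional device-tunnel ProfileXML, reports a <Metric> inside <Route> and a <RememberCredentials>true</RememberCredentials>, and flags a <DomainNameInformation> in the device tunnel, including whether it matches the user tunnel's block. The two sample profiles are constructed here (the user tunnel mirrors the question, the device tunnel deliberately carries a different DnsServers list) and the function name is assumed.

```powershell
# Added example, not part of the answer above: checks a user/device ProfileXML
# pair for the three points the answer raises. Samples below are constructed.

function Test-AovpnProfilePair {
    param(
        [Parameter(Mandatory)] [xml]$UserProfile,
        [xml]$DeviceProfile
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. <Metric> inside <Route>: the answer's suspected culprit.
    foreach ($route in $UserProfile.VPNProfile.Route) {
        if ($route.Metric) {
            $findings.Add(('user tunnel route {0}/{1} carries <Metric>{2}</Metric>' -f $route.Address, $route.PrefixSize, $route.Metric))
        }
    }

    # 2. <RememberCredentials>, the other difference the answer lists.
    if ($UserProfile.VPNProfile.RememberCredentials -eq 'true') {
        $findings.Add('user tunnel sets <RememberCredentials>true</RememberCredentials>')
    }

    # 3. <DomainNameInformation> in the device tunnel, and whether it is identical
    #    to the user tunnel's (whitespace-insensitive comparison of the element XML).
    if ($DeviceProfile) {
        $norm = { param($node) $node.OuterXml -replace '\s+', '' }
        $deviceDni = @($DeviceProfile.VPNProfile.DomainNameInformation | Where-Object { $_ } | ForEach-Object { & $norm $_ })
        $userDni   = @($UserProfile.VPNProfile.DomainNameInformation   | Where-Object { $_ } | ForEach-Object { & $norm $_ })
        if ($deviceDni.Count -gt 0) {
            $findings.Add('device tunnel contains <DomainNameInformation>')
            if (($deviceDni -join ';') -ne ($userDni -join ';')) {
                $findings.Add('<DomainNameInformation> differs between user and device tunnel')
            }
        }
    }
    return $findings
}

# Constructed sample: user tunnel as in the question (trimmed), device tunnel with
# a DomainNameInformation block whose DnsServers differ from the user tunnel's.
[xml]$userXml = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <DomainNameInformation>
    <DomainName>.mydomain.local</DomainName>
    <DnsServers>192.168.99.1,192.168.99.100</DnsServers>
  </DomainNameInformation>
  <NativeProfile>
    <Servers>vpn.external.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><UserMethod>MSChapv2</UserMethod></Authentication>
  </NativeProfile>
  <Route><Address>192.168.96.0</Address><PrefixSize>20</PrefixSize><Metric>1</Metric></Route>
</VPNProfile>
'@

[xml]$deviceXml = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <DomainNameInformation>
    <DomainName>.mydomain.local</DomainName>
    <DnsServers>192.168.99.1</DnsServers>
  </DomainNameInformation>
  <NativeProfile>
    <Servers>vpn.external.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
  </NativeProfile>
  <Route><Address>192.168.96.0</Address><PrefixSize>20</PrefixSize></Route>
</VPNProfile>
'@

Test-AovpnProfilePair -UserProfile $userXml -DeviceProfile $deviceXml
```

On real profiles, feed the function the XML you deploy (for instance `[xml](Get-Content -Raw .\UserTunnel.xml)`), not the template: the comparison only means something for the exact <DomainNameInformation> blocks that end up on the client.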


