Resources:
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/tutorial-aovpn-deploy-setup
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/how-to-always-on-vpn-conditional-access-network-policy-server
https://directaccess.richardhicks.com/2018/12/10/always-on-vpn-ikev2-security-configuration/
https://directaccess.richardhicks.com/2019/09/02/always-on-vpn-ikev2-policy-mismatch-error/
https://directaccess.richardhicks.com/2019/01/14/always-on-vpn-ikev2-and-sstp-fallback/
Steps used to build the VPN servers:
1. Delete the object from SCCM if it exists
2. Check DNS for static forward and reverse entries for the server name
3. Check DHCP registration matches MAC if one exists
4. Ensure the VM has a TPM and is configured for VBS
5. Network boot with 110 disconnected and 32 connected
6. Connect using VMRC
7. Apply server 2025 image setting OSDComputerName during imaging
8. If you only had one NIC, add a second one now, disconnected
9. Set static IP (no gateway) for 0003 NIC
10. Set static IP with gateway and no DNS on 0110 NIC, disable DNS registration, LMHosts, and netbios, remove all but IPv4
11. Rename NICs to make it clear what they are
12. Connect both NICs
13. Add static route for 10.32.4.0/22 through 0003 NIC
14. Add static route for 10.1.12.0/22 through 0003 NIC # So you can manage it from your admin laptop.
15. You can connect over RDP at this point if neither the firewall (check the RDP rules) nor fDenyTSConnections (the registry value defaults to 1, which blocks RDP) gets in the way.
16. Install VMware Tools and reboot
17. Apply all Windows Updates and reboot. Repeat until there are no more updates.
18. Add static route 10.32.4.198/32 through 0110 NIC and other NPS servers
19. New-NetRoute -AddressFamily IPv4 -DestinationPrefix 10.32.4.0/22 -InterfaceAlias 'VLAN0003' -NextHop 10.3.12.1
20. New-NetRoute -AddressFamily IPv4 -DestinationPrefix 10.3.12.0/22 -InterfaceAlias 'VLAN0003' -NextHop 10.3.12.1
21. New-NetRoute -AddressFamily IPv4 -DestinationPrefix 10.32.4.198/32 -InterfaceAlias 'VLAN0110' -NextHop 10.110.100.1
22. Enable RDP and ping if not already done (registry: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, fDenyTSConnections -> 0)
23. Make sure the firewall is on (GPOs might disable it if the server is not in the correct OU or groups)
24. Allow UDP 500,4500 inbound in firewall advanced
25. Request VPN auth cert
26. Add Microsoft VPN cert to trusted store (CA, int, third party?)
27. Add RRAS role for VPN (Don't forget to try with and without realm)
28. Configure custom for VPN only
29. Set to RADIUS, add srvmps900198.mps.k12.mi.us, require secure message, Standard RADIUS for vendor (required for certificate OID restriction)
30. Select 0003 NIC to pull DHCP
31. Configure ports, only IKEv2 and match number of available IPs
32. Set-VpnServerConfiguration -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
33. Restart-Service RemoteAccess -PassThru
34. By default, it trusts all "trusted" certs, consider the next couple of steps:
35. $Thumbprint = '0093eb36152e0bca82d71dbcb812966d49c662bf' # Midlandpscaroot
36. $RootCACert = (Get-ChildItem -Path cert:\LocalMachine\root | Where-Object {$_.Thumbprint -eq $Thumbprint})
37. Set-VpnAuthProtocol -RootCertificateNameToAccept $RootCACert -PassThru
38. $Thumbprint = '2debb0dca8d6d346f203bf46fbce69544885e922' # Change this to match the actual VPN certificate issued using the MPS AOVPN VPN Authentication certificate template on midlandpsca1
39. $VPNCert = (Get-ChildItem -Path cert:\LocalMachine\my | Where-Object {$_.Thumbprint -eq $Thumbprint})
40. Set-VpnAuthProtocol -CertificateAdvertised $VPNCert -PassThru
41. Set-VpnAuthProtocol -CertificateEKUsToAccept '1.3.6.1.5.5.7.3.2' -PassThru # no whitespace inside the OID string
42. Restart-Service RemoteAccess -PassThru # If the service gets stuck, you might have to restart the computer, which might also get stuck trying to shut down the service, in which case you can force a restart on the VM if it doesn't go automatically in a few minutes.
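The NIC, route and firewall steps above (steps 9 to 14 and 18 to 24) as one PowerShell script. This is an added example, not part of the original notes: the adapter aliases, the internal and NPS prefixes and the gateways are the values the notes use, while the default "Ethernet0"/"Ethernet1" names, the server's own addresses and the DNS server addresses are assumptions to replace.

```powershell
# Added example (not from the notes): first-boot network setup for the AOVPN server.
# Assumed values: adapter names, this host's IPs and DNS servers are placeholders;
# the prefixes, gateways and NPS address are the ones used in the notes.
$Mgmt = @{ Alias = 'VLAN0003'; Ip = '10.3.12.50'; Prefix = 22; Gateway = '10.3.12.1'; Dns = @('10.3.12.10', '10.3.12.11') }  # internal/management NIC
$Edge = @{ Alias = 'VLAN0110'; Ip = '10.110.100.50'; Prefix = 22; Gateway = '10.110.100.1' }                                  # VPN-facing NIC, no DNS
$NpsServers = @('10.32.4.198')   # every NPS server gets a /32 via the VPN-facing NIC (steps 18/21)

# Step 11: rename the adapters so their role is obvious (check Get-NetAdapter for the real default names).
Rename-NetAdapter -Name 'Ethernet0' -NewName $Mgmt.Alias
Rename-NetAdapter -Name 'Ethernet1' -NewName $Edge.Alias

# Steps 9-10: static addressing. Only the VPN-facing NIC gets a default gateway;
# the internal NIC relies on the explicit routes added further down.
Remove-NetIPAddress -InterfaceAlias $Mgmt.Alias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Mgmt.Alias -IPAddress $Mgmt.Ip -PrefixLength $Mgmt.Prefix | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Mgmt.Alias -ServerAddresses $Mgmt.Dns

Remove-NetIPAddress -InterfaceAlias $Edge.Alias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Edge.Alias -IPAddress $Edge.Ip -PrefixLength $Edge.Prefix -DefaultGateway $Edge.Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Edge.Alias -ResetServerAddresses        # no DNS on the edge NIC
Set-DnsClient -InterfaceAlias $Edge.Alias -RegisterThisConnectionsAddress $false     # no dynamic DNS registration

# Step 10: leave only IPv4 bound on the VPN-facing NIC, then disable NetBIOS over TCP/IP
# (TcpipNetbiosOptions 2 = disabled) on it and LMHOSTS lookup machine-wide.
Get-NetAdapterBinding -Name $Edge.Alias |
  Where-Object { $_.ComponentID -ne 'ms_tcpip' } |
  Disable-NetAdapterBinding -Confirm:$false
$edgeIndex = (Get-NetAdapter -Name $Edge.Alias).ifIndex
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $edgeIndex" |
  Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS `
  -Arguments @{ DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false } | Out-Null

# Steps 13-14 and 19-21: internal networks through the management NIC, NPS through the
# edge NIC so the RADIUS source address is the one NPS expects in the called ID.
New-NetRoute -AddressFamily IPv4 -DestinationPrefix '10.32.4.0/22' -InterfaceAlias $Mgmt.Alias -NextHop $Mgmt.Gateway
New-NetRoute -AddressFamily IPv4 -DestinationPrefix '10.3.12.0/22' -InterfaceAlias $Mgmt.Alias -NextHop $Mgmt.Gateway
foreach ($nps in $NpsServers) {
  New-NetRoute -AddressFamily IPv4 -DestinationPrefix "$nps/32" -InterfaceAlias $Edge.Alias -NextHop $Edge.Gateway
}

# Step 22: allow RDP (fDenyTSConnections = 0) and ICMP echo, but only on the management NIC.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'ICMPv4 Echo Request (management NIC)' -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
  -InterfaceAlias $Mgmt.Alias -Action Allow | Out-Null

# Steps 23-24: keep the firewall on for every profile and open IKEv2 only on the VPN-facing NIC.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
New-NetFirewallRule -DisplayName 'IKEv2 VPN (UDP 500/4500)' -Direction Inbound -Protocol UDP -LocalPort 500, 4500 `
  -InterfaceAlias $Edge.Alias -Action Allow | Out-Null
```

Scoping the RDP/ICMP rules to the management NIC and the IKEv2 rule to the edge NIC is the design choice here: the edge interface then exposes nothing but UDP 500/4500, and the /32 routes guarantee the RADIUS exchange with NPS leaves through that same interface.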
Cert event log (disabled by default, need to enable to start logging): Applications and Services Logs/Microsoft/Windows/CAPI2.
This applies only to the NPS server: do NOT disable strong encryption. You can disable Basic and None, but Strong and Strongest should be left enabled. If you disable Strong, the policy match will fail even if you are using "Strongest" settings in your custom IPsec policy.
Request to NPS needs to have the source IP match the called ID in the RADIUS request. Using Wireshark on NPS, you can check the incoming IP and the content of the RADIUS request to see if they match. Routing rules can be added to the VPN server to force NPS traffic to go over the interface that matches the called ID.
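A read-back script for the RRAS side, covering the custom IPsec policy (step 32), the certificate pinning (steps 34 to 41) and the called-ID requirement just described. This is an added example, not part of the original notes; the expected IPsec values are the ones from step 32, the NPS address and edge-NIC alias are the notes' values, and the property names read from Get-VpnServerConfiguration and Get-VpnAuthProtocol are assumed to match the corresponding Set- parameters.

```powershell
# Added example (not from the notes): verify the RRAS hardening after the build.
$ExpectedIpsec = @{            # values from step 32 in the notes
  CustomPolicy                     = 'True'
  EncryptionMethod                 = 'AES128'
  IntegrityCheckMethod             = 'SHA256'
  DHGroup                          = 'Group14'
  PfsGroup                         = 'PFS2048'
  AuthenticationTransformConstants = 'SHA256128'
  CipherTransformConstants         = 'AES128'
}
$NpsAddress = '10.32.4.198'   # NPS server from the notes
$EdgeAlias  = 'VLAN0110'      # interface whose address must match the RADIUS called ID

function Test-VpnIpsecPolicy {
  # Compare the live IKEv2 policy with the expected one; a difference on any of these
  # is the server-side cause of the IKEv2 policy mismatch error linked in the resources.
  $cfg = Get-VpnServerConfiguration
  foreach ($name in $ExpectedIpsec.Keys) {
    $live = "$($cfg.$name)"   # assumed: property names mirror the Set-VpnServerConfiguration parameters
    if ($live -ne $ExpectedIpsec[$name]) {
      Write-Warning "IPsec setting $name is '$live', expected '$($ExpectedIpsec[$name])'"
    }
  }
  $cfg | Select-Object $ExpectedIpsec.Keys
}

function Test-VpnAuthPinning {
  # Steps 34-41: a pinned root CA, an advertised server certificate and a clean EKU list.
  $auth = Get-VpnAuthProtocol
  if (-not $auth.RootCertificateNameToAccept) {
    Write-Warning 'No root CA pinned: RRAS accepts any root in the machine trust store (step 34)'
  }
  $adv = $auth.CertificateAdvertised   # assumed to be an X509Certificate2, as Set-VpnAuthProtocol takes
  if (-not $adv) {
    Write-Warning 'No server certificate advertised (step 40)'
  } else {
    $inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $adv.Thumbprint
    if (-not $inStore) { Write-Warning "Advertised certificate $($adv.Thumbprint) is not in LocalMachine\My" }
    elseif ($inStore.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Advertised certificate expires $($inStore.NotAfter)" }
  }
  foreach ($eku in @($auth.CertificateEKUsToAccept)) {
    # Whitespace pasted into the OID string is easy to miss and silently breaks the filter.
    if ($eku -ne $eku.Trim()) { Write-Warning "EKU '$eku' contains leading or trailing whitespace" }
  }
  $auth | Select-Object RootCertificateNameToAccept, CertificateAdvertised, CertificateEKUsToAccept
}

function Test-RadiusSourcePath {
  # Find-NetRoute returns the source address and the route Windows would use to reach NPS;
  # the source must be an address on the edge NIC, or the called ID will not match.
  $lookup  = Find-NetRoute -RemoteIPAddress $NpsAddress
  $source  = ($lookup | Where-Object { $_.PSObject.Properties['IPAddress'] }).IPAddress
  $viaIf   = ($lookup | Where-Object { $_.PSObject.Properties['DestinationPrefix'] }).InterfaceAlias
  $edgeIps = (Get-NetIPAddress -InterfaceAlias $EdgeAlias -AddressFamily IPv4).IPAddress
  if ($source -notin $edgeIps) {
    Write-Warning "RADIUS to $NpsAddress would leave from $source on '$viaIf', not from '$EdgeAlias'; add the /32 route from step 21"
  }
  [pscustomobject]@{ Nps = $NpsAddress; SourceAddress = $source; Interface = $viaIf }
}

Test-VpnIpsecPolicy
Test-VpnAuthPinning
Test-RadiusSourcePath
```

Run it after step 42 and again after any RRAS or routing change; Test-RadiusSourcePath gives the same answer as the Wireshark check above without a capture, because it asks the routing table which source address will be used.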
Does TLS Extensions go between EAPTypes or inside PEAPextensions?
NPS Policy (Only accept specific OID attributes for certificate type, limit to AAD Conditional Access OID)
To update the Always On VPN network policy to support Entra Conditional Access, open the NPS management console (nps.msc), expand Policies, then select Network Policies and perform the following steps.
Right-click on the Always On VPN policy and choose Properties.
Select the Settings tab.
Select Vendor Specific in the RADIUS Attributes section.
Click Add.
Select the Allowed-Certificate-OID attribute.
Click Add.
Click Add.
Enter 1.3.6.1.4.1.311.87 in the Attribute value field.
Click Ok.
Click Ok.
Click Close.
Click Ok.
On NPS server (don't need this on VPN server):
Open regedit.exe on the NPS server.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13.
Select Edit > New and select DWORD (32-bit) Value and enter IgnoreNoRevocationCheck.
Double-click IgnoreNoRevocationCheck and set the Value data to 1.
Select Edit > New and select DWORD (32-bit) Value and enter NoRevocationCheck.
Double-click NoRevocationCheck and set the Value data to 1.
Select OK and reboot the server. Restarting the RRAS and NPS services does not suffice.
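The same NPS-only registry change as a script, together with enabling the CAPI2 log mentioned earlier, which is just as useful on NPS for seeing why a client certificate was rejected. This is an added example, not part of the original notes; the key path and value names are the ones the notes give, the log size is an assumption. Both values relax revocation checking on the EAP-TLS server side, which is why the notes restrict them to the NPS server that validates the Conditional Access certificate; do not copy them to other servers.

```powershell
# Added example (not from the notes): apply the NPS-only EAP-TLS registry values and
# enable the CAPI2 operational log. Key path and value names come from the notes.
$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$Values    = @{ IgnoreNoRevocationCheck = 1; NoRevocationCheck = 1 }

function Set-NpsEapTlsRevocationFlags {
  if (-not (Test-Path $EapTlsKey)) { New-Item -Path $EapTlsKey -Force | Out-Null }
  foreach ($name in $Values.Keys) {
    New-ItemProperty -Path $EapTlsKey -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
  }
  # Read back so the change is verifiable before the reboot the notes require.
  Get-ItemProperty -Path $EapTlsKey | Select-Object IgnoreNoRevocationCheck, NoRevocationCheck
}

function Enable-Capi2Log {
  # Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational is disabled by default.
  $log = Get-WinEvent -ListLog 'Microsoft-Windows-CAPI2/Operational'
  if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.MaximumSizeInBytes = 64MB   # assumed size; the default is small and rolls over quickly
    $log.SaveChanges()
  }
  Get-WinEvent -ListLog 'Microsoft-Windows-CAPI2/Operational' | Select-Object LogName, IsEnabled, MaximumSizeInBytes
}

Set-NpsEapTlsRevocationFlags
Enable-Capi2Log
Write-Host 'Reboot required: restarting the RRAS and NPS services is not enough for the EAP\13 values to take effect.'
```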
----
Conditional Access: Enable
Single sign-on (SSO) with alternate certificate: Enable
Client Authentication
1.3.6.1.5.5.7.3.2
67d54f386083a2847768e26967dbf7d890487598
---
EAP XML for AAD EKU, no server validation
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore>
            <SimpleCertSelection>true</SimpleCertSelection>
          </CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
        <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
          <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
            <EKUMapping>
              <EKUMap>
                <EKUName>AAD Conditional Access</EKUName>
                <EKUOID>1.3.6.1.4.1.311.87</EKUOID>
              </EKUMap>
            </EKUMapping>
            <ClientAuthEKUList Enabled="true">
              <EKUMapInList>
                <EKUName>AAD Conditional Access</EKUName>
              </EKUMapInList>
            </ClientAuthEKUList>
          </FilteringInfo>
        </TLSExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
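A client-side script that loads the EAP XML above from a file, checks that the EKU filter is consistent and points at the Conditional Access OID, flags the disabled server validation, and creates an IKEv2 connection whose IPsec proposal matches the server's custom policy from step 32. This is an added example, not part of the original notes; the file path, connection name and VPN hostname are placeholders.

```powershell
# Added example (not from the notes): validate the EAP XML and build a matching IKEv2 client profile.
$EapXmlPath = 'C:\AOVPN\eap-aad-eku.xml'   # assumed: the XML above saved to this file
$VpnName    = 'MPS Always On VPN'          # assumed connection name
$VpnServer  = 'vpn.example.invalid'         # placeholder for the real public VPN hostname
$CaOid      = '1.3.6.1.4.1.311.87'          # Conditional Access EKU OID from the notes

function Test-EapXml {
  param([xml]$Doc)
  # PowerShell's dot navigation ignores the namespaces, so the path below follows the element nesting.
  $eapType = $Doc.EapHostConfig.Config.Eap.EapType
  $maps    = @($eapType.TLSExtensions.FilteringInfo.EKUMapping.EKUMap)
  $wanted  = @($eapType.TLSExtensions.FilteringInfo.ClientAuthEKUList.EKUMapInList).EKUName
  foreach ($name in $wanted) {
    $map = $maps | Where-Object EKUName -eq $name
    if (-not $map) { throw "ClientAuthEKUList references '$name' but EKUMapping does not define it" }
    if ($map.EKUOID -ne $CaOid) { Write-Warning "EKU '$name' maps to $($map.EKUOID), not the Conditional Access OID" }
  }
  if ($eapType.PerformServerValidation -eq 'false') {
    # Matches the "no server validation" heading: the client will not verify the server certificate.
    Write-Warning 'PerformServerValidation is false: the client does not validate the EAP server certificate'
  }
  [pscustomobject]@{
    EapType          = $Doc.EapHostConfig.EapMethod.Type
    AcceptedEkus     = ($wanted -join ', ')
    ServerValidation = $eapType.PerformServerValidation
  }
}

function Add-AovpnConnection {
  param([xml]$EapConfig)
  Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType IKEv2 `
    -AuthenticationMethod Eap -EapConfigXmlStream $EapConfig -EncryptionLevel Maximum `
    -RememberCredential -Force
  # The client proposal mirrors step 32 on the server; any difference shows up as a policy mismatch.
  Set-VpnConnectionIPsecConfiguration -ConnectionName $VpnName `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 `
    -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048 -Force
  Get-VpnConnection -Name $VpnName | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
}

$eap = [xml](Get-Content -Path $EapXmlPath -Raw)
Test-EapXml -Doc $eap
Add-AovpnConnection -EapConfig $eap
```

Keeping the EKU filter check separate from the connection creation means a profile with a mistyped OID, or one that references an EKU name it never maps, fails before anything is written to the rasphone store.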