
My server is 2012R2. I deployed AOVPN according to the Microsoft manual, using PowerShell for client deployment. It all works except that the custom route just does not appear on the clients (tried on multiple Windows 10 and Windows 11 PCs), without any hints anywhere. DisableClassBasedDefaultRoute works.

I tried modifying the recommended MakeProfile.ps1, which adds the VPN connection via the MDM_VPNv2_01 WMI class, and instead adding the VPN connection with the classic Add-VpnConnection plus a custom route via Add-VpnConnectionRoute. It works, the route does appear, but the logon script doesn't run when a client is not connected to the network, as is usually the case for remote clients. It seems like the "incorrect" ProfileXML overrides the route added with Add-VpnConnection after a few client reboots (I don't fully understand the logic) and the custom route disappears, so it works but is unreliable.

Please help me find the error in the ProfileXML or anywhere else:

<VPNProfile>

   <AlwaysOn>true</AlwaysOn>
   <RememberCredentials>true</RememberCredentials>
   <DnsSuffix>mydomain.local</DnsSuffix>
   <RegisterDNS>true</RegisterDNS>
   <TrustedNetworkDetection>mydomain.local</TrustedNetworkDetection>

   <DomainNameInformation>
      <DomainName>.mydomain.local</DomainName>
      <DnsServers>192.168.99.1,192.168.99.100</DnsServers>
   </DomainNameInformation>

   <NativeProfile>
      <Servers>vpn.external.com</Servers>
      <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
      <NativeProtocolType>IKEv2</NativeProtocolType>
      <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>

      <CryptographySuite>
         <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
         <CipherTransformConstants>AES256</CipherTransformConstants>
         <EncryptionMethod>AES256</EncryptionMethod>
         <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
         <DHGroup>Group14</DHGroup>
         <PfsGroup>None</PfsGroup>
      </CryptographySuite>

      <Authentication>
         <UserMethod>Eap</UserMethod>
         <Eap>
            <Configuration>
               <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                  <EapMethod>
                     <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
                     <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                     <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                     <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                  </EapMethod>
                  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                        <Type>26</Type>
                        <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                           <UseWinLogonCredentials>true</UseWinLogonCredentials>
                        </EapType>
                     </Eap>
                  </Config>
               </EapHostConfig>
            </Configuration>
         </Eap>
      </Authentication>
   </NativeProfile>

   <Route>
      <Address>192.168.96.0</Address>
      <PrefixSize>20</PrefixSize>
      <Metric>1</Metric>
   </Route>

</VPNProfile>

Nik

2 Answers


I use custom routes myself, but I was fighting with how to disable class-based routing. Your example above pointed me in the right direction.

Anyhow: the way I added custom routes was through PowerShell.

Assuming your VPN connection is called MyVpn, you could add a custom route with the cmdlet Add-VpnConnectionRoute like so:

Add-VpnConnectionRoute -ConnectionName "MyVpn" -DestinationPrefix 192.168.96.0/20 -PassThru

The route is associated with your VPN connection, so it will only appear in your routing table while the VPN connection is up.


You should 100% be able to have the routes configured in the XML. Two things are different in your XML compared to the ones I run that work perfectly:

  1. I have <RememberCredentials> set to false
  2. I don't use <Metric> in the <Route> configuration

Number 2 is likely the culprit here.

Additionally, are you only configuring a User Tunnel? Because if you're also configuring a device tunnel, and something is configured incorrectly in that, it can affect the User Tunnel as well.

E.g. don't configure <DomainNameInformation> in a device tunnel. Or, if you absolutely have to, make sure all <DomainNameInformation> entries are identical in both profiles.

Beau
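As an added example (not code from the question or from either answer), a PowerShell check to run on an affected client that serves both answers above: it reads the stored ProfileXML back through the same MDM_VPNv2_01 class the deployment script uses and compares it with the routes the RAS client actually attached to the connection, which narrows the problem down to either the stored profile or route application. It assumes the profile and connection are named MyVpn and uses the 192.168.96.0/20 route from the question.

```powershell
# Added example; assumes the user-tunnel profile/connection is named 'MyVpn'.
# Run in the same user context the profile was deployed in (for a device tunnel,
# run as SYSTEM and add -AllUserConnection to Get-VpnConnection).
$ConnectionName = 'MyVpn'
$ExpectedPrefix = '192.168.96.0/20'

# (a) What did the MDM bridge store? InstanceID is the URL-encoded profile name.
$inst = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' |
    Where-Object { [uri]::UnescapeDataString($_.InstanceID) -eq $ConnectionName }

if (-not $inst) {
    Write-Warning "No MDM_VPNv2_01 instance named '$ConnectionName' found (profile never landed?)."
} else {
    # Deployment scripts HTML-escape the XML before New-CimInstance; undo it if it reads back escaped.
    $raw = $inst.ProfileXML
    if ($raw -like '&lt;*') { $raw = [System.Net.WebUtility]::HtmlDecode($raw) }
    [xml]$xmlDoc = $raw

    $storedRoutes = @($xmlDoc.VPNProfile.Route)   # @() so one <Route> is still a list
    if ($storedRoutes.Count -eq 0) {
        Write-Warning 'Stored ProfileXML contains no <Route> elements: check the XML you deployed.'
    } else {
        foreach ($r in $storedRoutes) {
            "Stored route: $($r.Address)/$($r.PrefixSize) (Metric element: '$($r.Metric)')"
        }
    }
}

# (b) What did the RAS client actually attach to the connection?
$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $conn) {
    Write-Warning "Get-VpnConnection found no connection named '$ConnectionName'."
} else {
    $liveRoutes = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })
    "Live routes on the connection: $($liveRoutes -join ', ')"
    if ($liveRoutes -contains $ExpectedPrefix) {
        "OK: $ExpectedPrefix is attached to the connection."
    } else {
        # Stored but not live -> the profile was accepted, the route was not applied.
        Write-Warning "$ExpectedPrefix is NOT attached to the connection."
    }
}
```

Compare the two outputs: a route present in (a) but missing in (b) points at the <Route> block itself (the second answer's <Metric> suspicion), while an empty (a) means the profile you deployed is not the one on the client.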