
Konstantin_Yanson
Nov 01, 2023

AlwaysOnVPN Device Tunnel (IKE) Certificate selection problem

We are using AlwaysOnVPN and configuring the device tunnel on Windows 10/11 clients.

(not to be confused with the user tunnel)

On the server side we are using EKU filtering (the CertificateEKUsToAccept parameter).

Everything works well until clients have 2 or more device certificates. Windows randomly takes the first one, and in most cases it is not valid because it lacks the correct EKU, so authentication fails: “Verifying username and password...IKE authentication credentials are unacceptable”.

At first sight, this problem could be solved by adding a section to the client’s config:

<NativeProtocolType>IKEv2</NativeProtocolType>
<Authentication>
    <MachineMethod>Certificate</MachineMethod>
    <Certificate>
        <EKU>1.3.6.1.5.5.7.3.7</EKU>
    </Certificate>
</Authentication>

and there is a corresponding section in the VPNv2 CSP:

Device/{ProfileName}/NativeProfile/Authentication/Certificate/Eku

But it says “Reserved for future use.” and there are no Allowed Values listed.

Without much hope, I wanted to ask the community: are there any ways to choose the right device certificate on the client side?

And I hope MS will enable this feature as well.

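As an added diagnostic (not part of the original post or of any Microsoft tooling), the following PowerShell snippet lists the certificates in the machine personal store that an IKEv2 device tunnel could present and flags which ones lack the IKE intermediate EKU (1.3.6.1.5.5.7.3.7) that the server-side CertificateEKUsToAccept filter expects; the EKU value and the LocalMachine\My store are assumptions taken from the scenario described above.

```powershell
# Added example, not from the original post. Lists the certificates in the machine
# personal store that an IKEv2 device tunnel could present and flags which ones lack
# the IKE intermediate EKU the server-side CertificateEKUsToAccept filter expects.
$RequiredEku = '1.3.6.1.5.5.7.3.7'   # assumption: the EKU configured on the server

function Get-DeviceTunnelCertificateReport {
    param([string]$Eku = $RequiredEku)

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Pull the OIDs out of the Enhanced Key Usage extension, if the cert has one.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            HasIkeEku     = ($ekus -contains $Eku)
            Ekus          = ($ekus -join ', ')
        }
    }
}

$report = @(Get-DeviceTunnelCertificateReport)
$report | Format-Table Subject, HasPrivateKey, HasIkeEku, NotAfter, Thumbprint -AutoSize

# The condition described in the post: more than one usable machine certificate,
# of which only some carry the required EKU, so the tunnel may pick a wrong one.
$usable = @($report | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
$valid  = @($usable | Where-Object { $_.HasIkeEku })
if ($usable.Count -gt 1 -and $valid.Count -lt $usable.Count) {
    $msg = '{0} usable machine certificates found, but only {1} carry EKU {2}; IKEv2 may offer one the server rejects.' -f $usable.Count, $valid.Count, $RequiredEku
    Write-Warning $msg
}
```

Run it in an elevated PowerShell session on the affected client; a warning means the store contains the mix of certificates that triggers the random selection described in the post.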
