Forum Discussion
jjeffries
Aug 20, 2021 | Copper Contributor
Windows 11 Always on VPN device tunnel removed on reboot
We are having an issue with the always on device tunnels being removed on device start. Once logged in to windows, we have to do a manual sync with Intune for it to restore the connection. When the c...
SPSBjorn
Nov 26, 2021 | Copper Contributor
I have created a workaround by using a custom Profile XML from scratch. This one does work! During a sync the profile gets replaced every time, causing it to miss one ping. As far as I can remember this was also the case in Win10. This way the sync does not log any errors and the VPN is operational.
Meanwhile I am waiting for MS support to pick up the case and fix the VPN profile issue in Win11.
SPSBjorn
Nov 26, 2021 | Copper Contributor
Just received from Microsoft: "I would like to inform you that the issue which you are facing is an ongoing issue in Windows 11 and our team is working to fix it soon. For more details you can refer to the article https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-configure"
Below is the Custom Config profile XML I have used to create a working (without errors during sync) IKEv2 split-tunnel VPN with RADIUS authentication of user certificates. Beware: almost everything is case sensitive, like the RADIUS server names, the XML labels, etc.
<VPNProfile>
  <ProfileName>AOVPN</ProfileName>
  <AlwaysOn>true</AlwaysOn>
  <DnsSuffix>domain.com</DnsSuffix>
  <TrustedNetworkDetection>domain.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.domain.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <CryptographySuite>
      <EncryptionMethod>AES128</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <CipherTransformConstants>AES128</CipherTransformConstants>
      <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
      <PfsGroup>PFS2048</PfsGroup>
      <DHGroup>Group14</DHGroup>
    </CryptographySuite>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <!-- EAP type 13 is EAP-TLS (certificate authentication) -->
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore>
                      <SimpleCertSelection>true</SimpleCertSelection>
                    </CertificateStore>
                  </CredentialsSource>
                  <!-- Server validation: pin the RADIUS server names and the root CA thumbprint -->
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                    <ServerNames>RADIUS1.domain.com;RADIUS2.domain.com</ServerNames>
                    <TrustedRootCA>xxxxxxxxxxxxxxxx Root CA hash xxxxxxxxxxxxxxxxxxxxxxxxxx </TrustedRootCA>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
                  <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <!-- Only client certificates issued by this CA are offered -->
                      <CAHashList Enabled="true">
                        <IssuerHash>xxxxxxxxxxx Issuing CA hash xxxxxxxxx </IssuerHash>
                      </CAHashList>
                    </FilteringInfo>
                  </TLSExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
  <DomainNameInformation>
    <DomainName>.domain.com</DomainName>
    <DnsServers>192.168.1.1,192.168.1.2</DnsServers>
  </DomainNameInformation>
  <Route>
    <Address>192.168.1.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
</VPNProfile>
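Because the custom profile above is replaced on every Intune sync and the CSP silently ignores mis-cased element names, it pays to lint the ProfileXML before uploading it. The following script is an added example (not Microsoft's tooling and not the poster's) that checks a profile of the same shape for two things: element names that differ from the CSP spelling only in case, and the EAP-TLS server-validation settings that stop a client from authenticating to an untrusted RADIUS server (PerformServerValidation, DisableUserPromptForServerValidation, ServerNames, and a real hex thumbprint in TrustedRootCA rather than a leftover placeholder). The host names and thumbprint in the sample profile are constructed; the element list only covers the names that appear in the posted XML.

```python
"""Lint a VPNv2 ProfileXML for case-sensitivity slips and weak EAP-TLS server validation.

Added example; the sample profile, host names and thumbprint are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS_TLS_V1 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"
NS_TLS_V2 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"
NS_TLS_V3 = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"

# Exact spellings of the (un-namespaced) CSP elements used in the posted profile.
CSP_ELEMENTS = {
    "VPNProfile", "ProfileName", "AlwaysOn", "DnsSuffix", "TrustedNetworkDetection",
    "NativeProfile", "Servers", "RoutingPolicyType", "NativeProtocolType",
    "DisableClassBasedDefaultRoute", "CryptographySuite", "EncryptionMethod",
    "IntegrityCheckMethod", "CipherTransformConstants",
    "AuthenticationTransformConstants", "PfsGroup", "DHGroup", "Authentication",
    "UserMethod", "Eap", "Configuration", "DomainNameInformation", "DomainName",
    "DnsServers", "Route", "Address", "PrefixSize",
}
_BY_LOWER = {name.lower(): name for name in CSP_ELEMENTS}
_SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def _text(elem, path):
    """Stripped text of a child found by path, or None when elem/child is missing."""
    node = elem.find(path) if elem is not None else None
    return (node.text or "").strip() if node is not None else None


def _is_thumbprint(value):
    """Windows writes CA thumbprints as SHA-1 hex, usually space-separated byte pairs."""
    return bool(value) and _SHA1_HEX.match(value.replace(" ", "")) is not None


def validate_profile(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []

    # 1. Case slips: a tag that matches a CSP name only when lower-cased is a
    #    typo the CSP ignores instead of rejecting.
    for elem in root.iter():
        if "}" in elem.tag:
            continue  # namespaced EAP elements are handled below
        expected = _BY_LOWER.get(elem.tag.lower())
        if expected and expected != elem.tag:
            findings.append(f"element <{elem.tag}> should be spelled <{expected}>")

    # 2. Server validation: the client must verify the RADIUS certificate against
    #    pinned names and a pinned root, with no user prompt to override it.
    eap_type = root.find(f".//{{{NS_TLS_V1}}}EapType")
    if eap_type is None:
        findings.append("no EAP-TLS <EapType> block found")
        return findings
    sv = eap_type.find(f"{{{NS_TLS_V1}}}ServerValidation")
    if _text(eap_type, f"{{{NS_TLS_V2}}}PerformServerValidation") != "true":
        findings.append("PerformServerValidation is not true")
    if _text(sv, f"{{{NS_TLS_V1}}}DisableUserPromptForServerValidation") != "true":
        findings.append("DisableUserPromptForServerValidation is not true")
    names = _text(sv, f"{{{NS_TLS_V1}}}ServerNames") or ""
    if not [n for n in names.split(";") if n.strip()]:
        findings.append("ServerNames is empty: any server name would be accepted")
    if not _is_thumbprint(_text(sv, f"{{{NS_TLS_V1}}}TrustedRootCA")):
        findings.append("TrustedRootCA is not a hex SHA-1 thumbprint (placeholder left in?)")
    issuer = root.find(f".//{{{NS_TLS_V3}}}IssuerHash")
    if issuer is not None and not _is_thumbprint((issuer.text or "").strip()):
        findings.append("IssuerHash is not a hex SHA-1 thumbprint (placeholder left in?)")
    return findings


# Constructed thumbprint (bytes 00..13), not a real CA.
GOOD_HASH = " ".join(f"{b:02x}" for b in range(20))


def sample_profile(always_on_tag="AlwaysOn", perform="true", root_hash=GOOD_HASH):
    """Constructed profile with the same nesting as the posted XML; knobs inject faults."""
    return f"""<VPNProfile>
  <ProfileName>AOVPN</ProfileName>
  <{always_on_tag}>true</{always_on_tag}>
  <NativeProfile>
    <Servers>vpn.example.test</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>13</Type>
              <EapType xmlns="{NS_TLS_V1}">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                  <ServerNames>radius1.example.test;radius2.example.test</ServerNames>
                  <TrustedRootCA>{root_hash}</TrustedRootCA>
                </ServerValidation>
                <PerformServerValidation xmlns="{NS_TLS_V2}">{perform}</PerformServerValidation>
                <AcceptServerName xmlns="{NS_TLS_V2}">true</AcceptServerName>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </Configuration></Eap>
    </Authentication>
  </NativeProfile>
</VPNProfile>"""


if __name__ == "__main__":
    print("clean profile:", validate_profile(sample_profile()) or "no findings")
    faulty = sample_profile(always_on_tag="alwaysOn", perform="false",
                            root_hash="xxxx Root CA hash xxxx")
    for finding in validate_profile(faulty):
        print("faulty profile:", finding)
```

Run it against your own ProfileXML by reading the file into `validate_profile`; a non-empty list is a reason not to push the profile, since a mis-cased tag is dropped without any error in the Intune sync log and a missing thumbprint leaves server validation without a pinned root.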