Configuring IKEv2 VPN profiles for Windows devices using Configuration Manager and Microsoft Intune
First published on CLOUDBLOGS on Dec 18, 2014
James Lieurance, Software Engineer, Enterprise Client and Mobility
Microsoft Intune and Configuration Manager provide extensive support for managing Windows 8.1, and one commonly utilized feature is the ability to configure VPN profiles so that devices can seamlessly connect to secure corporate resources. This article outlines the process for setting up an IKEv2 VPN profile and deploying it to Windows 8.1 devices.
Creating a VPN Profile for Windows 8.1
Because Configuration Manager and Intune support multiple VPN profile types across various platforms, it is important to understand which input parameters and values are normally required for Windows 8.1. The following are three commonly configured profiles.
IKEv2 VPN using password-based authentication and full-tunneling
Wizard page 1: Create new VPN profile, providing a name that will be used to identify it in the Admin Console.
This name is used in the Admin Console and is displayed on the VPN screen of the Windows device. You can also provide an optional description. Because the VPN screen on Windows devices cannot display long strings, shorter names make it easier to see which profile you are connecting to.
Importing an existing VPN profile is not supported for Windows devices.
Wizard page 2: Configure the Connection Type (IKEv2), default server, Full-tunneling, DNS Suffix, and Bypass on corporate WIFI
You need at least one (default) server for any VPN connection.
“Send all network traffic through the VPN connection” is the checkbox that determines full vs. split tunneling. If it is unchecked, you should provide destination prefix metrics (routes), as shown in the split-tunneling example below.
The connection-specific DNS suffix is the DNS suffix that will be used once the connection is established.
“Bypass VPN when connected on company Wi-Fi network” checked means the VPN connection will not be automatically started when the device is already on a corporate Wi-Fi connection. The user can still start the VPN connection manually.
EAP-MSCHAPv2 is a commonly used secured password authentication method.
Most EAP-based authentication methods require extra configuration provided through the “Configure” button.
For EAP-MSCHAPv2, the configuration is fairly simple. “Automatically use my Windows logon name and password” will use the currently logged on user. For a Windows device, this might be the end-user’s private account that the device was set up with (BYOD). The end-user would then enroll using their workplace credentials which would not be considered the logged in user. A suggestion would be to leave that box unchecked so the end-user can provide their workplace credentials when prompted on their BYOD Windows 8.1 device.
You can check “Remember the user credentials at each logon” so that the end-user will have their credentials saved once they have provided them for the initial VPN connection.
Wizard page 4: Configure proxy settings
Proxy settings are optional. If your VPN connection or environment requires a proxy for the VPN connection, this is where you configure it for your Windows 8.1 profile.
Wizard page 4: Configure DNS Suffix Search List
Intune only supports the DNS Suffix search list setting for VPN profiles deployed to Windows 8.1 devices. Each entry is a specific DNS suffix that will be searched when connecting to a website using a short name. For example, “http://MyWebSite” would be looked up as MyWebSite.contoso.com, MyWebSite.childdomain1.contoso.com, and so on.
Wizard page 5: Configure applicable platforms
VPN profile deployment is supported on Windows 8.1.
Configure routes to enable Split-tunneling:
“Send all network traffic…” box checked: enables force tunneling; unchecked: enables split tunneling.
Routes tell the device when to use the VPN connection. If network traffic has a destination that matches a route (destination prefix), the device sends that traffic over the VPN connection; any other traffic that does not match a route does not use the VPN connection.
All other wizard pages would be configured the same as above.
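The settings on the wizard pages above map directly onto properties of a Windows 8.1 VPN connection, and it helps to see that mapping on a test machine before deploying through Configuration Manager or Intune. The following PowerShell is an added example, not code from the article or from the Configuration Manager/Intune product: it creates the same two profiles locally (a force-tunnel profile and a split-tunnel profile with routes) using the VpnClient cmdlets built into Windows 8.1. The profile names, the server name vpn.contoso.com, the DNS suffix and the route prefixes are assumed values. The EAP-MSCHAPv2 configuration XML follows the EapHostConfig schema; before relying on it, compare it with the XML of a connection you configured by hand, which is available as (Get-VpnConnection -Name <name>).EapConfigXmlStream.

```powershell
# Added example (not from the original article). Builds, on a Windows 8.1 machine,
# the two profiles described above so that each wizard checkbox can be matched to a
# connection property. Run in an elevated PowerShell prompt (VpnClient module).
# Assumed values: profile names, server, DNS suffix and route prefixes.

$ProfileName = 'Contoso IKEv2'      # keep it short: long names are truncated on the device
$Server      = 'vpn.contoso.com'    # the "default server" from wizard page 2

# EAP-MSCHAPv2 is EAP type 26 in the EapHostConfig schema.
# UseWinLogonCredentials=false is the equivalent of leaving "Automatically use my
# Windows logon name and password" unchecked, so a BYOD user is prompted for
# workplace credentials instead of the device's private logon account.
$EapMsChapV2Xml = [xml]@'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@

# Wizard page 2 settings: connection type IKEv2, default server, DNS suffix.
# RememberCredential corresponds to "Remember the user credentials at each logon".
$common = @{
    Name                 = $ProfileName
    ServerAddress        = $Server
    TunnelType           = 'Ikev2'
    AuthenticationMethod = 'Eap'
    EapConfigXmlStream   = $EapMsChapV2Xml
    EncryptionLevel      = 'Required'
    DnsSuffix            = 'corp.contoso.com'
    RememberCredential   = $true
    Force                = $true          # replace an existing connection of the same name
}

# Profile 1: "Send all network traffic through the VPN connection" CHECKED.
# Omitting -SplitTunneling gives force tunneling: every packet uses the VPN.
Add-VpnConnection @common

# Profile 2: the same box UNCHECKED. -SplitTunneling means only traffic whose
# destination matches a route below goes through the VPN; everything else stays
# on the local interface.
$split      = $common.Clone()
$split.Name = "$ProfileName (split)"
Add-VpnConnection @split -SplitTunneling

# The "Routes" (destination prefixes) from the split-tunneling wizard page.
$routes = '10.0.0.0/8', '192.168.100.0/24'
foreach ($prefix in $routes) {
    Add-VpnConnectionRoute -ConnectionName $split.Name -DestinationPrefix $prefix -PassThru
}

# Review how the two profiles differ; SplitTunneling is the property the checkbox sets.
Get-VpnConnection -Name $ProfileName, $split.Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  SplitTunneling, DnsSuffix, RememberCredential
Get-VpnConnectionRoute -ConnectionName $split.Name
```

Creating the profiles this way only shows the on-device result of each setting; the deployed profile still comes from the Configuration Manager/Intune wizard. Remove the test connections afterwards with Remove-VpnConnection so they are not confused with the deployed one.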
Smart-card or other Certificate option (EAP-TLS)
Configure EAP-TLS (cert-based) authentication
Smart Card or other certificate is the EAP-TLS authentication method.
For the device to be able to find and use the correct certificate for the connection you need to configure EAP-TLS properties for your environment including the “Advanced” page.
Verifying the server’s identity is not required but is recommended.
Having the EKU set correctly with Client Authentication added under the “AnyPurpose” section is required.
All other wizard pages from above would be configured the same.
Deploying and monitoring a VPN Profile for Windows 8.1
Deployment Wizard: Deploy to User or Device collection
We support deploying VPN profiles to User or Device collections.
(Optional) You can configure an alert to be generated if compliance does not meet the SLA.
Schedule: This pertains to only the Windows on-premises client evaluation schedule. Windows devices sync with the server and evaluate policies on their own schedule (default of every 8 hours).
Monitoring deployment of VPN profile
Compliant results look like this:
In this instance, various settings failed to remediate. If these types of errors are seen, the suggested step is to check the device for the profile. If only one setting reported a failure, the cause may simply be a setting or value that the Windows 8.1 device does not support, and the profile may have been placed on the device anyway. If you see several remediation errors, as in the example above, the profile most likely could not be placed on the device because of an issue with the device itself.
Checking the Windows 8.1 device for the profile:
You can find the VPN profiles under Settings -> VPN
Deploy to User collection (use defaults)
Log on to a client device as a user from the collection you deployed to.
This should be the user under whom you enrolled the device.
Verify policy is evaluated correctly on client
You can run “c:\Windows\system32\MDMAgent.exe” to trigger a policy sync.
When the policy sync is completed you should see the new VPN profile on the device. If the profile does not arrive during the sync, check that your profile is correctly targeted and deployed, and, for a hybrid environment, that your policy has been synced from the on-premises database to Intune.
Verify that the VPN profile is created on the target Windows device.
You can also check the properties of the profile to confirm your settings were configured as you intended:
(Optional) Verify that the VPN profile can be used to connect to a VPN server that allows the type of connection configured in the profile.
This step can only be done if you configured the VPN profile correctly for a particular VPN server and you have the proper credentials to connect. Skip this step otherwise.
Verify correct results in monitor console reports.
VPN profile deployments should always be Compliant (Green). If you see any error (red) results then there was some problem with the Intune service and/or device. Check the “Error” tab to get more information about where the error is occurring.
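The verification steps above (trigger a sync, confirm the profile arrived, confirm its properties match what you configured) can be made repeatable on the device itself. The following PowerShell is an added example, not code from the article or from the Intune/Configuration Manager product: it reads the profile the device received with the VpnClient cmdlets and compares it with the intended server, tunnel type, tunneling mode, DNS suffix and routes, works out the EAP method from the EAP configuration XML (type 26 is EAP-MSCHAPv2, type 13 is EAP-TLS), and, for EAP-TLS, confirms that the user's Personal store holds a certificate with a private key and the Client Authentication EKU that the article says the profile depends on. The function name Test-DeployedVpnProfile and all sample values are assumptions; the optional -TriggerSync switch runs the MDMAgent.exe sync trigger named above.

```powershell
# Added example (not from the original article): checks a deployed VPN profile on a
# Windows 8.1 device against the settings the administrator intended.
# Function name and sample values are assumed. Requires the VpnClient module.

function Test-DeployedVpnProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        [ValidateSet('Ikev2', 'Sstp', 'L2tp', 'Pptp', 'Automatic')]
        [string]   $TunnelType = 'Ikev2',
        [bool]     $SplitTunneling = $false,   # $false = "Send all network traffic" checked
        [string[]] $ExpectedRoutes = @(),      # only meaningful for split tunneling
        [string]   $DnsSuffix,
        [switch]   $AllUserConnection,         # set for a machine-wide (device-targeted) profile
        [switch]   $TriggerSync                # run the article's MDMAgent.exe sync trigger first
    )

    if ($TriggerSync) {
        # The agent returns quickly; give the sync a moment before reading the profile.
        Start-Process -FilePath "$env:SystemRoot\System32\MDMAgent.exe"
        Start-Sleep -Seconds 30
    }

    # A missing connection is the first thing to detect when a profile never arrives,
    # so fail loudly instead of continuing with a null object.
    $vpn = Get-VpnConnection -Name $Name -AllUserConnection:$AllUserConnection -ErrorAction Stop

    $checks = [ordered]@{
        ServerAddress  = ($vpn.ServerAddress -eq $Server)
        TunnelType     = ($vpn.TunnelType -eq $TunnelType)
        SplitTunneling = ($vpn.SplitTunneling -eq $SplitTunneling)
    }
    if ($DnsSuffix) { $checks.DnsSuffix = ($vpn.DnsSuffix -eq $DnsSuffix) }

    # Routes only apply to split tunneling; each expected prefix must be present.
    $routes = @()
    if ($vpn.SplitTunneling) {
        $routes = @(Get-VpnConnectionRoute -ConnectionName $Name -AllUserConnection:$AllUserConnection |
                    ForEach-Object { $_.DestinationPrefix })
        foreach ($r in $ExpectedRoutes) { $checks["Route $r"] = ($routes -contains $r) }
    }

    # Read the EAP method type from the EapHostConfig XML with a namespace-agnostic
    # XPath: 26 = EAP-MSCHAPv2 ("Secured password"), 13 = EAP-TLS ("Smart card or other certificate").
    $eapType = $null
    if (($vpn.AuthenticationMethod -contains 'Eap') -and $vpn.EapConfigXmlStream) {
        $eapXml  = [xml]$vpn.EapConfigXmlStream
        $node    = $eapXml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
        if ($node) { $eapType = [int]$node.InnerText }
    }

    if ($eapType -eq 13) {
        # EAP-TLS needs a client certificate with a private key whose EKU includes
        # Client Authentication (OID 1.3.6.1.5.5.7.3.2) in the user's Personal store.
        $clientAuthOid = '1.3.6.1.5.5.7.3.2'
        $certs = @(Get-ChildItem Cert:\CurrentUser\My |
                   Where-Object { $_.HasPrivateKey -and
                                  ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) })
        $checks.ClientAuthCertificate = ($certs.Count -gt 0)
    }

    [pscustomobject]@{
        Name      = $vpn.Name
        EapType   = $eapType
        Status    = $vpn.ConnectionStatus      # "Connected" only after the optional connect test
        Routes    = $routes
        Checks    = $checks
        AllPassed = -not ($checks.Values -contains $false)
    }
}

# Usage for a user-targeted split-tunnel IKEv2 profile (assumed values).
Test-DeployedVpnProfile -Name 'Contoso IKEv2' -Server 'vpn.contoso.com' `
    -SplitTunneling $true -ExpectedRoutes '10.0.0.0/8', '192.168.100.0/24' `
    -DnsSuffix 'corp.contoso.com' | Format-List
```

A single failed check in the Checks table points at one unsupported or mistyped setting (the "one setting reported failure" case above), whereas Get-VpnConnection throwing because the connection does not exist matches the "profile was not able to be placed on the device" case and sends you back to targeting, deployment and, for hybrid environments, the on-premises to Intune sync.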