As a follow-up to my article a few days ago on Always On VPN vs DA – http://www.hayesjupe.com/always-on-vpn-and-da-a-comparison/ – an employee of mine had some spare time for testing today and came up with the following findings.
- Configured and tested the VPN server using L2TP/IPSec + PSK, User/Pass using MS-CHAP-V2
- Attempted to export the VPN profile using the Microsoft script MakeProfile.ps1 (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#bkmk_fullscript)
- Doesn’t work if you’re using Folder Redirection, as it tries to write to C:\Users\UserID\Desktop instead of using %desktop%
- Adjusted the script to just write to C:\Temp and it works fine
- Ran the generated VPN_Profile.ps1 and it came back with “A general error occurred that is not covered by a more specific error code”. After doing some troubleshooting and googling, we worked out that MakeProfile.ps1 has “<AlwaysOn>true</AlwaysOn>” in it, when it actually needs to be “<AlwaysOn>True</AlwaysOn>” (upper-case T). Thanks Microsoft.
- Finally got it imported. Attempted to connect and received an error that the destination address didn’t exist.
- Checked the XML, the “Servers” item was populated correctly
- Checked the VPN connection in Windows, the “Server” item wasn’t populated. Awesome.
- Populated the Server field manually, tried to connect, failed.
- The export also didn’t bring across the PSK
- Populated the PSK, works.
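The fix-ups above (Desktop path under Folder Redirection, the AlwaysOn casing, and the Server and PSK that don’t come across) collected into one script. This is an added example, not code from the original post or from Microsoft’s MakeProfile.ps1; the connection name “Corp-AOVPN” and the XML path C:\Temp\VPN_Profile.xml are placeholders, and it assumes the generated VPN_Profile.ps1 has already been run to create the connection.

```powershell
# Added example (not from the original post or MakeProfile.ps1).
# Assumptions: ProfileXML was written to C:\Temp\VPN_Profile.xml and the
# connection created by VPN_Profile.ps1 is called "Corp-AOVPN". Both are placeholders.
$ProfileName = 'Corp-AOVPN'
$XmlPath     = 'C:\Temp\VPN_Profile.xml'

# 1. Resolve the real Desktop folder. Unlike "$env:USERPROFILE\Desktop",
#    this honours Folder Redirection, so a copy of the XML can be kept there.
$Desktop = [Environment]::GetFolderPath('Desktop')

# 2. Pre-flight the XML: the VPNv2 CSP rejects <AlwaysOn>true</AlwaysOn>
#    with the generic "A general error occurred" message. Case-sensitive check.
[xml]$Profile = Get-Content -Path $XmlPath -Raw
$AlwaysOn = $Profile.VPNProfile.AlwaysOn
if ($AlwaysOn -and ($AlwaysOn -cne 'True')) {
    Write-Warning "AlwaysOn is '$AlwaysOn'; rewriting it as 'True'"
    $Profile.VPNProfile.AlwaysOn = 'True'
    $Profile.Save($XmlPath)
    $Profile.Save((Join-Path $Desktop 'VPN_Profile.xml'))
}

# Remember what the XML says the server should be, for the check below.
$ExpectedServer = $Profile.VPNProfile.NativeProfile.Servers
if ([string]::IsNullOrWhiteSpace($ExpectedServer)) {
    throw "No <Servers> element found in $XmlPath"
}

# 3. After VPN_Profile.ps1 has run, compare what actually landed in Windows
#    with the XML, and fill in the Server field if it was dropped.
$Conn = Get-VpnConnection -Name $ProfileName -ErrorAction Stop
if ([string]::IsNullOrWhiteSpace($Conn.ServerAddress)) {
    Write-Warning "ServerAddress is empty; setting it to '$ExpectedServer' from the XML"
    Set-VpnConnection -Name $ProfileName -ServerAddress $ExpectedServer -Force
}

# 4. The PSK does not come across in the export, so set it explicitly.
#    Prompt for it rather than embedding it in the script.
$SecurePsk = Read-Host -Prompt 'L2TP/IPsec pre-shared key' -AsSecureString
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePsk)
try {
    $Psk = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
    Set-VpnConnection -Name $ProfileName -TunnelType L2tp `
        -AuthenticationMethod MSChapv2 -L2tpPsk $Psk -Force
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
    Remove-Variable -Name Psk -ErrorAction SilentlyContinue
}

# 5. Show the result so the Server and tunnel type can be eyeballed.
Get-VpnConnection -Name $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus
```

Run it in the same user context that ran VPN_Profile.ps1 (it’s a per-user connection). The PSK is prompted for and cleared afterwards rather than written into the script, since a PSK in a file on a shared drive is the sort of thing that ends up in a ticket attachment.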
To sum up:
- Microsoft’s MakeProfile.ps1 is helpful, but isn’t even remotely reliable for exporting all of the settings
- No idea why the server isn’t being populated. It’s in the XML, it just doesn’t populate it
- There doesn’t seem to be a way of using PSK instead of certs – the XML doesn’t seem to have any option for specifying a PSK (that I’ve been able to find)
So let me revise my earlier “it’s very much a v1 product” to “it’s very much a v0.1 product”