Windows 10 Always On and Fortinet

Hi, we are standing up a VPN for doing Always On and already we are hitting an unusual roadblock that we are trying to sort out. The Windows 10 VPN client config is simple enough for me to set up but I am being asked to configure a PSK for the connection which Windows 10 does not support for IKEv2 connections.

I thought it would be easy to ask for the connection to not require a PSK and we could rely on the Microsoft authentication stack to handle the authentication transparently to the user. I am reaching out because we are at a point where it seems like we cannot remove the phase one authentication from our configuration and I am not the expert here.

Has anyone had to configure the backend for Always On? I figure we can’t be far off; we already worked through some of the encryption negotiation fun, but I am not sure why the FortiGate wants a PSK.

This is a little dense/long but hopefully some of this will be helpful.

Example with a FortiOS 6.2 device (Win 10 user tunnel):

https://www.delapcpa.com/cybersecurity/ikev2-vpn-guide/

FortiOS CLI

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/791036/vpn-ipsec-phase1-interface-phase1

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/487941/vpn-ipsec-phase2-interface-phase2

Windows 10 stuff:

https://directaccess.richardhicks.com/2017/12/11/always-on-vpn-windows-10-device-tunnel-step-by-step-configuration-using-powershell/

https://directaccess.richardhicks.com/2018/07/23/always-on-vpn-routing-configuration/

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

https://www.configjon.com/always-on-vpn-device-tunnel/

Things to consider with a device tunnel:

https://directaccess.richardhicks.com/2020/04/06/always-on-vpn-device-tunnel-only-deployment-considerations/

Enable device tunnel status in Windows 10:

https://directaccess.richardhicks.com/2020/08/27/always-on-vpn-device-tunnel-status-indicator/

Name Resolution Policy Table:

https://directaccess.richardhicks.com/2018/04/23/always-on-vpn-and-the-name-resolution-policy-table-nrpt/

https://serverfault.com/questions/925901/windows-10-always-on-vpn-split-dns-nrpt-and-how-to-configure-which-dns-server

Troubleshooting:

https://www.imab.dk/my-always-on-vpn-configuration-with-microsoft-intune-and-configuration-manager-explained/

https://msendpointmgr.com/2020/04/29/keeping-always-on-vpn-always-on/

https://www.configjon.com/always-on-vpn-troubleshooting/

Some Client info:

Get info on the status of a device tunnel VPN connection

Get-VpnConnection -AllUserConnection

You can see if a VPN tunnel exists by looking at the list of networking adapters in the GUI. It will show up as a networking adapter. Do not change the config on the adapter via the GUI.

The service ‘IKE and AuthIP IPsec Keying Modules’ (IKEEXT) has to have its startup type set to Automatic in order for the VPN to work. This service is not running a lot of the time. Also, after a Feature Update or monthly patch it may go back to Manual or Disabled, so there should be a GPO setting that changes the service to Automatic.

Set-Service -Name "IKEEXT" -StartupType Automatic

Start-Service -Name "IKEEXT"

Get-Service -Name "IKEEXT"

Need this PowerShell module in order to install/update the VPN as the System user for device tunnels (instead of having to use psexec).

Install-Module -Name Invoke-CommandAs

Install the VPN connection or overwrite an existing config (as the system user)

Invoke-CommandAs -ScriptBlock {c:\AOVPN\New-AovpnDeviceTunnel.ps1 -xmlFilePath c:\AOVPN\AOVPN.xml} -AsSystem

Manually Remove the Device Tunnel VPN Connection:

rasdial.exe "Always On VPN Device Tunnel" /disconnect

Remove-VpnConnection -Name "Always On VPN Device Tunnel" -AllUserConnection -Force -PassThru

Make a device tunnel VPN connection visible via the GUI by adding a registry key:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Flyout\VPN]
"ShowDeviceTunnelInUI"=dword:00000001

Repair an Always-On VPN, including device tunnel and show some info along the way:

Write-Host "Fixing the IKEEXT Service"
Set-Service -Name "IKEEXT" -StartupType Automatic
Start-Service -Name "IKEEXT"
Get-Service -Name "IKEEXT"
Write-Host "Importing the registry key so the VPN shows up in the task bar connections list."
reg import "C:\AOVPN\VPNStatusForUser.reg"
Write-Host "Checking the AutoTriggerDisabledProfilesList reg value and deleting it if it lists the device tunnel."
$regkeypath="HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config"
$regkeyitem="AutoTriggerDisabledProfilesList"
$regkeyvalue="Always On VPN Device Tunnel"
# The value is a REG_MULTI_SZ, so test membership with -contains rather than -eq.
# -ErrorAction SilentlyContinue keeps a missing value from throwing.
$value1 = @((Get-ItemProperty -Path $regkeypath -Name $regkeyitem -ErrorAction SilentlyContinue).$regkeyitem) -contains $regkeyvalue
If ($value1) {Remove-ItemProperty -Path $regkeypath -Name $regkeyitem}
Else {Write-Host "The value does not exist"}
Write-Host "Use the rest of the script with caution - resets all IPv4, IPv6, and Winsock settings."
Write-Host "Close the script if you don't want these things reset."
pause
Write-Host "Resetting all NIC IPv4, IPv6, and Winsock settings"
netsh int ip reset
netsh int ipv6 reset
netsh winsock reset
pause

edit: added some more content
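As an added example (not code from any post in this thread), a read-only PowerShell health check that pulls together the items the commands above touch: the IKEEXT service, the all-user connection, the AutoTriggerDisabledProfilesList value and the flyout registry key. The tunnel name is an assumption taken from the commands above; run it from an elevated session before and after a repair.

```powershell
# Added example, not from the thread. Assumes the tunnel name used in the commands above.
function Test-AovpnDeviceTunnel {
    param(
        # Assumed profile name; match it to the name in your ProfileXML
        [string]$TunnelName = 'Always On VPN Device Tunnel'
    )

    # 1. IKEv2 cannot negotiate if IKEEXT is stopped or left on Manual/Disabled
    $svc   = Get-Service -Name 'IKEEXT'
    $svcOk = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')

    # 2. Device tunnels live in the all-user (SYSTEM) phonebook, so query that store
    $vpn    = Get-VpnConnection -AllUserConnection -Name $TunnelName -ErrorAction SilentlyContinue
    $status = if ($vpn) { $vpn.ConnectionStatus } else { 'NotInstalled' }
    $type   = if ($vpn) { $vpn.TunnelType } else { $null }

    # 3. A profile named in AutoTriggerDisabledProfilesList (REG_MULTI_SZ) is never
    #    auto-triggered; -contains handles the multi-string value where -eq does not
    $rasCfg   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config'
    $disabled = (Get-ItemProperty -Path $rasCfg -Name 'AutoTriggerDisabledProfilesList' `
                   -ErrorAction SilentlyContinue).AutoTriggerDisabledProfilesList
    $autoTriggerBlocked = @($disabled) -contains $TunnelName

    # 4. ShowDeviceTunnelInUI=1 is what makes the device tunnel appear in the network flyout
    $flyout  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Flyout\VPN' `
                 -Name 'ShowDeviceTunnelInUI' -ErrorAction SilentlyContinue
    $visible = ($flyout.ShowDeviceTunnelInUI -eq 1)

    [pscustomobject]@{
        TunnelName         = $TunnelName
        ProfileExists      = [bool]$vpn
        ConnectionStatus   = $status
        TunnelType         = $type
        IkeextStartType    = $svc.StartType
        IkeextRunning      = ($svc.Status -eq 'Running')
        AutoTriggerBlocked = $autoTriggerBlocked
        VisibleInFlyout    = $visible
        # Healthy = profile installed, IKEEXT good, and nothing blocking the auto-trigger
        Healthy            = $svcOk -and [bool]$vpn -and -not $autoTriggerBlocked
    }
}

# Read-only: reports state, changes nothing
Test-AovpnDeviceTunnel | Format-List
```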

Give this guide a shot, I used it successfully to deploy AOVPN for a client of ours.

You’ll need to give more info for some help.

How do you plan on authenticating? Is this a device or user tunnel? Are you going to use a device and separate user tunnel?

I have amassed a lot of links regarding useful documentation available on the subject. I’ll try to find time to post it tomorrow.

Are you forwarding requests to a Windows RRAS/VPN server? If the VPN server isn't domain joined, you can forward RADIUS requests to your domain controllers. We’re using PEAP-MSCHAPv2 and a second IKEv2 tunnel for the device. Works well; trying to implement FortiGate SSO firewall rules now.

MS documentation is decent.

A good blog on MS Always On VPN

Post pandemic I figure the IKEv2 tunnel will have issues at hotels, but it might help in device management if you don’t have a cloud management solution.

Also, I forgot to say a couple of things about Always On VPNs that have been made by a PowerShell script. You can repair some that break by just running the install script again. Some have to be removed and the script run again in order for them to work. In the case of a device tunnel VPN, reboot after a reinstall or removal/install cycle to know whether it worked or not.

With SCCM or Intune deployment, just remove the VPN connection and the management tool should recreate it given the proper prompting.

Later on we will go user + device tunnel, but for now we are using a user tunnel with Microsoft Protected EAP for authentication.

The device tunnel is for pre-authentication traffic which will be fun and involve a machine certificate. The PKI and certificate is in place so hopefully that won’t be too much trouble to slide in.