Channel: Network Infrastructure Servers forum

Client IKEv2 error 13801 when attempting device tunnel connection in Always On VPN

Hi folks,

My boss has tasked me with trying to get Always On VPN working to replace our DirectAccess solution. I'd like to configure device tunnels using machine certs rather than user certs for a variety of reasons, but am having cert difficulties, apparently.

First, the configuration:

1) Two-tier AD-integrated PKI running on Server 2016. Machine certs for clients are being auto-enrolled after having duplicated and modified the Computer template. Root and issuing CA certs are present on both client and server. Client and server certs use the RSA encryption algorithm, along with SHA256 signature and hash algorithms (problem?). The client cert contains the Client and Server Authentication EKUs. The server cert contains these, as well as the 'IP security IKE intermediate' EKU. CRLs are verifiable from the client on the internet. The root and issuing CAs' CRLs can be seen in the cache on server and client by running 'certutil -urlcache crl'.

2) The server uses the same name internally as externally, has RRAS and NPS co-hosted, and has its FQDN in the SAN and CN of the cert. RRAS is set to use RADIUS auth pointing to the local NPS instance. This is tested working with a PSK L2TP VPN from my phone. 'Allow machine certificate authentication for IKEv2' is checked in the RRAS server's authentication methods.

3) A custom 'Always On VPN' network policy has been created using 'Microsoft: Smart Card or other certificate' and 'Microsoft: Protected EAP (PEAP)' (not sure which to use), both configured with the server cert as authentication methods, and using a Windows group containing the client computer as a condition:

4) I've downloaded and modified the sample ProfileXML file from Configure VPN Device Tunnels, then used the PS script available at the same URL to create the VPN object on the client using psexec as described here. The client is domain-joined Windows 10 Enterprise, build 1803.

The client repeatedly attempts to connect every 5-10 minutes, but each attempt terminates with an error 20227 from source RASClient:

Trying to manually initiate the connection from an admin command prompt with rasdial gives:

I've Googled the heck out of 13801 and 'IKE auth creds are unacceptable' to no avail. All hits point to problems with the server cert, such as the CN being inconsistent with the name used in the connection object, the cert being expired, or the cert having the incorrect EKUs. I'm not able to find much other guidance around on creating device tunnels.

Anybody got any ideas? I'm beginning to think this doesn't quite work yet... Thanks muchly,

ianc
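The checks the post walks through by hand (machine cert present with a private key, Client/Server Authentication EKUs, chain and CRL validation, cached CRLs via certutil, the RasClient 20227 events, and the device tunnel's configured server name) can be collected in one pass from the client. The script below is an added diagnostic, not the poster's code or anything from the Microsoft sample; it assumes it is run elevated on the domain-joined Windows 10 client, and the EKU OIDs it uses are the standard well-known values rather than anything taken from this post.

```powershell
# Added diagnostic for an Always On VPN device tunnel that fails with IKEv2 error 13801.
# Not the original poster's script. Run elevated on the client; read-only, nothing is changed.

# Standard EKU OIDs (well-known values, not page-specific)
$OidClientAuth      = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$OidServerAuth      = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$OidIkeIntermediate = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Test-MachineCertForIkev2 {
    # Summarises one machine certificate the way the post's checklist does:
    # private key, expiry, EKUs, signature algorithm, and an online chain/CRL build.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ekus  = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation over the whole chain, so a CRL that cannot be fetched shows up here
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        Expired         = ($Cert.NotAfter -lt (Get-Date))
        HasPrivateKey   = $Cert.HasPrivateKey
        ClientAuthEku   = ($ekus -contains $OidClientAuth)
        ServerAuthEku   = ($ekus -contains $OidServerAuth)
        IkeIntermediate = ($ekus -contains $OidIkeIntermediate)
        SignatureAlg    = $Cert.SignatureAlgorithm.FriendlyName
        ChainValid      = $chainOk
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

Write-Host '== Machine certificates in LocalMachine\My with a private key =='
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-MachineCertForIkev2 -Cert $_ } |
    Format-List

Write-Host '== Cached CRLs (same check the post runs by hand) =='
certutil -urlcache crl

Write-Host '== Device tunnel connection object(s) visible to all users =='
# Device tunnel profiles created as SYSTEM appear under -AllUserConnection; compare
# ServerAddress against the CN/SAN of the server certificate.
Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus |
    Format-List

Write-Host '== Most recent RasClient 20227 events (source name as given in the post) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 20227 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'Ras*' } |
    Select-Object -First 5 TimeCreated, ProviderName, Message |
    Format-List
```

Read the output top to bottom: a certificate with ChainValid false and a ChainStatus mentioning revocation means the CRL path, not the EKUs, is the first thing to fix; ClientAuthEku false on every certificate with a private key means the auto-enrolled template is not what IKEv2 is being offered; and a ServerAddress that differs from the server cert's CN/SAN is the CN mismatch the post says most 13801 hits describe. The server certificate itself has to be inspected on the RRAS host with the same function, since the client cannot read it from the certificate store.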
