
aovpn's Introduction

aovpn

This repository includes PowerShell scripts and sample ProfileXML configuration files used for creating Windows Always On VPN connections.

aovpn's People

Contributors

amigateenageriot, dmytro007, inphobia, richardhicks


aovpn's Issues

CryptographySuite in ProfileXML_Device applies wrong EncryptionMethod

When we deploy the Always On VPN Device Tunnel with the ProfileXML_Device.xml and include in that file the CryptographySuite as follows:

     <CryptographySuite>
         <AuthenticationTransformConstants>GSMAES128</AuthenticationTransformConstants>
         <CipherTransformConstants>GCMAES128</CipherTransformConstants>
         <EncryptionMethod>GCMAES128</EncryptionMethod>
         <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
         <DHGroup>Group14</DHGroup>
         <PfsGroup>ECP256</PfsGroup>
     </CryptographySuite>

The setting EncryptionMethod is not applied correctly (at this moment only on Windows 10 21H2, not tested on Windows 11 yet). Instead of applying EncryptionMethod GCMAES128 it changes it to DES. All other settings are applied correctly.

Is this a bug or something else?

New-AovpnConnection.ps1 - Examples Missing Closing Apostrophe

Hello Richard,

Under your Examples in the New-AovpnConnection.ps1 script the "AllUserConnection" (Line 24) and "DeviceTunnel" (Line 29) are missing the closing apostrophe on the "-xmlFilePath".

Code block with closing apostrophe:

.EXAMPLE
    .\New-AovpnConnection.ps1 -xmlFilePath 'C:\Users\rdeckard\desktop\ProfileXML_User.xml' -ProfileName 'Always On VPN' -AllUserConnection
    Creates an Always On VPN user tunnel profile named "Always On VPN" for all users.
.EXAMPLE
    .\New-AovpnConnection.ps1 -xmlFilePath 'C:\Users\rdeckard\desktop\ProfileXML_Device.xml' -DeviceTunnel
    Creates an Always On VPN device tunnel profile named "Always On VPN Device Tunnel".

Thanks for your great work!
Mitch

After enabling IPv6 on server, internal connections no longer work

We recently had to "disable" IPv6 on our AOVPN server as we received the wrong prefix from our ISP. Now that this has been resolved we have enabled IPv6 again on the server. Clients are able to connect (both through Device Tunnel and User Tunnel). They show up as clients in the RRAS; however, over IPv6 they are not able to reach anything on the network.

We have enabled IPv6 routing:
[attached screenshot: Screenshot 2022-06-22 140147]

We have the correct routing set on the internal NIC for IPv6, from the AOVPN server we can reach the internal network.

When we use the IPv4 address of our NAS, we can reach it through vpn, but using the IPv6 address, it doesn't work. I am really at a loss why IPv6 routing is not working. If you can help, that would be great. Or point us to the direction we have to look.

CryptographySuite setting is not applied to the user tunnel

When using "Automatic" the IKEv2 configuration is not applied to the "user tunnel". If NativeProtocolType is set to IKEv2 the crypto settings will be applied successfully. I have seen this in several installations. As your ProfileXML configuration works with both a "device tunnel" configuration and a "user tunnel" configured with IKEv2, I suspect this to be a Microsoft issue, but I just thought you should know.
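Both of the CryptographySuite reports above (the EncryptionMethod that ends up as DES on the device tunnel, and the suite that is silently not applied to a user tunnel) come down to the same operational question: does the IPsec policy Windows actually installed match what the ProfileXML asked for? The following function is an added example and is not part of the aovpn repository or its scripts. It reads the CryptographySuite element from a ProfileXML file and compares each setting with the IPsecCustomPolicy that Get-VpnConnection reports for the deployed profile. It assumes the element path VPNProfile/NativeProfile/CryptographySuite and that the applied values surface in the connection's IPsecCustomPolicy property; if no custom policy is present at all, every Applied column is empty, which is itself the finding for the user-tunnel case.

```powershell
function Compare-AovpnCryptographySuite {
    <#
    Added example, not part of the aovpn repository.
    Compares the CryptographySuite requested in a ProfileXML file with the IPsec
    custom policy Windows applied to the VPN connection, one setting per row.
    Assumes the ProfileXML schema path VPNProfile/NativeProfile/CryptographySuite
    and that Get-VpnConnection exposes the applied values as IPsecCustomPolicy.
    #>
    param (
        [Parameter(Mandatory = $true)]
        [string]$XmlFilePath,

        [Parameter(Mandatory = $true)]
        [string]$ProfileName,

        # Device tunnels and other all-user profiles live in the all-user phonebook.
        [switch]$AllUserConnection
    )

    $Xml = [xml](Get-Content -Path $XmlFilePath -Raw)
    $Expected = $Xml.VPNProfile.NativeProfile.CryptographySuite
    if (-not $Expected) {
        throw "No CryptographySuite element found in $XmlFilePath"
    }

    $Conn = if ($AllUserConnection) {
        Get-VpnConnection -Name $ProfileName -AllUserConnection
    } else {
        Get-VpnConnection -Name $ProfileName
    }

    $Applied = $Conn.IPsecCustomPolicy
    if (-not $Applied) {
        Write-Warning "No custom IPsec policy is applied to '$ProfileName'; platform defaults are in use."
    }

    $Settings = 'AuthenticationTransformConstants', 'CipherTransformConstants',
                'EncryptionMethod', 'IntegrityCheckMethod', 'DHGroup', 'PfsGroup'

    foreach ($Setting in $Settings) {
        # Simple child elements dereference to their inner text.
        $Want = [string]$Expected.$Setting
        $Have = if ($Applied) { [string]$Applied.$Setting } else { '' }

        [pscustomobject]@{
            Setting  = $Setting
            Expected = $Want
            Applied  = $Have
            Match    = ($Want -eq $Have)
        }
    }
}

# Usage (run on the client after the profile has been created):
# Compare-AovpnCryptographySuite -XmlFilePath .\ProfileXML_Device.xml `
#     -ProfileName 'Always On VPN Device Tunnel' -AllUserConnection | Format-Table -AutoSize
```

Because the Expected column is read straight from the file, a typo in the XML value is shown side by side with whatever Windows fell back to, so the two failure modes (a value Windows rejected versus a suite it never applied) are distinguishable in one pass.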

AOVPN Profile XML Creation (Device Tunnel)

I tried running your script against an AOVPN connection (device tunnel, IKEv2 authentication) set up on my Windows 10 machine... and it's failing on line 75 "Cannot call a method on a null-valued expression"--- the code implies this is erroring on the creation of the XML file (my VPN connection is configured correctly). What is the correct syntax for this function?

Remove-AoVPNConnection.ps1 unable to delete device tunnel

When I attempt deleting a device tunnel with the Remove-Aovpnconnection script, it doesn't work. I get below error:
.\Remove-AovpnConnection.ps1 -AllUserConnection -ProfileName "Device-Tunnel"
WARNING: Exception calling "DeleteInstance" with "3" argument(s): "The requested item could not be found."
WARNING: Unable to remove VPN profile "Device-Tunnel".

It works fine deleting a user tunnel

Remove-AovpnConnection - Fails in non-English languages

Hello

When removing a device/all-users connection with Remove-AoVPNConnection the script will check to see if the user's name is "nt authority\system"; however, this will fail if the language of the system is not English.

I suggest checking for the SID instead (S-1-5-18), which should be available in $CurrentPrincipal.Identities.User.Value in the code.

Cheers!

Update-Rasphone.ps1 fails for user profile installed with Config Manager

Config Manager install package runs in system context for the user profile, so pbk path will default to system path instead of user path.

I've solved this by adding RasphonePath as an optional parameter and passing this from the profile install script, which already pulls the username from wmi.
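The two reports above are both "running as SYSTEM" problems: the first because the SYSTEM account's display name is localized, the second because SYSTEM's %APPDATA% is not the logged-on user's. The block below is an added example, not code from the aovpn repository. Test-RunningAsLocalSystem answers the identity question by checking the well-known SID S-1-5-18 rather than the account name, and Get-RasphonePath uses it to pick the right rasphone.pbk: the all-user phonebook under ProgramData for device tunnels, the caller's own %APPDATA% when running as the user, and the interactive user's roaming profile when a deployment tool runs the script as SYSTEM. It assumes Win32_ComputerSystem.UserName reports the console user (as the issue's own script does via WMI) and that the standard phonebook locations under Microsoft\Network\Connections\Pbk are in use.

```powershell
function Test-RunningAsLocalSystem {
    # Added example, not part of the aovpn repository.
    # Returns $true when the process token belongs to NT AUTHORITY\SYSTEM.
    # The name-based check ($Identity.Name -eq 'NT AUTHORITY\SYSTEM') breaks on
    # localized Windows (e.g. 'NT-AUTORITÄT\SYSTEM'); the SID S-1-5-18 never changes.
    $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return $Identity.User.IsWellKnown([System.Security.Principal.WellKnownSidType]::LocalSystemSid)
}

function Get-RasphonePath {
    <#
    Added example, not part of the aovpn repository.
    Resolves the rasphone.pbk that holds a VPN profile, correcting for the case
    where the script runs as SYSTEM (e.g. from a deployment package) so that
    $env:APPDATA would otherwise point at the SYSTEM profile.
    Assumes Win32_ComputerSystem.UserName names the interactive console user.
    #>
    param (
        # Device tunnels and all-user profiles share one phonebook under ProgramData.
        [switch]$AllUserConnection,

        # DOMAIN\user whose phonebook is wanted; discovered from WMI when omitted.
        [string]$UserName
    )

    $PbkRelative = 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

    if ($AllUserConnection) {
        return Join-Path $env:ProgramData $PbkRelative
    }

    if (-not (Test-RunningAsLocalSystem) -and -not $UserName) {
        # Running as the interactive user: APPDATA already points at the right profile.
        return Join-Path $env:APPDATA $PbkRelative
    }

    if (-not $UserName) {
        $UserName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
        if (-not $UserName) {
            throw 'Running as SYSTEM and no interactive user is logged on; pass -UserName.'
        }
    }

    # Translate DOMAIN\user to a SID and look up that profile's on-disk location.
    $Sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $UserProfile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$Sid'"
    if (-not $UserProfile) {
        throw "No local profile found for $UserName ($Sid)."
    }

    return Join-Path $UserProfile.LocalPath "AppData\Roaming\$PbkRelative"
}

# Usage: Get-RasphonePath                      # user tunnel, current or console user
#        Get-RasphonePath -AllUserConnection   # device tunnel / all-user profile
```

Note that $UserProfile is used rather than $Profile, because $PROFILE is a PowerShell automatic variable (the path of the current user's profile script) and overwriting it silently changes shell behaviour.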

New-AovpnConnection success message always mentions user tunnel

This is small, but it caught me out at first when testing the tunnel configured correctly after migrating from using your separate Device and non-Device scripts to the single new-aovpnconnection script.

The success message has "user tunnel" hard coded even though the script also now configures device tunnels.

Write-Output "Always On VPN user tunnel profile ""$ProfileName"" created successfully."

Corruption of rasphone.pbk after invoking

I have been having issues getting this to work properly and the deltas from April 30 to June 4 do not seem to address this. The file attached was created using the April 30 version.
rasphone.pbk.corrupt.txt
rasphone.pbk.txt

Invoking via SCCM as a Package, deployed to a User, so it runs in the user context.

The computer is currently running 1809, with a User based Always On VPN connection that is connected at the time of running.

It is invoked as a bat file as such:
@echo OFF
SET MyDirectory=%~dp0
SET PowerShellScriptPath=%~dp0Update-RasPhone.ps1
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& '%PowerShellScriptPath%' -ProfileName 'REDACTED_VPN' -InterfaceMetric 1"

Attached is a working rasphone.pbk prior to running the script and the corrupt pbk from after the script running. Notice the increased size and "Collections.ArrayList" entries.

Any ideas?

Remove-AovpnConnection CleanupOnly doesn't work

The logic for CleanUpOnly doesn't appear to work anymore. We only do the cleanup inside "If ($ProfileRemoved)", which is always false unless we've run the code in the first if block, which is skipped when CleanUpOnly is true.

Set-IKEv2VpnRootCertificate.ps1 Custom EKU OID?

On 2016 I am able to configure my custom cert OIDs for user/device tunnel certificates using:

CertificateEKUsToAccept : {Contoso AlwaysOnVPN, Contoso AlwaysOnVPN - DeviceTunnel}

I am unable to use this same configuration on Server 2022.

I have tried using the OID values as well without success.

Do you have any insight on this issue?
Thanks for your time,

CBC Ciphers have been hacked in 2013 and are considered weak

Cipher Block Chaining (CBC) was hacked back in 2013 and is now considered weak encryption.

For Windows this only leaves a few cipher suites using GCM. On Windows Server 2012, none of the ECDSA ciphers are usable with standard Microsoft applications, so you have to enable two RSA ciphers without perfect forward secrecy to still be able to remotely access the server with RDP.

	'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
	'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
	'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
	'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
	'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
	'TLS_RSA_WITH_AES_256_GCM_SHA384',
	'TLS_RSA_WITH_AES_128_GCM_SHA256'

For Windows 2016 and higher, there are only 4 secure ciphers left.

	'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
	'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
	'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
	'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'

Windows Server 2022 should start to support TLS1.3, but it's not enabled by default.

from https://ciphersuite.info

Cipher Block Chaining:
In 2013, researchers demonstrated a timing attack against several TLS implementations using the CBC encryption algorithm (see isg.rhul.ac.uk). Additionally, the CBC mode is vulnerable to plain-text attacks in TLS 1.0, SSL 3.0 and lower. A fix has been introduced with TLS 1.2 in form of the GCM mode which is not vulnerable to the BEAST attack. GCM should be preferred over CBC.

Remove-VpnConnections.ps1 Removes Active Connections

Thank you for posting this script. We are running into the duplicate clients issue with device tunnel and thought this script would be cleaner than restarting the service regularly.

However, since the Disconnect-VpnUser command targets the username, it closes out all connections with that name, not just ones that we consider stale.

The solution I recommend is disconnecting by HostIpAddress instead of Username (see changes below). However, please correct me as I understand there may be something I am missing.

OLD
$Connections = Get-RemoteAccessConnectionStatistics | Where-Object ConnectionDuration -ge $MaxAge | Select-Object -ExpandProperty UserName -Unique

NEW
$Connections = Get-RemoteAccessConnectionStatistics | Where-Object ConnectionDuration -ge $MaxAge | Select-Object Username, ClientIPAddress | Sort-Object UserName

OLD
Write-Verbose "Removing VPN connections older than $MaxAge seconds..."
Disconnect-VpnUser -UserName $User

NEW
Write-Verbose "Removing VPN connection for $($User.UserName) older than $MaxAge seconds..."
Disconnect-VpnUser -HostIPAddress $User.ClientIPAddress.IPAddressToString
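The change proposed above, carried through to a complete script, as an added example that is not part of the aovpn repository. It selects connections by duration and disconnects each one by the client's tunnel address rather than by user name, so a fresh session from the same account (the normal case for device tunnels, which all authenticate as the machine) is left in place. It requires the RemoteAccess module on the RRAS server, supports -WhatIf so the selection can be reviewed before anything is dropped, and assumes, as the cmdlet output on this page indicates, that ConnectionDuration is reported in seconds and ClientIPAddress holds the client's inner tunnel address.

```powershell
<#
Added example, not part of the aovpn repository.
Disconnects VPN sessions older than -MaxAge seconds by client tunnel IP address,
leaving newer sessions from the same user name untouched.
Assumes Get-RemoteAccessConnectionStatistics reports ConnectionDuration in seconds
and ClientIPAddress as the client's inner tunnel address.
Usage: .\Remove-StaleVpnConnection.ps1 -MaxAge 86400 -WhatIf -Verbose
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param (
    # Connections that have been up at least this many seconds are treated as stale.
    [Parameter(Mandatory = $true)]
    [int]$MaxAge
)

$Stale = Get-RemoteAccessConnectionStatistics |
    Where-Object { $_.ConnectionDuration -ge $MaxAge } |
    Select-Object UserName, ClientIPAddress, ConnectionDuration |
    Sort-Object UserName

if (-not $Stale) {
    Write-Verbose "No connections older than $MaxAge seconds."
    return
}

foreach ($Conn in $Stale) {
    # ClientIPAddress may surface as a single value or a one-element collection;
    # take the first entry and stringify it for -HostIPAddress.
    $ClientIp = [string]($Conn.ClientIPAddress | Select-Object -First 1)
    if (-not $ClientIp) {
        Write-Warning "Skipping $($Conn.UserName): no client IP address reported."
        continue
    }

    $Target = "$($Conn.UserName) at $ClientIp (connected $($Conn.ConnectionDuration) s)"
    if ($PSCmdlet.ShouldProcess($Target, 'Disconnect-VpnUser')) {
        Write-Verbose "Disconnecting $Target"
        # Disconnect this one session only, identified by its tunnel address.
        Disconnect-VpnUser -HostIPAddress $ClientIp
    }
}
```

Running it first with -WhatIf lists exactly which sessions would be dropped, which is the check worth doing before scheduling it, since a wrong -MaxAge would otherwise disconnect every healthy long-lived device tunnel on the box.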
