Deploying VPN Server on Windows Server 2016

Posted: January 24, 2017 in Windows Server

In this blog we'll create a VPN server which will leverage IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2). With the functionality provided by the IKEv2 Mobility and Multihoming protocol (MOBIKE), this tunneling protocol offers inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN). For example, this permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption to the user.

Installing certificates on the VPN server and VPN client

Creating certificate templates

In the Certification Authority (CA) console, right-click Certificate Templates - Manage

Right-click the IPSec template - Duplicate Template

On the Request Handling tab, check Allow private key to be exported

Click the Extensions tab - Application Policies - Edit

Remove IP security IKE intermediate.

Then click Add and choose Server Authentication.

Click Key Usage - Edit

Ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.

On the Security tab, click Object Types - Computers - Add Domain Computers

Make sure Read, Enroll and Autoenroll are selected.

On the General tab, give the template a name.

Now right-click Certificate Templates - New - Certificate Template to Issue

Choose the new template.

Enrolling the certificate on the VPN server

On the VPN server: Start - Run - mmc - Add/Remove Snap-in

Click Certificates - Add - Computer account

Right-click Personal - All Tasks - Request New Certificate

Check the new certificate template - Properties

On the Subject tab, under Subject name, choose Common name from the drop-down menu, enter the FQDN of the VPN server and click Add.

Under Alternative name, choose DNS, enter the FQDN of the VPN server and click Add.

A new certificate should be created.

This certificate should be exported and then imported on the client machine.

Exporting certificate

Right-click the certificate - All Tasks - Export

Export the private key.

Set password and specify file in which certificate should be saved.

Copy the file to the client computer.

Importing the file on the client machine

This certificate should be imported into Trusted Root Certification Authorities on the client.

Start - Run - mmc - add the Certificates snap-in - Local computer

Right-click Trusted Root Certification Authorities - All Tasks - Import

Browse to the copied file and enter the password.
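The enrollment, export and import steps above as an added PowerShell example (not code from the original post): the template name IKEv2-VPN, the FQDN vpn.corp.example and the path C:\temp\vpn-server.pfx are assumptions. The first half runs on the VPN server, the second on the client after the .pfx has been copied over.

```powershell
# Added example (not from the original post). Assumed names: the duplicated template
# is "IKEv2-VPN" and the VPN server's FQDN is vpn.corp.example; adjust both.
$Template = 'IKEv2-VPN'
$Fqdn     = 'vpn.corp.example'

# --- On the VPN server: request a computer certificate from the enterprise CA using
# the duplicated template, with the FQDN as both the CN and a DNS subject alternative name.
$req = Get-Certificate -Template $Template -SubjectName "CN=$Fqdn" -DnsName $Fqdn `
                       -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: $($req.Status)" }
$cert = $req.Certificate

# Verify the template edits actually landed on the issued certificate: Server
# Authentication EKU present, IKE intermediate EKU gone, SAN = FQDN, private key present.
$ekus = @($cert.EnhancedKeyUsageList.FriendlyName)
if ('Server Authentication' -notin $ekus)      { throw 'Server Authentication EKU missing' }
if ('IP security IKE intermediate' -in $ekus)  { Write-Warning 'IKE intermediate EKU still present' }
if ($Fqdn -notin @($cert.DnsNameList.Unicode)) { throw "DNS SAN does not contain $Fqdn" }
if (-not $cert.HasPrivateKey)                  { throw 'No private key bound to the certificate' }

# Export with the private key, password protected, as the post does.
$pfxPath = 'C:\temp\vpn-server.pfx'
$pfxPwd  = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null

# --- On the client, after copying the .pfx: import into Trusted Root Certification
# Authorities as in the post, then confirm what the store now holds. (The IKEv2 client
# checks the server certificate's chain and its Server Authentication EKU; a domain-joined
# client that already trusts the issuing CA validates that chain without this copy.)
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\Root `
                -Password (Read-Host -Prompt 'PFX password' -AsSecureString)
$imported | Format-List Subject, DnsNameList, EnhancedKeyUsageList, NotAfter, HasPrivateKey
```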

 

Installing Roles

On the server, install the Network Policy Server and Remote Access roles.

Open the Routing and Remote Access console - right-click the server icon - Configure and Enable Routing and Remote Access

Remote access (dial-up or VPN)

Check VPN

Select the internet-facing interface.

Define the VPN address pool.

We are not using RADIUS; instead we'll use NPS.

Right-click Remote Access Logging - Launch NPS

Click Network Access Policies

Right-click Connections to Microsoft Routing and Remote Access Server - Properties

Check Grant access

Click Constraints - select Microsoft: Secured password (EAP-MSCHAP v2)

If it's not selected, add it.

Enable user VPN access

In ADUC, right-click the user - Dial-in - Allow access

Client settings

In the hosts file, add an entry for the VPN server (the name must match the one specified in the SSL certificate).

Creating the VPN client connection

Use my Internet connection (VPN)

I'll set up an Internet connection later

In Internet address, type the VPN server name.

Specify the username and password.

On the Security tab, for Type of VPN select IKEv2; for Data encryption select Require encryption; for Authentication select Microsoft: Secured password (EAP-MSCHAP v2).

We can see that IKEv2 is used and the client got an address from our VPN pool (10.10.10.3).
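The client-side steps (hosts entry, a connection with IKEv2, Require encryption and EAP-MSCHAP v2, and the check that the address came from the pool) as an added PowerShell example, not code from the original post; the FQDN vpn.corp.example, the placeholder server address 203.0.113.10, the connection name and the user CORP\vpnuser are assumptions.

```powershell
# Added example (not from the original post). Assumptions: the server's FQDN is
# vpn.corp.example (the name in its certificate), 203.0.113.10 is a placeholder for its
# internet-facing address, the pool is 10.10.10.0/24 and the dial-in user is CORP\vpnuser.
$Fqdn     = 'vpn.corp.example'
$ServerIp = '203.0.113.10'
$ConnName = 'Corp IKEv2'

# hosts entry, so the name the client dials matches the certificate's CN / DNS SAN.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern "\s$([regex]::Escape($Fqdn))\s*`$" -Quiet)) {
    Add-Content -Path $hosts -Value "$ServerIp`t$Fqdn"
}

# EAP settings for "Microsoft: Secured password (EAP-MSCHAP v2)", EAP method type 26,
# the method the NPS policy in the post allows.
[xml]$eapCfg = @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

# The same choices as the post's Security tab: IKEv2, encryption required, EAP.
Add-VpnConnection -Name $ConnName -ServerAddress $Fqdn -TunnelType Ikev2 `
    -EncryptionLevel Required -AuthenticationMethod Eap -EapConfigXmlStream $eapCfg `
    -RememberCredential -Force

# Dial as the user who was granted Dial-in access, then confirm tunnel type and pool address.
rasdial $ConnName 'CORP\vpnuser' (Read-Host -Prompt 'Password for CORP\vpnuser')
$conn = Get-VpnConnection -Name $ConnName
'{0}: status={1} tunnel={2}' -f $conn.Name, $conn.ConnectionStatus, $conn.TunnelType
$addr = (Get-NetIPAddress -InterfaceAlias $ConnName -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress
if ($addr -notlike '10.10.10.*') { Write-Warning "Address '$addr' is not from the VPN pool" }
```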

 

Comments
  1. Alex B says:

    I do NOT see a certificate templates console – no such thing on my fresh Windows Server 2016. How did you get it?

  2. Andy says:

    Hi dragan979,

    Will the VPN client internet connection then route using the VPN server's connection?

    Cheers!
    Andy

  3. Cameron Carlson says:

    I have a question, My ultimate goal is to setup my server 2016 to authenticate to a Cisco ASA 5505. A Full-Time site-to-site tunnel would be ideal. Is this even capable of it?

  4. sheikvara says:

    Reblogged this on Cloud & Virtualization Complete Guide and commented:
    Awesome

  5. Didn't work with 2016 Essentials

  6. Boris Dynin says:

    Hi Dragan,
    It connects but I can’t ping servers on private network?
