Community Test Lab Guide – Demonstrate Windows Server 2008 R2 VPN Reconnect


Microsoft introduced the Test Lab Guide as a new form of documentation that provides valuable hands-on experience with new technologies using a pre-defined and tested methodology. The Test Lab Guide format is designed to be extensible, serving as a framework that can be adapted by members of the IT community to serve their documentation needs. This community test lab guide will take you through the process of setting up the exciting new VPN Reconnect feature in Windows 7 and Windows Server 2008 R2, which relies on IPsec tunnel mode with IKEv2 to enable a VPN tunnel to remain active even when the client system switches from one access point to another, or Internet service is otherwise temporarily interrupted.

Before you get started, make sure that you have completed the configuration in the Base Configuration Test Lab Guide and take a snapshot of the Base Configuration. If you have already completed the Base Configuration, then start all the machines in the Base Configuration, which include DC1, EDGE1, APP1, INET1 and CLIENT1. While we won’t use APP1 in this lab, it’s a good idea to always start all the machines in the Base Configuration when doing a Test Lab Guide so that everything is in sync.

You can find the Base Configuration here.

Make sure that you set up both the Corpnet and Internet subnets, as we will want to move CLIENT1 to the simulated Internet.

Configure User1 with Remote Access Permissions on DC1

First, let’s make sure that we enable User1 for remote access. Open the Active Directory Users and Computers console, click Users in the left pane, and then double-click User1 in the right pane. Then click the Dial-in tab, which is shown in Figure 1. In the Network Access Permission section, select the Allow access option and click OK.

Figure 1

Configure an IPsec Certificate Template on DC1

Now we need to create a certificate template on DC1 that supports IKEv2 connectivity. We will then publish this certificate so that EDGE1 can request it later.

  1. On DC1, click Start, click Administrative Tools, and then click Certification Authority.

  2. In the left pane of the console, expand corp-DC1-CA.

  3. Right-click Certificate Templates, and then click Manage. The Certificate Templates Console appears.

  4. Right-click the IPsec template in the list, and then click Duplicate Template.

  5. In the Duplicate Template dialog box, select Windows Server 2003 Enterprise, and then click OK.

  6. On the General tab, change the Template display name to VPN Reconnect.

  7. On the Request Handling tab, shown in Figure 2, select Allow private key to be exported.

Figure 2

  8. On the Subject Name tab, shown in Figure 3, select Supply in the request. If a warning message appears, click OK.

Figure 3

  9. On the Extensions tab, select Application Policies, and then click Edit. This brings up the Edit Application Policies Extensions dialog box that’s shown in Figure 4.

  10. The IP security IKE intermediate policy is already present. If there are any others, select them and click Remove.

  11. Click Add, select Server Authentication, and then click OK.

Figure 4

  12. Click OK to return to the Extensions tab.

  13. Select Key Usage, shown in Figure 5, and then click Edit.

  14. In the Signature section, ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.

Figure 5

  15. Click the Security tab, shown in Figure 6. In the Group or user names list, click Authenticated Users. In the Permissions for Authenticated Users permissions box, put a checkmark in the Enroll checkbox and click Apply.

Figure 6

  16. Click on the Domain Computers (CORP\Domain Computers) entry in the list. In the Permissions for Domain Computers section, put a checkmark in the Read checkbox. Confirm that there is a checkmark in the Enroll checkbox.

  17. Click OK to save your completed template.

  18. Close the Certificate Templates Console window.

  19. In the Certification Authority console window, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  20. In the Enable Certificate Templates dialog box that’s shown in Figure 7, select VPN Reconnect, and then click OK.

Figure 7

Install the Certificate on EDGE1

Now that the certificate template for the IKEv2 connection is available, let’s request the certificate and install it in the machine certificate store on EDGE1.

  1. On EDGE1, log on as User1 and then click Start and click Run. In the Run text box, enter mmc and click OK.
  2. In the mmc console, click File and then click Add/Remove Snap in.
  3. In the Available snap-ins section, click Certificates and click Add.
  4. On the Certificates snap-in page, shown in Figure 8, select the Computer account option and click Next.

Figure 8

  5. On the Select Computer page, select Local Computer and click Finish.
  6. In the Add or Remove Snap-ins dialog box, click OK.
  7. In the mmc console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on Certificates and then right click on Certificates. Point to All Tasks and then click Request New Certificate, as shown in Figure 9.

Figure 9

  8. On the Before You Begin page, click Next.
  9. On the Select Certificate Enrollment Policy page, shown in Figure 10, click Active Directory Enrollment Policy and click Next.

Figure 10

  10. On the Certificate Requests page, shown in Figure 11, put a checkmark in the VPN Reconnect checkbox. Then click on More information is required to enroll for this certificate. Click here to configure settings.

Figure 11

  11. In the Subject tab of the Certificate Properties dialog box, in the Subject name section, click the down-arrow for Type and select Common name, as shown in Figure 12. In the Value text box, enter edge1.contoso.com and click Add. In the Alternative name section, click the down-arrow for Type and select DNS. In the Value text box, enter and click Add.

Figure 12

  12. In the Certificate Properties dialog box, click OK.
  13. In the Certificate Enrollment dialog box, shown in Figure 13, click the Enroll button at the bottom.

Figure 13

  14. Click the Finish button after a successful enrollment, as shown in Figure 14.

Figure 14

Close the mmc console and do not save the changes.
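
The following PowerShell check confirms that the certificate now in EDGE1's computer store carries what the template steps configured: the subject name, the Server Authentication and IP security IKE intermediate application policies, and the Digital signature key usage. It is an added example, not part of the original guide, and it assumes the common name edge1.contoso.com entered during enrollment; the function and variable names are illustrative.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell on EDGE1.
# $ExpectedName is the common name typed on the Subject tab during enrollment.
$ExpectedName = 'edge1.contoso.com'
$OidServerAuth      = '1.3.6.1.5.5.7.3.1'  # Server Authentication
$OidIkeIntermediate = '1.3.6.1.5.5.8.2.2'  # IP security IKE intermediate

function Test-VpnReconnectCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Name
    )
    $ekus = @()
    $digitalSignature = $false
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            # Collect the OIDs listed in the Enhanced Key Usage extension.
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
            $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
            $digitalSignature = ([int]$ext.KeyUsages -band [int]$flag) -ne 0
        }
    }
    $now = Get-Date
    # One result object per certificate; every check should report True.
    New-Object PSObject -Property @{
        Thumbprint         = $Certificate.Thumbprint
        SubjectMatches     = $Certificate.GetNameInfo('SimpleName', $false) -eq $Name
        HasPrivateKey      = $Certificate.HasPrivateKey
        WithinValidity     = ($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter)
        ServerAuthEku      = $ekus -contains $OidServerAuth
        IkeIntermediateEku = $ekus -contains $OidIkeIntermediate
        DigitalSignature   = $digitalSignature
    }
}

# Evaluate every certificate in the computer's Personal store, keep the ones for EDGE1.
$results = @(Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnReconnectCertificate -Certificate $_ -Name $ExpectedName } |
    Where-Object { $_.SubjectMatches })

if ($results.Count -eq 0) {
    Write-Warning "No certificate with common name $ExpectedName in LocalMachine\My"
} else {
    $results | Format-List
}
```

A property that reports False points back to the matching template tab configured on DC1 (Extensions for the two application policies, Key Usage for the digital signature) or to the Subject tab of the enrollment request.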

Install the Network Policy and Access Services Role on EDGE1

With the certificates in place, we can now install the Routing and Remote Access service on EDGE1.

  1. On EDGE1, open the Server Manager. Click Roles in the left pane of the console. Click Add Roles.

  2. On the Before You Begin page, click Next.

  3. On the Select Server Roles page, shown in Figure 15, click Network Policy and Access Services, click Next.

Figure 15

  4. On the Network Policy and Access Services page, click Next.

  5. On the Select Role Services page, select both Network Policy Server and Routing and Remote Access Services, as shown in Figure 16, and then click Next.

Figure 16

  6. On the Confirm Installation Selections page, click Install.

  7. On the Installation Results page, shown in Figure 17, click Close.

Figure 17

Configure RRAS on EDGE1

Now that the RRAS service is installed on EDGE1, we can configure RRAS to make EDGE1 a VPN server.

  1. On EDGE1, click Start, point to Administrative Tools, and then click Routing and Remote Access.

  2. In the navigation tree, right-click EDGE1 (local), and then click Configure and Enable Routing and Remote Access.

  3. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.

  4. On the Configuration page, click Next to accept the default setting of Remote access (dial-up or VPN), as shown in Figure 18.

Figure 18

  5. On the Remote Access page that’s shown in Figure 19, select VPN, and then click Next.

Figure 19

  6. On the VPN Connection page, shown in Figure 20, under Network interfaces, select Internet. This is the interface that will connect EDGE1 to the Internet. Clear the option Enable security on the selected interface by setting up static packet filters, and then click Next.
    Note that, in a production environment, you should leave security enabled on the public interface. For the purposes of testing lab connectivity, you should disable it.

Figure 20

  7. On the IP Address Assignment page, shown in Figure 21, select Automatically, and then click Next.

Figure 21

  8. On the Managing Multiple Remote Access Servers page, click Next to accept the default setting to not work with a RADIUS server, as shown in Figure 22. In this scenario, RRAS uses Windows Authentication.

Figure 22

  9. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.

  10. On the warning about possible NPS policy conflicts, click OK.

  11. On the warning about the need to configure the DHCP Relay Agent, click OK.

Configure the NPS Server to Allow Access for EAP-MSCHAPv2 Authentication on EDGE1

Don’t get discouraged – we’re in the home stretch. Now we need to configure the RRAS server to allow access for EAP-MSCHAPv2 connections.

  1. On EDGE1, in the Routing and Remote Access console’s left pane, expand EDGE1 (local).

  2. Right-click Remote Access Logging & Policies, and then select Launch NPS, as shown in Figure 23.

Figure 23

  3. In the Network Policy Server window, in the Network Access Policies section, shown in Figure 24, click the Network Access Policies link.

Figure 24

  4. Double-click Connections to Microsoft Routing and Remote Access server, as shown in Figure 25.

Figure 25

  5. On the Overview tab, in the Access Permission section, select Grant access. Grant access if the connection request matches this policy. This is shown in Figure 26.

Figure 26

  6. On the Constraints tab, in the Constraints list, select Authentication Methods, as shown in Figure 27.

Figure 27

  7. If Microsoft: Secured password (EAP-MSCHAPv2) is not present in the EAP Types list, then follow these steps:
    a. Click Add.
    b. In the Add EAP dialog box select Microsoft: Secured Password (EAP-MSCHAP v2), and then click OK.

  8. Select Microsoft: Smart Card or other certificate and click Remove at the bottom to remove the EAP type, as shown in Figure 28.

Figure 28

  9. Click OK to save your changes.

  10. Close the Network Policy Server window that’s shown in Figure 29.

Figure 29

Configure CLIENT1 as VPN Reconnect Client

We’re almost there! Now we need to create the VPN connectoid on CLIENT1. By default, the VPN client will use IKEv2 as its preferred VPN protocol.

  1. On CLIENT1, log on as User1, click Start, and then click Control Panel.
  2. Under Network and Internet, click View network status and tasks, as shown in Figure 30.

Figure 30

  3. In Networking and Sharing Center, click Set up a new connection or network, as shown in Figure 31.

Figure 31

  4. Click Connect to a workplace, and then click Next, as shown in Figure 32.

Figure 32

  5. Click Use my Internet connection (VPN), which is shown in Figure 33.

Figure 33

  6. Click I’ll set up an Internet connection later.
  7. In Internet address, type In Destination name, type VPN Reconnect Connection and then click Next as shown in Figure 34.

Figure 34

  8. In the Type your user name and password dialog box, type the following information:
    ·      In User name, type user1.
    ·      In Password, enter User1’s password.
    ·      Click Remember this password.
    ·      In Domain, enter CORP.
  9. Click Create, and then click Close.

Test the Connection

Fun time! Let’s see if it actually works.

  1. Move CLIENT1 to the Internet subnet.
  2. Open the Network Connections window from the Control Panel, as shown in Figure 35.

Figure 35

  3. Double click on the VPN Reconnect Connection entry.
  4. In the Connect VPN Reconnect Connection dialog box that’s shown in Figure 36, click Connect. You will see a dialog box indicating that authentication is being attempted and then it will disappear after the connection is established.

Figure 36

  5. Right click on VPN Reconnect Connection, as shown in Figure 37, and click Status.

Figure 37

  6. In the VPN Reconnect Connection Status dialog box, shown in Figure 38, click the Details tab. Confirm that the Device name is WAN Miniport (IKEv2).

Figure 38

  7. Go to EDGE1. In the Routing and Remote Access console, shown in Figure 39, expand EDGE1 (local) and then click on Ports. Click the Status column header in the right pane of the console to change the sort order. Double click on the Active connection as noted in the Status column. Note that IKEv2 is the active port.

Figure 39

  8. Close the Routing and Remote Access Console.

Shut Down the Virtual Machine and Snapshot the Test Lab

One of the big advantages of Test Lab Guides is that you can save the working test lab and come back to it later if you want. The last step is to shut down all the machines in the Test Lab and then save a snapshot of each of the machines. Name the snapshot TLG IKEv2 VPN. Then later if we want to build on this test lab, we can restore the TLG IKEv2 VPN snapshot and start from there. Thanks! –Deb.
