Configure IKEv2-based Remote Access

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Routing and Remote Access Service (RRAS) supports Internet Key Exchange version 2 (IKEv2), a VPN tunneling protocol described in RFC 4306. The primary advantage of IKEv2 is that it tolerates interruptions in the underlying network connection. For example, if the connection is temporarily lost, or if a user moves a client computer from one network to another, IKEv2 automatically restores the VPN after the network connection is reestablished — all without intervention on the part of the user. This feature is referred to as VPN Reconnect or Agile VPN. IKEv2 is supported by remote access clients running Windows 7, and by VPN servers running Windows Server 2008 R2.

Deploying IKEv2-based remote access consists of the following:

  • Configure the connection to the Internet

  • Configure the connection to the intranet

  • Join the VPN server to the corporate domain

  • Configure the VPN server as a corporate intranet router

  • Install Active Directory Certificate Services and Web Server (IIS)

  • Create and install the Server Authentication certificate

  • Install the root certificate on the remote access clients

  • Configure the VPN Server

  • Configure NPS to Grant Access for EAP-MSCHAPv2 Authentication

Configure the connection to the Internet

The connection to the Internet from a computer running Windows Server 2008 R2 is a dedicated connection – a WAN adapter installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, Frame Relay adapter, or an adapter for another high-speed, dedicated connection. Verify that the WAN adapter is compatible with Windows Server 2008 R2. The WAN adapter ships with drivers that, once installed, make it appear to Windows as an ordinary network adapter.

You need to configure the following TCP/IP settings on the WAN adapter:

  • IP address and subnet mask assigned by your Internet service provider (ISP).

  • Default gateway of the ISP router.

For more information, see Configure TCP/IP on the VPN Server.

To enable VPN clients to connect to your VPN server by name rather than by IP address, ask your ISP to register the VPN server in DNS.

Configure the connection to the intranet

The connection to the intranet from a computer running Windows Server 2008 R2 is a LAN adapter installed in the computer.

You need to configure the following TCP/IP settings on the LAN adapter:

  • IP address and subnet mask assigned by the network administrator.

  • Addresses of the corporate intranet DNS and WINS name servers.

For more information, see Configure TCP/IP on the VPN Server.
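The two adapter configurations above can be applied from a script instead of the Network Connections UI. The following is an added example, not code from the TechNet page: it uses netsh (the tool available on Windows Server 2008 R2, which has no NetTCPIP PowerShell module) to set the WAN and LAN adapter addressing and then shows what was applied. The adapter names and every address are constructed placeholders: 192.0.2.0/24 stands in for the ISP-assigned block and 10.0.0.0/24 for the corporate intranet.

```powershell
# Added example (not from the TechNet page). Run in an elevated PowerShell 2.0
# session on the VPN server. Adapter names and addresses are placeholders.
$WanAdapter = 'Internet'   # rename the WAN connection to this, or change it here
$LanAdapter = 'Intranet'   # likewise for the LAN connection

$Wan = @{ Address = '192.0.2.10'; Mask = '255.255.255.0'; Gateway = '192.0.2.1' }
$Lan = @{ Address = '10.0.0.5';   Mask = '255.255.255.0'
          Dns = @('10.0.0.10', '10.0.0.11'); Wins = @('10.0.0.12') }

function Invoke-Netsh {
    # Runs one netsh command and stops the script on the first failure, so a
    # mistyped adapter name does not leave the server half-configured.
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    $output
}

# WAN adapter: ISP-assigned address, ISP router as the only default gateway.
Invoke-Netsh interface ipv4 set address "name=$WanAdapter" 'source=static' `
    "address=$($Wan.Address)" "mask=$($Wan.Mask)" "gateway=$($Wan.Gateway)" 'gwmetric=1'
# No DNS servers on the Internet-facing adapter: name resolution stays on the
# intranet servers configured on the LAN adapter.
Invoke-Netsh interface ipv4 set dnsservers "name=$WanAdapter" 'source=static' 'address=none'

# LAN adapter: administrator-assigned address, no default gateway (the intranet
# is reached through the static routes configured on the VPN server), corporate
# DNS and WINS servers.
Invoke-Netsh interface ipv4 set address "name=$LanAdapter" 'source=static' `
    "address=$($Lan.Address)" "mask=$($Lan.Mask)"
Invoke-Netsh interface ipv4 set dnsservers "name=$LanAdapter" 'source=static' `
    "address=$($Lan.Dns[0])" 'register=primary'
for ($i = 1; $i -lt $Lan.Dns.Count; $i++) {
    Invoke-Netsh interface ipv4 add dnsservers "name=$LanAdapter" "address=$($Lan.Dns[$i])" "index=$($i + 1)"
}
Invoke-Netsh interface ipv4 set winsservers "name=$LanAdapter" 'source=static' "address=$($Lan.Wins[0])"

# Show what netsh actually applied, per adapter.
Invoke-Netsh interface ipv4 show config "name=$WanAdapter"
Invoke-Netsh interface ipv4 show config "name=$LanAdapter"
```

Leaving the LAN adapter without a default gateway is deliberate: a second default gateway on the intranet side would compete with the ISP router for Internet-bound traffic, which is why the intranet is reached through explicit routes instead.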

Join the VPN server to the corporate domain

If the VPN server is not already a member of the Active Directory domain, use the Active Directory Users and Computers MMC snap-in to join the server to the domain.

Configure the VPN server as a corporate intranet router

For the VPN server to properly forward traffic on the corporate intranet, you must configure it as a router with either static routes or routing protocols — such as Routing Information Protocol (RIP) — so that all of the locations on the intranet are reachable from the VPN server. For information about configuring routing, see Configure Routing on a VPN Server.
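For the static-route option, the following added example (not code from the TechNet page) adds a persistent route on the VPN server for each intranet prefix that is not directly attached and then verifies, through WMI, that every route is both persisted and active. The prefixes and the next hop are constructed placeholders: 10.0.0.1 is assumed to be the intranet router on the LAN adapter's subnet.

```powershell
# Added example (not from the TechNet page). Run elevated on the VPN server.
# The intranet router address and prefixes below are placeholders.
$IntranetRouter = '10.0.0.1'
$IntranetPrefixes = @(
    @{ Destination = '10.1.0.0';   Mask = '255.255.0.0' },
    @{ Destination = '10.2.0.0';   Mask = '255.255.0.0' },
    @{ Destination = '172.16.0.0'; Mask = '255.240.0.0' }
)

function Test-PersistentRoute {
    # Reports whether a route is stored for reboot (PersistedRouteTable) and
    # currently in the forwarding table (RouteTable).
    param([string]$Destination, [string]$Mask, [string]$NextHop)
    $filter = { $_.Destination -eq $Destination -and $_.Mask -eq $Mask -and $_.NextHop -eq $NextHop }
    $persisted = Get-WmiObject Win32_IP4PersistedRouteTable | Where-Object $filter
    $active    = Get-WmiObject Win32_IP4RouteTable          | Where-Object $filter
    New-Object PSObject -Property @{
        Route      = "$Destination/$Mask via $NextHop"
        Persistent = [bool]$persisted
        Active     = [bool]$active
    }
}

function Add-PersistentRoute {
    # route.exe -p stores the route so it survives a reboot; skip routes that
    # are already present so the script can be re-run safely.
    param([string]$Destination, [string]$Mask, [string]$NextHop)
    $state = Test-PersistentRoute $Destination $Mask $NextHop
    if ($state.Persistent -and $state.Active) { return $state }
    $out = & route.exe -p add $Destination mask $Mask $NextHop 2>&1
    if ($LASTEXITCODE -ne 0) { throw "route add $Destination mask $Mask failed: $out" }
    Test-PersistentRoute $Destination $Mask $NextHop
}

$results = foreach ($p in $IntranetPrefixes) {
    Add-PersistentRoute -Destination $p.Destination -Mask $p.Mask -NextHop $IntranetRouter
}
$results | Format-Table Route, Persistent, Active -AutoSize

# Routes are useless unless the server forwards packets between its adapters.
# RRAS sets this value when the server is configured as a router; warn if it is still 0.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
if ($tcpip.IPEnableRouter -ne 1) {
    Write-Warning 'IPEnableRouter is not set: IP forwarding is off until RRAS is configured as a router.'
}
```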

Install Active Directory Certificate Services and Web Server (IIS)

For an IKEv2-based VPN connection, you must install and configure the Active Directory Certificate Services and Web Server (IIS) server roles to enable Web enrollment of a computer certificate.

For more information, see Appendix A: Computer Certificates for VPN Connections in the Routing and Remote Access Services Design Guide.

Create and install the Server Authentication certificate

After you install and configure the Active Directory Certificate Services and Web Server (IIS) server roles, you must do the following:

  • Create a certificate template with the required Enhanced Key Usage (EKU) options

  • Issue the certificate template

  • Configure ActiveX control settings to allow certificate publishing

  • Request a Server Authentication certificate

  • Move the certificate to the machine store

  • Generate the trusted root certificate

For more information, see Active Directory Certificate Services.
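Before moving on to RRAS configuration it is worth confirming that the certificate that ended up in the machine store actually satisfies every requirement the steps above are meant to produce. The following is an added example, not code from the TechNet page, and it makes two assumptions the page does not state: the VPN server's public DNS name is vpn.example.com (a placeholder), and the template carries the two EKUs Windows requires for an IKEv2 server certificate, Server Authentication (1.3.6.1.5.5.7.3.1) and IP security IKE intermediate (1.3.6.1.5.5.8.2.2). It reports, per certificate in LocalMachine\My, whether the name matches, a private key is present, the validity period covers today, the required EKUs are present, and a chain builds to a trusted root (the same check a client performs once the root certificate has been installed on it).

```powershell
# Added example (not from the TechNet page). Run on the VPN server.
# $VpnServerName is a placeholder; $RequiredEkus are the EKU OIDs assumed for IKEv2.
$VpnServerName = 'vpn.example.com'
$RequiredEkus  = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2')

function Get-EkuOids {
    # Returns the EKU OIDs from the certificate's Enhanced Key Usage extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-CertificateName {
    # True if the DNS name appears as the subject CN or as a SAN DNS entry.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$DnsName)
    $escaped = [regex]::Escape($DnsName)
    if ($Cert.Subject -match ('(^|, )CN=' + $escaped + '(,|$)')) { return $true }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san -and $san.Format($false) -match ('DNS Name=' + $escaped + '(,|$)')) { return $true }
    $false
}

function Test-IkeV2ServerCertificate {
    param([string]$DnsName, [string[]]$Ekus)
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $oids    = Get-EkuOids $cert
        $missing = @($Ekus | Where-Object { $oids -notcontains $_ })
        # Build the chain as Windows would: fails if the issuing CA's root is not
        # trusted by this machine, or if revocation cannot be determined.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $builds  = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NameMatches   = Test-CertificateName $cert $DnsName
            HasPrivateKey = $cert.HasPrivateKey
            Valid         = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            MissingEkus   = ($missing -join ',')
            ChainBuilds   = $builds
            ChainStatus   = $status
        }
    }
}

$results = @(Test-IkeV2ServerCertificate -DnsName $VpnServerName -Ekus $RequiredEkus)
$results | Format-Table Thumbprint, NameMatches, HasPrivateKey, Valid, MissingEkus, ChainBuilds, ChainStatus -AutoSize

$usable = @($results | Where-Object {
    $_.NameMatches -and $_.HasPrivateKey -and $_.Valid -and $_.MissingEkus -eq '' -and $_.ChainBuilds })
if ($usable.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My meets all IKEv2 server requirements for $VpnServerName."
} else {
    'Usable IKEv2 server certificate(s): ' + (($usable | ForEach-Object { $_.Thumbprint }) -join ', ')
}
```

A chain that fails with a status of RevocationStatusUnknown or OfflineRevocation points at CRL reachability rather than at the certificate itself; that is also what a client will see if the CRL distribution point is only reachable on the intranet, so it is worth resolving before clients test from the Internet.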

Install the root certificate on the remote access clients

If a remote access client is a member of the same Active Directory domain as the VPN server, the client can obtain the trusted root certificate through auto-enrollment.

To enable remote access clients to acquire the root certificate through auto-enrollment, see Configure Certificate Autoenrollment (https://go.microsoft.com/fwlink/?LinkID=133948).

Install the root certificate for the CA that issued the server authentication certificate. This is required for the client computer to trust the server authentication certificate in order to complete the VPN connection.

Configure the VPN Server

You can configure your VPN server by running the Routing and Remote Access Server Setup Wizard. You can use the wizard to configure the following settings:

  • The method by which the VPN server assigns IP addresses to remote access clients (either using addresses that the VPN server obtains from a DHCP server or by using addresses from a specified range of addresses that you configure).

  • Forwarding of authorization and authentication messages to a Remote Authentication Dial-In User Service (RADIUS) server (configuration of the VPN server as a RADIUS client).
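The same two wizard choices can be applied with netsh ras, which keeps the result reproducible across servers. The following is an added example, not code from the TechNet page: it selects a static address pool for remote access clients and points authentication at an NPS server acting as RADIUS server. The pool range and the NPS host name are constructed placeholders, and the RADIUS shared secret is prompted for at run time rather than stored in the script.

```powershell
# Added example (not from the TechNet page). Run elevated on the VPN server
# after the Routing and Remote Access service has been enabled.
# Pool range and NPS server name are placeholders.
$PoolStart = '10.0.50.1'
$PoolEnd   = '10.0.50.254'
$NpsServer = 'nps01.corp.example.com'

function Invoke-Netsh {
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $output" }
    $output
}

# Address assignment: a static pool instead of DHCP. Choose a range that is
# routed to the VPN server from the intranet but not used on any LAN segment.
Invoke-Netsh ras ip set addrassign 'method=pool'
Invoke-Netsh ras ip add range "from=$PoolStart" "to=$PoolEnd"

# Authentication: forward to NPS (RADIUS). The shared secret must match the
# RADIUS client entry created for this VPN server on the NPS side. It is read
# as a SecureString and zeroed after use so it never sits in a script file.
$secure = Read-Host -AsSecureString "RADIUS shared secret for $NpsServer"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

Invoke-Netsh ras aaaa set authentication 'provider=radius'
# signature=enabled requires the Message-Authenticator attribute, which protects
# the RADIUS exchange against tampering; enable the same option on the NPS client entry.
Invoke-Netsh ras aaaa add authserver "name=$NpsServer" "secret=$secret" 'signature=enabled'
Remove-Variable secret

# Show the resulting address assignment and RADIUS server configuration.
Invoke-Netsh ras ip show config
Invoke-Netsh ras aaaa show authserver
```

The secret is passed to netsh on its command line, so it is briefly visible to process inspection on the server, the same exposure as typing the command interactively; the script avoids the more lasting problem of a secret stored in a file.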

Configure NPS to Grant Access for EAP-MSCHAPv2 Authentication

Use Network Policy Server (NPS) to enable and configure the remote access policies required for an IKEv2-based VPN connection.

Note

You can install NPS on the domain controller or on a separate, dedicated server.

IKEv2 supports computer certificate and Extensible Authentication Protocol (EAP)-based authentication. NPS is required only when using EAP-based authentication.