Table of Contents

Routing and Remote Access server as VPN server

IKEv2

Restrict accepted Client Certificates

This applies only if you are going to use IKEv2 and certificate authentication. When UserAuthProtocolAccepted contains Certificate. If you are using only EAP, you don't need or cannot even apply these settings.

By default RRAS is bit too permissive with certificate authentication. It accepts any certificate from client which is signed by any Root CA in Computers Trusted Root Certification Authorities, and there are all Root CA:s Microsoft delivers with Windows. So either you would need to delete those certificates and break all outbound https traffic or set RRAS accept only the one you use. This needs to be done from Powershell, first check your settings: 

PS C:\Windows\system32> Get-VpnAuthProtocol

UserAuthProtocolAccepted      : {EAP, Certificate}
TunnelAuthProtocolsAdvertised : Certificates
RootCertificateNameToAccept   :
CertificateAdvertised         :
CertificateEKUsToAccept       :

As we can see RootCertificateNameToAccept is empty, lets add your root CA. Check that the CA is installed in your Computers Trusted Root Certification Authorities under Computer Account, take note of its Thubmprint.Then Powershell again: 

$cert = (get-childitem -path cert:Localmachine\root | where-object {$_.Thumbprint -like "thumbprintwithoutspaces"})

Set-VpnAuthProtocol -RootCertificateNameToAccept $cert -PassThru
WARNING: Configuration parameters will be modified after the Remote Access service is restarted.

UserAuthProtocolAccepted      : {EAP, Certificate}
TunnelAuthProtocolsAdvertised : Certificates
RootCertificateNameToAccept   : [Subject]
                                  CN=yourcert

                                [Issuer]
                                  CN=yourcert

                                [Serial Number]
                                  22222Serial

                                [Not Before]
                                  2.6.2020 12.00.38

                                [Not After]
                                  2.6.2030 12.10.38

                                [Thumbprint]
                                  FFFFThumprint

CertificateAdvertised         :
CertificateEKUsToAccept       :

Then you need to restart Routing and Remote Access service: 

Restart-Service RemoteAccess

And its done: 

 Get-VpnAuthProtocol

UserAuthProtocolAccepted      : {EAP, Certificate}
TunnelAuthProtocolsAdvertised : Certificates
RootCertificateNameToAccept   : [Subject]
                                  CN=yourcert

                                [Issuer]
                                  CN=yourcert

                                [Serial Number]
                                  22222Serial

                                [Not Before]
                                  2.6.2020 12.00.38

                                [Not After]
                                  2.6.2030 12.10.38

                                [Thumbprint]
                                  FFFFThumprint

CertificateAdvertised         :
CertificateEKUsToAccept       :