Routing and Remote Access server as VPN server

IKEv2

Hardening settings

By default, RRAS is too permissive with IKEv2 machine-certificate authentication. It accepts any client certificate that chains to any root CA in the computer's Trusted Root Certification Authorities store, and that store contains every root CA Microsoft ships with Windows. So either you delete those root certificates, which also breaks certificate validation for the server's own outbound HTTPS traffic, or you tell RRAS to accept only the root CA you actually use. There is no GUI for this; it has to be done from PowerShell. First check your current settings:

PS C:\Windows\system32> Get-VpnAuthProtocol

UserAuthProtocolAccepted      : {EAP, Certificate}
TunnelAuthProtocolsAdvertised : Certificates
RootCertificateNameToAccept   :
CertificateAdvertised         :
CertificateEKUsToAccept       :

As we can see, RootCertificateNameToAccept is empty, so let's add your root CA. Check that the CA certificate is installed under Trusted Root Certification Authorities in the Computer account (Local Machine) store and take note of its thumbprint. Then, in PowerShell again:

# Exact match on the thumbprint (copied without spaces); the store path is Cert:\LocalMachine\Root
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq "thumbprintwithoutspaces" }

Set-VpnAuthProtocol -RootCertificateNameToAccept $cert -PassThru
WARNING: Configuration parameters will be modified after the Remote Access service is restarted.

UserAuthProtocolAccepted      : {EAP, Certificate}
TunnelAuthProtocolsAdvertised : Certificates
RootCertificateNameToAccept   : [Subject]
                                  CN=yourcert

                                [Issuer]
                                  CN=yourcert

                                [Serial Number]
                                  22222Serial

                                [Not Before]
                                  2.6.2020 12.00.38

                                [Not After]
                                  2.6.2030 12.10.38

                                [Thumbprint]
                                  FFFFThumprint

CertificateAdvertised         :
CertificateEKUsToAccept       :

Then you need to restart Routing and Remote Access service:

Restart-Service RemoteAccess

And it's done; verify the active configuration:

Get-VpnAuthProtocol

UserAuthProtocolAccepted      : {EAP, Certificate}
TunnelAuthProtocolsAdvertised : Certificates
RootCertificateNameToAccept   : [Subject]
                                  CN=yourcert

                                [Issuer]
                                  CN=yourcert

                                [Serial Number]
                                  22222Serial

                                [Not Before]
                                  2.6.2020 12.00.38

                                [Not After]
                                  2.6.2030 12.10.38

                                [Thumbprint]
                                  FFFFThumprint

CertificateAdvertised         :
CertificateEKUsToAccept       :
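The whole procedure above (look up the root CA, pin it, restart the service, verify) as one script. This is an added example, not code from the original page; the thumbprint is a placeholder for your own root CA, which is assumed to be already imported into the computer's Trusted Root Certification Authorities store, and the function names are this example's own.

```powershell
# Added example, not from the original page: pin the RRAS IKEv2 root CA and verify the result.
# Run in an elevated PowerShell session on the RRAS server.
# Assumption: $RootThumbprint is a placeholder for your own root CA's thumbprint; that CA must
# already be present in Cert:\LocalMachine\Root.
$RootThumbprint = 'FFFFThumprint'

function Get-PinnedRootCandidate {
    # Look up exactly one root certificate in Cert:\LocalMachine\Root by thumbprint.
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from the certificate dialog often contain spaces or lower case.
    $tp = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $found = @(Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp })

    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate with thumbprint $tp in LocalMachine\Root, found $($found.Count)."
    }
    $cert = $found[0]

    # Sanity checks before pinning: it must be a self-signed root and still valid.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Certificate $tp is not self-signed; pin the root CA, not an intermediate."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $tp expired on $($cert.NotAfter); clients would stop authenticating."
    }
    return $cert
}

function Set-RrasRootCaPin {
    # Apply the pin, then restart the service so the new configuration takes effect.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$RootCert)

    Set-VpnAuthProtocol -RootCertificateNameToAccept $RootCert -PassThru | Out-Null
    # Set-VpnAuthProtocol warns that the change is only applied after the service restarts.
    Restart-Service -Name RemoteAccess
}

function Test-RrasRootCaPin {
    # Return $true only if RRAS is pinned to the expected root CA and nothing else.
    param([Parameter(Mandatory)][string]$ExpectedThumbprint)

    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    $cfg = Get-VpnAuthProtocol
    $pinned = @($cfg.RootCertificateNameToAccept | Where-Object { $_ -ne $null })

    if ($pinned.Count -eq 0) {
        Write-Warning 'RootCertificateNameToAccept is empty: any certificate from any trusted root CA is accepted.'
        return $false
    }
    $thumbprints = @($pinned | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    if ($thumbprints.Count -eq 1 -and $thumbprints -contains $expected) {
        Write-Host "RRAS accepts only client certificates chaining to $expected."
        return $true
    }
    Write-Warning "RRAS is pinned to: $($thumbprints -join ', ') (expected only $expected)."
    return $false
}

# Usage: look up, pin, restart, verify. Exit non-zero if the pin did not take.
$root = Get-PinnedRootCandidate -Thumbprint $RootThumbprint
Set-RrasRootCaPin -RootCert $root
if (-not (Test-RrasRootCaPin -ExpectedThumbprint $RootThumbprint)) { exit 1 }
```

Two practical caveats: restarting the Remote Access service drops every active VPN session, so schedule the change accordingly; and pinning the root only narrows trust to certificates issued by your own CA, so any client certificate your CA issues still authenticates. Get-VpnAuthProtocol also exposes CertificateEKUsToAccept, which the same cmdlet can set if you want to require a specific EKU on top of the root pin (check the Set-VpnAuthProtocol documentation for the accepted value format before relying on it).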
playground/microsoft/windows/rras_server.1597410751.txt.gz · Last modified: 2020/08/14 16:12 by admintomi