If you are running an older operating system, let me know so I can test it. But as far as I remember, this is the way it has always been.
-
PowerShell Script - Configure VPN
Mike Rodrick
Edutainer, ITProTV. If the post above has answered the question, please mark the topic as solved.
-
@Mike-Rodrick We will be running this on Windows 7 onwards.
We use a Meraki setup via the following link; https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration
I have been setting this up to use 'Require encryption' and 'PAP' together fine via the interface and connects.
-
I learned something new! If you change the VPN type to L2TP/IPsec specifically (not the default automatic), it will allow the use of PAP as the only authentication method and allow you to require encryption. Since the IPsec tunnel is established first, the credentials are still protected, even when using PAP. Nice!
So we just need to adjust the script to set the VPN type as well as the authentication method. I'll post a new script once I test it.
Mike Rodrick
-
@Mike-Rodrick Thanks, appreciate it.
-
I believe you have found the one thing you can do in the GUI and cannot do through PowerShell. I have tried several ways, and cannot get PowerShell to let me change the encryption level to required. I've tried setting the tunnel type first and setting the encryption level first, none of which worked. Yet I was able to set the encryption level to required in the GUI using PAP as long as I set the tunnel type to L2TP first. I have not been able to find a way to launch the dialog box either.
I'll keep trying to figure out a solution. What are you using with L2TP, certificates or PSK?
Mike Rodrick
-
@Mike-Rodrick Thanks for the update. We are using PSK.
-
Take a look at this solution. I haven't tested it using packet capture to verify the encryption.
I've used Add-VpnConnection to create the VPN, configured to use L2TP and PAP. Then I used Set-VpnConnectionIPsecConfiguration to set a custom configuration. It doesn't change the drop down list in the GUI, but when you do a Get-VpnConnection, it lists encryptionLevel as custom.
# Create the all-user connection as L2TP/IPsec with a pre-shared key and PAP.
Add-VpnConnection `
    -Name 'test' `
    -ServerAddress '1.2.3.4' `
    -TunnelType L2tp `
    -L2tpPsk 'Pa$$w0rd' `
    -AllUserConnection `
    -AuthenticationMethod Pap `
    -WarningAction SilentlyContinue `
    -InformationAction SilentlyContinue `
    -Force

# Apply an explicit IPsec proposal; Get-VpnConnection then reports EncryptionLevel as Custom.
Set-VpnConnectionIPsecConfiguration `
    -ConnectionName 'test' `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES128 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup None `
    -DHGroup ECP256 `
    -PassThru `
    -Force `
    -WarningAction SilentlyContinue

# Verify the result.
Get-VpnConnection -AllUserConnection -Name 'test'
Mike Rodrick
-
@Mike-Rodrick Thanks for this script, really appreciate it.
The only thing is the VPN connection will already be set up, and the issue is the 'PAP' option disappears after updates due to Microsoft disabling it by default.
I have tested your script and it creates the connection with Encryption set as custom, but when trying to connect I get the following error:
'Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.'
Is there no way to have the VPN's security adaptor dialog box appear to have the end user just check the correct options?
Waqkas
-
@Mike-Rodrick Hi, I was wondering if there were any updates on this please? As I have had a look around and can't see the option to open the dialog. Also, this does not have to be in a PowerShell script.
-
I don't know of a way to open the VPN dialog box. That might need to be done in C, C++, or C#; I don't think you can with PowerShell.
You might look into ras.h. I am not familiar with C programming, but that header contains the APIs to work with VPN connections in Windows.
I'm not sure what is causing the error; you will need to examine the log files. Maybe an issue during the main mode negotiation? Password mismatch? Possibly some of the encryption choices (AuthenticationTransformConstants, IntegrityCheckMethod, etc.) don't match the receiving end.
Mike
Mike Rodrick
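Since the connection in Waqkas's case already exists, here is an added example (not a script from Mike or from this thread) that reconfigures an existing all-user connection in place rather than recreating it: it sets the tunnel type to L2TP before switching to PAP, attempts the Required encryption level the GUI offers, and only falls back to the explicit IPsec proposal from Mike's script if PowerShell refuses that setting. The connection name and PSK are placeholders, and the proposal values are assumed to match what the concentrator accepts; a mismatch there is one of the causes Mike lists for the negotiation error.

```powershell
# Added example, not from the thread. Reconfigure an EXISTING all-user VPN
# connection in place and report what PowerShell ended up with.
param(
    [string]$Name = 'test',             # placeholder connection name
    [string]$Psk  = 'REPLACE-WITH-PSK'  # placeholder pre-shared key
)

$vpn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
if (-not $vpn) { throw "No all-user VPN connection named '$Name' was found." }
Write-Host "Before: TunnelType=$($vpn.TunnelType) Auth=$($vpn.AuthenticationMethod -join ',') Encryption=$($vpn.EncryptionLevel)"

# 1. Force the tunnel type to L2TP/IPsec first. The GUI only accepts PAP together
#    with 'Require encryption' once the type is no longer Automatic.
Set-VpnConnection -Name $Name -AllUserConnection -TunnelType L2tp -L2tpPsk $Psk `
    -Force -WarningAction SilentlyContinue

# 2. Switch the authentication method to PAP (the option that updates hide in the GUI).
Set-VpnConnection -Name $Name -AllUserConnection -AuthenticationMethod Pap `
    -Force -WarningAction SilentlyContinue

# 3. Try the setting the GUI offers. The thread reports PowerShell rejects this
#    for PAP, so catch the error instead of aborting the whole script.
$requiredApplied = $true
try {
    Set-VpnConnection -Name $Name -AllUserConnection -EncryptionLevel Required `
        -Force -ErrorAction Stop -WarningAction SilentlyContinue
} catch {
    $requiredApplied = $false
    Write-Warning "EncryptionLevel=Required was refused: $($_.Exception.Message)"
}

# 4. Fall back to an explicit IPsec proposal (reported as EncryptionLevel 'Custom').
#    Assumed values, copied from the script above; they must match the concentrator.
if (-not $requiredApplied) {
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
        -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -PfsGroup None -DHGroup ECP256 -Force -WarningAction SilentlyContinue
}

# 5. Show the resulting state so a mismatch with the remote end is easy to spot.
$vpn = Get-VpnConnection -Name $Name -AllUserConnection
Write-Host "After:  TunnelType=$($vpn.TunnelType) Auth=$($vpn.AuthenticationMethod -join ',') Encryption=$($vpn.EncryptionLevel)"
if ($vpn.IPsecCustomPolicy) { $vpn.IPsecCustomPolicy | Format-List }
```

Run it from an elevated PowerShell session, since all-user connections live in the system phonebook.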