Static VPN Routes not applied via Windows login screen

TassieTrooper 16 Reputation points
2022-03-15T21:57:01.127+00:00

Hi,

Can someone confirm that this cmdlet works when using an '-AllUserConnection' VPN via the Windows 10 login screen?

    foreach ($Destination in $RouteList)
    {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -AllUserConnection -DestinationPrefix $Destination
    }
*This is the Meraki VPN split tunnel script.

The routing works fine when the VPN is connected during a current user's login session, and that is also true for any user that is currently logged in, yet the routes are not applied when connecting via the Remote Connections login from the Windows login screen.

Windows 10 Network

15 answers

  1. imennodenis 1 Reputation point
    2023-03-22T09:13:06.54+00:00

    It seems I have found a solution.

    Try to set DeviceTunnel=1 in the all-users rasphone.pbk file. I'm using SSTP (not L2TP) but I think it should work too.

    I have noticed a small drawback of that: a user does not see that the VPN connection is actually connected, but that's OK for me.
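
One way to apply the DeviceTunnel=1 change described above without hand-editing the phonebook. This is an added example, not code from the thread or from Microsoft; it assumes the connection already exists in the all-users phonebook (C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk), that $ConnectionName is a placeholder for its [Entry] name, and that the shell is elevated, since that file is not writable by standard users.

```powershell
# Added example: set DeviceTunnel=1 for one entry in the all-users rasphone.pbk.
# $ConnectionName is a placeholder; replace it with the name shown by
# Get-VpnConnection -AllUserConnection. Run from an elevated PowerShell.
$ConnectionName = 'Corp-VPN'
$Pbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

if (-not (Test-Path $Pbk)) { throw "All-users phonebook not found: $Pbk" }

# Keep a copy so the change can be reverted if the login-screen behaviour changes.
Copy-Item -Path $Pbk -Destination "$Pbk.bak" -Force

# rasphone.pbk is INI-style: one [Name] header per connection, then key=value lines.
$out     = New-Object System.Collections.Generic.List[string]
$inEntry = $false   # are we inside the [$ConnectionName] section?
$found   = $false   # did the section exist at all?
$set     = $false   # did we rewrite an existing DeviceTunnel= line?

foreach ($line in Get-Content -Path $Pbk) {
    if ($line -match '^\[(.+)\]$') {
        $inEntry = ($Matches[1] -eq $ConnectionName)
        if ($inEntry) { $found = $true }
        $out.Add($line)
        continue
    }
    if ($inEntry -and $line -match '^DeviceTunnel=') {
        $out.Add('DeviceTunnel=1')
        $set = $true
        continue
    }
    $out.Add($line)
}

if (-not $found) { throw "No [$ConnectionName] entry in $Pbk" }
if (-not $set) {
    # Entry has no DeviceTunnel key yet: insert one directly under its header.
    $idx = $out.IndexOf("[$ConnectionName]")
    $out.Insert($idx + 1, 'DeviceTunnel=1')
}

# Write it back as plain ANSI text, the encoding RAS uses for the phonebook.
Set-Content -Path $Pbk -Value $out -Encoding Default

# Show the result for the edited entry only.
Select-String -Path $Pbk -Pattern "^\[$([regex]::Escape($ConnectionName))\]|^DeviceTunnel=" |
    Select-Object LineNumber, Line
```

Only the key in the named section is touched, so other all-users entries keep their own DeviceTunnel setting. Keep the .bak file until the login-screen routing has been confirmed on that machine, because this is the one place the change can be undone cleanly.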


  2. IT Trev 11 Reputation points
    2023-01-09T23:23:27.537+00:00

    At the end of the day, it looks like the issue is device VPN profile vs user VPN profile.

    The device VPN profile does NOT load routes. When using L2TP VPNs with 'AllUserConnection', during the Ctrl-Alt-Delete screen, when you connect to this VPN it will use a device VPN profile.
    After the user profile loads, it will use a user VPN profile, and this does use (and load) the routes.

    I don't fully understand the details of how that transition works.

    Microsoft said one solution is to not use L2TP. Also, PROPERLY using device VPN profiles (i.e. in your VPN architecture design) will prevent this issue. Using additional routes with L2TP VPNs in the pre-logon environment (which is a device VPN profile) is not supported.
    At least, this is my current understanding.

    Again, here's the link I was given. This is more specific to Always On VPN, but it's not ONLY for Always On VPN. The info for device vs user VPN is still very relevant.
    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

    1 person found this answer helpful.

  3. IT Trev 11 Reputation points
    2022-12-22T20:54:46.17+00:00

    Microsoft has said this is expected behavior. The issue is the "VPN profile". There is a 'device' profile and a 'user' profile.
    They gave me an article that describes this, but it is specific to 'Always On VPN'. I'm not using Always On VPN.
    Despite not using Always On VPN, I believe the issue is likely the same. VPN operates in a different way when it's in 'device' mode vs 'user' mode. In the pre-logon environment, or if you are using the computer/system account to initiate the VPN, it uses the 'device' VPN profile.

    The problem I have is there's no reference or understanding of these 2 different modes of operation, when they're used, how they're used, or how they interact.

    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

    I'm going to have a call and try to understand this better.


  4. TassieTrooper 16 Reputation points
    2022-11-30T07:17:47.027+00:00

    This sounds 100% like a furfy! Using IKEv2 makes no sense as to why there would be a difference in the way a global address book connection is meant to work, as per the purpose of the AllUserConnection parameter. Further, nowhere in any literature does it say that L2TP is not supported. This 100% is a bug within the OS and should be fixed, not worked around.


  5. IT Trev 11 Reputation points
    2022-11-29T05:40:04.35+00:00

    Possible way to deal with this issue, per Microsoft:

    Use an IKEv2 tunnel, not L2TP. MS said they can see the issue with L2TP, but the issue seems to NOT be a problem with IKEv2. Using PowerShell to create the VPN connection, you would use the parameter "-TunnelType Ikev2" instead of "-TunnelType L2tp".

    https://learn.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnection?view=windowsserver2022-ps

    Unfortunately, in my current environment, I can't use ikev2 for my client VPNs.
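
The IKEv2 variant of the original question's setup, as an added example rather than code from the thread or from Meraki's script: it creates the all-users entry with -TunnelType Ikev2, adds the same split-tunnel routes, and then reads the entry back so the tunnel type and routes can be checked before anyone tests from the login screen. $ConnectionName, $ServerAddress and the prefixes in $RouteList are placeholders; the EAP authentication choice is an assumption (IKEv2 on Windows accepts Eap or MachineCertificate) and must match the VPN server. Run elevated.

```powershell
# Added example: all-users IKEv2 split-tunnel connection plus route verification.
# Placeholders: $ConnectionName, $ServerAddress and the constructed $RouteList.
$ConnectionName = 'Corp-VPN'
$ServerAddress  = 'vpn.example.com'
$RouteList      = @('10.10.0.0/16', '192.168.50.0/24')   # constructed sample prefixes

# Replace any existing all-users entry of the same name so the tunnel type is not left at L2TP.
if (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
}

# IKEv2 instead of L2TP. -AuthenticationMethod Eap assumes user-credential EAP;
# use MachineCertificate if the server authenticates the device by certificate.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
    -SplitTunneling -AllUserConnection -RememberCredential -Force

# Split tunnel: only these prefixes are routed into the VPN, as in the question's loop.
foreach ($Destination in $RouteList) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -AllUserConnection -DestinationPrefix $Destination
}

# Read the entry back. Confirm TunnelType is Ikev2 and every prefix is present
# before testing the login-screen (device profile) connection.
$conn = Get-VpnConnection -Name $ConnectionName -AllUserConnection
$routes = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })
$missing = $RouteList | Where-Object { $_ -notin $routes }

[pscustomobject]@{
    Name           = $conn.Name
    TunnelType     = $conn.TunnelType
    SplitTunneling = $conn.SplitTunneling
    Routes         = ($routes -join ', ')
    MissingRoutes  = ($missing -join ', ')
}
```

Once connected from the login screen, `Get-NetRoute -AddressFamily IPv4 | Where-Object DestinationPrefix -in $RouteList` on the same machine shows whether the routes actually landed in the routing table, which is the observation the thread is about; the phonebook entry alone does not prove it.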