AutoPilot Hybrid joined devices using Always-On VPN Device Tunnel

Nitin Kumar 1 Reputation point
2021-06-08T10:37:15.683+00:00

Hi there,

I have successfully deployed Always On User Tunnel to a group of users for initial testing and that has been working great.

Now I have been working on the Device Tunnel so we can use Autopilot to onboard new employees remotely.
The device tunnel has been deployed and it works fine in my test environment, but I have an issue where, when the device tunnel is connected, the user tunnel keeps reconnecting and eventually gives up.

My understanding is that both tunnels can co-exist without any issues.

The Idea is:

  • Device Tunnel will provide access to limited resources so the user can log in with domain credentials, push group policies, etc.
  • Once the user has logged in, the User Tunnel gets pushed out via Intune and it should connect, giving access to full resources on the corporate network.

Setup:

All infrastructure is on-prem, certificates and VPN profile deployed using Intune, Windows 10 Enterprise Version 21H1.

Has anyone been able to successfully deploy this solution?

Thanks

Windows Autopilot

2 answers

  1. Lu Dai-MSFT 28,411 Reputation points
    2021-06-09T02:35:26.453+00:00

    @Nitin Kumar Thanks for posting in our Q&A.

    For this issue, I have done a lot of research and contacted the Windows team. I will share some information with you:

    1. Please use a different VPN server for the Device Tunnel and the User Tunnel. For example, the Device Tunnel and the User Tunnel will not work if both tunnels use the same IKEv2 server.
    2. This issue, where both tunnels can't exist together, occurred in Windows 10 2004, but it has been fixed. It is suggested to deploy Windows 10 20H2 to check if it works.

    Also, we would appreciate your checking whether there is any error message when the user tunnel can't connect.

    If there is any update, feel free to let us know.


  2. Nitin Kumar 1 Reputation point
    2021-06-09T05:09:12.693+00:00

    @Lu Dai-MSFT , Thanks for your prompt reply.

    A few details about my environment:

    • Using the same Windows Server 2019 server for the User and Device Tunnel.
    • We are testing the deployment on Windows 10 Enterprise Version 21H1, so I am already using a later version than 20H2.
    • Both tunnels are using IKEv2.

    Can I please confirm that you mean I should use a separate server for the Device and User tunnel?

    When I go through the Autopilot wizard, the device tunnel connects fine and I am able to log in using domain user credentials. Once I log in, the user tunnel gets rolled out and connects, and then it disconnects again. This keeps happening for a few attempts and then it stops connecting.

    The client logs have an error 828.
    The RAS server logs just show the same thing as if a user had disconnected from the VPN:

    "RoutingDomainID- {00000000-0000-0000-0000-000000000000}: CoID={C1920552-29AE-0269-961A-E8B0FED3AB50}: The user testuser@xyz .com connected on port VPN2-483 on 2/06/2021 at 9:26 AM and disconnected on 2/06/2021 at 9:27 AM. The user was active for 0 minutes 39 seconds. 37508 bytes were sent and 20711 bytes were received. The reason for disconnecting was administrative settings or explicit request. The tunnel used was WAN Miniport (IKEv2). The quarantine state was."

    I can manually disconnect the Device tunnel from the server and then the user tunnel connects fine and stays connected.

    Also, is there Microsoft documentation suggesting that we should not use the same server for the Device and User tunnel if using IKEv2 on both tunnels?

    Thanks
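A client-side check that gathers the facts the two posts above are trading (which server and tunnel type each profile uses, whether the device profile is really flagged as a device tunnel, and whether RasClient has logged the 828 reason code). This is an added example written for this thread, not code from the original poster, the answerer, or Microsoft. The profile names `Contoso-DeviceTunnel` and `Contoso-UserTunnel` are placeholders and must be changed to the names used in your Intune VPN profiles; reading the all-user rasphone.pbk under ProgramData may require an elevated prompt.

```powershell
<#
  Added example (not from the thread). Reports on an Always On VPN client whether
  the device tunnel and user tunnel both terminate on the same IKEv2 server, which
  the answer above says does not work, and surfaces recent RasClient failures so
  the reason code (828 in the original post) can be read without Event Viewer.
#>

function Get-AovpnTunnelReport {
    param(
        [string]$DeviceTunnelName = 'Contoso-DeviceTunnel',  # assumed placeholder name
        [string]$UserTunnelName   = 'Contoso-UserTunnel'     # assumed placeholder name
    )

    # Device tunnels are provisioned into the all-users (system) phonebook;
    # user tunnels are provisioned into the signed-in user's phonebook.
    $device = Get-VpnConnection -Name $DeviceTunnelName -AllUserConnection -ErrorAction SilentlyContinue
    $user   = Get-VpnConnection -Name $UserTunnelName -ErrorAction SilentlyContinue

    if (-not $device) { Write-Warning "Device tunnel '$DeviceTunnelName' not found in the all-user phonebook." }
    if (-not $user)   { Write-Warning "User tunnel '$UserTunnelName' not found for the current user." }

    # Confirm the device profile carries DeviceTunnel=1 in the system rasphone.pbk.
    $systemPbk  = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    $deviceFlag = $false
    if (Test-Path $systemPbk) {
        $inSection = $false
        foreach ($line in Get-Content $systemPbk) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $DeviceTunnelName); continue }
            if ($inSection -and $line -match '^DeviceTunnel=1') { $deviceFlag = $true; break }
        }
    }

    # The combination the answer flags: both profiles are IKEv2 and point at one server.
    $sameServer = [bool]($device -and $user -and ($device.ServerAddress -ieq $user.ServerAddress))
    $bothIkev2  = [bool]($device -and $user -and ($device.TunnelType -eq 'Ikev2') -and ($user.TunnelType -eq 'Ikev2'))

    # RasClient Event ID 20227 (Application log) records failed connection attempts
    # with "reason code returned on failure is N".
    $failures = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $code = if ($_.Message -match 'reason code returned on failure is (\d+)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; ReasonCode = $code; Message = $_.Message }
        }

    [pscustomobject]@{
        DeviceTunnel        = $device | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
        DeviceTunnelFlagSet = $deviceFlag
        UserTunnel          = $user   | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
        SameServerBothIkev2 = ($sameServer -and $bothIkev2)
        Error828Seen        = [bool]($failures | Where-Object ReasonCode -eq 828)
        RecentFailures      = $failures
    }
}

$report = Get-AovpnTunnelReport
$report | Format-List
if ($report.SameServerBothIkev2) {
    Write-Warning 'Device and user tunnels both use IKEv2 to the same server address; this is the combination the answer above says does not work.'
}
```

Run it in the user's session after the user tunnel has been pushed by Intune; `SameServerBothIkev2` and `Error828Seen` together reproduce the two facts the poster reported, and `RecentFailures` gives the timestamps to line up against the RAS server's connect/disconnect entries.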
