How to override the IP address as the default client identity on Windows IKEv2 VPN client?

Question

How to override the IP address as the default client identity on Windows IKEv2 VPN client?

Cody Hartman 20

I am trying to manually set the client IKEv2 identity for the native Windows VPN client. The headend in this case in Cisco's FlexVPN Server, and there are specific policies that need to be applied per-user. The normal way to do this is to discriminate amongst connections using the IKE identities presented by each client. On most VPN clients, there is a way to set this value manually (e.g. to a string representing the client's FQDN). Looking at debug logs on the headend, the IKEv2 identity for the Windows client defaults to the IP address of the interface associated with the underlay connection. This is not ideal to use as a discriminator/matching criteria for the application of policies at the headend since client IP addresses are dynamic by nature (and the point of a remote access VPN is mobility). FQDN or some other static value would be preferable but I have been unable to find a way to override the default value (IP address). Is there any way to manually set the local IKE identity in the Windows IKEv2 VPN client? (Note that client-side authentication is performed using EAP, not PKI.)

Accepted answer

0 additional answers

Your answer

Answer 1

Gary Nebbett 6,216

Hello Cody,

About 5 years ago, I wrote an article about "Exploring use of Windows 10 VPN client to access Cisco AnyConnect IPsec/IKEv2" which touched on the subject of setting an IKEv2 IDi value.

When discussing the function that provides the IDi value, I wrote:

By default, it returns an ID_IPV4_ADDR ID Type but it can be persuaded (by setting the value “ExtendedIDiSupport” in the registry and meeting other requirements) to return an ID_FQDN ID Type. It is not possible to specify an arbitrary ID Type and Identification Data.

In the intervening 5 years, I have forgotten what the "other requirements" are - it is possible that they are already met in your environment.

Gary

Cody Hartman 20 Reputation points

2023-11-13T15:10:41.82+00:00

Gary,

No change after setting ExtendedIDiSupport in the registry, but good to know that RasMan is at least capable of returning an FQDN. Thanks for pointing me in the right direction -- I'll keep poking around.

Cody
Gary Nebbett 6,216 Reputation points

2023-11-14T11:44:32.31+00:00
Hello Cody,

I also "poked around" - my results were:

Certificate based authentication (machine certificates or EAP-TLS) => ID_FQDN or ID_DER_ASN1_DN (depending on certificate attributes).

TEAP, PEAP, EAP-TTLS, EAP-MSCHAPv2 => ID_RFC822_ADDR (if the identity can be parsed as an RFC 822 address), otherwise ID_IPV4_ADDR / ID_IPV6_ADDR.

As usual, Event Tracing for Windows gives some insight into what happens; providers Microsoft-Windows-RRAS, *Microsoft.Windows.Networking.Ikeext and WPP_ThisDir_CTLGUID_VpnIke are particularly useful.

Gary
Cody Hartman 20 Reputation points

2023-11-14T19:26:19.2633333+00:00

Gary,

Good information -- the ID_RFC822_ADDR (rather than ID_FQDN) being the alternate IDi for EAP-based authentication is what I wasn't seeing. After changing the remote identity match criteria to "email" at the FlexVPN headend and changing the RasMan registry settings as you advised previously, it's working as expected. Thanks again for pointing me in the right direction!

Cody
Gary Nebbett 6,216 Reputation points

2023-11-14T20:39:10.8866667+00:00

Hello Cody,

From my perspective, the search for an answer to your question was made decidedly easier by ETW - the event texts "Username specified by user is not in e-mail format" followed by "Falling back to IP address based ID payload" substantially informed my "poking around".

Gary
Cody Hartman 20 Reputation points

2023-11-15T16:02:48.5+00:00

Gary,

Yes, I saw the same messages after tracing the providers you mentioned. (I'm not much of a Windows guy and I hadn't thought to use ETW before you suggested it.) Again, your assistance is much appreciated.

Cody
Anonymous

2024-01-08T13:34:12.7+00:00

I have no idea where to find ExtendedIDiSupport in the registry. Can you give me a hint?
Gary Nebbett 6,216 Reputation points

2024-01-08T13:55:33.18+00:00

Hallo Lukas,

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\IKEv2

Gary
Anonymous

2024-01-08T14:00:19.8033333+00:00

Wow, that was fast. :-) I assume 1 means enabled and 0 disabled? So is it of type BINARY or DWORD? Thanks so far!
Anonymous

2024-01-08T14:02:30.5633333+00:00

Duplicate...
Gary Nebbett 6,216 Reputation points

2024-01-08T14:13:58.77+00:00

Hallo Lukas,

A REG_DWORD, value 1 enables the feature.

Gary
Anonymous

2024-01-08T15:11:44.2133333+00:00

OK, it didn't change anything. My headend still tells: Searching policy based on peer's identity '192.168.220.25' of type 'IPv4 address'

Probably, the 'other requirements' were not met.

Can you tell me what the value basically is when the type changes to ID_FQDN? Is it the FQDN of the windows system? But even if I get so far, this approach wouldn't scale since I then need config for every vpn client. I really do not understand why Microsoft doesn't offer fields to fill arbitrary ID Type and Identification Data. Nevertheless, thanks for your help.
Gary Nebbett 6,216 Reputation points

2024-01-08T16:09:20.62+00:00

Hello Lukas,

As mentioned above, it depends on which authentication mechanism is in use and/or the format of the "username" (if appropriate for the authentication mechanism). The ID will be taken from a certificate subject or subject alternative name or from the username (if its syntax is compatible with an RFC822 address).

Gary
Cody Hartman 20 Reputation points

2024-01-08T16:59:57.9233333+00:00

Lukas,

I'm not sure whether you're using certificates or username/password for client authentication, but just in case this might be helpful...

My solution was to configure "match identity remote email" in the IKEv2 profile(s) at the headend router, specifying the full username including the domain (e.g. johndoe@example.com). Then, when the user attempts to connect and enters this full version of their username, the username will be recognized as an RFC 822 address and passed as the IKE identity instead of the IP address (provided ExtendedIDiSupport is enabled). In the IKEv2 profile, you can optionally specify the domain portion only, rather than the full address -- that may help with scaling.

Cody
Anonymous

2024-01-09T07:08:37.86+00:00

In my case, certificate authentitication from user cert store is desired. See the screenshot attached.

If I switch to machine certificates, the certificate subject is used correctly as IKE ID which can be parsed by my headend and the VPN comes up. But there is no further user authentication like XAUTH on L2TP/IPsec. So every logged in windows user is able to conncet with the machine certificate but without further user authentication. (A RADIUS server is not present in the current situation.)

So the goal is to move the certificate in the user cert store where it can only be used by the respective user. But if I do this as shown in the screenshot, windows is still using the LAN adapters IP address as IKE ID...

I'll try playing around with RFC 822 names... But I am not sure where to put that name in...
Anonymous

2024-01-09T07:25:33.1933333+00:00

I've ticked the bottom right checkbox "Anderen Benutzernamen für die Verbindung verwenden". It offers an additional textbox where I maybe somehow can influence the behaviour. But entering johndoe@example.com leads to the same result. ID_IPV4_ADDR ID
Gary Nebbett 6,216 Reputation points

2024-01-09T13:38:25.8666667+00:00

Hello Lukas,

The "Anderen Benutzernamen für die Verbindung verwenden" does something else that you probably don't want - it changes the "outer" EAP identity.

I just tried testing EAP-TLS with that option set to "Nobody@Home" and the subject alternative name (DNS) in the TLS certificate as "gary". Here are formatted dumps of the key IKEv2 packets:

Gary
Anonymous

2024-01-12T14:52:51.6+00:00

Hi Gary, sorry for my delayed response. But I made some progress: My cert is still in user cert store and now contains a subject alternative name of type DNS. My firewall now sees the SAN as the initiator's IKE ID: "Searching policy based on peer's identity 'lab2024' of type FQDN" By the way: ExtendedIDiSupport=1 is really required! I wonder where you've got that from...? No hits at Google... (But a reboot is not necessary after changes to ExtendedIDiSupport.) And another possible pitfall - maybe this will help someone: You wrote about EAP-TLS which should be used in my case. Windows 10 currently offers a few different EAP modes. In German Windows you won't find EAP-TLS. But EAP-TTLS! These two are not to be confused. When using the latter, Windows uses the IP address as IKE ID. The German term for EAP-TLS is "Microsoft: Smartcard oder anderes Zertifikat (Verschlüsselung aktiviert)" The VPN still doesn't come up. But now I am a step further. Thanks a lot for your help!!! Lukas
Gary Nebbett 6,216 Reputation points

2024-01-12T16:29:39.8433333+00:00

Hello Lukas,

The absence of "(EAP-TLS)" in the string "Microsoft: Smartcard oder anderes Zertifikat (Verschlüsselung aktiviert)" is not an English/German difference, but rather a Windows 10/11 difference. In Windows 11, the string seems to be "Microsoft: Smartcard- oder anderes Zertifikat (EAP-TLS) (Verschlüsselung aktiviert)".

EAP-TTLS can provide IDi in the format ID_RFC822_ADDR if the username is compatible with RFC-822 address syntax (basically, contains a "@" character).

Gary

Share via

How to override the IP address as the default client identity on Windows IKEv2 VPN client?

0 additional answers

Your answer