Always On VPN non join domain

Question

Hello,

So I deploy a Always on VPN on Windows Server 2019.
I follow guidance from this YouTube video
https://www.youtube.com/watch?v=aZ-thDAfuBM&t=2027s

Basically I'm deploying 3 windows server (RAS, NPS, and AD with CA) and all of this server is join domain.
I setting the VPN to use IKE protocol and authenticate to radius server.
I create 2 policy on radius server, first one is authenticate using certificate and the second one is authenticate using user and password only.

For join domain endpoint there's a auto enroll certificate policy and can connect to the VPN seamlessly.
But I have problem to connect VPN for non join domain endpoint.
I've import the client certificate from join domain endpoint and also CA certificate and then export it to non join domain endpoint and setting the VPN like this but not work with the error IKE authentication credentials are unacceptable
https://social.technet.microsoft.com/Forums/en-US/001e8311-37b8-46ae-9d73-96ae690785f2/ikev2peap-for-nondomain-computers?forum=winserverNIS

Can someone give me enlightenment of what could be wrong?

Note:
Both radius policy (using user or certificate for authentication) is tested with join domain endpoint and it works fine.

Answer 1

Hi @Marlis Septian Nurhalim

The problem occurs if the version of Windows does not have support for IKE fragmentation or the client certificate is missing from Certificates - Current User\Personal\Certificates.

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP.

Here is a link for a detailed description of the process that you must follow.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems

Hope this resolves your Query!!

----------

--If the reply is helpful, please Upvote and Accept it as an answer--