Configure IKEv2-based Remote Access
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
Routing and Remote Access Service (RRAS) supports Internet Key Exchange version 2 (IKEv2), a VPN tunneling protocol described in RFC 4306. The primary advantage of IKEv2 is that it tolerates interruptions in the underlying network connection. For example, if the connection is temporarily lost, or if a user moves a client computer from one network to another, IKEv2 automatically restores the VPN after the network connection is reestablished — all without intervention on the part of the user. This feature is referred to as VPN Reconnect or Agile VPN. IKEv2 is supported by remote access clients running Windows 7, and by VPN servers running Windows Server 2008 R2.
Deploying IKEv2-based remote access consists of the following:
Configure the connection to the Internet
Configure the connection to the intranet
Join the VPN server to the corporate domain
Configure the VPN server as a corporate intranet router
Install Active Directory Certificate Services and Web Server (IIS)
Create and install the Server Authentication certificate
Install the root certificate on the remote access clients
Configure the VPN Server
Configure NPS to Grant Access for EAP-MSCHAPv2 Authentication
The connection to the Internet from a computer running Windows Server 2008 R2 is a dedicated connection – a WAN adapter installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, Frame Relay adapter, or an adapter for another high-speed, dedicated connection. Verify that the WAN adapter is compatible with Windows Server 2008 R2. The WAN adapter includes drivers that are installed so that the WAN adapter appears as a network adapter.
You need to configure the following TCP/IP settings on the WAN adapter:
IP address and subnet mask assigned from your Internet service provider (ISP).
Default gateway of the ISP router.
For more information, see Configure TCP/IP on the VPN Server.
To enable VPN clients to connect to your VPN server by name rather than by IP address, ask your ISP to register the VPN server in DNS.
The connection to the intranet from a computer running Windows Server 2008 R2 is a LAN adapter installed in the computer.
You need to configure the following TCP/IP settings on the LAN adapter:
IP address and subnet mask assigned from the network administrator.
DNS and WINS name servers of corporate intranet name servers.
For more information, see Configure TCP/IP on the VPN Server.
If the VPN server is not already a member of the Active Directory domain, use the Active Directory Users and Computers MMC snap-in to join the server to the domain.
For the VPN server to properly forward traffic on the corporate intranet, you must configure it as a router with either static routes or routing protocols — such as Routing Information Protocol (RIP) — so that all of the locations on the intranet are reachable from the VPN server. For information about configuring routing, see Configure Routing on a VPN Server.
For an IKEv2-based VPN connection, you must install and configure the Active Directory Certificate Services and Web Server (IIS) server roles to enable Web enrollment of a computer certificate.
For more information, see Appendix A: Computer Certificates for VPN Connections in the Routing and Remote Access Services Design Guide.
After you install and configure the Active Directory Certificate Services and Web Server (IIS) server roles, you must do the following:
Create a certificate template with the required Enhanced Key Usage (EKU) options
Issue the certificate template
Configure ActiveX control settings to allow certificate publishing
Request a Server Authentication certificate
Move the certificate to the machine store
Generate the trusted root certificate
For more information, see Active Directory Certificate Services.
If a remote access client is a member of the same Active Directory domain as the VPN server, the client can obtain the trusted root certificate through auto-enrollment.
To enable remote access clients to acquire the root certificate through auto-enrollment, see Configure Certificate Autoenrollment (https://go.microsoft.com/fwlink/?LinkID=133948).
Install the root certificate for the CA that issued the server authentication certificate. This is required for the client computer to trust the server authentication certificate in order to complete the VPN connection.
You can configure your VPN server by running the Routing and Remote Access Server Setup Wizard. You can use the wizard to configure the following settings:
The method by which the VPN server assigns IP addresses to remote access clients (either using addresses that the VPN server obtains from a DHCP server or by using addresses from a specified range of addresses that you configure).
Forwarding of authorization and authentication messages to a Remote Authentication Dial-In User Service (RADIUS) server (configuration of the VPN server as a RADIUS client).
Use Network Policy Services (NPS) to enable and configure the remote access policies required for an IKEv2-based VPN connection.
注意
You can install NPS on the domain controller or on a separate, dedicated server.
IKEv2 supports computer certificate and Extensible Authentication Protocol (EAP)-based authentication. NPS is required only when using EAP-based authentication.