
This article will guide you through the steps to set up VPN Server on Windows Server 2016.
VPN server leveraging IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2) with the functionality provided by the IKEv2 Mobility and Multihoming protocol (MOBIKE). This tunneling protocol offers inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN).
The scenario permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption to the user.
Installing Certificates on VPN Server and VPN Client
First you need to create certificate templates. Open up Certification Authority Console and from CA console, right click Certificate Templates > Manage > Right Click IPSec > Duplicate template

On Request Handling tab click Allow private key to be exported

Click Extension tab > Application Policies > Edit

Remove IP Security IKE intermediate > then click Add

and choose Server Authentication > OK

Click Key Usage > Edit

Make sure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.

In the Security tab click Object Types > Computers > Add Domain Computers

Make sure Read, Enroll and Autoenroll is selected

In General tab provide a name to template

Now, right click Certification Template > New > Certificate Template to Issue

Choose newly created template, click OK

Enrolling Certificate on VPN Server
Now, on your VPN Server, open up Run and type mmc > Add/remove snap-in
Click Certificates > Add > Computer Account

Right click Personal > All tasks > Request New Certificate

Check Certificate templates > Properties

Click Subject tab > Subject Name > Common name (from drop-down menu) choose FQDN for VPN Server > Click Add
In the Alternative Name, choose DNS, set FQDN for VPN Server, Click Add

New certificate should be created as shown in image below.

This certificate should be exported and then imported to client machine.
To export certificate, Right-click certificate > All tasks > Export

Export private key, Set password and specify file in which certificate should be saved. Copy file to client computer

To import file on client machine, certificate should be imported into Trusted Root Certification Authority on client.
Open up Run, type mmc > Add > Certificate snap-in-local computer
Right-click Trusted Root Certification Authorities > All task > import
Browse to copied file and enter password to import it.

Installing Roles
You need to add Network Policy Server and Remote Access roles on your VPN Server. Open up Server Manager > Add Roles and Features and select the following to install.
Open up Routing and Remote Access console, right-click on Server > Configure and Enable Routing and Remote Access

Select Remote access (dial-up or VPN)

Check VPN

Select internet facing interface accordingly

Define VPN address pool according to your environment


We’ll use NPS instead of RADIUS

Right click Remote Access Logging > Launch NPS

Click Network Access Policies

Right click Connections to Microsoft Routing and Remote Access Server > Properties

Check Grant access

Click Constraints > Select Microsoft:Secured password (EAP-MSCHAP v2)

If it’s not selected Add it

Enable user VPN access
In ADUS right click Dial-in > Allow access
Client Setting
Open in notepad Windows/System32/Drivers/etc/hosts file and add entry for VPN server (name must be equal to one specified in SSL certificate)
Creating VPN client connection


Use my internet connection (VPN)

I’ll set up an internet connection later

In Internet address type your VPN Server name

Specify username/password

In Security tab,for Type of VPN select IKEv2 > Data encryption > Require encryption > Authentication:Microsoft:Secured password (EAP-MSCHAP v2)

We can see that IKEv2 is used,client got address from our VPN pool (10.10.10.3)

Here you can see one client is connected to VPN Server with user Administrator.

We have successfully completed VPN Server deployment on Windows Server 2016. I hope this article will be helpful to deploy VPN Server in your environment.
NPS far better than old RADIUS
ReplyDeleteWhat if i don't want to use DHCP pool for ip addresses instead using static?
ReplyDeletevery detailed and helpful indeed
ReplyDeleteI don't like Windows as VPN Server.
ReplyDeleteWindows VPN is Easy and effortless solution rather buying a Juniper or Cisco device
ReplyDeletewow not easier then Juniper or Cisco
ReplyDeleteI can’t exactly recall how I finally overcame this, but if I remember correctly, it had to do with the REmote Access Management Service not starting properly. I think that I had to change the account under which the service runs and make sure that the service was started before trying to re-install. It finally worked... andy michael
ReplyDelete