scriven_j

VPN XML / Powershell

May 15th, 2020
Posted already about this, but it seems to have disappeared!

I created an XML file using your post, but the one I created doesn't appear to have included any certificate information within it. (Detail appended)

The XML file included in the Azure Portal VPN Client download does have a <CaCert> tag but this does not seem to have been included in the output XML.

This was the exact PowerShell I ran (all information sanitised):-

#
# This was created using information found here - https://msfreaks.wordpress.com/2020/02/17/deploying-a-windows-10-vpn-profile-from-intune-for-azure-vpn-gateway-basic-sku/
#
$Name = "xxx-vNet"
$Server = "azuregateway-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxxxxxx.vpn.azure.com"
$DnsSuffix = "xxx.local"
$OutputFile = "$($env:TEMP)\VPNv2_Profile.xml"
$RouteConfig = @("<Route><Address>192.168.10.0</Address><PrefixSize>24</PrefixSize></Route>
<Route><Address>192.168.20.0</Address><PrefixSize>24</PrefixSize></Route>
<Route><Address>192.168.30.0</Address><PrefixSize>24</PrefixSize></Route>
<Route><Address>192.168.40.0</Address><PrefixSize>24</PrefixSize></Route>
<Route><Address>192.168.50.0</Address><PrefixSize>24</PrefixSize></Route>")

@("<VPNProfile>
 <ProfileName>$($Name.ToLower())profile</ProfileName>
 <!-- the dns suffix to use for the vpn adapter -->
 <DnsSuffix>$DnsSuffix</DnsSuffix>
 <NativeProfile>
   <!-- the azure vpn gateway address goes here -->
   <Servers>$Server</Servers>
   <!-- for azure vpn gateway basic sku this must be Automatic -->
   <NativeProtocolType>SSTP</NativeProtocolType>
   <Authentication>
     <!-- this must be eap and a valid eap configuration must be supplied -->
     <UserMethod>Eap</UserMethod>
     <Eap>
       <Configuration>
         <!-- sabm eap configuration taken from template profile -->
         $((Get-VpnConnection -Name $Name).EapConfigXmlStream.InnerXml)
       </Configuration>
     </Eap>
   </Authentication>
   <!-- activate splittunnel configuration -->
   <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
   <!-- disable class based default route -->
   <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
 </NativeProfile>
 <RememberCredentials>true</RememberCredentials>
 <!-- add route config for this connection -->
 $RouteConfig
</VPNProfile>") | Out-File -FilePath $OutputFile

XML File downloaded from Azure Portal - VPNSettings.xml:-

<?xml version="1.0"?>
<VpnProfile xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <VpnServer>azuregateway-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxxxxxx.vpn.azure.com</VpnServer>
 <VpnType>SSTP,IkeV2</VpnType>
 <CaCert>MIErzCCApexxxx=...........................................=xxxxOh3nSnKS3nsnEIM</CaCert>
 <Routes>192.168.10.0/24,192.168.20.0/24,192.168.40.0/24,192.168.30.0/24,192.168.50.0/24</Routes>
 <Auth>EAPTLS</Auth>
 <VnetName>xxx-vNet</VnetName>
 <VnetId>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</VnetId>
 <ServerCertRootCn>DigiCert Global Root CA</ServerCertRootCn>
 <ServerCertIssuerCn>DigiCert Global Root CA</ServerCertIssuerCn>
 <VpnClientAddressPool>10.20.0.0/24</VpnClientAddressPool>
 <AadIssuer />
 <AadTenant />
 <AadAudience />
</VpnProfile>

XML File created by the script - VPNv2_Profile.xml:-

<VPNProfile>
 <ProfileName>xxx-vnetprofile</ProfileName>
 <!-- the dns suffix to use for the vpn adapter -->
 <DnsSuffix>xxx.local</DnsSuffix>
 <NativeProfile>
   <!-- the azure vpn gateway address goes here -->
   <Servers>azuregateway-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxxxxxx.vpn.azure.com</Servers>
   <!-- for azure vpn gateway basic sku this must be Automatic -->
   <NativeProtocolType>SSTP</NativeProtocolType>
   <Authentication>
     <!-- this must be eap and a valid eap configuration must be supplied -->
     <UserMethod>Eap</UserMethod>
     <Eap>
       <Configuration>
         <!-- sabm eap configuration taken from template profile -->
         <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><DifferentUsername>false</DifferentUsername><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName></EapType></Eap></Config></EapHostConfig>
       </Configuration>
     </Eap>
   </Authentication>
   <!-- activate splittunnel configuration -->
   <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
   <!-- disable class based default route -->
   <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
 </NativeProfile>
 <RememberCredentials>true</RememberCredentials>
 <!-- add route config for this connection -->
 <Route><Address>192.168.10.0</Address><PrefixSize>24</PrefixSize></Route>
<Route><Address>192.168.20.0</Address><PrefixSize>24</PrefixSize></Route>
<Route><Address>192.168.30.0</Address><PrefixSize>24</PrefixSize></Route>
<Route><Address>192.168.40.0</Address><PrefixSize>24</PrefixSize></Route>
<Route><Address>192.168.50.0</Address><PrefixSize>24</PrefixSize></Route>
</VPNProfile>
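The paste above compares two documents by eye. As an added example (not part of the original paste, nor of the msfreaks post it builds on), the PowerShell below performs that comparison mechanically: it confirms both files parse as XML, reports whether the portal download carries a <CaCert> value (which the VPNv2 CSP profile format has no element for, so it has to be deployed separately), checks that the gateway address and every route from VPNSettings.xml made it into the generated profile, and reads back the EAP-TLS server-validation settings that were copied from the template connection. The two XML strings are constructed inline with placeholder values in the same shape as the files in the paste; the function name Test-VpnV2Profile and the helper Get-NodeText are this example's own, and in use you would pass the real files via Get-Content -Raw.

```powershell
# Added example, not the original poster's code. Both documents are constructed
# inline with placeholder values (same shape as the paste's VPNSettings.xml and
# VPNv2_Profile.xml); the CaCert value is deliberately not a real certificate.
$azureSettingsXml = @'
<?xml version="1.0"?>
<VpnProfile xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <VpnServer>azuregateway-PLACEHOLDER.vpn.azure.com</VpnServer>
  <VpnType>SSTP,IkeV2</VpnType>
  <CaCert>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</CaCert>
  <Routes>192.168.10.0/24,192.168.20.0/24,192.168.30.0/24</Routes>
  <Auth>EAPTLS</Auth>
  <ServerCertRootCn>DigiCert Global Root CA</ServerCertRootCn>
</VpnProfile>
'@

$generatedProfileXml = @'
<VPNProfile>
  <ProfileName>exampleprofile</ProfileName>
  <NativeProfile>
    <Servers>azuregateway-PLACEHOLDER.vpn.azure.com</Servers>
    <NativeProtocolType>SSTP</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <Config>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                  </ServerValidation>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route><Address>192.168.10.0</Address><PrefixSize>24</PrefixSize></Route>
  <Route><Address>192.168.20.0</Address><PrefixSize>24</PrefixSize></Route>
</VPNProfile>
'@

# Helper (this example's own): PowerShell returns a plain string for a simple
# element but an XmlElement once the element carries attributes such as xmlns,
# so normalise both cases to the text content.
function Get-NodeText($node) {
    if ($node -is [System.Xml.XmlNode]) { return $node.InnerText } else { return [string]$node }
}

# Function name is this example's own. Returns a list of findings (empty = clean).
function Test-VpnV2Profile {
    param(
        [Parameter(Mandatory)][string]$AzureSettingsXml,
        [Parameter(Mandatory)][string]$GeneratedProfileXml
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Both documents must parse; the [xml] cast throws on malformed input.
    $azure = [xml]$AzureSettingsXml
    $gen   = [xml]$GeneratedProfileXml

    # 2. The portal download carries the root certificate; the VPNv2 profile
    #    format has no element for it, so report it rather than expect it there.
    $caCert = Get-NodeText $azure.VpnProfile.CaCert
    if ([string]::IsNullOrWhiteSpace($caCert)) {
        $findings.Add('VPNSettings.xml has no <CaCert> value')
    } else {
        try {
            $bytes = [Convert]::FromBase64String($caCert.Trim())
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
            $findings.Add("CaCert present: subject '$($cert.Subject)', thumbprint $($cert.Thumbprint); not carried into the VPNv2 profile, deploy it separately")
        } catch {
            $findings.Add('CaCert present but not decodable as a DER certificate (placeholder or truncated value?)')
        }
    }

    # 3. Gateway address in the profile must match the portal download.
    if ((Get-NodeText $gen.VPNProfile.NativeProfile.Servers) -ne (Get-NodeText $azure.VpnProfile.VpnServer)) {
        $findings.Add('Servers does not match VpnServer from the portal download')
    }

    # 4. Every route the portal lists should appear as a <Route> element.
    $expected = @((Get-NodeText $azure.VpnProfile.Routes) -split ',' | ForEach-Object { $_.Trim() })
    $present  = @($gen.VPNProfile.Route | ForEach-Object { "$(Get-NodeText $_.Address)/$(Get-NodeText $_.PrefixSize)" })
    foreach ($r in $expected) {
        if ($present -notcontains $r) { $findings.Add("route $r missing from profile") }
    }

    # 5. EAP-TLS server validation as copied from the template connection.
    $eapType = $gen.VPNProfile.NativeProfile.Authentication.Eap.Configuration.EapHostConfig.Config.Eap.EapType
    if ((Get-NodeText $eapType.PerformServerValidation) -ne 'true') {
        $findings.Add('PerformServerValidation is not true: the EAP-TLS client is configured not to validate the server certificate')
    }
    if ([string]::IsNullOrWhiteSpace((Get-NodeText $eapType.ServerValidation.ServerNames))) {
        $findings.Add('ServerValidation/ServerNames is empty: no expected server name is configured')
    }
    return $findings
}

Test-VpnV2Profile -AzureSettingsXml $azureSettingsXml -GeneratedProfileXml $generatedProfileXml
```

Run against the constructed input this reports the undecodable placeholder CaCert, the missing 192.168.30.0/24 route, PerformServerValidation=false and the empty ServerNames. Against the paste's own files the route check would pass (all five routes are present), while the last two findings would still appear, since the EAP configuration copied from the template connection has exactly those values.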