Computer Configuration - Create VPN connection with Preshared Key

    Question

  • Hi all,

    I'm about at my wit's end getting this GPO working.  Any help or pointers would be much appreciated.

    What I want to do:

    Apply a GPO that creates an L2TP VPN connection with a preshared key on my test computer "ADM-72-8B" in a given Security Group.

    What I have tried:

    Made a test OU in AD and added my test user and computer into the OU.  Created a security group with the computer "ADM-72-8B" and test user in it.  Created a GPO, added the SGroup to security filtering and delegation (read and apply GP enabled).  Set up the Settings of the GPO as per https://social.technet.microsoft.com/Forums/windowsserver/en-US/e92cafd0-6e0a-4757-b3c8-9f5bfd108fb8/deploy-ipsec-vpn-with-preshared-key-via-gp .  The GPO is link enabled and enforced (just in case).  Ran "gpupdate /force", restarted the machine, the works, on the test machine.  "gpresult /h report.html" does not show the GP being pulled.

    Please let me know if I'm missing any bits of information to help you help me.  The policy is set up to be computer configuration because the CompConfig/Policies/Windows Settings/IP Security feature for pre-shared keys is not available through User Configuration.

    Thank you!

    Wednesday, April 19, 2017 6:54 PM

Answers

All replies

  • Hi,
    Please run gpresult /r command as administrator to see if you could see the GPO in the result.
    If the GPO is not applying, you could check the following article for common reasons to try troubleshooting:
    10 Common Problems Causing Group Policy To Not Apply
    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 20, 2017 6:57 AM
    Moderator
  • Thank you very much for your help Wendy.  

    Some additional info: PC is running Win7 32bit.  Main DC server is running Server 2008 and backup DC is running Server 2003.  

    The command you suggested ("gpresult /r") lists the GPO as applying, however I do not see the connection as an option in Network Connections.  I do have the "Show icon in notification area when connected" check-marked in the GPO.  This network option when applied through the User Configuration will work when I log in as the test user, unfortunately the user configuration lacks the ability to do a pre-shared key so I am stuck with Computer Configuration.  The user and computer I am testing on are both part of the OU the GPO is linked to, as well as part of a security group that has the GPO linked.  The same applies for the delegation.

    The settings can be seen here: https://pastebin.com/cZr0ammp .  I have altered the hostname for privacy purposes.

    I have checked and double-checked the 10 common reasons link and none of the above is the problem.  Are there any ways of diagnosing the problem that anyone knows of?  Most bizarrely, it creates the VPN connection when in a User Config but not Computer Config.

    edit: The result of "gpresult /scope computer /z show" is here: https://pastebin.com/T2qxU4YF  Strangely it lists the policy but not under Resultant Set of Policies?



    • Edited by DCole377 Thursday, April 20, 2017 3:34 PM
    Thursday, April 20, 2017 2:22 PM
  • Breakthrough!

    I got the connection to be created but it has not configured the pre-shared key properly.

    What I did to fix (some of) it:

    • Within my test OU, created a group and added my computer to that group.
    • In my GPO added that group to security filtering.
    • Within my GPO settings (Computer Config/Policies/Pref./Control Panel Settings/Network Options), changed the setting to apply to "All users connection".

    Now to get the preshared key working...

    • Edited by DCole37 Thursday, April 20, 2017 4:03 PM
    Thursday, April 20, 2017 4:03 PM
  • Found a suggestion that appears to be working somewhat...  Editing the C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk file using http://www.grouppolicy.biz/2012/02/how-to-use-group-policy-to-configured-ini-files/ as a guide.  

    I can't seem to find the field in that rasphone.pbk file that forces the connection to use a pre-shared key rather than a certificate.  My pbk file currently looks like: https://pastebin.com/58i6YHJs

    edit: For reference on the rasphone.pbk file: https://msdn.microsoft.com/en-us/library/ee808196.aspx


    • Edited by DCole37 Thursday, April 20, 2017 7:24 PM
    Thursday, April 20, 2017 7:20 PM
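
One way to hunt for the field in question, as an added example that is not part of the original thread: compare the rasphone.pbk from a machine where the connection was configured by hand against the one the GPO produced, and list every field that differs. The entry name, host and values in the sample are constructed, and the approach assumes a hand-configured reference copy of the file is available.

```python
def parse_pbk(text):
    """Parse rasphone.pbk text into {entry_name: [(key, value), ...]}.

    The file is INI-like, but a key such as DEVICE can repeat inside one
    entry, so pairs are kept as an ordered list instead of a dict.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INI-style comment lines, if any
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return entries


def index_keys(pairs):
    """Map repeated keys to key, key#2, key#3 ... so occurrences line up."""
    seen, out = {}, {}
    for key, value in pairs:
        seen[key] = seen.get(key, 0) + 1
        out[key if seen[key] == 1 else f"{key}#{seen[key]}"] = value
    return out


def diff_entry(reference_text, deployed_text, entry):
    """Return (key, reference_value, deployed_value) for each differing field.

    A value of None means the key is missing on that side.
    """
    ref = index_keys(parse_pbk(reference_text).get(entry, []))
    dep = index_keys(parse_pbk(deployed_text).get(entry, []))
    return [(k, ref.get(k), dep.get(k))
            for k in sorted(set(ref) | set(dep)) if ref.get(k) != dep.get(k)]


# Constructed sample data: entry name, host and values are illustrative only.
REFERENCE = """[Office VPN]
Encoding=1
VpnStrategy=3
IpSecFlags=1
DEVICE=vpn
PhoneNumber=vpn.example.test
"""
DEPLOYED = (REFERENCE.replace("VpnStrategy=3", "VpnStrategy=2")
            .replace("IpSecFlags=1", "IpSecFlags=0"))

if __name__ == "__main__":
    for key, ref, dep in diff_entry(REFERENCE, DEPLOYED, "Office VPN"):
        print(f"{key}: reference={ref!r} deployed={dep!r}")
```
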
  • > I got the connection to be created but it has not configured the pre-shared key properly.
     
    You cannot deploy PSK through GPO. Not for VPN, not for WLAN.
     
    Friday, April 21, 2017 10:05 AM
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy



    Monday, April 24, 2017 1:16 PM
    Moderator