Deploy IPSec VPN with preshared key via GP?

    Question

  • Trying to stand up a new VPN box (Celestix MSA that is essentially a glorified Forefront Threat Management Gateway 2010 system) that uses IPSec, however the GP Network Settings don't have an area to input the preshared key, like the client settings on 7/XP. How do I deploy this with no preshared key option?

    I see that there are some preshared key options in the IP Security Policies GPs, but will the VPN connection look there for the key?

    Tuesday, June 26, 2012 2:06 AM

All replies

  • Hello, 

    Create a separate OU for the users to whom you want to deploy.

    GPO steps are:

    1. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\IP Security Policies on Active Directory(abc.com)
    2. Select create new IP Security Policy and follow the steps of setup wizard.

    3. Please check Activate the default response rule > set the initial authentication rule as shown in the figure below > Finish

    4. Finish the GP configuration settings and run Start > Run > cmd > gpupdate /force


    Thank you and feel free to write here again if you need any other help.


    Regards, Ravikumar P

    Tuesday, June 26, 2012 7:02 AM
  • Hi eric,

    Yes, you can use a Preshared Key when you deploy an IPSec VPN. You can specify it on the Authentication Methods tab as the picture above shows.

    However, preshared key authentication is not recommended by Microsoft because it is a relatively weak authentication method. See "Do not use preshared keys" section in this article:

    IPSec Best practices:
    http://technet.microsoft.com/en-us/library/cc739472(v=WS.10).aspx

    A way to increase the security of a preshared key is encrypting it with a PIN. Check this:

    Including a Preshared Key:

    http://technet.microsoft.com/en-us/library/dd672872(v=WS.10).aspx

    In addition to preshared key, IPSec allows two other ways of authentication: the Kerberos V5 protocol and certificate-based authentication. The Kerberos version 5 authentication protocol is the default authentication technology in Windows Server 2008 R2. For more information please refer to the link below:

    IPsec Authentication:

    http://technet.microsoft.com/en-us/library/cc772338.aspx

    Regards,
    Cicely


    Tuesday, June 26, 2012 9:32 AM
    Moderator
  • Thanks for the reply. Should my new IP Security Policy show up in the 'IP Security Policies on Local Computer' of the client's Local Security Policy? It's not at the moment. (Yes it's assigned)

    The GPP pushed VPN connection doesn't seem to want to use the key for connecting, I get error 781 meaning it's looking for a certificate and not a preshared key.

    "The encryption attempt failed because no valid certificate was found."



    • Edited by eric87m Wednesday, June 27, 2012 2:39 AM
    Wednesday, June 27, 2012 2:22 AM
  • Hi,

    Error 781 doesn't mean it's not looking for a preshared key; a preshared key is also a method of certificate, although it is not recommended. See this: http://technet.microsoft.com/en-us/library/cc773153(v=WS.10).aspx#BKMK_781

    You can run RSoP.msc or gpresult /v to check whether the setting is configured properly or GPO is applied successfully.

    And also check if this KB could help:
    Event ID 20111, Error 792 or Error 781 When Establishing an L2TP/IPSec Connection
    http://support.microsoft.com/kb/247231

    Regards,
    Cicely

    Wednesday, June 27, 2012 5:22 AM
    Moderator
  • Ah ok, it's being applied and still can't connect, but in the IP Security Monitor I see the number next to the name of an IKE policy increase by 1 if I gpupdate. Nothing by the name of my IP Security Policy in there though.
    Wednesday, June 27, 2012 5:39 PM
  • Still getting Error 781. If I plug in the preshared key manually though, it connects fine. So the machines still aren't getting the key.

    The GP with the settings Ravikumar Pulagouni provided IS getting applied though.

    Thursday, June 28, 2012 5:26 PM
  • Ok looks like I'm getting there, key shows up in IP Security Monitor:

    but still getting Error 781 when trying to connect to VPN

    Thursday, June 28, 2012 7:36 PM
  • Hi,

    You should configure the client and the server to use pre-shared key instead of the certificate. If you use certificate to connect L2TP/IPsec VPN and you haven't installed valid certificate on your client and server, the error 781 will occur.

    The group policy cannot assign the pre-shared key to the client. It is by design because it is not a safe behavior to tell the client the pre-shared key via the network. If somebody captures the network trace between the DC and the client, he may get the pre-shared key. If you want to use a pre-shared key, you need to manually configure it on all clients and the server.

    Best Regards

    Scott Xie

    Friday, June 29, 2012 8:26 AM
  • Ok screw this. I made a silent exe installer with CMAK (Connection Manager Administration Kit). It has the preshared key integrated into it. Pretty lame that it didn't make an msi though

    Anyway, is there a way to deploy it with GP, like so?:

    If VPN1 is found, remove and replace with VPN2.exe
    If no VPN is found, install VPN2.exe
    If VPN2 is found, stop processing



    • Edited by eric87m Friday, June 29, 2012 8:26 PM
    Friday, June 29, 2012 8:25 PM
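    The replace-or-install logic sketched above, written as a computer Startup script (PowerShell). This is an added illustration, not something posted in the thread or shipped with CMAK; it assumes the two profiles are named VPN1 and VPN2, that VPN2.exe is on a read-only share at a placeholder path, and that the CMAK self-extracting package accepts the /q:a and /c: switches and cmstp.exe the /u and /s switches.

```powershell
# Added example, not from the thread. Assumptions: profile names 'VPN1' (old) and
# 'VPN2' (new); installer on a read-only share (placeholder path); runs as SYSTEM
# from a GPO Startup script so the all-user CM profile is the one replaced.
$OldName   = 'VPN1'
$NewName   = 'VPN2'
$Installer = '\\FILESERVER\netlogon\VPN2.exe'    # placeholder, adjust to your share
$CmRoot    = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Cm'

function Test-CmProfile([string]$Name) {
    # An all-user CMAK profile lives in a folder named after the profile that holds <Name>.inf
    return (Test-Path (Join-Path $CmRoot "$Name\$Name.inf"))
}

function Remove-CmProfile([string]$Name) {
    $inf = Join-Path $CmRoot "$Name\$Name.inf"
    # cmstp.exe /u removes a Connection Manager profile, /s suppresses the prompt (assumed switches)
    Start-Process -FilePath "$env:SystemRoot\System32\cmstp.exe" `
        -ArgumentList "/u /s `"$inf`"" -Wait -NoNewWindow
}

function Install-CmProfile([string]$Exe, [string]$Name) {
    # Silent install of the CMAK package: /q:a = quiet extract, /c: = command run afterwards (assumed switches)
    Start-Process -FilePath $Exe `
        -ArgumentList "/q:a /c:`"cmstp.exe $Name.inf /s`"" -Wait -NoNewWindow
}

# Decision order mirrors the three lines above:
if (Test-CmProfile $NewName) {
    Write-Output "$NewName already installed; nothing to do."   # VPN2 found: stop processing
    return
}
if (Test-CmProfile $OldName) {
    Write-Output "Removing $OldName before installing $NewName."  # VPN1 found: remove it first
    Remove-CmProfile $OldName
}
if (Test-Path $Installer) {
    Install-CmProfile -Exe $Installer -Name $NewName              # no current profile: install VPN2
} else {
    Write-Warning "Installer $Installer not reachable; leaving client unchanged."
}
```

    Note that the key is embedded in the CMAK package, so anyone who can read the share can recover it; this is the same exposure Scott describes for pushing it via GPO, only moved from network traffic to a file ACL.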
  • Hi,

    Based on my knowledge, there isn't such way to deploy it.

    Best Regards

    Scott Xie

    Thursday, July 05, 2012 10:18 AM
  • I know this is an older post, but I am trying to do this now.

    I tried the original poster's idea below (CMAK) and that works nicely for connecting to the VPN. However we don't like this approach as there is no good way to change the key other than creating and pushing a new CMAK installer each time. Would love to get the above GPO-based solution to push out our PSK.

    I can have the GPO create an IP Policy (I can see it in my IP Security Monitor). However, like the original poster, I can't get it to apply to the VPN connection I created.

    Has anyone had any success with the above approach?

    Target machines are Win8.1 and 7, though we could get by as long as just 8.1 worked.

    Tuesday, March 10, 2015 1:53 AM