SSTP or IKE on Virtual Machines – Quick and dirty.

It wasn’t quick to configure a client to successfully connect to a VPN through SSTP or IKE, but here are the takeaways.
It can be easily done with three virtual machines:
1 – Windows 2016 Server – ADSI, DHCP, DNS 192.168.100.1
2 – Windows 2016 Server – RRAS and AD Certificate with Web Enrollment. 192.168.100.111 / 10.0.3.1
3 – Windows 7 Client – 10.0.3.100 and VPN Connection
There are plenty of easy YouTube videos and even Microsoft step-by-steps to set this up, but it’s not always that clear and dry.
1 – VPN Server – Create a new certificate from a template and call the cert VPNClient, copy it to the personal store, set CN = 10.0.3.1 and ADCA, configure the extensions for server authentication, under request handling make the key exportable, and set Subject Name to “supply in request.”
2 – VPN Server – Configure bindings of IIS with new personal certificate. Configure RRAS with new personal certificate.
3 – VPN Client – Download CA to Trusted enterprise root store.
4 – Connect.
Problems:
1. For some reason, I was able to log in to my CA with the user lab\administrator, and this user was different from lab.com\administrator. This made accessing the certification templates difficult. I finally got them corrected using the lab.com\administrator.
2. My Windows client returned an error about an invalid CN name. This is where I realized making the CN name the IP Address and Computer name would be simple.
3. Windows client complained about a revocation server. I ended up Googling this message and found a nifty registry entry that fixed this problem. A reboot WAS NOT required.
4. NPS can be a pain; just configure the user to Allow dial-in privileges.
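A read-only check for problems 2 and 3 above, as an added example that is not part of the original post: run in PowerShell on the VPN server, it reports each certificate's CN, SAN values, Server Authentication EKU and CRL URLs. The function name `Test-VpnServerCert`, the `Cert:\LocalMachine\My` store location and the use of 10.0.3.1 as the name the client dials are assumptions.

```powershell
# Added example: read-only inspection of candidate VPN server certificates.
# Assumption: $ExpectedName is the exact value typed into the client's VPN destination field.
function Test-VpnServerCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ExpectedName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Cert.GetNameInfo($simpleName, $false)

    # Subject Alternative Name (2.5.29.17) and CRL Distribution Points (2.5.29.31) as text
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '' }

    # SAN text looks like "DNS Name=host, IP Address=10.0.3.1"; keep the part after '='
    $sanValues = @($sanText -split ',\s*' | Where-Object { $_ -match '=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    $crlUrls = @([regex]::Matches($cdpText, 'URL=([^\r\n]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() })

    # Collect the EKU OIDs; a certificate without an EKU extension reports $false below
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        SubjectCN     = $cn
        SanValues     = $sanValues -join '; '
        # The name the client dials has to appear in the certificate (CN or SAN)
        NameMatches   = ($cn -eq $ExpectedName) -or ($sanValues -contains $ExpectedName)
        ServerAuthEku = $ekuOids -contains $serverAuthOid
        HasPrivateKey = $Cert.HasPrivateKey
        NotAfter      = $Cert.NotAfter
        # The client must be able to reach one of these to complete the revocation check
        CrlUrls       = $crlUrls -join '; '
    }
}

# Assumption: the VPN certificate sits in the computer's Personal store on the RRAS host.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnServerCert -Cert $_ -ExpectedName '10.0.3.1' } |
    Format-List
```

A row with `NameMatches` False corresponds to the invalid CN error, and an empty or unreachable `CrlUrls` value points at the revocation server complaint.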
Good:
The fixes were simple, and having this scenario on a few VMs was very fun. With my shields down (firewalls disabled), IKE connected without any problems.
Changes:
VPN Server: RRAS, CA, CA-Web Enroll, new private key, new trusted CA, IIS.
Client: New connection, new trusted CA.