Append suffix DNS to IKEv2 VPN connections in windows

All,
We manage ~100 fireboxes for clients and currently use SSLVPN for any remote access needs. Recently I started looking into IKEv2 and got it set up in lab but had a few issues that might make deploying this a more manual process than I would like.

For example, when I connect to the VPN, the priority of the NICs is not set so that the VPN connection has the best metric. I believe this is needed, or it uses the wired NIC's DNS server and I can't resolve unqualified names (like machine names).


Also when I download the IKEv2 profile from the firebox it does not set the DNS suffix so I have to put that in manually and check the register boxes.


Really it’s not that much work, but I am not going to be the only one setting these up so I have to make it a more friendly process before presenting it as an alternative to SSLVPN to management.

I tested editing the PowerShell script that is in the profile and had some success adding

-DnsSuffix "example.com" to the Set-VpnConnection line (line 23), but I don't believe there is a way to check the boxes in PowerShell?

This is still a manual process, but at least we could edit the script one time before deploying to a customer's devices.

Am I over complicating this task?

Thanks!

Sorry, nothing to add here, I just wanted to say that I’d love to know the answer to this as well. SSLVPN seems a bit less-than-ideal in terms of security.

I noticed this issue as well. I had to manually set the interface metric for Wi-Fi. As soon as you plug in Ethernet over the IKEv2 tunnel, it closes the DNS leak. Switch back to Wi-Fi? Bam, issues return. The netsh interface metric for Wi-Fi is equal to the IKE adapter. Big problem.

No responses from WG on it.

I’m late to this show, I know, but I spent quite a bit of time looking into this yesterday. I tested it this morning to make sure that my VPN IP address was registered in our Windows DNS server before I posted here.

You need to modify the PowerShell script you mentioned in your OP. I included the -DnsSuffix, same as you (thanks for sharing). I also added the following code to the PowerShell script.

$RASPhoneBook = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk"

(Get-Content $RASPhoneBook) -Replace 'IpDnsFlags=0', 'IpDnsFlags=3' | Set-Content $RASPhoneBook

I added that after the SetIPSecConfiguration line for both the AddVPNConnection and UpdateVPNConnection functions in the PowerShell script. You can rerun the batch file for the IKEv2 VPN to update the existing VPN configuration without needing to delete it first.

Hopefully this helps.
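As an added example (not from the thread or from WatchGuard's generated script), here is the same two-part fix written as a stand-alone PowerShell script: it sets the DNS suffix on an existing connection and then patches IpDnsFlags only inside that connection's own [section] of rasphone.pbk, instead of every entry in the phonebook, and reports whether anything was actually changed. The connection name and suffix are script parameters; the per-user phonebook path is assumed to be under $env:APPDATA.

```powershell
# Added example, hypothetical helper: run after Add-VpnConnection has created the
# IKEv2 profile. Re-running it is safe; it rewrites the same values each time.
param(
    [Parameter(Mandatory)][string]$ConnectionName,   # name used in the WatchGuard profile
    [Parameter(Mandatory)][string]$DnsSuffix         # e.g. "example.com" (constructed value)
)

# 1. Connection-specific DNS suffix, same cmdlet and parameter the thread used.
#    Fails here if the connection does not exist yet, which is what we want.
Set-VpnConnection -Name $ConnectionName -DnsSuffix $DnsSuffix -ErrorAction Stop

# 2. Patch IpDnsFlags=3 (the two "register" check boxes per the thread) in the
#    [ConnectionName] section only. Assumed per-user phonebook location.
$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
if (-not (Test-Path $pbk)) { throw "Phonebook not found: $pbk" }
Copy-Item $pbk "$pbk.bak" -Force          # keep a copy so the edit can be reverted

$inSection = $false
$patched   = 0
$lines = foreach ($line in Get-Content $pbk) {
    # Section headers look like [My VPN]; track whether we are inside ours.
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $ConnectionName) }
    if ($inSection -and $line -match '^IpDnsFlags=') {
        $patched++
        'IpDnsFlags=3'
    } else {
        $line
    }
}
Set-Content -Path $pbk -Value $lines

# 3. Report the result instead of assuming the replace matched something.
if ($patched -eq 0) {
    Write-Warning "No IpDnsFlags line found in [$ConnectionName]; check the connection name."
} else {
    Write-Host "Patched $patched IpDnsFlags line(s) in [$ConnectionName]; reconnect the VPN to apply."
}
```

A generic `-Replace 'IpDnsFlags=0','IpDnsFlags=3'` over the whole file, as in the post above, also rewrites any other VPN entries on the machine, which is why the section check is worth the extra lines.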

Why not demo AuthPoint for the VPN setup?

It has an integration with SSLVPn and is cheap.

You can buy it in bundle with DNSWatch GO as well.

A lot of our clients are using AuthPoint and it appears to be working great! It’s easy to troubleshoot and does NOT wipe data. It just needs access to push notifications.

I’d like to know the answer to this too :flushed_face:

See DrinkNBHappy’s post below. It was the fix to the issue

I don't know if I fully understand your issue, but DrinkNBHappy's post below was able to get everything working for me. Maybe give it a shot.

Excited to test. It's been indefinitely on the back burner. Will update this weekend.

Fantastic! Works like a charm!

I imagine the domain name could be pulled from the firewall before the profile is built and then I wouldn’t have to touch it at all… but these workarounds are OK for now. Thanks very much for the assistance.

EDIT

To be clear on the results:

-This changed my physical NIC metric to a static 4280, which is low enough that the VPN connection (still set to Automatic Metric) is more trusted. I am now using the VPN connection's DNS servers.

-This did not input my DNS suffix into the VPN NIC, and the register boxes are not selected, but all of my queries are getting appended properly and I am able to resolve all unqualified names over the VPN.

Works for me!