Help with pre-logon IKEv2 VPN

Hello everyone, I am having a lot of trouble getting the pre-logon function to work. I am following the guide from watchguard support center here:

https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bopASAQ

I've taken the pre-configured powershell script from the firebox, which works perfectly, but as soon as I try to add -AllUserConnection to allow VPN connection on the login screen I get this error:

"The configuration cannot be applied to the global user VPN connection VPN Name. : The system
could not find the phone book entry for this connection."

I've manually moved the phone book entries like suggested in this post on spiceworks:

https://community.spiceworks.com/topic/2284129-windows-10-2004-l2tp-vpn-the-system-could-not-find-the-phone-book-entry

I've tried running the shell as admin, logging in as admin then running the script, I've tried manually running each command in the script myself. I've tried creating the VPN then trying to add -AllUserConnection afterwards but I just keep getting the same error.

I'll paste in the powershell script here incase I'm missing something but again it works perfectly until I just add -AllUserConnection.

Any suggestions would be greatly appreciated!

function PrintError ($message) {
Write-Host $message -ForegroundColor Red -BackgroundColor Black
}

function SetIPSecConfiguration () {
Set-VpnConnectionIPsecConfiguration -ConnectionName 'VPN Name' -AuthenticationTransformConstants 'SHA196' -CipherTransformConstants 'AES256' -DHGroup 'Group14' -EncryptionMethod 'AES256' -IntegrityCheckMethod 'SHA256' -PfsGroup 'None' -Force
}

function AddVPNConnection () {
try {
Add-VpnConnection -Name 'VPN Name' -ServerAddress 'x.x.x.x' -TunnelType 'IKEv2' -EncryptionLevel 'Required' -AuthenticationMethod Eap -RememberCredential -AllUserConnection -Force
SetIPSecConfiguration
Write-Host "Created the 'VPN Name' VPN connection"
} catch {
PrintError "Error in creating the 'VPN Name' VPN connection!"
PrintError $_.Exception.Message
}
}

function UpdateVPNConnection () {
try {
Set-VpnConnection -Name 'VPN Name' -ServerAddress 'x.x.x.x' -TunnelType 'IKEv2' -EncryptionLevel 'Required' -AuthenticationMethod Eap -AllUserConnection -Force -WarningAction SilentlyContinue
SetIPSecConfiguration
Write-Host "Updated the 'VPN Name' VPN connection"
} catch {
PrintError "Error in updating the 'VPN Name' VPN connection!"
PrintError $_.Exception.Message
}
}

$vpn = Get-VpnConnection -Name 'VPN Name' -ErrorAction SilentlyContinue
if ($vpn -and ($vpn.Name -eq 'VPN Name')) {
PrintError "A VPN connection with the name 'VPN Name' is already configured on your system."
$message = "Do you want to update the existing 'VPN Name' VPN connection?"
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Updates the 'VPN Name' VPN connection."
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "Exit without updating."
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $host.ui.PromptForChoice('', $message, $options, 0)
switch ($result) {
0 {UpdateVPNConnection}
1 {PrintError "The existing ‘VPN Name’ VPN connection was not updated. Remove or rename the existing VPN connection and run the script again."}
}
} else {
AddVPNConnection
}
exit

Comments

  • An update on the situation, I found this post here: https://eclat.tech/software/microsoft/powershell-add-vpnconnection-errors-in-windows-10-version-1909/

    So I was able to create the VPN via Powershell commands by adding "-SplitTunneling $true -Passthru" instead of "-AllUserConnection"

    But If I try the same in the script, access is denied (even when logged in as admin or running as admin)
    And now when attempting to connect to the VPN from the Windows log in screen I get "Unknown error 0x80420112"

  • edited April 25

    Did you resolve this? I am having the same issue.

    Well, almost the same. Mine works if I run the addvpn.ps1 in an elevated powershell session, but not when launching via the .bat file.

    Thanks.

  • edited April 25

    Remove the $true after SplitTunneling
    It doesn't seem to be needed from the MS docs.

    I modified the WG setup AddVPN.ps1 file and then ran the WGIKEv2.bat file for 2 other VPN configs, but not one for this goal.
    The ones that I added:
    . split tunneling
    . domain name suffix

  • I resolved it by running the .bat file (the certs install but the vpn is not created) then running the AddVPN.ps1 file in a separate elevated powershell session and that works perfectly.

Sign In to comment.