Help with pre-logon IKEv2 VPN
Hello everyone, I am having a lot of trouble getting the pre-logon function to work. I am following the guide from watchguard support center here:
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bopASAQ
I've taken the pre-configured powershell script from the firebox, which works perfectly, but as soon as I try to add -AllUserConnection to allow VPN connection on the login screen I get this error:
"The configuration cannot be applied to the global user VPN connection VPN Name. : The system
could not find the phone book entry for this connection."
I've manually moved the phone book entries like suggested in this post on spiceworks:
I've tried running the shell as admin, logging in as admin then running the script, I've tried manually running each command in the script myself. I've tried creating the VPN then trying to add -AllUserConnection afterwards but I just keep getting the same error.
I'll paste in the powershell script here incase I'm missing something but again it works perfectly until I just add -AllUserConnection.
Any suggestions would be greatly appreciated!
function PrintError ($message) {
Write-Host $message -ForegroundColor Red -BackgroundColor Black
}
function SetIPSecConfiguration () {
Set-VpnConnectionIPsecConfiguration -ConnectionName 'VPN Name' -AuthenticationTransformConstants 'SHA196' -CipherTransformConstants 'AES256' -DHGroup 'Group14' -EncryptionMethod 'AES256' -IntegrityCheckMethod 'SHA256' -PfsGroup 'None' -Force
}
function AddVPNConnection () {
try {
Add-VpnConnection -Name 'VPN Name' -ServerAddress 'x.x.x.x' -TunnelType 'IKEv2' -EncryptionLevel 'Required' -AuthenticationMethod Eap -RememberCredential -AllUserConnection -Force
SetIPSecConfiguration
Write-Host "Created the 'VPN Name' VPN connection"
} catch {
PrintError "Error in creating the 'VPN Name' VPN connection!"
PrintError $_.Exception.Message
}
}
function UpdateVPNConnection () {
try {
Set-VpnConnection -Name 'VPN Name' -ServerAddress 'x.x.x.x' -TunnelType 'IKEv2' -EncryptionLevel 'Required' -AuthenticationMethod Eap -AllUserConnection -Force -WarningAction SilentlyContinue
SetIPSecConfiguration
Write-Host "Updated the 'VPN Name' VPN connection"
} catch {
PrintError "Error in updating the 'VPN Name' VPN connection!"
PrintError $_.Exception.Message
}
}
$vpn = Get-VpnConnection -Name 'VPN Name' -ErrorAction SilentlyContinue
if ($vpn -and ($vpn.Name -eq 'VPN Name')) {
PrintError "A VPN connection with the name 'VPN Name' is already configured on your system."
$message = "Do you want to update the existing 'VPN Name' VPN connection?"
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Updates the 'VPN Name' VPN connection."
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "Exit without updating."
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $host.ui.PromptForChoice('', $message, $options, 0)
switch ($result) {
0 {UpdateVPNConnection}
1 {PrintError "The existing ‘VPN Name’ VPN connection was not updated. Remove or rename the existing VPN connection and run the script again."}
}
} else {
AddVPNConnection
}
exit
Comments
An update on the situation, I found this post here: https://eclat.tech/software/microsoft/powershell-add-vpnconnection-errors-in-windows-10-version-1909/
So I was able to create the VPN via Powershell commands by adding "-SplitTunneling $true -Passthru" instead of "-AllUserConnection"
But If I try the same in the script, access is denied (even when logged in as admin or running as admin)
And now when attempting to connect to the VPN from the Windows log in screen I get "Unknown error 0x80420112"