Deploying IKE VPN for WatchGuard with user authentication via Intune

I thought I'd do a post on this because I struggled to find info on it. What I've shown below will replicate what the Windows client batch file and PowerShell scripts do.

In Intune, deploy the WatchGuard certificate:

  • Create a new configuration profile for Windows using the ‘Trusted certificate’ template
  • Upload the rootca.crt from the WatchGuard client package
  • Set the destination store to: Computer certificate store – Root
  • Assign the policy to a user group containing your VPN users (I elected to deploy to all users)

Next, create a VPN policy:

  • Create a new configuration profile for Windows from the ‘VPN’ template
  • Scope: User
  • Connection type: IKEv2
  • Connection name: Your connection name
  • Servers: Your WatchGuard endpoint/s
  • Remember credentials at each logon: Enabled
  • Authentication method: EAP
  • EAP XML: (You can determine the EAP XML from a Windows machine that already has the IKE client configured, using the PowerShell command: (Get-VpnConnection -Name "Your connection name").EapConfigXmlStream.InnerXml). The XML below selects EAP-MSCHAPv2 (EAP type 26) and prompts for credentials rather than reusing the Windows logon credentials:
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod>
        <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
        <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
        <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
        <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
    </EapMethod>
    <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>26</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                <UseWinLogonCredentials>false</UseWinLogonCredentials>
            </EapType>
        </Eap>
    </Config>
</EapHostConfig>
  • Encryption algorithm: AES-256
  • Integrity check algorithm: SHA2-256
  • Diffie-Hellman group: 14
  • Cipher transform algorithm: CBC-AES-256
  • Authentication transformation algorithm: HMAC-SHA1-96
  • Assign to your VPN user group.

Configure other values as you need and substitute your own configuration where it differs from the above. The IKE SA settings (encryption algorithm, integrity check algorithm, Diffie-Hellman group) and the child SA settings (cipher transform, authentication transform) must match the Phase 1 and Phase 2 settings of the Firebox's Mobile VPN with IKEv2 configuration, otherwise the negotiation fails. You can test what has been configured on the client using the PowerShell commands (run them in the VPN user's own session, since a user-scoped profile creates a per-user connection):
Get-VpnConnection -Name "Your connection name" for the connection config
and
(Get-VpnConnection -Name "Your connection name").IPsecCustomPolicy for the IPsec config
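The same result, built locally with the built-in VPN cmdlets, is useful both for testing on a single machine before rolling out the Intune profiles and for checking that an Intune-deployed connection matches. This is an added example and is not the original post's code or WatchGuard's own client scripts. The connection name 'WatchGuard IKEv2', the endpoint 'vpn.example.com', the path C:\Temp\rootca.crt and the PFS group None are assumptions (the post does not state a PFS group; use whatever your Firebox is configured with).

```powershell
# Added example, not from the original post or the WatchGuard client package.
# Assumptions: connection name, endpoint, root CA path and PfsGroup None below.
# Run as administrator for the certificate import; the VPN connection is created
# for the current user (no -AllUserConnection), like an Intune profile with Scope: User.

$ConnectionName = 'WatchGuard IKEv2'      # assumed
$ServerAddress  = 'vpn.example.com'       # assumed
$RootCaPath     = 'C:\Temp\rootca.crt'    # assumed: rootca.crt from the client package

# Step 1: trust the Firebox's root CA in the machine Root store (the 'Trusted certificate'
# profile). The IKEv2 server certificate presented by the Firebox is chained against this store.
Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 2: EAP-MSCHAPv2 (EAP type 26) configuration, prompting for credentials
# instead of reusing the Windows logon credentials.
$EapXml = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@
$EapConfig = New-Object System.Xml.XmlDocument
$EapConfig.LoadXml($EapXml)

# Step 3: the connection itself (the 'VPN' profile: IKEv2, EAP, remember credentials).
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EapConfigXmlStream $EapConfig -RememberCredential -Force

# Step 4: IKE SA parameters (EncryptionMethod, IntegrityCheckMethod, DHGroup) and child SA
# parameters (CipherTransformConstants, AuthenticationTransformConstants) from the profile.
# PfsGroup None is an assumption; match it to the Firebox's Phase 2 PFS setting.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA196 `
    -PfsGroup None -Force

# Step 5: verify the connection against the expected profile values. The same function
# checks an Intune-deployed connection when run in the VPN user's session.
function Test-WatchGuardVpnProfile {
    param([string]$Name)
    $vpn   = Get-VpnConnection -Name $Name -ErrorAction Stop
    $ipsec = $vpn.IPsecCustomPolicy
    $expected = @{
        EncryptionMethod                 = 'AES256'
        IntegrityCheckMethod             = 'SHA256'
        DHGroup                          = 'Group14'
        CipherTransformConstants         = 'AES256'
        AuthenticationTransformConstants = 'SHA196'
    }
    $ok = $true
    if ("$($vpn.TunnelType)" -ne 'Ikev2') {
        Write-Warning "$Name : tunnel type is '$($vpn.TunnelType)', expected 'Ikev2'"; $ok = $false
    }
    if ($null -eq $ipsec) {
        Write-Warning "$Name : no custom IPsec policy set (defaults in use)"; return $false
    }
    foreach ($k in $expected.Keys) {
        $actual = "$($ipsec.$k)"
        if ($actual -ne $expected[$k]) {
            Write-Warning "$Name : $k is '$actual', expected '$($expected[$k])'"; $ok = $false
        }
    }
    if ($vpn.AuthenticationMethod -notcontains 'Eap') {
        Write-Warning "$Name : authentication method is not EAP"; $ok = $false
    }
    if ($vpn.EapConfigXmlStream.InnerXml -notmatch '<Type>26</Type>') {
        Write-Warning "$Name : EAP method is not EAP-MSCHAPv2 (type 26)"; $ok = $false
    }
    return $ok
}

Test-WatchGuardVpnProfile -Name $ConnectionName   # $true when everything matches the profile
```

Two things worth checking when the connection is created but fails to connect: the Firebox's IKEv2 server certificate must chain to the root you imported into the machine Root store, and its subject or subject alternative name must match the server address you configured, since the Windows IKEv2 client validates both before the EAP exchange starts. Because EAP-MSCHAPv2 here runs inside the certificate-authenticated IKE_AUTH exchange, that certificate check is what protects the user's credentials from a spoofed endpoint.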
