VPN Interoperability guide for Windows Server 2012 R2

Introduction

Microsoft® Windows® Server 2012 R2 supports the industry standard IKEv2 tunnel for VPN connectivity (both point-to-site and site-to-site). This enables customers with existing third party VPN devices to deploy the Windows Server 2012 R2 VPN gateway and interoperate with those devices to perform branch-site networking.

This document covers the working configurations for some of the popular third party VPN devices that can be deployed to work with Windows Server 2012 R2 VPN. The configuration for a Windows gateway is also included to serve as a guideline for an interoperable deployment with the third party devices.

Windows Server Gateway

A Windows Server 2012 R2 gateway can be configured for point-to-site (P2S) VPN, site-to-site (S2S) VPN, dynamic BGP routing, or a combination of these features. P2S VPN support and its interoperability are unchanged on Windows Server 2012 R2, and the details are available here. Dynamic BGP routing support is an implementation of the standard BGP4 protocol; it allows dynamic BGP routing to be configured between the Windows gateway and the branch site, provided the site uses a Windows or third party BGP4 router.

To establish an S2S VPN connection between a multi-tenant Windows Server 2012 R2 VPN gateway and your third party device, you must make sure that the third party device supports the IKEv2 tunnelling protocol and that its IPsec parameter configuration is compatible with the Windows configuration.

IPSec Configuration

This section lists the IPsec configuration parameters for the IKEv2 tunnel available on the Windows Server 2012 R2 S2S VPN gateway.

Configuration via SC-VMM

Configuration via SC-VMM offers a more customizable set of IPsec options, as can be seen in the VM Network Properties window (SC-VMM > VM and Service > VM Networks > Tenant Network > Properties).

Figure 1: SC-VMM VPN connection configuration

The IPsec properties configurable here and the values available for each are listed below (default values are in bold):

| Authentication Method | Encryption Method | Integrity Check | Cipher Transform | Authentication Transform | PFS Group | DH Group |
| --- | --- | --- | --- | --- | --- | --- |
| PSK Only | DES | MD5 | DES | SHA-256-128 | None | None |
| Machine Certificate | 3DES | SHA1 | 3DES | MD5-96 | PFS-1 | Group1 |
| | AES128 | SHA256 | AES128 | SHA1-96 | PFS-2 | Group2 |
| | AES192 | SHA384 | AES192 | GCMAES128 | PFS-2048 | Group14 |
| | AES256 | | AES256 | GCMAES192 | ECP-256 | ECP-256 |
| | | | GCMAES128 | GCMAES256 | ECP-384 | ECP-384 |
| | | | GCMAES192 | | PFS-MM | Group24 |
| | | | GCMAES256 | | PFS-24 | |

Manual configuration

The Windows Server 2012 R2 gateway offers the following encryption options:

1. No Encryption

2. Optional Encryption

3. Require Encryption (Default)

4. Strong Encryption

The following tables present the proposals associated with each of these encryption options:

IKEv2 Phase 1 (Main Mode) proposal settings

| Encryption Type | Diffie-Hellman Group | Cipher Transform | Integrity Algorithm |
| --- | --- | --- | --- |
| No Encryption, Optional Encryption, Require Encryption | DH2 | 3DES, AES128, AES192, AES256 | SHA1, SHA256, SHA384 |
| Strong Encryption | DH2 | 3DES, AES256 | SHA1, SHA256, SHA384 |

IKEv2 Phase 2 (Quick Mode) proposal settings

Each proposal is written as <ESP Auth Transform, ESP Cipher, AH Auth Transform>.

| Encryption Type | PFS Group | Proposals <ESP Auth Transform, ESP Cipher, AH Auth Transform> |
| --- | --- | --- |
| No Encryption | None, PFS-1, PFS-2, PFS-2048, PFS-ECP-256, PFS-ECP-384, PFS-MM, PFS-24 | <HMAC-SHA-1-96, None, None>; <None, None, HMAC-SHA-1-96> |
| Optional Encryption | None, PFS-1, PFS-2, PFS-2048, PFS-ECP-256, PFS-ECP-384, PFS-MM, PFS-24 | <HMAC-SHA-1-96, CBC-AES-256, None>; <HMAC-SHA-1-96, CBC-AES-128, None>; <HMAC-SHA-1-96, CBC-3DES, None>; <HMAC-SHA-1-96, CBC-DES, None>; <HMAC-SHA-1-96, None, None>; <HMAC-SHA-256-128, CBC-3DES, None>; <None, None, HMAC-SHA-1-96> |
| Require Encryption | None, PFS-1, PFS-2, PFS-2048, PFS-ECP-256, PFS-ECP-384, PFS-MM, PFS-24 | <HMAC-SHA-1-96, CBC-AES-256, None>; <HMAC-SHA-1-96, CBC-AES-128, None>; <HMAC-SHA-1-96, CBC-3DES, None>; <HMAC-SHA-1-96, CBC-DES, None> |
| Strong Encryption | None, PFS-1, PFS-2, PFS-2048, PFS-ECP-256, PFS-ECP-384, PFS-MM, PFS-24 | <HMAC-SHA-1-96, CBC-AES-256, None>; <HMAC-SHA-1-96, CBC-3DES, None> |
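The two configuration paths above (the SC-VMM property set and the manual encryption options) map onto the same RRAS cmdlet parameters. The following added example, which is not part of the original guide or of any vendor template, creates an S2S IKEv2 interface both ways with the RemoteAccess module's Add-VpnS2SInterface cmdlet. Interface names, peer addresses, subnets and the PSK are constructed placeholders; the algorithm values follow the SC-VMM table, with "MaximumEncryption" assumed to be the cmdlet's name for the "Strong Encryption" option.

```powershell
# Added example, not from the original guide: create a Windows Server 2012 R2
# S2S IKEv2 interface with the RRAS cmdlets. Names, addresses, subnets and the
# PSK are constructed placeholders; replace them with your own values.

# Option A: use one of the four built-in encryption options from the proposal
# tables. The cmdlet calls "Strong Encryption" MaximumEncryption (assumption).
$builtIn = @{
    Name                 = "Branch-Fortinet"
    Destination          = "203.0.113.10"            # placeholder peer address
    Protocol             = "IKEv2"
    AuthenticationMethod = "PSKOnly"
    SharedSecret         = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    IPv4Subnet           = @("10.20.0.0/16:100")     # remote subnet:metric
    EncryptionType       = "MaximumEncryption"
    Persistent           = $true
}
Add-VpnS2SInterface @builtIn

# Option B: a custom IPsec policy that pins exactly one proposal, so the third
# party device only has to match a single set of algorithms. The values are
# the ones the SC-VMM VM Network Properties dialog exposes (spelled as the
# cmdlet expects them: SHA256128 is the HMAC-SHA-256-128 auth transform).
$custom = @{
    Name                             = "Branch-Juniper"
    Destination                      = "198.51.100.20"   # placeholder peer address
    Protocol                         = "IKEv2"
    AuthenticationMethod             = "PSKOnly"
    SharedSecret                     = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    IPv4Subnet                       = @("10.30.0.0/16:100")
    CustomPolicy                     = $true
    EncryptionMethod                 = "AES256"      # IKE SA (Phase 1) cipher
    IntegrityCheckMethod             = "SHA256"      # IKE SA integrity
    DHGroup                          = "Group14"     # IKE SA Diffie-Hellman group
    CipherTransformConstants         = "AES256"      # ESP cipher (Phase 2)
    AuthenticationTransformConstants = "SHA256128"   # ESP auth transform
    PfsGroup                         = "PFS2048"     # PFS for child SAs
    SALifeTimeSeconds                = 28800         # re-key every 8 hours
    Persistent                       = $true
}
Add-VpnS2SInterface @custom

# Print the policy fields so they can be compared line by line against the
# peer device's configuration, then bring the tunnel up and read its state.
Get-VpnS2SInterface -Name "Branch-Juniper" |
    Format-List Name, Destination, EncryptionMethod, IntegrityCheckMethod, DHGroup,
                CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
Connect-VpnS2SInterface -Name "Branch-Juniper"
(Get-VpnS2SInterface -Name "Branch-Juniper").ConnectionState
```

Option B is the one to prefer for interoperability testing: with a single pinned proposal on the Windows side, a failed negotiation can only mean the peer does not offer that exact combination, which is much easier to diagnose than a mismatch somewhere inside the multi-proposal built-in sets.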

Third party VPN devices

We have validated a set of standard third party S2S VPN devices for interoperability with the Windows Server 2012 R2 VPN gateway. These compatible devices are listed below along with example configurations for each device family to help you configure your VPN device.

If you don’t see your device in the known compatible VPN device list and want to use the device for your VPN connection, you’ll need to verify that it meets the minimum requirements outlined in the previous section. Devices meeting the minimum requirements should also work well with Windows Server 2012 R2 Gateway.

| Vendor | Device Family | OS Version | Example configuration |
| --- | --- | --- | --- |
| CheckPoint | Security Gateway | R75.40, R75.40VS | Configuration instructions |
| Cisco | ASA 5500 series | ASA v9.0 (3), Device Manager v 7.1(2) | Cisco-ASA-5510-config.txt (attached file) |
| Cisco | ASR | IOS 15.2 | Cisco ASR templates |
| Cisco | ISR | IOS 15.1 | Cisco ISR templates |
| Fortinet | FortiGate | FortiOS 5.0.7 | Configuration instructions |
| Juniper | SRX series | JunOS 11.4 | Juniper SRX templates |
| Juniper | SRX series | JunOS 12.1 | Juniper-SRX100-config.txt (attached file) |
| Juniper | J-Series | JunOS 11.4 | Juniper J-series templates |
| Juniper | ISG | ScreenOS 6.3 | Juniper ISG templates |
| Juniper | SSG | ScreenOS 6.2 | Juniper SSG templates |

For a more comprehensive list of devices and their corresponding configurations for connecting to Microsoft Azure, please refer to this article.

Caveats / Limitations

Cisco ASA family

There is an IKEv2 implementation difference between the Windows Server RRAS gateway and Cisco ASA devices. Section 2.9 of the Internet Key Exchange Protocol Version 2 (IKEv2) RFC describes Traffic Selector negotiation during IKEv2 setup, and states that if the responder's policy does not allow it to accept any part of the proposed Traffic Selectors, it responds with a TS_UNACCEPTABLE Notify message.

Microsoft Windows RRAS initiates the IKEv2 tunnel with a proposal that uses “any” (*) as the Traffic Selector (TS), which asks the responder to narrow it down to the value configured on its end. The Cisco ASA implementation, however, does not narrow a “*” Traffic Selector proposal: it treats it as an unacceptable offer, sends the TS_UNACCEPTABLE notify message, and the tunnel is not established.

In the other direction, when a Cisco ASA device sends the TS configured on it to the Microsoft Windows gateway in its proposal, the Windows gateway, being configured to accept all TS (value “*”), accepts the proposal, narrows it down to the Cisco ASA's proposed TS, and the tunnel is established.

In practice this means the IKEv2 S2S VPN tunnel is established when initiated from the Cisco ASA end but fails when initiated from the Windows end.

The problem can be mitigated by making sure that the tunnel, once established from the Cisco ASA device, always remains up:

  1. Make sure the tunnel timeout values on both the Cisco ASA and the Windows Server gateway are configured so that they do not expire quickly.
  2. Make sure Dead Peer Detection on the Cisco ASA is not left at its default value (10 seconds) but set to “infinite”.
  3. If necessary, make sure some sort of keep-alive traffic always flows through the IKEv2 tunnel to keep it up.
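The Windows-side half of that mitigation (long timeouts, steady keep-alive traffic, and a record of when the tunnel drops) can be scripted. The following is an added example and not part of the original guide: the interface name, the probe host behind the ASA, the log path and the probe interval are constructed placeholders, the SALifeTimeSeconds and IdleDisconnectSeconds parameters of Set-VpnS2SInterface are used as the "tunnel timeout" knobs, and the ConnectionState value "Connected" is assumed to be what Get-VpnS2SInterface reports for an established tunnel. The Cisco-side settings (SA lifetime and DPD set to infinite) are made on the ASA itself and are not shown.

```powershell
# Added example, not from the original guide: Windows-side mitigation for the
# Cisco ASA traffic-selector caveat. All values below are constructed
# placeholders; adjust them for your deployment.
$ifName   = "Branch-CiscoASA"
$lanHost  = "10.20.0.1"                 # assumption: a host behind the ASA that answers ICMP
$logPath  = "C:\Logs\s2s-keepalive.log" # placeholder; the folder must exist
$interval = 60                          # seconds between keepalive probes

# Step 1: do not let the Windows side expire the tunnel early. A one-day SA
# lifetime and idle timeout keep RRAS from tearing down the ASA-initiated tunnel.
Set-VpnS2SInterface -Name $ifName -SALifeTimeSeconds 86400 -IdleDisconnectSeconds 86400

# Step 3: generate steady traffic across the tunnel and record its state. Each
# probe doubles as the check that tells you when the tunnel has dropped.
function Test-S2STunnel {
    param([string]$Name, [string]$ProbeHost)
    $state = (Get-VpnS2SInterface -Name $Name).ConnectionState
    $alive = Test-Connection -ComputerName $ProbeHost -Count 1 -Quiet
    [pscustomobject]@{
        Time            = Get-Date -Format "s"
        Interface       = $Name
        ConnectionState = $state
        ProbeReachable  = $alive
    }
}

while ($true) {
    $r = Test-S2STunnel -Name $ifName -ProbeHost $lanHost
    $line = "{0} {1} state={2} probe={3}" -f $r.Time, $r.Interface, $r.ConnectionState, $r.ProbeReachable
    Add-Content -Path $logPath -Value $line
    if ($r.ConnectionState -ne "Connected" -or -not $r.ProbeReachable) {
        # As described in the caveat above, a Windows-initiated IKEv2 setup fails
        # against the ASA, so recovery has to come from the ASA side; surface it.
        Write-Warning "S2S tunnel down or unreachable: $line"
    }
    Start-Sleep -Seconds $interval
}
```

Run the loop under a scheduled task or a service account on the gateway rather than in an interactive session, and feed the log into whatever monitoring you already have: a run of "probe=False" lines is the earliest signal that the ASA needs to re-initiate the tunnel.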