WatchGuard Support Center

Knowledge Base - Article

000017556
How can I create and deploy custom IKEv2 and L2TP VPN profiles for Windows computers?

Information
To create and deploy custom IKEv2 and L2TP VPN profiles to Windows user computers, and to configure pre-logon VPN connections, you can use Microsoft PowerShell scripts and Microsoft Group Policy. 

For Mobile VPN with IKEv2, you can download a batch file from your Firebox that automatically creates an IKEv2 VPN profile. However, if you want to create a custom IKEv2 profile for silent automatic deployment, such as a profile configured for VPN pre-logon or split tunneling, you must edit the script or create a new script.

For Mobile VPN with L2TP, you cannot download a batch file from your Firebox that creates an L2TP VPN profile. However, you can create a new L2TP VPN script for automatic deployment or you can edit the L2TP script sample in this article.

The instructions in this article explain how to edit or create custom IKEv2 and L2TP scripts.

Note: To implement and support custom IKEv2 and L2TP deployment scripts on your network, you must understand Microsoft PowerShell, Active Directory, and Group Policy. We provide these scripts as samples only and cannot guarantee compatibility with all networks. On some networks, Active Directory restrictions might affect these sample scripts. If you need more information or technical support about how to configure Microsoft products, see the Microsoft documentation and support resources.

How It Works

To create a script, you must use Microsoft PowerShell or a text editor such as Notepad. With PowerShell or a text editor, you can:
  • Create a custom script that automatically configures an IKEv2 or L2TP profile on a Windows computer.
  • Specify a parameter that allows users to log in to the VPN before they log on to Windows. This feature is known as pre-logon. 
  • Configure a split-tunnel VPN. By default, IKEv2 and L2TP VPNs are configured as full tunnel VPNs. 
  • Specify a domain suffix so users can resolve local host names through the VPN. IKEv2 and L2TP clients do not inherit a domain suffix from the Firebox. For more information about domain suffixes for IKEv2 and L2TP, see Configure DNS server and suffix settings in IKEv2 and L2TP VPN clients.
  • Specify other parameters, such as parameters that you cannot configure in the user interface for the VPN adapter.

After you create the script, you can use Microsoft Group Policy (GPO) to remotely deploy the script to Active Directory groups on your network.

Note: To run the sample scripts included in this article, computers on your network must have Windows 8.1 or higher.

Configuration

Step 1 — Create a Microsoft PowerShell script

  • Mobile VPN with IKEv2 — We recommend that you download a pre-configured script from your Firebox. You can use the instructions in this article to customize the script. This method helps you save time because you reuse parts of the pre-configured script.
  • Mobile VPN with L2TP — Open Windows PowerShell ISE or open a text editor such as Notepad. Specify the extension .ps1 to save the file.

Step 2 — Customize the PowerShell script

In the sample scripts in this section, we show several parameters that you might want to configure. You can append additional parameters to the script. Here are a few optional parameters:

Parameter            Description
-AllUserConnection   Enables the pre-logon function.
-DnsSuffix           Specifies the DNS suffix used on the network behind the Firebox.
-SplitTunneling      Disables the full-tunnel option on the VPN adapter.
-RememberCredential  Allows users to store their logon credentials for the VPN adapter.

For encryption settings, we recommend that you copy those commands from the WatchGuard IKEv2 script that you can download from your Firebox. This helps to make sure the client transform settings match the Firebox transform settings. For example, copy these parameters and values from the WatchGuard IKEv2 script:

Parameter                          Example Value   Associated Firebox Setting
-AuthenticationTransformConstants  'GCMAES128'     IKEv2 Shared Settings > Phase 1 Authentication
-CipherTransformConstants          'GCMAES128'     IKEv2 Shared Settings > Phase 1 Encryption
-DHGroup                           'ECP384'        IKEv2 Shared Settings > Phase 1 Key Group
-EncryptionMethod                  'AES256'        Phase 2 Proposals > Encryption
-IntegrityCheckMethod              'SHA256'        Phase 2 Proposals > Authentication
-PfsGroup                          'None'          Phase 2 Proposals > Perfect Forward Secrecy

These parameters apply to both IKEv2 and L2TP.

For information about other parameters, see VPN Client-specific cmdlets on the Microsoft website.

In these sample scripts, each command is followed by a comment block, enclosed in <# and #>, that explains what the command does.

Sample 1 (IKEv2 VPN with pre-logon)

Get-ChildItem -Path .\rootca.crt | Import-Certificate -CertStoreLocation cert:\LocalMachine\root

<#Install the required rootca.crt certificate and import it into the Local Machine Store, which is the required location. Do not use the default location, which is the User Store. Save the certificate in the same location as the script.#>

Add-VpnConnection -Name 'MyCompany IKEv2' -ServerAddress '203.0.113.2' -TunnelType 'IKEv2' -EncryptionLevel 'Required' -AuthenticationMethod Eap -AllUserConnection -Force

<#Add an IKEv2 VPN connection named "MyCompany IKEv2" that connects to a Firebox at 203.0.113.2. Require EAP authentication. Create a pre-logon option (with the parameter -AllUserConnection). Use -Force so the command runs without asking for confirmation and users do not see installation prompts.#>

Set-VpnConnectionIPsecConfiguration -ConnectionName 'MyCompany IKEv2' -AllUserConnection -AuthenticationTransformConstants 'GCMAES128' -CipherTransformConstants 'GCMAES128' -DHGroup 'ECP384' -EncryptionMethod 'AES256' -IntegrityCheckMethod 'SHA256' -PfsGroup 'None' -Force

<#Configure the transform sets. Because the connection was created with -AllUserConnection, specify -AllUserConnection here as well so the cmdlet looks for the connection in the machine-wide (global) phonebook rather than the current user's phonebook. Configure Phase 1 settings with -AuthenticationTransformConstants, -CipherTransformConstants, and -DHGroup; configure Phase 2 settings with -EncryptionMethod, -IntegrityCheckMethod, and -PfsGroup. Disable PFS, which is typically not supported by mobile devices.#>

exit

Sample 2 (L2TP VPN with pre-logon and split tunneling)

Add-VpnConnection -Name 'MyCompany L2TP' -ServerAddress '203.0.113.2' -TunnelType L2tp -EncryptionLevel Required -L2tpPsk 'ie0J%$V%8&eY' -AuthenticationMethod Mschapv2 -DnsSuffix 'example.net' -AllUserConnection -RememberCredential -SplitTunneling -Force

<#Add an L2TP VPN adapter named "MyCompany L2TP" that connects to a Firebox at 203.0.113.2.
Require encryption and the specified pre-shared key. Enclose the key in single quotes so that PowerShell does not interpret characters such as $ and & in it. Users cannot select to see this pre-shared key in the UI.
Require MSCHAPv2, which is required for connections to the Firebox.
Specify the domain suffix "example.net" so users can resolve local host names through the VPN.
Create a pre-logon option with the parameter -AllUserConnection.
Remember the user credentials.
Configure split tunneling instead of full tunneling.
Use -Force so the command runs without asking for confirmation and users do not see installation prompts.#>

To define routes for a split-tunnel VPN, specify this command:

Add-VpnConnectionRoute -ConnectionName "MyCompany L2TP" -DestinationPrefix "x.x.x.x/xx"

You can add this command to your VPN script or create a separate script dedicated to route specification.
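The script below is an added example and is not the WatchGuard sample script or a script downloaded from a Firebox. It combines the steps above into one startup script for a split-tunnel IKEv2 profile with pre-logon and defines the split-tunnel routes in the same file. Because a Group Policy startup script runs at every boot, it checks for an existing certificate and profile first so that it can run repeatedly without errors, and it writes a short log so an administrator can see why a deployment failed without the user being shown anything. The connection name, DNS suffix, route prefixes, and log path are assumed placeholder values; the server address and transform settings are the ones used in the samples in this article.

```powershell
#Requires -RunAsAdministrator
# Added example, not the WatchGuard sample script. Values marked "assumed" are placeholders.
$ErrorActionPreference = 'Stop'

$ConnectionName = 'MyCompany IKEv2'                      # assumed profile name
$ServerAddress  = '203.0.113.2'                          # Firebox address from the article samples
$DnsSuffix      = 'example.net'                          # assumed internal DNS suffix
$Routes         = @('10.0.0.0/8', '192.168.50.0/24')     # constructed prefixes reachable through the tunnel
$CertPath       = Join-Path $PSScriptRoot 'rootca.crt'   # certificate stored beside the script in SysVol
$LogPath        = Join-Path $env:ProgramData 'MyCompanyVpn\deploy.log'   # assumed log location

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath
}

try {
    # Import the Firebox root CA into the Local Machine Root store only if it is not already there.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint)) {
        Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Write-Log "Imported root CA $($cert.Thumbprint)"
    }

    # Add-VpnConnection fails if a profile with the same name already exists, so remove any
    # earlier copy from the all-user phonebook before re-creating it with the current settings.
    if (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
        Write-Log "Removed existing profile '$ConnectionName'"
    }

    # Pre-logon (-AllUserConnection), split tunnel, and a DNS suffix for internal name resolution.
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType IKEv2 `
        -EncryptionLevel Required -AuthenticationMethod Eap -DnsSuffix $DnsSuffix `
        -SplitTunneling -AllUserConnection -Force

    # -AllUserConnection is required here too; without it the cmdlet searches the user phonebook.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName -AllUserConnection `
        -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 `
        -DHGroup ECP384 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -Force

    # With -SplitTunneling, only the prefixes added here are routed through the VPN.
    foreach ($prefix in $Routes) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -AllUserConnection -DestinationPrefix $prefix
        Write-Log "Added route $prefix"
    }
    Write-Log "Profile '$ConnectionName' deployed"
}
catch {
    # Never surface the error to the logon screen; record it for the administrator instead.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Save the file with the .ps1 extension in the Group Policy startup script folder together with rootca.crt, as described in Step 3. Using $PSScriptRoot instead of a relative path makes the certificate lookup independent of the working directory the startup script happens to run in.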

Step 3 — Apply the script(s) to a policy and deploy to users

From Windows Server:

  1. In Group Policy Management, create or edit a policy to which you will apply the script(s).
  2. In the Security Filtering section of the policy, add Active Directory groups that will receive this policy. 
  3. In Group Policy Management Editor, select Computer Configuration > Policies > Windows Settings > Scripts.
  4. Double-click Startup.
    The Startup Properties dialog box opens.
  5. Click Show Files. Do not click Add to browse to your script. Windows Explorer opens to a folder in the Windows SysVol. You must place your scripts in this folder. 
  6. (Required for Mobile VPN with IKEv2) Copy the script(s) and the rootca.crt certificate to this folder. 
  7. On the Startup Properties dialog box, click Add > Browse.
    The Add a Script dialog box opens.
  8. Select a script and click Open.
    The script name appears in the Script Name text box. In most cases, you do not need to specify script parameters.
  9. To add more scripts, click Add.
  10. To force user computers to receive this policy immediately, refresh Group Policy on the computers or reboot the computers.
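After the policy has been refreshed or the computer rebooted, you can confirm on a client that the startup script produced the expected machine-wide profile. The check script below is an added example, not part of this article or of WatchGuard's tooling. It reads the profile back from the all-user phonebook and reports each setting that does not match. The default connection name, DNS suffix, expected route, and root CA subject fragment are assumed values; adjust them to your own script.

```powershell
# Added example, not WatchGuard's code. Run in an elevated PowerShell session on a client computer.
param(
    [string]$ConnectionName = 'MyCompany IKEv2',   # assumed profile name
    [string]$ExpectedSuffix = 'example.net',       # assumed DNS suffix
    [string[]]$ExpectedRoutes = @('10.0.0.0/8'),   # constructed split-tunnel prefix
    [string]$CaSubjectMatch = 'CN=Fireware'        # assumed fragment of the Firebox root CA subject
)

$failures = @()

# Pre-logon profiles live in the all-user phonebook, so query with -AllUserConnection.
$vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $vpn) {
    $failures += "Profile '$ConnectionName' is not in the all-user phonebook"
}
else {
    if ($vpn.TunnelType -ne 'Ikev2')         { $failures += "Tunnel type is $($vpn.TunnelType), expected Ikev2" }
    if (-not $vpn.SplitTunneling)            { $failures += 'Split tunneling is not enabled' }
    if ($vpn.DnsSuffix -ne $ExpectedSuffix)  { $failures += "DNS suffix is '$($vpn.DnsSuffix)', expected '$ExpectedSuffix'" }

    # IPsecCustomPolicy and Routes are read from the connection object returned by Get-VpnConnection.
    $policy = $vpn.IPsecCustomPolicy
    if (-not $policy -or $policy.DHGroup -ne 'ECP384') {
        $failures += 'Custom IPsec policy is missing or the Phase 1 key group is not ECP384'
    }
    foreach ($route in $ExpectedRoutes) {
        if (-not ($vpn.Routes | Where-Object DestinationPrefix -eq $route)) {
            $failures += "Split-tunnel route $route is missing"
        }
    }
}

# The root CA must be in the Local Machine Root store, not the user store.
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*$CaSubjectMatch*")) {
    $failures += "No root CA whose subject contains '$CaSubjectMatch' in Cert:\LocalMachine\Root"
}

if ($failures.Count -eq 0) {
    Write-Output "OK: profile '$ConnectionName' matches the expected configuration"
    exit 0
}
$failures | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

A non-zero exit code makes the check usable from a management tool or a scheduled task, and the FAIL lines point directly at the parameter in the deployment script that needs attention.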

Pre-Logon

If your script includes parameters for pre-logon, after the computer receives the updated policy, a Network Sign-In icon appears on the Windows logon screen. Users can click this icon to see a list of VPNs configured on the computer. To log in, users can click a VPN connection and specify credentials.

See Also

Configure Windows Devices for Mobile VPN with IKEv2 in Fireware Help