To create and deploy custom IKEv2 and L2TP VPN profiles to Windows user computers, and to configure pre-logon VPN connections, you can use Microsoft PowerShell scripts and Microsoft Group Policy.
For Mobile VPN with IKEv2, you can download a batch file from your Firebox that automatically creates an IKEv2 VPN profile. However, if you want to create a custom IKEv2 profile for silent automatic deployment, such as a profile configured for VPN pre-logon or split tunneling, you must edit the script or create a new script.

For Mobile VPN with L2TP, you cannot download a batch file from your Firebox that creates an L2TP VPN profile. However, you can create a new L2TP VPN script for automatic deployment or you can edit the L2TP script sample in this article.

The instructions in this article explain how to edit or create custom IKEv2 and L2TP scripts.

Note: To implement and support custom IKEv2 and L2TP deployment scripts on your network, you must understand Microsoft PowerShell, Active Directory, and Group Policy. We provide these scripts as samples only and cannot guarantee compatibility with all networks. On some networks, Active Directory restrictions might affect these sample scripts. If you need more information or technical support about how to configure Microsoft products, see the Microsoft documentation and support resources.

How It Works

To create a script, you must use Microsoft PowerShell or a text editor such as Notepad. With PowerShell or a text editor, you can:
After you create the script, you can use a Microsoft Group Policy Object (GPO) to deploy the script remotely to Active Directory groups on your network. You can also deploy the script manually. This article covers remote deployment through a GPO.

Configuration

Step 1 — Create a Microsoft PowerShell script
Step 2 — Customize the PowerShell script

In the sample scripts in this section, we show several parameters that you might want to configure. You can append additional parameters to the script. Here are a few optional parameters:
For encryption settings (the Set-VpnConnectionIPsecConfiguration cmdlet), we recommend that you copy those commands from the WatchGuard IKEv2 script that you can download from your Firebox. This helps to make sure the client transform settings match the Firebox transform settings; if the settings do not match, the client negotiates with the Windows defaults or the connection fails. For example, copy these parameters and values from the WatchGuard IKEv2 script:
These parameters apply to both IKEv2 and L2TP. For information about other parameters, see VPN Client-specific cmdlets on the Microsoft website. In the sample scripts, each command is followed by an explanation in a PowerShell block comment (<# ... #>); single-line comments begin with a # symbol.

Sample 1 (IKEv2 VPN with pre-logon)

Get-ChildItem -Path .\rootca.crt | Import-Certificate -CertStoreLocation cert:\LocalMachine\root

<# Import the required rootca.crt certificate into the Local Machine Trusted Root store (cert:\LocalMachine\root), which is the required location for a connection shared by all users of the computer. Do not use the default location, which is the current user's store. Save the certificate in the same location as the script. #>

Add-VpnConnection -Name 'MyCompany IKEv2' -ServerAddress '203.0.113.2' -TunnelType 'IKEv2' -EncryptionLevel 'Required' -AuthenticationMethod Eap -AllUserConnection -Force

<# Add an IKEv2 VPN connection named "MyCompany IKEv2" that connects to a Firebox at 203.0.113.2 and requires EAP authentication. -AllUserConnection stores the profile in the global (all-user) phonebook instead of the current user's phonebook, which is what makes the connection available on the Windows logon screen before a user signs in. -Force suppresses the confirmation prompt so the script runs unattended and users do not see an installation prompt. #>

Sample 2 (L2TP VPN with pre-logon and split tunneling)

Add-VpnConnection -Name 'MyCompany L2TP' -ServerAddress '203.0.113.2' -TunnelType L2tp -EncryptionLevel Required -L2tpPsk 'ie0J%$V%8&eY' -AuthenticationMethod Mschapv2 -DnsSuffix 'example.net' -AllUserConnection -RememberCredential -SplitTunneling -Force

<# Add an L2TP VPN connection named "MyCompany L2TP" that connects to a Firebox at 203.0.113.2. -L2tpPsk sets the IPsec pre-shared key; put the key in single quotes, because characters such as $ and & in an unquoted value are interpreted by PowerShell and the command fails or sends the wrong key. -AuthenticationMethod Mschapv2 sets user authentication. -DnsSuffix sets the connection-specific DNS suffix. -AllUserConnection makes the profile available pre-logon. -RememberCredential caches the user's credentials after the first successful connection. -SplitTunneling sends only traffic for routes you add explicitly through the tunnel; all other traffic uses the local network. #>

Note: A script deployed through Group Policy is stored in SYSVOL, which every authenticated domain user can read, so the pre-shared key in this script is not a secret from domain users. Treat it as shared across the domain and change it on the Firebox if it is exposed further.

To define routes for a split-tunnel VPN, specify this command:

Add-VpnConnectionRoute -ConnectionName "MyCompany L2TP" -DestinationPrefix "x.x.x.x/xx" -AllUserConnection

# Because the connection was created with -AllUserConnection, the route command must also specify -AllUserConnection so it applies to the all-user profile. Replace x.x.x.x/xx with a network behind the Firebox, in CIDR notation, and repeat the command for each network.

You can add this command to your VPN script or create a separate script dedicated to route specification.

Step 3 — Apply the script(s) to a policy and deploy to users

From Windows Server:
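Before you attach a script to a GPO, it helps to run it end to end on one computer from an elevated PowerShell prompt. The following script is an added example, not WatchGuard's own script, that combines the pieces above: the root CA import, the all-user IKEv2 connection from Sample 1, explicit IPsec transform settings, and a split-tunnel route. It can be re-run without creating duplicate profiles and ends by showing the installed profile. The connection name, server address, certificate file name, route prefix and the IPsec transform constants are assumptions; take the real transform values from the IKEv2 script downloaded from your Firebox.

```powershell
# Added example (not WatchGuard's script). Assumed values: connection name, server
# address, certificate file name, route prefix, and the IPsec transform constants.
# Run from an elevated prompt; the Local Machine certificate store and the
# all-user phonebook both require administrator rights.

$ConnectionName = 'MyCompany IKEv2'
$ServerAddress  = '203.0.113.2'
$RootCaPath     = Join-Path -Path $PSScriptRoot -ChildPath 'rootca.crt'
$InternalNet    = '10.0.0.0/8'   # assumed network behind the Firebox

# 1. Import the root CA into the Local Machine Trusted Root store, but only if a
#    certificate with the same thumbprint is not already there.
$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCaPath
if (-not (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $rootCa.Thumbprint)) {
    Import-Certificate -FilePath $RootCaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 2. Remove a stale copy of the profile so the script can be re-run safely after
#    the server address or the transform settings change.
if (Get-VpnConnection -AllUserConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
}

# 3. Create the connection in the all-user phonebook so it is offered pre-logon.
#    Splatting keeps the long parameter list readable.
$connection = @{
    Name                 = $ConnectionName
    ServerAddress        = $ServerAddress
    TunnelType           = 'Ikev2'
    EncryptionLevel      = 'Required'
    AuthenticationMethod = 'Eap'
    SplitTunneling       = $true
    AllUserConnection    = $true
    Force                = $true
}
Add-VpnConnection @connection

# 4. Pin the IPsec proposal so the client does not negotiate the weaker Windows
#    defaults. The constants below are placeholders; they must match the Firebox
#    phase 1 and phase 2 settings, which the WatchGuard IKEv2 script contains.
$ipsec = @{
    ConnectionName                   = $ConnectionName
    AuthenticationTransformConstants = 'SHA256128'
    CipherTransformConstants         = 'AES256'
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'
    PfsGroup                         = 'PFS2048'
    AllUserConnection                = $true
    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @ipsec

# 5. With split tunneling enabled, only traffic for explicit routes enters the
#    tunnel, so add one route per internal network (all-user profile again).
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $InternalNet -AllUserConnection

# 6. Show what was installed. The all-user phonebook is
#    C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk; a profile in
#    the per-user phonebook under %AppData% is not available before logon.
Get-VpnConnection -AllUserConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

When the output lists the profile with the expected server address and tunnel type, and the logon screen's Network Sign-In icon offers the connection after a reboot, the script is ready to attach to a GPO. For the L2TP variant, replace the Add-VpnConnection parameters with the ones from Sample 2 and keep the rest of the script the same.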
Pre-Logon

If your script includes parameters for pre-logon, after the computer receives the updated policy, a Network Sign-In icon appears on the Windows logon screen. Users can click this icon to see a list of VPNs configured on the computer. To log in, users can click a VPN connection and specify credentials.

See Also

Configure Windows Devices for Mobile VPN with IKEv2 in Fireware Help