Windows 10: Override IP address as default client identity on Windows IKEv2 VPN client.

I am trying to manually set the client IKEv2 identity for the native Windows VPN client. The headend in this case in Cisco's FlexVPN Server, and there are specific policies that need to be applied per-user. The normal way to do this is to discriminate amongst connections using the IKE identities presented by each client. On most VPN clients, there is a way to set this value manually e.g. to a string representing the client's FQDN. Looking at debug logs on the headend, the IKEv2 identity for the Windows client defaults to the IP address of the interface associated with the underlay connection

:)

 

A problem of Windows 10 VPN (Ikev2) connection

I agree that something changed in Windows 10 here... I've been looking into this and it appears that Windows 10 isn't configuring the routing correctly or forcing split tunneling (but only using the client IP range as the source for the split tunneling).
For example, if I connect to my ikev2 vpn server, all my traffic is routed over my NIC, except when I try to use an IP in the virtual IP range of the client. And since only the virtual IP range gets routed over to the VPN server, the VPN is pretty much useless.

Has anyone heard of functionality changes in the ikev2 VPN implementation?

 

Cisco VPN N85 using Nokia Mobile VPN client policy tool

I moved futher with change of configuration on the router and no I get IP from virtual pool but unable to get any further as IPSEC does not negotiate.

My configuration is as following

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key aaabbb address 0.0.0.0 0.0.0.0

crypto isakmp client configuration address-pool local vpn2

crypto isakmp client configuration group VPNCLIENTGROUP

key aaabbb

dns a.b.c.d

domain wr

pool vpn2

save-password

crypto isakmp profile VPNclient

description VPN clients profile

match identity group VPNCLIENTGROUP

match identity address 0.0.0.0

client authentication list userlist

isakmp authorization list groupauthor

client configuration address initiate

client configuration address respond

client configuration group VPNCLIENTGROUP

crypto ipsec transform-set 3des esp-3des esp-sha-hmac

crypto dynamic-map SDM_CMAP_1 99

set transform-set 3des

set isakmp-profile VPNclient

reverse-route

crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic SDM_CMAP_1





When I run the debug on the router, I am getting IP address from the pool which actually also shows up on the phone (n85). It should that VPN is activated also on the phone followed by another message that it is deactivated. I used Nokia VPN Client policy
tool to create the policy with following

IKEv1,3DES,MD5,

True = Responder lifetime, send certificate, IPsec expire, Replay status, Use mode config, Use commit bit, Xauth

False= Nat probe

IKE proposal = 3DES-CBC, MD5

 

Azure VPN - Client won't launch on Windows 10 PC

I have successfully set up an Azure point to site VPN using IKEv2 - root certs and client certs have been produced successfully.

I have downloaded the VPN client, and on my laptop I can connect, get the private IP address and connect to the Virtual Machine on the network.

However, when I install the same VPN client on my desktop, the VPN connection appears in the VPN settings screen, but when I click "Connect" instead of the Azure login window appearing I get the "circle of dots" going round endlessly, and nothing happens.

I've tried removing the client cert from the laptop, and the Azure login window still appears and warns you that you don't have a valid Client cert, so its not that.

I've removed Sophos Endpoint security, and switched off the firewall to see if they were stopping anything, rebooted several times - but I'm still getting the same issue.

I'm running out of ideas of where to look next to resolve this, so any help would be appreciated.