PowerShell Script - Configure VPN
-
Hi All, I was wondering if anyone can help?
I am trying to set up a PowerShell script that will add a registry key and edit the VPN security connection to check specific boxes in the protocol section.
For example, whenever a user runs Windows updates it normally breaks the connection and removes some of the settings.
The setting to check is under 'Allow these protocols' the 'Unencrypted password (PAP)' option only and then add a registry key for the Meraki VPN;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
Thanks
-
Waqkas,
I hope all is well. The first issue you have to address here is that the status check and potential updates to the registry are going to be occurring against remote machines. Using PowerShell to edit the remote registry of a machine is a bit more complicated than using it against a local machine.
A good place to begin will be with the following article that walks you through the basics of remote connection and editing
From there, the Set-ItemProperty cmdlet will be of use to you as noted in the example below:
Example of a PowerShell registry change
$RegKey = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $RegKey -Name CachedLogonsCount -Value 45
# Read the value back from the same key to confirm the change
Get-ItemProperty -Path $RegKey -Name CachedLogonsCount
The guidance that Mike and I have given you on PowerShell across many of your other posts will help you to figure out the rest from here, but remember that you want to evaluate IF something is a certain way or exists, THEN you want to do something depending on the outcome of that evaluation.... :)
Good Luck,
Cheers !!
Adam
-
The link Adam posted to The Scripting Guy does a great job of explaining how to edit the registry on a remote computer using a PSSession, and add and define a new registry key. After you create your remote session, do something like this...
Set-Location HKLM:\system\currentcontrolset\services
New-Item -Name PolicyAgent
New-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType dword -Value 00000002 -Path PolicyAgent
The Set-VpnConnection cmdlet will let you modify existing VPN connections. You can use the -AuthenticationMethod parameter to set it to PAP (Yikes, allow unencrypted password transmission ?!?) if you want to. Something like this...
Set-VpnConnection -Name test -AuthenticationMethod Pap
In the future would you mind posting what you have so far? This will give us a starting point and help figure out what part you are having trouble with.
-
@Mike-Rodrick Thanks for all your help thus far.
I'm just getting the following error when trying to run the registry change;
PS C:\Windows\system32> Set-Location HKLM:\system\CurrentControlSet\services
New-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType dword -Path PolicyAgent -Value "00000002"
New-ItemProperty : Requested registry access is not allowed.
At line:2 char:1
+ New-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType dwo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (HKEY_LOCAL_MACH...ces\PolicyAgent:String) [New-ItemProperty], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand
Also, I need to set up the VPN client to connect to Meraki. Using the guide from Meraki I create the VPN connection using Authentication Method PAP and Encryption level set to Required. This is fully possible via the interface. However, when I try to use Set-VpnConnection with AuthenticationMethod set to PAP and EncryptionLevel set to Required I get an error "The current encryption selection required EAP or MS-CHAPv2 logon security methods". Anyone know if this is a bug in the GUI or whether there's a way to change the behaviour? Meraki doesn't support EAP or MS-CHAPv2.
-
You're welcome!
-
Here is what I have so far...
# Get name of remote computer
$hostname = Read-Host -Prompt "Enter Remote Hostname"
# Get credentials for remote computer
$cred = Get-Credential
# Create a PSSession to the remote computer
$s = New-PSSession -ComputerName $hostname -Credential $cred
# Execute commands on remote computer
Invoke-Command -Session $s -ScriptBlock {
    # Store path to registry key
    $basePath = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\"
    # Check if property exists
    if (-not (Get-ItemProperty -Name 'AssumeUDPEncapsulationContextOnSendRule' -Path $basePath -ErrorAction SilentlyContinue)) {
        # If it doesn't exist, create it and set the value to 00000002
        New-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType dword -Value 00000002 -Path $basePath
    } else {
        # If it does exist, set the value to 00000002
        Set-ItemProperty -Name AssumeUDPEncapsulationContextOnSendRule -Value 00000002 -Path $basePath
    }
    # Set the VPN properties
    Set-VpnConnection -Name 'test' -AuthenticationMethod Pap -EncryptionLevel NoEncryption
}
# Remove the PSSession when done
Remove-PSSession $s
This will prompt for the remote computer info and credentials, you can hard code this instead.
It will check to see if the registry key exists and then create it, or update it to the appropriate value. Not sure if that's what you want it to do if the key already exists. If not, just remove the 'else' block.
It will update a VPN connection named 'test' to use PAP for authentication. We can add checks to see if the VPN connection exists, and create it if necessary. Let me know.
You cannot choose 'require encryption' or 'maximum encryption' on a VPN connection that is using PAP for authentication. Only 'no encryption' or 'optional encryption' because PAP is plaintext, no support for encryption. You cannot send credentials in plaintext and then encrypt the data.
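Two things in this exchange deserve a worked example: the "Requested registry access is not allowed" error a few posts up (an HKLM write from a non-elevated token) and the check-then-set logic of the script above. The following is an added example, my own code rather than Mike's or Waqkas's: it refuses to touch HKLM unless the session is elevated, writes the DWORD only when the stored value differs, and reads the value back so the caller can see what actually landed. The function names are my own choice; the registry path and value are the ones quoted in the question.

```powershell
# Added example (not code from the thread): idempotent, verified write of the DWORD the
# Meraki guide calls for. Assumes an elevated Windows PowerShell 5.1+ session on the target.

function Test-IsElevated {
    # HKLM writes fail with "Requested registry access is not allowed" from a non-elevated token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-RegistryDwordIfNeeded {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    if (-not (Test-IsElevated)) {
        throw "Writing to $Path needs an elevated session; start PowerShell as administrator and retry."
    }
    # Create the key itself if it is missing (PolicyAgent exists on stock Windows, but be safe).
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $before   = if ($null -ne $existing) { [int]$existing.$Name } else { $null }
    $changed  = $false
    # Only write when the stored value differs, so repeated runs (after each Windows update, say) are harmless.
    if ($before -ne $Value -and $PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value")) {
        if ($null -eq $before) {
            New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value | Out-Null
        } else {
            Set-ItemProperty -Path $Path -Name $Name -Value $Value
        }
        $changed = $true
    }
    # Read the value back so the caller sees what is actually in the registry, not what was intended.
    $readback = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $after    = if ($null -ne $readback) { [int]$readback.$Name } else { $null }
    [pscustomobject]@{
        Path     = $Path
        Name     = $Name
        Before   = $before
        After    = $after
        Changed  = $changed
        Verified = ($after -eq $Value)
    }
}

# Path and value are the ones quoted in the question (Meraki client VPN guidance).
$result = Set-RegistryDwordIfNeeded `
    -Path  'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name  'AssumeUDPEncapsulationContextOnSendRule' `
    -Value 2
$result | Format-List
if (-not $result.Verified) { Write-Error "Registry value did not verify; see the output above." }
```

For the remote case, drop the two functions and the call into the Invoke-Command script block from the script above; the elevation check then reflects the credential passed to New-PSSession. Because the function supports -WhatIf, you can run the whole thing once in dry-run mode against a pilot machine before scheduling it.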
-
If you need to create the VPN, use this...
Add-VpnConnection -Name 'test' -ServerAddress '1.2.3.4' -AuthenticationMethod Pap
You will get a warning
WARNING: The currently selected encryption level requires EAP or MS-CHAPv2 logon security methods. Data encryption will not occur for Pap or Chap.
It will still create the VPN, it's just reminding you that if you want to encrypt, you will have to use EAP or MS-CHAPv2.
-
@Mike-Rodrick I was wondering, if there is no way of setting up 'require encryption' with a VPN using PAP for authentication via PowerShell, is there a way to set up a script that will pop up the VPN adaptor Security tab when run, so we can input the settings manually via the interface, because it's possible to set it up that way.
Thanks
-
What operating system are you running?
In Windows 10 you cannot choose PAP as your only authentication method and also require encryption. PAP is a plaintext protocol. It doesn't matter if you use the GUI or PowerShell to configure the VPN.
If you configure the VPN to use EAP or MSCHAP-v2 in addition to PAP, it will let you select require encryption. You will get a warning stating that if PAP or CHAP is negotiated as the authentication protocol, data encryption will not occur. In other words, even though you've chosen to require encryption, your data will not be encrypted if the client connects using PAP. It doesn't matter if you use the GUI or PowerShell to configure this.
-
If you are running an older operating system, let me know so I can test it. But as far as I remember, this is the way it has always been.
-
@Mike-Rodrick We will be running this on Windows 7 onwards.
We use a Meraki setup via the following link; https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration
I have been setting this up to use 'Require encryption' and 'PAP' together fine via the interface, and it connects.
-
I learned something new! If you change the VPN type to L2TP/IPsec specifically (not the default automatic), it will allow the use of PAP as the only authentication method and allow you to require encryption. Since the IPsec tunnel is established first, the credentials are still protected, even when using PAP. Nice!
So we just need to adjust the script to set the VPN type as well as the authentication method. I'll post a new script once I test it.
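The point Mike makes here, that PAP is only acceptable because the IPsec tunnel is up before PPP authentication runs, is worth turning into a check you can run on a fleet. The following audit script is an added example, not part of Mike's post or Meraki's guidance: it lists every VPN connection on the machine, from both the per-user and the all-user phonebook, and flags any that offer PAP without a tunnel type that protects the credential exchange. The function name and the verdict wording are my own; the classification of SSTP (PPP inside TLS) and PPTP (no protection for PAP) is general Windows VPN behaviour, not something the thread states.

```powershell
# Added example (not code from the thread): audit VPN connections for PAP offered without
# a protecting tunnel. Assumes the VpnClient module (Windows 8.1 / Server 2012 R2 or later)
# and an elevated session so that -AllUserConnection entries are readable.

function Get-VpnPapExposure {
    [CmdletBinding()]
    param()

    $connections = @()
    # Per-user phonebook entries for the current user...
    $connections += Get-VpnConnection -ErrorAction SilentlyContinue
    # ...and machine-wide (all-user) entries, which is where a shared Meraki profile usually lives.
    $connections += Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue

    foreach ($c in $connections) {
        $methods   = @($c.AuthenticationMethod)          # e.g. {Pap} or {Pap, MsChapv2}
        $offersPap = $methods -contains 'Pap'
        $onlyPap   = $offersPap -and ($methods.Count -eq 1)

        # How the PPP credential exchange is protected depends on the tunnel wrapped around it.
        $verdict = switch ($c.TunnelType) {
            'L2tp'  { 'OK: IPsec tunnel is established before PPP/PAP runs' }
            'Ikev2' { 'OK: credentials travel inside the encrypted IKE exchange' }
            'Sstp'  { 'OK: PPP runs inside the TLS tunnel' }
            'Pptp'  { 'EXPOSED: PPTP gives a PAP exchange no protection' }
            default { 'REVIEW: Automatic tunnel type; protection depends on what is negotiated' }
        }
        if (-not $offersPap) { $verdict = 'n/a: PAP not offered' }

        [pscustomobject]@{
            Name            = $c.Name
            Server          = $c.ServerAddress
            TunnelType      = $c.TunnelType
            AuthMethods     = ($methods -join ',')
            PapOnly         = $onlyPap
            EncryptionLevel = $c.EncryptionLevel
            Verdict         = $verdict
        }
    }
}

Get-VpnPapExposure | Sort-Object Verdict | Format-Table -AutoSize
```

A connection created the way the Meraki guide describes should come back as TunnelType L2tp with an OK verdict; a profile that Windows Update has reset to Automatic, or one someone created by hand with the default tunnel type, shows up as REVIEW, which is the case this thread is about.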
-
@Mike-Rodrick Thanks appreciate it.
-
I believe you have found the one thing you can do in the GUI and cannot do through PowerShell. I have tried several ways, and cannot get PowerShell to let me change the encryption level to required. I've tried setting the tunnel type first and setting the encryption level first, none of which worked. Yet I was able to set the encryption level to required in the GUI using PAP as long as I set the tunnel type to L2TP first. I have not been able to find a way to launch the dialog box either.
I'll keep trying to figure out a solution. What are you using with L2TP, certificates or PSK?
-
@Mike-Rodrick Thanks for the update. We are using PSK
-
Take a look at this solution. I haven't tested it using packet capture to verify the encryption.
I've used Add-VpnConnection to create the VPN, configured to use L2TP and PAP. Then I used Set-VpnConnectionIPsecConfiguration to set a custom configuration. It doesn't change the drop down list in the GUI, but when you do a Get-VpnConnection, it lists encryptionLevel as custom.
Add-VpnConnection `
    -Name 'test' `
    -ServerAddress '1.2.3.4' `
    -TunnelType L2tp `
    -L2tpPsk 'Pa$$w0rd' `
    -AllUserConnection `
    -AuthenticationMethod Pap `
    -WarningAction SilentlyContinue `
    -InformationAction SilentlyContinue `
    -Force

Set-VpnConnectionIPsecConfiguration `
    -ConnectionName 'test' `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES128 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -PfsGroup None `
    -DHGroup ECP256 `
    -PassThru `
    -Force `
    -WarningAction SilentlyContinue

Get-VpnConnection -AllUserConnection -Name 'test'
-
@Mike-Rodrick Thanks for this script, really appreciate it.
The only thing is the VPN connection will already be set up, and the issue is the 'PAP' option disappears after updates due to Microsoft disabling it by default.
I have tested your script and it creates the connection with Encryption set as custom, but when trying to connect I get the following error;
'Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.'
Is there no way to have the VPN's security adaptor dialog box appear so the end user can just check the correct options?
Waqkas
-
@Mike-Rodrick Hi, I was wondering if there were any updates on this please? As I have had a look around and can't see the option to open the dialog. Also, this does not have to be in a PowerShell script.
-
I don't know of a way to open the VPN dialog box. That might need to be done in C, C++, or C#, I don't think you can with PowerShell.
You might look into ras.h. I am not familiar with C programming, but that header contains the APIs to work with VPN connections in Windows.
I'm not sure what is causing the error, you will need to examine the log files. Maybe an issue during the main mode negotiation? Password mismatch? Possibly some of the encryption choices (AuthenticationTransformConstants, IntegrityCheckMethod, etc) don't match the receiving end.
Mike
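To go with Mike's advice to examine the logs and compare the IPsec choices with the receiving end, here is an added example (my code, not from the thread) that pulls the IPsec proposal Windows actually stored for the connection and the most recent RasClient failure records, so an Error 789 can be lined up against the parameters the Meraki side expects. Three things in it are assumptions from my own experience rather than from the thread and should be verified on your build: that RasClient logs failed attempts to the Application log as event ID 20227 with the error code in the message text, that Get-VpnConnection exposes the custom IPsec parameters under a property named IPsecCustomPolicy, and that rasphone.exe -e opens a phonebook entry's properties dialog (the closest thing I know of to the Security tab pop-up asked for above).

```powershell
# Added example (not code from the thread): gather what is needed to diagnose an L2TP/IPsec
# failure such as Error 789. Assumptions, not from the thread: RasClient writes failed attempts
# to the Application log as event ID 20227 with the error code in the message; Get-VpnConnection
# exposes custom IPsec parameters under IPsecCustomPolicy; rasphone.exe -e opens entry properties.

function Get-VpnIPsecSummary {
    param([Parameter(Mandatory)] [string] $Name, [switch] $AllUserConnection)
    $c = Get-VpnConnection -Name $Name -AllUserConnection:$AllUserConnection -ErrorAction Stop
    $p = $c.IPsecCustomPolicy   # $null unless Set-VpnConnectionIPsecConfiguration was used
    [pscustomobject]@{
        Name                 = $c.Name
        TunnelType           = $c.TunnelType
        AuthenticationMethod = (@($c.AuthenticationMethod) -join ',')
        EncryptionLevel      = $c.EncryptionLevel
        # Phase 1 (main mode) proposal: a mismatch here fails before any PPP/PAP traffic is sent.
        DHGroup              = $p.DHGroup
        EncryptionMethod     = $p.EncryptionMethod
        IntegrityCheckMethod = $p.IntegrityCheckMethod
        # Phase 2 (quick mode) proposal.
        CipherTransform      = $p.CipherTransformConstants
        AuthTransform        = $p.AuthenticationTransformConstants
        PfsGroup             = $p.PfsGroup
    }
}

function Get-RasClientFailures {
    param([string] $Name, [int] $Newest = 10, [int] $Hours = 24)
    $filter = @{ LogName = 'Application'; ProviderName = 'RasClient'; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 20227 -and ((-not $Name) -or ($_.Message -like "*$Name*")) } |
        Select-Object -First $Newest -Property TimeCreated, Id,
            @{ n = 'ErrorCode'; e = { if ($_.Message -match 'error code returned on failure is (\d+)') { [int]$Matches[1] } } },
            Message
}

function Show-VpnEntryProperties {
    # Assumed: rasphone.exe -e <entry> opens the entry's properties dialog (Security tab included);
    # -f points it at the all-user phonebook that -AllUserConnection entries live in.
    param([Parameter(Mandatory)] [string] $Name, [switch] $AllUserConnection)
    $rasArgs = @('-e', $Name)
    if ($AllUserConnection) {
        $rasArgs = @('-f', "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk") + $rasArgs
    }
    Start-Process -FilePath "$env:SystemRoot\System32\rasphone.exe" -ArgumentList $rasArgs
}

# Usage: compare the stored proposals with what the Meraki side is configured for, then read
# the error codes Windows recorded for the failed attempts.
Get-VpnIPsecSummary -Name 'test' -AllUserConnection | Format-List
Get-RasClientFailures -Name 'test' | Format-Table TimeCreated, ErrorCode -AutoSize
# Show-VpnEntryProperties -Name 'test' -AllUserConnection   # open the GUI for a manual check
```

The summary prints the phase 1 and phase 2 proposals separately because Error 789 is raised during the IPsec negotiation, before PAP is ever attempted; if the DH group, encryption or integrity method differ from what the concentrator offers, that is where the attempt dies, and the PSK or the PAP settings are not yet in play. Running the event query right after a failed dial gives you the error code per attempt without hunting through the GUI.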