This repository was archived by the owner on Jun 6, 2022. It is now read-only.

Windows Resources

Ross Jacobs edited this page May 16, 2018 · 4 revisions

Windows

This covers Windows builds from NT 2600 (XP Service Pack 3) through Windows 10 1803 (April 2018 Update); equivalently, Windows NT 5.1 to 10.0.

Connecting with Set-VpnConnection

  • MS Online Documentation for Set-VpnConnection
  • Powershell> Get-Help Set-VpnConnection -Full

rasphone.pbk values

MS info can be found here

Variables to use in this explanation

[Autogenerated VPN connection]

GUI options

Set-VpnConnection

Format: PS flag | rasphone key | Explanation

If you flip $True to $False in the PS flag, flip the 1/0 in the rasphone value as well. Default values here are set to $True for the sake of consistency.

  • -ServerAddress w.x.y.z | PhoneNumber=w.x.y.z | w.x.y.z is the IP address of your firewall
  • -SplitTunneling $True | IpPrioritizeRemote=0 Ipv6PrioritizeRemote=0 | VPN will be split tunnel (only remote routes go through the tunnel)
  • -RememberCredential $True | CacheCredentials=1 | Remember the username/password combination for this VPN
  • -DnsSuffix "contoso.com" | IpDnsSuffix=contoso.com | Sets the DNS suffix to contoso.com
  • -IdleDisconnectSeconds 3600 | IdleDisconnectSeconds=3600 | Set idle disconnect seconds to 1 hour

Add-VpnConnectionRoute

  • If you have an existing VPN connection, you can add static routes to it.
  • NumRoutes=<# of routes>
  • Routes=<72 hex digits per route> (9 DWORDs of 8 hex digits each):
    • DWORD 0 : Route metric, stored little-endian. The hex-digit positions therefore hold the powers 16^1, 16^0, 16^3, 16^2, 16^5, 16^4, 16^7, 16^6 (bytes reversed, each byte's two nibbles in normal order), so a metric of 1 is written 01000000 and 256 is written 00010000
      • Listing just the powers in order: 10325476
    • DWORD 1 : 02000000
    • DWORD 2 : Prefix length (CIDR), also little-endian, so only the first 2 of the 8 hex digits carry the value (e.g. /24 is written 18000000)
    • DWORD 3 : Route subnet
    • DWORD 4 : 00000000
    • DWORD 5 : 00000000
    • DWORD 6 : 00000000
    • DWORD 7 : 00000000
    • DWORD 8 : 00000000

Once Routes has reached 128 hex digits, there will be another 'Routes' line. So if you add 2 routes, the first line will have 128 hex digits and the second will have 16 hex digits.
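The encoding above is easier to get right in code than by hand, so here is an added Python example (not Merlink code and not from the page) that writes and reads the NumRoutes/Routes keys exactly as described: metric little-endian, the constant 02000000, the prefix length in the first byte of DWORD 2, and the 128-digit line split. The page does not say how the route subnet's octets are ordered inside DWORD 3; this code assumes they are written in dotted order, and that assumption is marked in the comment. The sample routes are constructed for illustration.

```python
import ipaddress

ROUTE_DWORDS = 9
ROUTE_HEX_LEN = ROUTE_DWORDS * 8   # 72 hex digits per route
LINE_HEX_LEN = 128                 # a Routes= line holds at most 128 hex digits


def dword_le(value):
    """Encode a 32-bit value as 8 hex digits in little-endian byte order.

    This is the '16^1, 16^0, 16^3, 16^2, ...' nibble order from the page:
    the bytes are reversed, but each byte's two nibbles stay in normal order.
    """
    return (value & 0xFFFFFFFF).to_bytes(4, "little").hex()


def encode_route(prefix, metric):
    """Render one route as the 9-DWORD / 72-hex-digit record the page describes."""
    net = ipaddress.IPv4Network(prefix, strict=True)  # reject prefixes with host bits set
    dwords = [
        dword_le(metric),                   # DWORD 0: metric, little-endian
        "02000000",                         # DWORD 1: constant from the page (reads as little-endian 2)
        dword_le(net.prefixlen),            # DWORD 2: prefix length in the first byte, rest zero
        net.network_address.packed.hex(),   # DWORD 3: ASSUMPTION: octets written in dotted order
    ] + ["00000000"] * 5                    # DWORDs 4-8: zero
    return "".join(dwords)


def routes_lines(routes):
    """Produce the NumRoutes= and Routes= lines for a list of (prefix, metric) pairs,
    splitting the hex blob every 128 digits the way rasphone.pbk does."""
    blob = "".join(encode_route(prefix, metric) for prefix, metric in routes)
    lines = ["NumRoutes=%d" % len(routes)]
    for i in range(0, len(blob), LINE_HEX_LEN):
        lines.append("Routes=" + blob[i:i + LINE_HEX_LEN])
    return lines


def parse_routes(lines):
    """Inverse of routes_lines: rejoin the Routes= lines and decode each 72-digit record.

    Returns [(prefix, metric), ...] and refuses blobs whose length disagrees with NumRoutes.
    """
    num_routes = None
    blob = ""
    for line in lines:
        key, _, value = line.strip().partition("=")
        if key == "NumRoutes":
            num_routes = int(value)
        elif key == "Routes":
            blob += value
    if num_routes is None or len(blob) != num_routes * ROUTE_HEX_LEN:
        raise ValueError("Routes hex length %d does not match NumRoutes=%r" % (len(blob), num_routes))
    routes = []
    for i in range(0, len(blob), ROUTE_HEX_LEN):
        record = blob[i:i + ROUTE_HEX_LEN]
        dwords = [record[j:j + 8] for j in range(0, ROUTE_HEX_LEN, 8)]
        if dwords[1] != "02000000":
            raise ValueError("unexpected DWORD 1 %r (expected 02000000)" % dwords[1])
        metric = int.from_bytes(bytes.fromhex(dwords[0]), "little")
        prefixlen = int(dwords[2][:2], 16)
        address = ipaddress.IPv4Address(bytes.fromhex(dwords[3]))
        routes.append(("%s/%d" % (address, prefixlen), metric))
    return routes


if __name__ == "__main__":
    # Constructed sample: two routes give a 144-digit blob, so it spills onto a second Routes= line.
    for line in routes_lines([("10.0.0.0/8", 1), ("192.168.1.0/24", 20)]):
        print(line)
```

With two routes the output is one NumRoutes=2 line, a Routes= line carrying 128 hex digits, and a second Routes= line carrying the remaining 16, matching the split described above; parse_routes reassembles them and recovers the original prefixes and metrics.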

Datetimes
  • LowDateTime = lower 32 bits of UTC time
  • HighDateTime = higher 32 bits of UTC time

See this document for more information on datetimes.
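An added Python example (not Merlink code and not from the page) for reassembling the two halves into a timestamp and back. It masks both halves to 32 bits, so it also handles a LowDateTime that appears as a negative decimal because its top bit is set; the sample values are the constructed halves of the Unix epoch.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns intervals


def filetime_from_parts(low, high):
    """Reassemble LowDateTime/HighDateTime into the 64-bit FILETIME tick count.

    Both halves are masked to 32 bits, so a LowDateTime printed as a negative
    signed decimal (top bit set) is handled correctly.
    """
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def filetime_to_datetime(ticks):
    """100 ns ticks since 1601-01-01 UTC -> timezone-aware datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_parts(when):
    """Inverse: split a UTC datetime into the (LowDateTime, HighDateTime) unsigned halves."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10
    return ticks & 0xFFFFFFFF, ticks >> 32


if __name__ == "__main__":
    # Constructed sample: the halves of the Unix epoch, low half shown as a signed decimal.
    ticks = filetime_from_parts(-717324288, 27111902)
    print(ticks, filetime_to_datetime(ticks).isoformat())
```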

Guid
  • 128-bit unique hex number autogenerated to identify this VPN connection
  • RFC 4122 is relevant here.

rasphone.pbk settings (Use MS-RRASM documentation for more detailed explanation)

Notes about usage

  • Each RRAS entry section MUST consist of a sequence of key=value pairs separated by a carriage return and line feed (CRLF)
  • A key-value pair MUST be a key name followed by an equal sign "=" with the value after the equal sign
  • Where a value is listed as "If key is present", the key may be omitted entirely; if it is included, it must have exactly that value (key=value)

REQUIRED for L2TP + PAP

2.2.2.1 RRAS entry section name : MUST be at least one char in length and enclosed in square brackets (e.g. [RRAS entry])
2.2.2.2.3 Type=2  # 2 = VPN connection
2.2.2.2.8 DialParamsUID=<1+ number>  # Required for remember-credential. Number used here is tied to saved credentials
2.2.2.2.9 Guid=<32 hex numbers>  # Required for Windows to uniquely identify this connection. If it's missing, you'll see weird doubling of connections. If it's not 32 hex digits, the Win10 VPN connections will crash.
2.2.2.2.11 VpnStrategy=3  # If this isn't present, Windows will successfully complete the connection but overwrite the phonebook entry. 
2.2.2.2.76 IpSecFlags=1  # Required or else connecting computer thinks remote is not responding
2.2.2.2.96 MEDIA=rastapi
2.2.2.2.97 Port=VPN2-0  # Can also be VPN3-0
2.2.2.2.98 Device=WAN Miniport (L2TP)
2.2.2.2.100 DEVICE=vpn
2.2.2.2.108 PhoneNumber=<Firewall IP>

REQUIRED to be absent or pinned

AuthRestrictions=8  # If set, this must be 8 (PAP). If it's omitted, the VPN connection can negotiate any authentication protocol

OPTIONAL

2.2.2.2.1 Encoding=
	0: RRAS entry is 8-bit ASCII
	1: RRAS entry is UTF-8
2.2.2.2.2 PBVersion=
	1: If key is present
2.2.2.2.12 ExcludedProtocols 
2.2.2.2.13 LcpExtensions 
2.2.2.2.14 DataEncryption 
2.2.2.2.15 SwCompression
2.2.2.2.16 NegotiateMultilinkAlways 
2.2.2.2.20 DialMode
2.2.2.2.21 DialPercent
2.2.2.2.22 DialSeconds
2.2.2.2.23 HangupPercent
2.2.2.2.24 HangupSeconds
2.2.2.2.26 RedialAttempts
2.2.2.2.27 RedialSeconds
2.2.2.2.28 IdleDisconnectSeconds
2.2.2.2.29 RedialOnLinkFailure
2.2.2.2.30 CallbackMode
2.2.2.2.33 CustomRasDialDll
2.2.2.2.35 DisableIKENameEkuCheck
2.2.2.2.36 AuthenticateServer
2.2.2.2.37 ShareMsFilePrint
2.2.2.2.38 BindMsNetClient
2.2.2.2.39 SharedPhoneNumbers
2.2.2.2.40 GlobalDeviceSettings
2.2.2.2.43 PreferredPort
2.2.2.2.44 PreferredDevice
2.2.2.2.45 PreferredBps
2.2.2.2.46 PreferredHwFlow
2.2.2.2.47 PreferredProtocol
2.2.2.2.48 PreferredCompression
2.2.2.2.49 PreferredSpeaker
2.2.2.2.56 CustomAuthKey
2.2.2.2.57 CustomAuthData
2.2.2.2.58 AuthRestrictions
2.2.2.2.60 IpPrioritizeRemote
2.2.2.2.63 IpHeaderCompression
2.2.2.2.64 IpAddress
2.2.2.2.65 IpDnsAddress
2.2.2.2.66 IpDns2Address
2.2.2.2.67 IpWinsAddress
2.2.2.2.68 IpWins2Address
2.2.2.2.69 IpAssign
2.2.2.2.70 IpNameAssign
2.2.2.2.72 IpDnsFlags
2.2.2.2.73 IpNBTFlags
2.2.2.2.74 TcpWindowSize
2.2.2.2.76 IpSecFlags
2.2.2.2.77 IpDnsSuffix
2.2.2.2.79 Ipv6Assign
2.2.2.2.80 Ipv6PrefixLength
2.2.2.2.81 Ipv6PrioritizeRemote
2.2.2.2.83 Ipv6NameAssign
2.2.2.2.84 Ipv6DnsAddress
2.2.2.2.85 Ipv6Dns2Address
2.2.2.2.86 Ipv6Prefix
2.2.2.2.87 Ipv6InterfaceId
2.2.2.2.99 ConnectBPS
2.2.2.2.101 Terminal
2.2.2.2.102 Name
2.2.2.2.103 Script
2.2.2.2.104 X25Pad
2.2.2.2.105 X25Address
2.2.2.2.106 UserData
2.2.2.2.107 Facilities
2.2.2.2.109 AreaCode
2.2.2.2.110 CountryCode
2.2.2.2.111 CountryID
2.2.2.2.112 UseDialingRules
2.2.2.2.116 PromoteAlternates
2.2.2.2.117 TryNextAlternateOnFail
2.2.2.2.118 HwFlowControl
2.2.2.2.119 Protocol
2.2.2.2.120 Compression
2.2.2.2.121 Speaker
2.2.2.2.123 LineType
2.2.2.2.124 Fallback
2.2.2.2.125 EnableCompression
2.2.2.2.126 ChannelAggregation
2.2.2.2.127 Proprietary

IGNORED BY RRAS IF PRESENT

2.2.2.2.4 Autologon
2.2.2.2.5 UseRasCredentials
2.2.2.2.6 LowDateTime
2.2.2.2.7 HighDateTime 
2.2.2.2.10 BaseProtocol
2.2.2.2.17 SkipNwcWarning
2.2.2.2.18 SkipDownLevelDialog
2.2.2.2.19 SkipDoubleDialDialog
2.2.2.2.25 OverridePref
2.2.2.2.31 CustomDialDll
2.2.2.2.32 CustomDialFunc
2.2.2.2.34 ForceSecureCompartment
2.2.2.2.41 PrerequisitePbk
2.2.2.2.42 PrerequisiteEntry
2.2.2.2.50 PreferredMdmProtocol
2.2.2.2.51 PreviewUsePw
2.2.2.2.52 PreviewDomain
2.2.2.2.53 PreviewPhoneNumber
2.2.2.2.54 ShowDialingProgress
2.2.2.2.55 ShowMonitorIconInTaskbar
2.2.2.2.59 TypicalAuth
2.2.2.2.61 IpInterfaceMetric
2.2.2.2.62 fCachedDnsSuffix
2.2.2.2.71 IpFrameSize
2.2.2.2.75 UseFlags
2.2.2.2.78 IpCachedDnsSuffix
2.2.2.2.82 Ipv6InterfaceMetric
2.2.2.2.88 DisableClassBasedDefaultRoute
2.2.2.2.89 DisableMobility
2.2.2.2.90 NetworkOutageTime
2.2.2.2.91 ProvisionType
2.2.2.2.92 PreSharedKey
2.2.2.2.93 NETCOMPONENTS
2.2.2.2.94 ms_msclient
2.2.2.2.95 ms_server
2.2.2.2.113 Comment
2.2.2.2.114 FriendlyName
2.2.2.2.115 LastSelectedPhone
2.2.2.2.122 MdmProtocol

MS-RRASM says these MUST be ignored, but that is wrong: PowerShell's Set-VpnConnection -SplitTunneling writes them, and Windows honours them for the split-tunnel flag

2.2.2.2.60 IpPrioritizeRemote
2.2.2.2.81 Ipv6PrioritizeRemote
NumRoutes and Routes (written by Add-VpnConnectionRoute) are missing from MS-RRASM entirely

Minimum rasphone.pbk required to create L2TP + PAP

<Make sure to add the pre-shared key after creating the entry; a PreSharedKey line in the .pbk is ignored by RRAS (see above)>
[test-connection]
Type=2
DialParamsUID=<choose #>
Guid=<choose 32 hex digits>
VpnStrategy=3
IpSecFlags=1
MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (L2TP)
DEVICE=vpn
PhoneNumber=<choose IP>

Documentation for the Merlink project
