Generate and install VPN client configuration files for P2S certificate authentication

When you connect to an Azure VNet using Point-to-Site and certificate authentication, you use the VPN client that is natively installed on the operating system from which you are connecting. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure the VPN clients for Windows, Mac IKEv2 VPN, or Linux.

The VPN client configuration files that you generate are specific to the P2S VPN gateway configuration for the virtual network. If there are any changes to the Point-to-Site VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client configuration files and apply the new configuration to all of the VPN clients that you want to connect.

Important

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Generate VPN client configuration files

You can generate client configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file. Unzip the file to view the following folders:

  • WindowsAmd64 and WindowsX86, which contain the Windows 64-bit and 32-bit installer packages, respectively. The WindowsAmd64 installer package is for all supported 64-bit Windows clients, not just AMD processors.
  • Generic, which contains general information used to create your own VPN client configuration. The Generic folder is provided if IKEv2 or SSTP+IKEv2 was configured on the gateway. If only SSTP is configured, then the Generic folder is not present.

Generate files using the Azure portal

  1. In the Azure portal, navigate to the virtual network gateway for the virtual network that you want to connect to.

  2. On the virtual network gateway page, select Point-to-site configuration to open the Point-to-site configuration page.

  3. At the top of the Point-to-site configuration page, select Download VPN client. This doesn't download VPN client software; it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you may not see any indication until the package has been generated.

    Download the VPN client configuration.

  4. Once the configuration package has been generated, your browser indicates that a client configuration zip file is available. It's named the same name as your gateway. Unzip the file to view the folders.

Generate files using PowerShell

  1. When generating VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following command:

    $profile=New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapTls"
    
    $profile.VPNProfileSASUrl
    
  2. Copy the URL to your browser to download the zip file, then unzip the file to view the folders.

Windows

You can use the same VPN client configuration package on each Windows client computer, as long as the version matches the architecture for the client. For the list of client operating systems that are supported, see the Point-to-Site section of the VPN Gateway FAQ.

Note

You must have Administrator rights on the Windows client computer from which you want to connect.

Install the configuration files

  1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.
  2. Double-click the package to install it. If you see a SmartScreen popup, click More info, then Run anyway.

Verify and connect

  1. Verify that you have installed a client certificate on the client computer. A client certificate is required for authentication when using the native Azure certificate authentication type. To view the client certificate, open Manage User Certificates. The client certificate is installed in Current User\Personal\Certificates.
  2. To connect, navigate to Network Settings and click VPN. The VPN connection shows the name of the virtual network that it connects to.

Mac (macOS)

In order to connect to Azure, you must manually configure the native IKEv2 VPN client. Azure does not provide a mobileconfig file. You can find all of the information that you need for configuration in the Generic folder.

If you don't see the Generic folder in your download, it's likely that IKEv2 was not selected as a tunnel type. Note that the VPN gateway Basic SKU does not support IKEv2. On the VPN gateway, verify that the SKU is not Basic. Then, select IKEv2 and generate the zip file again to retrieve the Generic folder.

The Generic folder contains the following files:

  • VpnSettings.xml, which contains important settings like server address and tunnel type. 
  • VpnServerRoot.cer, which contains the root certificate required to validate the Azure VPN Gateway during P2S connection setup.

Use the following steps to configure the native VPN client on Mac for certificate authentication. These steps must be completed on every Mac that you want to connect to Azure.

Import root certificate file

  1. Copy the root certificate file to your Mac. Double-click the certificate. The certificate will either install automatically, or you will see the Add Certificates page.

  2. On the Add Certificates page, select login from the dropdown.

    Screenshot shows Add Certificates page with login selected.

  3. Click Add to import the file.

    Screenshot shows Add Certificates page with Add selected.

Verify certificate install

Verify that both the client and the root certificate are installed. The client certificate is used for authentication and is required. For information about how to install a client certificate, see Install a client certificate.

  1. Open the Keychain Access application.

  2. Navigate to the Certificates tab.

  3. Verify that both the client and the root certificate are installed.

    Screenshot shows Keychain Access with certificates installed.

Create VPN client profile

  1. Navigate to System Preferences -> Network. On the Network page, select '+' to create a new VPN client connection profile for a P2S connection to the Azure virtual network.

  2. For Interface, from the dropdown, select VPN.

    Screenshot shows the Network window with the option to select an interface, VPN is selected.

  3. For VPN Type, from the dropdown, select IKEv2. In the Service Name field, specify a friendly name for the profile.

    Screenshot shows the Network window with the option to select an interface, select VPN type, and enter a service name.

  4. Select Create to create the VPN client connection profile.

  5. In the Generic folder, open the VpnSettings.xml file using a text editor, and copy the VpnServer tag value.

    Screenshot shows the VpnSettings.xml file open with the VpnServer tag highlighted.

  6. Paste the VpnServer tag value in both the Server Address and Remote ID fields of the profile.

    Screenshot shows the Network window with the value pasted.

  7. Configure authentication settings. There are two sets of instructions. Choose the instructions that correspond to your OS version.

    Catalina:

    • For Authentication Settings select None.

    • Select Certificate, click Select and select the correct client certificate that you installed earlier. Then, click OK.

      Screenshot shows the Network window with None selected for Authentication Settings and Certificate selected.

    Big Sur:

    • Click Authentication Settings, then select Certificate.

      Screenshot shows authentication settings with certificate selected.

    • Click Select to open the Choose An Identity page. The Choose An Identity page displays a list of certificates for you to choose from. If you are unsure which certificate to use, you can click Show Certificate to see more information about each certificate.

      Screenshot shows certificate properties.

    • Select the proper certificate, then select Continue.

      Screenshot shows Choose an Identity, where you can select a certificate.

    • On the Authentication Settings page, verify that the correct certificate is shown, then click OK.

      Screenshot shows the Choose An Identity dialog box where you can select the proper certificate.

  8. For both Catalina and Big Sur, in the Local ID field, specify the name of the certificate. In this example, it is P2SChildCert.

    Screenshot shows local ID value.

  9. Select Apply to save all changes.

  10. Select Connect to start the P2S connection to the Azure virtual network.

    Screenshot shows connect button.

  11. Once the connection has been established, the status shows as Connected and you can view the IP address that was pulled from the VPN client address pool.

    Screenshot shows Connected.

Linux (strongSwan GUI)

Install strongSwan

The following configuration was used for the steps below:

  • Computer: Ubuntu Server 18.04
  • Dependencies: strongSwan

Use the following commands to install the required strongSwan configuration:

sudo apt install strongswan
sudo apt install strongswan-pki
sudo apt install libstrongswan-extra-plugins

Use the following command to install the Azure command-line interface:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Additional instructions on how to install the Azure CLI

Generate certificates

If you have not already generated certificates, use the following steps:

Generate the CA certificate.

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem

Print the CA certificate in base64 format. This is the format that is supported by Azure. You upload this certificate to Azure as part of the P2S configuration steps.

openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo

Generate the user certificate.

export PASSWORD="password"
export USERNAME="client"

ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"

Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when working with the client configuration files.

openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"
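Before uploading the CA or bundling the client certificate, it is worth checking that the two files actually fit together. The following script is an added example and is not part of the Azure documentation: it verifies that the client certificate chains to the CA for client authentication, that the CA is marked CA:TRUE, and that the client certificate carries the clientAuth extended key usage, and it prints the CA as single-line base64 DER in the form the portal accepts. It uses openssl only; `make_demo_certs` builds a throwaway CA and client certificate as a constructed substitute for the `ipsec pki` commands above, for machines where strongSwan is not installed. The script name and the `clientCert.pem` file name are assumptions. The same checks apply unchanged to the certificates generated for the strongSwan CLI workflow below.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): sanity-check a P2S CA and
# client certificate before uploading the CA to the gateway or bundling the
# client certificate into a .p12. Works with the caCert.pem / clientCert.pem
# files produced by the ipsec pki commands on the page.

# Print the CA certificate as one line of base64-encoded DER, the form Azure
# expects for the P2S root certificate. Portable equivalent of
# `openssl x509 -outform der | base64 -w0` (the -w0 flag is GNU-only).
ca_base64_for_azure() {
    openssl x509 -in "$1" -outform der | base64 | tr -d '\n'
}

# Return 0 when the client certificate chains to the CA and is usable for
# EAP-TLS: the chain verifies for the sslclient purpose, the CA carries
# basicConstraints CA:TRUE, and the client carries the clientAuth EKU.
verify_p2s_certs() {
    ca="$1"
    client="$2"
    if ! openssl verify -CAfile "$ca" -purpose sslclient "$client" >/dev/null 2>&1; then
        echo "FAIL: $client does not chain to $ca for client authentication" >&2
        return 1
    fi
    if ! openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $ca is not marked as a CA (basicConstraints CA:TRUE)" >&2
        return 1
    fi
    if ! openssl x509 -in "$client" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: $client lacks the clientAuth extended key usage" >&2
        return 1
    fi
    echo "OK: $client is a valid P2S client certificate issued by $ca"
    return 0
}

# Build a throwaway CA and client certificate with openssl alone so the checks
# can be exercised where strongSwan's `ipsec pki` is not installed. This is a
# constructed substitute for the page's ipsec pki commands, for testing only.
make_demo_certs() {
    dir="$1"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:client\n' > "$dir/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=VPN CA" \
        -keyout "$dir/caKey.pem" -out "$dir/ca.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/caKey.pem" -days 365 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/caCert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$dir/clientKey.pem" -out "$dir/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" \
        -out "$dir/clientCert.pem" 2>/dev/null
}

# Usage: ./check-p2s-certs.sh caCert.pem clientCert.pem
if [ "$#" -eq 2 ]; then
    verify_p2s_certs "$1" "$2" && ca_base64_for_azure "$1" && echo
fi
```

Run it against caCert.pem and the client certificate produced by ipsec pki. A chain or EKU problem caught here would otherwise surface only as an IKE authentication failure at the gateway, which is far harder to diagnose from the client side.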

Install and configure

The following instructions were created on Ubuntu 18.04. Ubuntu 16.10 does not support the strongSwan GUI. If you want to use Ubuntu 16.10, you will have to use the command line. The examples below may not match the screens that you see, depending on your version of Linux and strongSwan.

  1. Open the Terminal to install strongSwan and its Network Manager by running the command in the example.

    sudo apt install network-manager-strongswan
    
  2. Select Settings, then select Network. Select the + button to create a new connection.

    Screenshot shows the network connections page.

  3. Select IPsec/IKEv2 (strongSwan) from the menu, and double-click.

    Screenshot shows the Add VPN page.

  4. On the Add VPN page, add a name for your VPN connection.

    Screenshot shows Choose a connection type.

  5. Open the VpnSettings.xml file from the Generic folder contained in the downloaded client configuration files. Find the tag called VpnServer and copy the name, beginning with 'azuregateway' and ending with '.cloudapp.net'.

    Screenshot shows copy data.

  6. Paste the name in the Address field of your new VPN connection in the Gateway section. Next, select the folder icon at the end of the Certificate field, browse to the Generic folder, and select the VpnServerRoot file.

  7. In the Client section of the connection, for Authentication, select Certificate/private key. For Certificate and Private key, choose the certificate and the private key that were created earlier. In Options, select Request an inner IP address. Then, select Add.

    Screenshot shows Request an inner IP address.

  8. Turn the connection On.

    Screenshot shows copy.

Linux (strongSwan CLI)

Install strongSwan

The packages, the Azure CLI installation, and the certificate generation steps for the CLI workflow are identical to those under Linux (strongSwan GUI) above. Install strongswan, strongswan-pki and libstrongswan-extra-plugins, install the Azure CLI, and generate the CA certificate, the user certificate and the client .p12 bundle exactly as described there before continuing.

Install and configure

  1. Download the VPNClient package from Azure portal.

  2. Extract the file.

  3. From the Generic folder, copy or move the VpnServerRoot.cer to /etc/ipsec.d/cacerts.

  4. Copy or move client.p12 to /etc/ipsec.d/private/. This file holds the client certificate and its private key, which are used to authenticate to the VPN gateway.

  5. Open the VpnSettings.xml file and copy the <VpnServer> value. You will use this value in the next step.

  6. Adjust the values in the example below, then add the example to the /etc/ipsec.conf configuration.

    conn azure
          keyexchange=ikev2
          type=tunnel
          leftfirewall=yes
          left=%any
          leftauth=eap-tls
          leftid=%client # use the DNS alternative name prefixed with the %
          right=<VpnServer value> # Azure VPN gateway address: the VpnServer value copied in the previous step
          rightid=%<VpnServer value> # Azure VPN gateway FQDN, prefixed with %
          rightsubnet=0.0.0.0/0
          leftsourceip=%config
          auto=add
    
  7. Add the following values to /etc/ipsec.secrets.

    : P12 client.p12 'password' # key filename inside /etc/ipsec.d/private directory
    
  8. Run the following commands as root (the leading # is the root shell prompt, not part of the command):

    # ipsec restart
    # ipsec up azure
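As an added example that is not from the Azure documentation, the following script automates steps 5 and 6 above: it pulls the VpnServer value out of VpnSettings.xml, checks that it looks like an Azure gateway host name, and prints the conn stanza with both placeholders filled in, so the two right= lines are never pasted by hand. Only the VpnServer tag name and the stanza itself come from the page; the script name, the validation rule, and the layout of any sample XML are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Azure documentation): read the gateway FQDN
# out of VpnSettings.xml and render the strongSwan conn stanza from the page.

# Print the text of the first <VpnServer> element in the given file.
# Only the tag name comes from the page; the rest of the file layout is not
# shown there, so this is a line-based match that tolerates surrounding
# whitespace and attributes on the tag.
vpnserver_from_xml() {
    sed -n 's/.*<VpnServer[^>]*>[[:space:]]*\([^<]*[^<[:space:]]\)[[:space:]]*<\/VpnServer>.*/\1/p' "$1" | head -n 1
}

# Reject anything that does not look like an Azure gateway host name. The page
# says the value begins with "azuregateway"; the domain suffix varies between
# gateways, so only the prefix and the host-name character set are enforced
# (assumed rule, not from the page).
validate_gateway_fqdn() {
    printf '%s' "$1" | grep -Eq '^azuregateway[A-Za-z0-9.-]+$'
}

# Emit the ipsec.conf stanza from the page with right= and rightid= filled in.
# $1: gateway FQDN; $2: client identity, i.e. the DNS SAN on the client
# certificate ("client" in the page's ipsec pki commands).
render_ipsec_conf() {
    gw="$1"
    client="${2:-client}"
    printf '%s\n' \
        "conn azure" \
        "      keyexchange=ikev2" \
        "      type=tunnel" \
        "      leftfirewall=yes" \
        "      left=%any" \
        "      leftauth=eap-tls" \
        "      leftid=%${client}" \
        "      right=${gw}" \
        "      rightid=%${gw}" \
        "      rightsubnet=0.0.0.0/0" \
        "      leftsourceip=%config" \
        "      auto=add"
}

# Usage: ./render-azure-conn.sh Generic/VpnSettings.xml [client-id] >> /etc/ipsec.conf
if [ "$#" -ge 1 ]; then
    gw=$(vpnserver_from_xml "$1")
    if ! validate_gateway_fqdn "$gw"; then
        echo "no usable <VpnServer> value found in $1" >&2
        exit 1
    fi
    render_ipsec_conf "$gw" "${2:-client}"
fi
```

Because rightid is the identity strongSwan expects in the gateway's certificate, a mistyped or stale value here fails IKE authentication rather than producing an obvious configuration error; regenerating the stanza from the freshly downloaded VpnSettings.xml after any gateway change avoids that.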
    

Next steps

Return to the original article that you were working from, then complete your P2S configuration.