As a client rather than server version of
Windows, there are software licensing limits on the use of Windows 10 as a VPN
“server”. This article however focuses solely on the technical limitations on
the number of concurrent “Incoming Connections”.
The plural form of the name “Incoming
Connections” hints that more than one (hopefully concurrent) connection is
possible and the initial configuration allows a pool of IP addresses to be reserved
for assignment to VPN clients. If a pool is configured (typically more useful
than the DHCP or “client chooses” options) then the size of the pool will be a
limiting factor on the maximum number of concurrent connections.
The VPN server needs an IP address from the
pool, as does each client, so the minimum pool size for one connection is two
IP addresses. If there are not enough IP addresses available in the pool for a
new client, then an error such as ERROR_NO_IP_ADDRESSES or ERROR_IPSEC_IKE_INNER_IP_ASSIGNMENT_FAILURE
(depending on the VPN protocol being used) will be returned to the client. In
the case of an IKEv2 VPN, a Notify payload carrying INTERNAL_ADDRESS_FAILURE
informs the client about the nature of the problem.
Another factor that affects the maximum
number of connections is the maximum number of WAN Miniport ports. The command
“netsh ras show wanports” shows the maximum number of ports for each type of
WAN Minport (e.g. SSTP, IKEv2, L2TP, PPTP) and, by default, the value is 2. If
one could arrange that there were two clients of each type, this would allow up
to eight concurrent connections.
Section 2.2.3.3.1 of [MS-RRASM] (Routing
and Remote Access Server Management Protocol) describes the registry storage of
the WAN Miniport configuration and two values are of particular interest: MaxWanEndpoints
and WanEndpoints. The values shown by “netsh ras show wanports” actually
correspond to WanEndpoints (“the number of endpoints or ports that the device
type is configured with”); MaxWanEndpoints (“the maximum number of endpoints or
ports that the device type can support”) has the value 3.
A command like “netsh ras set wanports
device=“WAN Miniport (IKEv2)” maxports=3” can be used to increase the maximum
number of connections of a particular type to three (a machine restart is
needed before the new value takes effect). If a new client would cause the
maximum number of ports to be exceeded then the server stops processing the
request (perhaps waiting for a port to become free) and the client quickly times
out (after about 5 seconds) its request, reporting an error code of ERROR_IPSEC_IKE_TIMED_OUT.
Point-to-Point Protocol (PPP)
Three of the four VPN tunnel types
supported by Windows carry PPP; the three types that use PPP are SSTP, L2TP and
PPTP. The PPP implementation in Windows 10 limits the total number of
concurrent PPP sessions to one. If a new client would cause the number of
current PPP sessions to exceed one then the server terminates the connection
with error code ERROR_USER_LIMIT.
Some PPP clients tear-down (terminate in an
orderly fashion) the VPN connection when disconnecting whereas others just
abruptly stop communicating with the VPN server. In the latter case, a “zombie”
PPP session remains on the server until a time-out causes it to be cleaned up.
During this period (which typically lasts for a few minutes), no new PPP
connections can be established.
IKEv2
IKEv2 does not use PPP and the number of
concurrent IKEv2 connections is limited by the WAN Miniport and IP address pool
factors. However, an out-of-the-box version of Windows 10 does not accept any
IKEv2 connections since there are no allowable authentication mechanisms. The
default value of ServerFlags ([MS-RRASM], section 2.2.3.4.6) disables both EAP
and certificate authentication. Both can be enabled, but Windows 10 is missing
the “EAP Host Authenticator” component, which is needed for EAP authentication.
Summary
For most users, the maximum number of VPN
Incoming Connections is one. With appropriate configuration, a maximum number
of four concurrent VPN Incoming Connections can be obtained (one SSTP/L2TP/PPTP
connection and three IKEv2 connections with certificate authentication).
If these restrictions are too severe for
the intended usage, one can install third-party VPN server software under
Windows 10 or add a low-cost device (such as a Raspberry Pi) to the network
configured to act as a VPN server.
After experimenting with the built-in VPN functionality on a “hand-me-down” iPad running the latest/last iOS version for the hardware (12.4.2), there were enough things that were not immediately obvious to warrant a short note.
The iPad offers 3 “types” of VPN:
- L2TP
- IPSec
- IKEv2
The first difficulty is the nomenclature of the types. “L2TP” (Layer 2 Tunneling Protocol, RFC 2661) can be used standalone, but is normally used in conjunction with IPsec and referred to as “L2TP/IPsec”. Indeed, the first option is actually L2TP/IPsec (with pre-shared key phase 1 authentication) and not plain L2TP. That naming brevity alone would not be so confusing if it were not for the fact that another option is “IPsec”.
The “IPsec” configuration shows a Cisco banner and allows a Cisco IPsec with XAUTH VPN (XAUTHInitPreShared or XAUTHInitRSA, https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02) to be configured. Windows 10 does not natively support Cisco XAUTH VPNs.
Using L2TP over IPsec
The iPad L2TP/IPsec client sends 14 phase 1 transform proposals, at least one of which is acceptable to Windows 10. The authentication method is always “pre-shared key”, the encryption algorithms are AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms are SHA2-512, SHA2-256, SHA and MD5 and the group descriptions are 2048-bit MODP group, 1536-bit MODP group and alternate 1024-bit MODP group.
By default, Windows 10 chooses 3DES-CBC, SHA, and alternate 1024-bit MODP group. Windows 10 can be configured such that it chooses a more secure transform (via RasMan service parameters such as NegotiateDH2048 and NegotiateDH2048_AES256).
The iPad L2TP/IPsec client sends 6 phase 2 transform proposals, at least one of which is acceptable to Windows 10. The encryption algorithms are AES-CBC-256, AES-CBC-128 and 3DES-CBC, the HMAC algorithms are HMAC-SHA1-96 and HMAC-MD5-96.
By default, Windows 10 chooses AES-CBC-256 and HMAC-SHA1-96.
Shared Secret
As mentioned in an earlier article on the Windows 10 and macOS VPN combination, there is no straightforward user interface in Windows 10 that enables an L2TP/IPsec pre-shared key to be set. There is a “trick” that works or a short program can be written that calls the RRAS (Routing and Remote Access Service) API routine MprAdminInterfaceSetCredentialsEx to set the value.
Using IKEv2
When first viewing the iPad IKEv2 configuration dialog, the (required) “Remote ID” and (optional) “Local ID” are the first two items whose meaning and implication are not totally clear.
The “Remote ID” setting is used in two ways: it is used to verify that the identity asserted by the VPN server matches expectations and it is sent to the server (as an IDr Identification payload) to help the server select an identity (in case it has more than one, using redirection). A weakness of the iOS implementation is that it always seems to send the “Remote ID” with a type of “ID_FQDN” and represented as an ASCII string, although other values might be more appropriate (e.g. a type of ID_DER_ASN1_DN and a DER (Distinguished Encoding Rules) encoding of the value).
The “Local ID”, if set, is sent as the IDi Identification payload, with the same encoding problems as the “Remote ID”. If “Local ID” is not set, the local IP address is sent with the correct binary encoding and a type of ID_IPV4_ADDR or ID_IPV6_ADDR, as appropriate.
No Vendor ID payloads are sent and the following Notify payloads are sent:
First message → NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP, IKEV2_FRAGMENTATION_SUPPORTED and REDIRECT_SUPPORTED
Second message → INITIAL_CONTACT, MOBIKE_SUPPORTED, ESP_TFC_PADDING_NOT_SUPPORTED, NON_FIRST_FRAGMENTS_ALSO
Authentication
Similar to macOS, iOS offers 3 options: None (IKEv2 non-EAP authentication), Username (EAP-MSCHAPv2) and certificate (EAP-TLS).
The EAP mechanisms require a replacement for missing functionality on Windows 10 (as discussed in the macOS VPN blog entry) but otherwise work – with one quirk. If one chooses Username authentication and leaves the Password field blank in the configuration (implying “Ask Every Time”) then the VPN connection attempt always fails; a dialog enabling entry of a password does pop up, but the entered password does not seem to be used (the connection just times out, without ever sending the MSCHAPv2 response and the iPad console log just reports “Failed to process IKE Auth (EAP) packet (connect)”).
The non-EAP IKEv2 authentication methods include RSA Digital Signature, Shared Key Message Integrity Code and ECDSA with SHA-256 on the P-256 curve (plus 384 and 512 bit equivalents). Via the configuration user interface, one can choose between certificate and pre-shared key methods. However, if the certificate method is chosen, the iOS client always indicates that the RSA Digital Signature method has been chosen, regardless of the type of certificate. The iOS Security Guide explicitly states: “IKEv2/IPSec with authentication by shared secret, RSA Certificates, ECDSA Certificates, EAP-MSCHAPv2, or EAP-TLS”.
For unknown reasons, iOS does not use the type of the configured certificate to set the authentication method, but instead uses a configuration setting that is not visible in the user interface (and which defaults to RSA). If one is prepared to create and install a Device Management Profile (a “.mobileconfig” file), one can set CertificateType to one of RSA, ECDSA256, ECDSA384, ECDSA512, or Ed25519 (https://developer.apple.com/documentation/devicemanagement/vpn/ikev2).
Security Association Proposals
By default, the iPad IKEv2 client sends 5 phase 1 transform proposals. The encryption algorithms include AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms include SHA2-256 and SHA and the Diffie-Hellman groups are 2048-bit MODP group, 256-bit random ECP group, 1536-bit MODP group and 1024-bit MODP group.
The iPad IKEv2 client sends 5 phase 2 transform proposals. The encryption algorithms include AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms include SHA2-256 and SHA.
It is possible to specify transforms via a Device Management Profile. The documentation claims support for the following:
Encryption algorithms: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM, ChaCha20Poly1305
Integrity algorithms: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
Diffie-Hellman groups: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 31
In common with the built-in Windows IKEv2 client, if one specifies a transform to be used (rather than just using the defaults), then only that one transform is sent (so one needs to be sure that the VPN server accepts it, since there are no alternative proposals).
