Monday 28 October 2019

Maximum number of VPN Incoming Connections under Windows 10


As a client rather than server version of Windows, there are software licensing limits on the use of Windows 10 as a VPN “server”. This article however focuses solely on the technical limitations on the number of concurrent “Incoming Connections”.


The plural form of the name “Incoming Connections” hints that more than one (hopefully concurrent) connection is possible and the initial configuration allows a pool of IP addresses to be reserved for assignment to VPN clients. If a pool is configured (typically more useful than the DHCP or “client chooses” options) then the size of the pool will be a limiting factor on the maximum number of concurrent connections.


The VPN server needs an IP address from the pool, as does each client, so the minimum pool size for one connection is two IP addresses. If there are not enough IP addresses available in the pool for a new client, then an error such as ERROR_NO_IP_ADDRESSES or ERROR_IPSEC_IKE_INNER_IP_ASSIGNMENT_FAILURE (depending on the VPN protocol being used) will be returned to the client. In the case of an IKEv2 VPN, a Notify payload carrying INTERNAL_ADDRESS_FAILURE informs the client about the nature of the problem.


Another factor that affects the maximum number of connections is the maximum number of WAN Miniport ports. The command “netsh ras show wanports” shows the maximum number of ports for each type of WAN Minport (e.g. SSTP, IKEv2, L2TP, PPTP) and, by default, the value is 2. If one could arrange that there were two clients of each type, this would allow up to eight concurrent connections.


Section 2.2.3.3.1 of [MS-RRASM] (Routing and Remote Access Server Management Protocol) describes the registry storage of the WAN Miniport configuration and two values are of particular interest: MaxWanEndpoints and WanEndpoints. The values shown by “netsh ras show wanports” actually correspond to WanEndpoints (“the number of endpoints or ports that the device type is configured with”); MaxWanEndpoints (“the maximum number of endpoints or ports that the device type can support”) has the value 3.


A command like “netsh ras set wanports device=“WAN Miniport (IKEv2)” maxports=3” can be used to increase the maximum number of connections of a particular type to three (a machine restart is needed before the new value takes effect). If a new client would cause the maximum number of ports to be exceeded then the server stops processing the request (perhaps waiting for a port to become free) and the client quickly times out (after about 5 seconds) its request, reporting an error code of ERROR_IPSEC_IKE_TIMED_OUT.


Point-to-Point Protocol (PPP)



Three of the four VPN tunnel types supported by Windows carry PPP; the three types that use PPP are SSTP, L2TP and PPTP. The PPP implementation in Windows 10 limits the total number of concurrent PPP sessions to one. If a new client would cause the number of current PPP sessions to exceed one then the server terminates the connection with error code ERROR_USER_LIMIT.


Some PPP clients tear-down (terminate in an orderly fashion) the VPN connection when disconnecting whereas others just abruptly stop communicating with the VPN server. In the latter case, a “zombie” PPP session remains on the server until a time-out causes it to be cleaned up. During this period (which typically lasts for a few minutes), no new PPP connections can be established.


IKEv2



IKEv2 does not use PPP and the number of concurrent IKEv2 connections is limited by the WAN Miniport and IP address pool factors. However, an out-of-the-box version of Windows 10 does not accept any IKEv2 connections since there are no allowable authentication mechanisms. The default value of ServerFlags ([MS-RRASM], section 2.2.3.4.6) disables both EAP and certificate authentication. Both can be enabled, but Windows 10 is missing the “EAP Host Authenticator” component, which is needed for EAP authentication.


Summary



For most users, the maximum number of VPN Incoming Connections is one. With appropriate configuration, a maximum number of four concurrent VPN Incoming Connections can be obtained (one SSTP/L2TP/PPTP connection and three IKEv2 connections with certificate authentication).


If these restrictions are too severe for the intended usage, one can install third-party VPN server software under Windows 10 or add a low-cost device (such as a Raspberry Pi) to the network configured to act as a VPN server.

Establishing a VPN connection from iOS to Windows 10

After experimenting with the built-in VPN functionality on a “hand-me-down” iPad running the latest/last iOS version for the hardware (12.4.2), there were enough things that were not immediately obvious to warrant a short note.

The iPad offers 3 “types” of VPN:

  1. L2TP
  2. IPSec
  3. IKEv2
The first difficulty is the nomenclature of the types. “L2TP” (Layer 2 Tunneling Protocol, RFC 2661) can be used standalone, but is normally used in conjunction with IPsec and referred to as “L2TP/IPsec”. Indeed, the first option is actually L2TP/IPsec (with pre-shared key phase 1 authentication) and not plain L2TP. That naming brevity alone would not be so confusing if it were not for the fact that another option is “IPsec”.

The “IPsec” configuration shows a Cisco banner and allows a Cisco IPsec with XAUTH VPN (XAUTHInitPreShared or XAUTHInitRSA, https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02) to be configured. Windows 10 does not natively support Cisco XAUTH VPNs.

Using L2TP over IPsec


The iPad L2TP/IPsec client sends 14 phase 1 transform proposals, at least one of which is acceptable to Windows 10. The authentication method is always “pre-shared key”, the encryption algorithms are AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms are SHA2-512, SHA2-256, SHA and MD5 and the group descriptions are 2048-bit MODP group, 1536-bit MODP group and alternate 1024-bit MODP group.

By default, Windows 10 chooses 3DES-CBC, SHA, and alternate 1024-bit MODP group. Windows 10 can be configured such that it chooses a more secure transform (via RasMan service parameters such as NegotiateDH2048 and NegotiateDH2048_AES256).

The iPad L2TP/IPsec client sends 6 phase 2 transform proposals, at least one of which is acceptable to Windows 10. The encryption algorithms are AES-CBC-256, AES-CBC-128 and 3DES-CBC, the HMAC algorithms are HMAC-SHA1-96 and HMAC-MD5-96.
By default, Windows 10 chooses AES-CBC-256 and HMAC-SHA1-96.

Shared Secret


As mentioned in an earlier article on the Windows 10 and macOS VPN combination, there is no straightforward user interface in Windows 10 that enables an L2TP/IPsec pre-shared key to be set. There is a “trick” that works or a short program can be written that calls the RRAS (Routing and Remote Access Service) API routine MprAdminInterfaceSetCredentialsEx to set the value.

Using IKEv2


When first viewing the iPad IKEv2 configuration dialog, the (required) “Remote ID” and (optional) “Local ID” are the first two items whose meaning and implication are not totally clear.

The “Remote ID” setting is used in two ways: it is used to verify that the identity asserted by the VPN server matches expectations and it is sent to the server (as an IDr Identification payload) to help the server select an identity (in case it has more than one, using redirection). A weakness of the iOS implementation is that it always seems to send the “Remote ID” with a type of “ID_FQDN” and represented as an ASCII string, although other values might be more appropriate (e.g. a type of ID_DER_ASN1_DN and a DER (Distinguished Encoding Rules) encoding of the value).

The “Local ID”, if set, is sent as the IDi Identification payload, with the same encoding problems as the “Remote ID”. If “Local ID” is not set, the local IP address is sent with the correct binary encoding and a type of ID_IPV4_ADDR or ID_IPV6_ADDR, as appropriate.

No Vendor ID payloads are sent and the following Notify payloads are sent:

First message → NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP, IKEV2_FRAGMENTATION_SUPPORTED and REDIRECT_SUPPORTED

Second message → INITIAL_CONTACT, MOBIKE_SUPPORTED, ESP_TFC_PADDING_NOT_SUPPORTED, NON_FIRST_FRAGMENTS_ALSO

Authentication


Similar to macOS, iOS offers 3 options: None (IKEv2 non-EAP authentication), Username (EAP-MSCHAPv2) and certificate (EAP-TLS).

The EAP mechanisms require a replacement for missing functionality on Windows 10 (as discussed in the macOS VPN blog entry) but otherwise work – with one quirk. If one chooses Username authentication and leaves the Password field blank in the configuration (implying “Ask Every Time”) then the VPN connection attempt always fails; a dialog enabling entry of a password does pop up, but the entered password does not seem to be used (the connection just times out, without ever sending the MSCHAPv2 response and the iPad console log just reports “Failed to process IKE Auth (EAP) packet (connect)”).

The non-EAP IKEv2 authentication methods include RSA Digital Signature, Shared Key Message Integrity Code and ECDSA with SHA-256 on the P-256 curve (plus 384 and 512 bit equivalents). Via the configuration user interface, one can choose between certificate and pre-shared key methods. However, if the certificate method is chosen, the iOS client always indicates that the RSA Digital Signature method has been chosen, regardless of the type of certificate. The iOS Security Guide explicitly states: “IKEv2/IPSec with authentication by shared secret, RSA Certificates, ECDSA Certificates, EAP-MSCHAPv2, or EAP-TLS”.

For unknown reasons, iOS does not use the type of the configured certificate to set the authentication method, but instead uses a configuration setting that is not visible in the user interface (and which defaults to RSA). If one is prepared to create and install a Device Management Profile (a “.mobileconfig” file), one can set CertificateType to one of RSA, ECDSA256, ECDSA384, ECDSA512, or Ed25519 (https://developer.apple.com/documentation/devicemanagement/vpn/ikev2).

Security Association Proposals


By default, the iPad IKEv2 client sends 5 phase 1 transform proposals. The encryption algorithms include AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms include SHA2-256 and SHA and the Diffie-Hellman groups are 2048-bit MODP group, 256-bit random ECP group, 1536-bit MODP group and 1024-bit MODP group.

The iPad IKEv2 client sends 5 phase 2 transform proposals. The encryption algorithms include AES-CBC-256, AES-CBC-128 and 3DES-CBC, the hash algorithms include SHA2-256 and SHA.

It is possible to specify transforms via a Device Management Profile. The documentation claims support for the following:

Encryption algorithms: DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM, ChaCha20Poly1305

Integrity algorithms: SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512

Diffie-Hellman groups: 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 31

In common with the built-in Windows IKEv2 client, if one specifies a transform to be used (rather than just using the defaults), then only that one transform is sent (so one needs to be sure that the VPN server accepts it, since there are no alternative proposals).