Thanks to Dirk Hartmann and his scripting idea, the simplest way to add a VPN 
connection to Windows 10 that includes the routing to the internal IP is by 
running the following commands in PowerShell. This also enables 
strong ciphers (MODP2048).

This is for a username/password VPN available to all users (remove 
-AllUserConnection from the Add-VpnConnection command for just the current user)

------------

reg add HKLM\System\CurrentControlSet\Services\Rasman\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 2 /f

Add-VpnConnection -Name "vpn-connection" -ServerAddress my-server-ip-or-hostname -TunnelType "Ikev2" -AllUserConnection -EncryptionLevel Required

Set-VPNConnection -Name "vpn-connection" -AllUserConnection -SplitTunneling 1

Add-VpnConnectionRoute -ConnectionName "vpn-connection" -DestinationPrefix 10.0.0.0/18

Set-VPNConnectionIPsecConfiguration -ConnectionName "vpn-connection" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -Force

Reboot machine for registry entry to take effect.
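As an added check after the reboot (editor's script, not part of the thread), the function below reads the connection back through the VpnClient module and reports whether each hardening setting from the commands above actually applied; the connection name, prefix and the use of the all-user profile are assumed from the commands above.

```powershell
# Added verification script (not from the thread): reads back the connection
# created above and reports whether each hardening setting actually applied.
# Assumes the connection name "vpn-connection" and prefix 10.0.0.0/18 from above.
function Test-VpnHardening {
    param(
        [string]$Name = "vpn-connection",
        [string]$Prefix = "10.0.0.0/18"
    )
    $results = [ordered]@{}

    # 1. Registry flag that enables DH2048/AES256 negotiation (needs a reboot)
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters"
    $reg = Get-ItemProperty -Path $regPath -Name NegotiateDH2048_AES256 -ErrorAction SilentlyContinue
    $results["NegotiateDH2048_AES256 = 2"] = ($reg.NegotiateDH2048_AES256 -eq 2)

    # 2. Connection properties of the all-user profile created above
    $vpn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction Stop
    $results["TunnelType Ikev2"]         = ($vpn.TunnelType -eq "Ikev2")
    $results["EncryptionLevel Required"] = ($vpn.EncryptionLevel -eq "Required")
    $results["SplitTunneling on"]        = ($vpn.SplitTunneling -eq $true)

    # 3. Custom IPsec policy: the weak defaults are only replaced if this is set
    $ipsec = $vpn.IPsecCustomPolicy
    $results["IPsec custom policy present"] = ($null -ne $ipsec)
    if ($ipsec) {
        $results["EncryptionMethod AES256"]         = ($ipsec.EncryptionMethod -eq "AES256")
        $results["IntegrityCheckMethod SHA256"]     = ($ipsec.IntegrityCheckMethod -eq "SHA256")
        $results["CipherTransformConstants AES256"] = ($ipsec.CipherTransformConstants -eq "AES256")
        $results["DHGroup Group14 (MODP2048)"]      = ($ipsec.DHGroup -eq "Group14")
    }

    # 4. Route to the internal network bound to this connection
    $routes = Get-VpnConnectionRoute -ConnectionName $Name -AllUserConnection -ErrorAction SilentlyContinue
    $results["Route $Prefix present"] = [bool]($routes | Where-Object { $_.DestinationPrefix -eq $Prefix })

    # One row per check so a failed setting is easy to spot
    $results.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
    }
}

Test-VpnHardening
```

Run it from an elevated PowerShell, since the all-user profile and the Rasman registry key are machine-wide.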



> On 4 May 2018, at 07:49, Christian Salway <[email protected]> 
> wrote:
> 
> Still working on this issue so a quick morning update.
> 
> I've figured that in the request IKE_AUTH is the client telling strongSwan 
> what it supports as "information".
> 
>     # Win10 supports ADDR(1) DNS(3) NBNS(4) SRV ADDR6(8) DNS6(10) SRV6
> 
>     # OSX supports ADDR DHCP(6) DNS MASK(2) ADDR6 DHCP6(12) DNS6 DNS_DOMAIN(25)
> 
> So I have added dns and domain into the attr.conf
> 
> $ /etc/strongswan.d/charon/attr.conf
> attr {
> 
>     load = yes
>     dns = 10.0.5.202
>     25 = eu-west-2.compute.internal
> } 
> 
> and removed DHCP because as Thor said, it was only being used by strongSwan 
> to assign an IP address to the client which is not needed in my case.
> 
> Windows 10 is still not adding any route though, but I have managed to alter 
> the command so I can bind the route persistently to the interface (as opposed 
> to the IP that I had before), which allows for IP address changes.
> 
> netsh interface ipv4 show interfaces
> 
> note the name of your vpn interface
> 
> netsh interface ipv4 add route 10.0.0.0/18 "vpn-interface-name"
> 
> where 10.0.0.0/18 is your internal network
> 
