<!-- Always On VPN device tunnel ProfileXML. AlwaysOn plus DeviceTunnel makes this a machine-level tunnel (authenticated with a machine certificate, see Authentication below) rather than a user tunnel -->
<!-- All host names and addresses in this file (example.net, example.com, 10.21.12.x) are placeholders and must be replaced with production values before deployment -->
<!-- NOTE(review): ProfileXML is validated against the VPNv2 CSP schema, which is believed to be order-sensitive; keep the element order below unchanged when editing -->
<VPNProfile>
<AlwaysOn>true</AlwaysOn>
<DeviceTunnel>true</DeviceTunnel>
<!-- Connection-specific DNS suffix applied to the VPN interface -->
<DnsSuffix>corp.example.net</DnsSuffix>
<!-- The RegisterDNS element is optional and used to register the IP address of the device tunnel VPN connection in internal DNS. If a user tunnel is deployed in conjunction with a device tunnel, this element should only be defined on the device tunnel -->
<RegisterDNS>true</RegisterDNS>
<!-- When the client's physical adapter already carries this DNS suffix the tunnel is not established (the device is assumed to be on the corporate network) -->
<!-- NOTE(review): the suffix is typically learned from DHCP, so an untrusted network can present the same suffix and suppress the tunnel. Treat trusted network detection as a convenience, not a security boundary, and confirm this is acceptable for the deployment -->
<TrustedNetworkDetection>corp.example.net</TrustedNetworkDetection>
<!-- The DomainNameInformation element is optional. It should only be used when the DNS servers configured on the VPN server's network interface can't resolve internal Active Directory hostnames -->
<!-- More information regarding DNS configuration for Always On VPN can be found here: https://rmhci.co/2L2quNk -->
<!-- The leading dot on DomainName is presumably a suffix match (any name under corp.example.net); the DnsServers listed here are the same two addresses given host routes at the bottom of this file, so they remain reachable over the restricted tunnel. Keep both lists in sync -->
<DomainNameInformation>
<DomainName>.corp.example.net</DomainName>
<DnsServers>10.21.12.100,10.21.12.101</DnsServers>
</DomainNameInformation>
<NativeProfile>
<!-- Public name of the VPN server. For IKEv2 this name is presumably also what the server's certificate is validated against; confirm it matches the certificate subject/SAN -->
<Servers>vpn.example.com</Servers>
<!-- SplitTunnel: only traffic matching the Route entries below is sent over the tunnel; everything else uses the local network -->
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<!-- Only IKEv2 is supported for use with the Always On VPN device tunnel -->
<NativeProtocolType>IKEv2</NativeProtocolType>
<!-- Only machine certificates authentication is supported for use with the Always On VPN device tunnel -->
<Authentication>
<MachineMethod>Certificate</MachineMethod>
</Authentication>
<!-- This setting is optional but recommended. It suppresses the automatic class-based route for the assigned VPN address so that ONLY the explicit Route entries below are reachable through the tunnel -->
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
<!-- The CryptographySuite setting is optional but recommended when using IKEv2. The default security settings for IKEv2 are extremely weak. Details here: https://rmhci.co/2Eou3Op -->
<!-- Enabling this setting requires the VPN server to use matching settings. A PowerShell script to configure Windows Server RRAS servers can be found here: https://rmhci.co/2WRpFgl -->
<!-- If this element is removed the client silently falls back to the weak defaults described above; if it is present but the server does not offer a matching proposal, IKE negotiation fails and the device tunnel never comes up. Change these values on both sides together -->
<CryptographySuite>
<!-- ESP (child SA) integrity and encryption -->
<AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
<CipherTransformConstants>AES128</CipherTransformConstants>
<!-- IKE SA encryption, integrity and Diffie-Hellman group -->
<EncryptionMethod>AES128</EncryptionMethod>
<IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
<DHGroup>Group14</DHGroup>
<!-- Perfect forward secrecy for child SA rekeys (2048-bit MODP, matching Group14 above) -->
<PfsGroup>PFS2048</PfsGroup>
</CryptographySuite>
</NativeProfile>
<!-- The Route setting is required when DisableClassBasedDefaultRoute is set to "true" -->
<!-- Host routes (/32) should be used to restrict access over the device tunnel to domain controllers. Using traffic filters isn't recommended as it prevents outbound management -->
<!-- These addresses are the DnsServers from DomainNameInformation above. When a domain controller is added or replaced, update both places -->
<Route>
<Address>10.21.12.100</Address>
<PrefixSize>32</PrefixSize>
</Route>
<Route>
<Address>10.21.12.101</Address>
<PrefixSize>32</PrefixSize>
</Route>
</VPNProfile>