/
ProfileXML_Device.xml
58 lines (58 loc) · 3.57 KB
/
ProfileXML_Device.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
<VPNProfile>
<AlwaysOn>true</AlwaysOn>
<DeviceTunnel>true</DeviceTunnel>
<DnsSuffix>corp.example.net</DnsSuffix>
<TrustedNetworkDetection>corp.example.net</TrustedNetworkDetection>
<!-- The following settings are supported in Windows 11 22H2 and later. -->
<DisableAdvancedOptionsEditButton>true</DisableAdvancedOptionsEditButton>
<DisableDisconnectButton>true</DisableDisconnectButton>
<!-- The following settings are not currently supported in a public release of Windows. However, they are available in current Windows 11 Insider development channel builds. -->
<DataEncryption>Max</DataEncryption>
<DisableIKEv2Fragmentation>true</DisableIKEv2Fragmentation>
<IPv4InterfaceMetric>3</IPv4InterfaceMetric>
<IPv6InterfaceMetric>3</IPv6InterfaceMetric>
<NetworkOutageTime>0</NetworkOutageTime>
<UseRasCredentials>false</UseRasCredentials>
<PrivateNetwork>true</PrivateNetwork>
<!-- End settings -->
<NativeProfile>
<Servers>vpn.example.com</Servers>
<!-- Only SplitTunnel routing policy is supported for the Always On VPN device tunnel. Force tunneling is explicitly not supported. -->
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
<!-- Only IKEv2 is supported for use with the Always On VPN device tunnel. -->
<NativeProtocolType>IKEv2</NativeProtocolType>
<!-- Only machine certificate authentication is supported for the Always On VPN device tunnel. -->
<Authentication>
<MachineMethod>Certificate</MachineMethod>
</Authentication>
<!-- The CryptographySuite setting is optional but recommended when using IKEv2. The default security settings for IKEv2 are extremely weak. Details here: https://rmhci.co/2Eou3Op. -->
<!-- Enabling this setting requires the VPN server to use matching settings. A PowerShell script to configure Windows Server RRAS servers can be found here: https://rmhci.co/2WRpFgl. -->
<!-- The cryptography settings defined below are recommended minimum security baselines. They can be changed to meet higher level security requirements as required. -->
<CryptographySuite>
<AuthenticationTransformConstants>GCMAES128</AuthenticationTransformConstants>
<CipherTransformConstants>GCMAES128</CipherTransformConstants>
<PfsGroup>ECP256</PfsGroup>
<DHGroup>Group14</DHGroup>
<IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
<EncryptionMethod>AES_GCM_128</EncryptionMethod>
</CryptographySuite>
<!-- This setting is optional but recommended. -->
<DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
</NativeProfile>
<!-- The Route setting is required when DisableClassBasedDefaultRoute is set to "true". -->
<!-- Host routes (/32 or /128) should be used to restrict access over the device tunnel to domain controllers. Using traffic filters is not recommended prior to Windows 10 2004 as it prevents outbound management. -->
<Route>
<Address>10.21.12.100</Address>
<PrefixSize>32</PrefixSize>
</Route>
<Route>
<Address>10.21.12.101</Address>
<PrefixSize>32</PrefixSize>
</Route>
<Route>
<Address>2001:db8:2112:a867:5309:1843:6572:adfe</Address>
<PrefixSize>128</PrefixSize>
</Route>
<!-- The RegisterDNS element is optional and used to register the IP address of the device tunnel VPN connection in internal DNS. If a user tunnel is deployed in conjunction with a device tunnel, this element should only be defined on the device tunnel. -->
<RegisterDNS>true</RegisterDNS>
</VPNProfile>