I need to enter a pre-shared key to connect to my Microsoft VPN.
Where can I enter it?
Hello,
Are you converting your Microsoft PPTP VPN to L2TP VPN with a pre-shared key?
The problem is that the pre-shared key is saved locally (it seems to be in the registry), but we don't know where exactly. This information is not provided by Microsoft. We have done some research to find where the key is located, without success. If someone from your company has found that information, please provide it to us so that we can verify whether we can enhance our Microsoft VPN integration.
It’s because of the pre-shared key that you need to have a local copy of the VPN.
Sorry that I cannot do anything to help for the moment.
Best regards,
Jeff Dagenais
Hello,
Jeff didn't know that we had been given a trick by our good friend Brent Quick.
Here's a PowerShell script that will create the VPN profile. You can create a PowerShell entry right in RDM that your users will have to run only once to create the profile.
# set-executionpolicy -executionpolicy unrestricted
$wshell = New-Object -ComObject Wscript.Shell
$ConnectionName = '<Connection Name>'
# Get-VpnConnection throws when the name is unknown; suppress that so $Exists is simply empty
$Exists = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
If (-not $Exists) {
    $ServerAddress = '<IP Address>'
    $PresharedKey = '<Shared Key>'
    # Variables must not be wrapped in single quotes, or the literal text '$ConnectionName' is used
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp -AllUserConnection -L2tpPsk $PresharedKey -AuthenticationMethod Pap -Force
} Else {
    $wshell.Popup($ConnectionName + ' - VPN Connection Already Exists',0,'Done',0x0)
}
In an ideal world, we would add a feature in the VPN entry to create the profile if it doesn't exist, but at least you can automate most of your requirement with this script.
Best regards,
Maurice
Maurice,
I believe that you could fire off the create script since it does check for the existence of the connection name and then have it open the VPN.
See this article about "auto connect" at boot time --> https://www.magnumvpn.com/powershell_auto_connect_vpn.html
Open VPN PS commands
# Poll every 30 seconds and redial with rasdial whenever the connection shows as disconnected
while ($true) {
    $vpnname = "YOURVPNCONNECTIONNAME"
    $vpnusername = "YOURUSERNAME"
    $vpnpassword = "YOURPASSWORD"
    $vpn = Get-VpnConnection | where {$_.Name -eq $vpnname}
    if ($vpn.ConnectionStatus -eq "Disconnected") {
        $cmd = $env:WINDIR + "\System32\rasdial.exe"
        # The connection name is double-quoted so names with spaces reach rasdial as one argument
        $expression = "$cmd ""$vpnname"" $vpnusername $vpnpassword"
        Invoke-Expression -Command $expression
    }
    start-sleep -seconds 30
}
You would need a return code (try/catch) in case of errors, and it is becoming something of a Rube Goldberg process, but I will put some time into it and see if I can link the open script to the create script and get an effective process. You might also want to "remove" the VPN connection on close, since there is a user with 98 VPN connections and that really clogs up the "Network Picker" in Windows 10, since it shows all VPN connections.
Updates to the script:
1) If you need to allow a split-tunnel connection, add "-SplitTunneling " after the "-TunnelType L2TP" and before "-L2tpPsk".
We set up most as split tunnel, but sometimes Windows does not do the route part unless you add the manual ROUTE entry.
2) I had to add an additional element to the script for users who did not know what to do about the security warning returned on the -Force parameter that eliminates the requirement for encryption on the PSK.
Revised script below.
# Run from elevated PowerShell session
# May need to run commented line below and answer 'A' OR 'Y'
# set-executionpolicy -executionpolicy unrestricted
$wshell = New-Object -ComObject Wscript.Shell
$ServerAddress = 'IP or FQDN'
$ConnectionName = 'String Name'
$PresharedKey = 'String PSK'
# Get-VpnConnection errors when the name is unknown; capture the error instead of stopping
$Exists = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue -ErrorVariable ProcessError
If ($ProcessError) {
    $wshell.Popup($ConnectionName + ' - Does Not Exist',0,'Creating',0x0)
    $Exists = $False
}
If ($Exists -eq $False) {
    # -Force runs without the confirmation prompt; -RememberCredential saves the user's logon with the profile
    Add-VpnConnection -RememberCredential -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap -Force
    $wshell.Popup('Warning message about encryption level expected.',0,'Done',0x0)
} Else {
    $wshell.Popup($ConnectionName + ' - VPN Connection Already Exists',0,'Done',0x0)
}
Exit
3) Finally, if someone wants more information on the Add-VpnConnection command, here is the MS page --> https://docs.microsoft.com/en-us/powershell/module/vpnclient/add-vpnconnection?view=win10-ps
Thank you.
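Putting the pieces from the thread together (profile check/create, a rasdial connect with an exit-code check, and remove-on-disconnect), as an added example that is not from any post above. It assumes an L2TP/IPsec server with PAP inside the tunnel and split tunneling, as in the revised script; the connection name and server address are placeholders, and Ensure-L2tpProfile, Connect-Vpn and Disconnect-Vpn are names made up for this example.

```powershell
# Added example (not code from the thread): idempotent profile creation,
# connect with rasdial exit-code checking, and optional remove-on-disconnect.
# Connection name and server address below are placeholders.
param(
    [string]$ConnectionName = 'Office-L2TP',
    [string]$ServerAddress  = 'vpn.example.com'
)
$ErrorActionPreference = 'Stop'

function Ensure-L2tpProfile {
    param([string]$Name, [string]$Server, [string]$Psk)
    # Get-VpnConnection throws when the name is unknown; treat that as "absent"
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) { return $false }
    # -Force skips the confirmation prompt the thread describes
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
        -L2tpPsk $Psk -AuthenticationMethod Pap -SplitTunneling -Force
    return $true
}
function Connect-Vpn {
    param([string]$Name, [pscredential]$Credential)
    if ((Get-VpnConnection -Name $Name).ConnectionStatus -eq 'Connected') { return 0 }
    $plain = $Credential.GetNetworkCredential().Password
    # Call operator instead of Invoke-Expression, so special characters in the password are passed as-is
    & "$env:WINDIR\System32\rasdial.exe" $Name $Credential.UserName $plain | Out-Null
    return $LASTEXITCODE   # 0 = connected, otherwise a RAS error code
}
function Disconnect-Vpn {
    param([string]$Name, [switch]$Remove)
    & "$env:WINDIR\System32\rasdial.exe" $Name /DISCONNECT | Out-Null
    # Removing the entry keeps the Windows 10 network picker from filling up with stale connections
    if ($Remove) { Remove-VpnConnection -Name $Name -Force }
}

# Secrets are prompted for at run time instead of being embedded in the script
$pskSecure = Read-Host -Prompt 'L2TP pre-shared key' -AsSecureString
$pskPlain  = [System.Net.NetworkCredential]::new('', $pskSecure).Password
$cred      = Get-Credential -Message "VPN credentials for $ConnectionName"
try {
    if (Ensure-L2tpProfile -Name $ConnectionName -Server $ServerAddress -Psk $pskPlain) {
        Write-Host "Created VPN profile '$ConnectionName'"
    }
    $rc = Connect-Vpn -Name $ConnectionName -Credential $cred
    if ($rc -ne 0) { throw "rasdial exited with code $rc" }
    Write-Host "Connected to '$ConnectionName'"
} catch {
    Write-Error $_
    exit 1
}
```

Run `Disconnect-Vpn -Name $ConnectionName -Remove` when the session ends to drop the profile again, as suggested above for users who accumulate many connections.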
I had a PM about adding L2TP VPN connections and if the script was needed so I thought I would add that here.
Are you asking, "I already have setup the L2TP VPN connection and just want to add it to RDM, can I do so without the PowerShell script?"
The answer is yes, it is already in RDM, since RDM looks at the phonebook.pbk when you add a Windows VPN entry.
I have had issues where it will not "see the connection" when editing, but it does show all entries in the drop-down list.
Pick the one you want, and if you have already saved credentials in the connection, they may not work. I believe RDM will try to pass them based on the RDM entry but cannot access the Windows saved credentials. I have not tried it to be sure, so this is more a sceptical/safe note than something I am certain about.
The problem/reason for the script is that for a distributed group of users, each one has to have identical entries in their personal phonebook. The script ensures they set them up in an identical way.