IKEv2 PEAP - MS Always on VPN

Hi everyone,

I have configured the new MS Always on VPN technology that uses RADIUS, Active Directory Certificate Services and Windows RRAS:

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-overview

Apparently it is possible to use a VPN server other than Windows Server RRAS; I was hoping to use our Mikrotik router instead.

The VPN uses IKEv2 with a user certificate issued from Active Directory Certificate Services, this is presented to the RADIUS server via PEAP authentication.

Does the Mikrotik support IKEv2 with RADIUS PEAP authentication?

You can read more about how to set this up using only the Windows components here:

https://4sysops.com/archives/always-on-vpn-directaccess-for-windows-10/

Apparently this is the new MS “standard” for corporate VPN, so it would sure be good to get this working on the Mikrotik.

If anyone has any thoughts or ideas I would sure be grateful to hear them!

Thanks

Daniel

Hi, did you ever get this set up?
I am looking at this now and would love to be able to get it working with our Mikrotik router.

Guys, any news regarding this topic?

Bump :slight_smile:

I can tell that Always On VPN works fine with Mikrotik’s ikev2 eap radius.
I used this guide to configure the Windows servers: https://4sysops.com/archives/always-on-vpn-directaccess-for-windows-10/
Except the RRAS part.
Also, I use a trusted certificate from Comodo for Mikrotik’s ikev2 instead of AD CS.
You just need to configure the ikev2 server on the Mikrotik and use Windows NPS as the RADIUS server for the Mikrotik.

Just one drawback for me is that Mikrotik does not support SSTP certificate authentication. We could use it with AOVPN too, because AOVPN supports SSTP fallback in case ikev2 cannot connect.

I have been using a Mikrotik router since 2019 and always connect to the VPN on my PC with ikev2. I have never seen any issue regarding connectivity or anything else, and I use this ikev2 guide [REDACTED]