Configure an Always On VPN device tunnel for Virtual WAN

A new feature of the Windows 10 VPN client, Always On, is the ability to maintain a VPN connection. With Always On, the active VPN profile can connect automatically and remain connected based on triggers, such as user sign-in, network state change, or device screen active.

You can use gateways with Windows 10 Always On to establish persistent user tunnels and device tunnels to Azure. This article helps you configure an Always On VPN device tunnel.

Always On VPN connections include either of two types of tunnels:

  • Device tunnel: Connects to specified VPN servers before users sign in to the device. Pre-sign-in connectivity scenarios and device management use a device tunnel.

  • User tunnel: Connects only after users sign in to the device. By using user tunnels, you can access organization resources through VPN servers.

Device tunnels and user tunnels operate independently of their VPN profiles. They can be connected at the same time, and they can use different authentication methods and other VPN configuration settings, as appropriate.

Prerequisites

You must create a point-to-site configuration and edit the virtual hub assignment. See the following sections for instructions:

Configure the device tunnel

The following requirements must be met in order to successfully establish a device tunnel:

  • The device must be a domain-joined computer running Windows 10 Enterprise or Education version 1809 or later.
  • The tunnel is only configurable for the Windows built-in VPN solution and is established using IKEv2 with computer certificate authentication.
  • Only one device tunnel can be configured per device.

  1. Install client certificates on the Windows 10 client using the point-to-site VPN client article. The certificate needs to be in the Local Machine store.
  2. Create a VPN profile and configure the device tunnel in the context of the LOCAL SYSTEM account using these instructions.
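The requirements and the certificate step above can be checked before anything is written to the CSP. The following PowerShell is an added example, not part of the original article or of the Azure tooling; it assumes an elevated session, and the issuer substring it filters on (`P2S`) is a placeholder to replace with the name of the CA that issued your point-to-site client certificate.

```powershell
# Added example (not from the original article): pre-flight checks for the
# device tunnel requirements. Run in an elevated PowerShell session.
function Test-DeviceTunnelPrerequisites {
    param(
        # Placeholder: substring expected in the Issuer of the point-to-site client certificate
        [string]$IssuerMatch = 'P2S'
    )
    $results = [ordered]@{}

    # Requirement: Windows 10 Enterprise or Education, version 1809 (build 17763) or later
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $results['Build1809OrLater'] = ([int]$os.BuildNumber -ge 17763)
    $results['EditionSupported'] = ($edition -match '^(Enterprise|Education)')

    # Requirement: the computer is domain joined
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # Step 1: a still-valid client certificate with a private key in the
    # Local Machine store, issued by the point-to-site CA
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Issuer -like "*$IssuerMatch*"
    })
    $results['MachineCertPresent']  = ($certs.Count -gt 0)
    $results['MachineCertSubjects'] = ($certs | ForEach-Object { $_.Subject }) -join '; '

    [pscustomobject]$results
}

$check = Test-DeviceTunnelPrerequisites -IssuerMatch 'P2S'
$check | Format-List

# Any boolean that is $false names a requirement that is not yet met
$failed = $check.PSObject.Properties | Where-Object { $_.Value -is [bool] -and -not $_.Value }
if ($failed) {
    Write-Warning ('Device tunnel prerequisites not met: ' + ($failed.Name -join ', '))
} else {
    Write-Host 'All device tunnel prerequisites are met.'
}
```

The certificate filter is deliberately strict (private key present, not expired, expected issuer): a certificate in the current user's store, or one without its private key, is the usual reason the IKEv2 machine-certificate handshake fails even though "a certificate is installed".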

Configuration example for device tunnel

After you have configured the virtual network gateway and installed the client certificate in the Local Machine store on the Windows 10 client, use the following examples to configure a client device tunnel:

  1. Copy the following text and save it as devicecert.ps1.

    Param(
        [string]$xmlFilePath,
        [string]$ProfileName
    )

    # Confirm the profile XML file exists before touching the CSP
    $a = Test-Path $xmlFilePath
    Write-Host "Profile file found: $a"
    if (-not $a) { exit 1 }

    $ProfileXML = Get-Content $xmlFilePath

    Write-Host $ProfileXML

    # The CSP instance ID is a URI segment, so spaces in the profile name must be encoded
    $ProfileNameEscaped = $ProfileName -replace ' ', '%20'

    # The VPNv2 CSP expects the profile XML as an entity-encoded string
    $ProfileXML = $ProfileXML -replace '<', '&lt;'
    $ProfileXML = $ProfileXML -replace '>', '&gt;'
    $ProfileXML = $ProfileXML -replace '"', '&quot;'

    $nodeCSPURI = './Vendor/MSFT/VPNv2'
    $namespaceName = "root\cimv2\mdm\dmmap"
    $className = "MDM_VPNv2_01"

    $session = New-CimSession

    try
    {
        # Build the MDM_VPNv2_01 instance: ParentID and InstanceID are the keys,
        # ProfileXML carries the encoded profile
        $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
        $newInstance.CimInstanceProperties.Add($property)
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
        $newInstance.CimInstanceProperties.Add($property)
        $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
        $newInstance.CimInstanceProperties.Add($property)

        # Creating the instance is what writes the profile into the VPNv2 CSP
        $session.CreateInstance($namespaceName, $newInstance)
        $Message = "Created $ProfileName profile."
        Write-Host "$Message"
    }
    catch [Exception]
    {
        $Message = "Unable to create $ProfileName profile: $_"
        Write-Host "$Message"
        exit 1
    }
    $Message = "Complete."
    Write-Host "$Message"
    
    
  2. Copy the following text and save it as VPNProfile.xml in the same folder as devicecert.ps1. Edit the following text to match your environment.

    • <Servers>azuregateway-1234-56-78dc.chinacloudapp.cn</Servers>: can be found in the VpnSettings.xml in the downloaded profile zip file
    • <Address>192.168.3.5</Address>: IP of a resource in the VNet, or the VNet address space
    • <Address>192.168.3.4</Address>: IP of a resource in the VNet, or the VNet address space

    <VPNProfile>
      <NativeProfile>
        <Servers>azuregateway-1234-56-78dc.chinacloudapp.cn</Servers>
        <NativeProtocolType>IKEv2</NativeProtocolType>
        <Authentication>
          <MachineMethod>Certificate</MachineMethod>
        </Authentication>
        <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
        <!-- disable the addition of a class based route for the assigned IP address on the VPN interface -->
        <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
      </NativeProfile>
      <!-- use host routes (/32) to prevent routing conflicts -->
      <Route>
        <Address>192.168.3.5</Address>
        <PrefixSize>32</PrefixSize>
      </Route>
      <Route>
        <Address>192.168.3.4</Address>
        <PrefixSize>32</PrefixSize>
      </Route>
      <!-- need to specify always on = true -->
      <AlwaysOn>true</AlwaysOn>
      <!-- new node to specify that this is a device tunnel -->
      <DeviceTunnel>true</DeviceTunnel>
      <!-- new node to register client IP address in DNS to enable manage out -->
      <RegisterDNS>true</RegisterDNS>
    </VPNProfile>
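Because devicecert.ps1 entity-encodes whatever is in VPNProfile.xml and hands it to the CSP as an opaque string, a typo in the file only surfaces later as a tunnel that never comes up. The validator below is an added example, not part of the original article; it checks an edited profile against the settings the device tunnel needs (IKEv2, machine certificate, AlwaysOn and DeviceTunnel set, and, for split tunnel, DisableClassBasedDefaultRoute plus host routes only). The sample XML it writes to a temp file is constructed here, with a placeholder gateway name, and intentionally contains a /24 route so the failure case is visible; point -Path at your real VPNProfile.xml instead.

```powershell
# Added example (not from the original article): validate VPNProfile.xml
# before devicecert.ps1 pushes it into the VPNv2 CSP.
function Test-DeviceTunnelProfileXml {
    param([Parameter(Mandatory)][string]$Path)

    # The cast throws if the file is not well-formed XML, which is the first thing to catch
    [xml]$doc = Get-Content -Path $Path -Raw
    $native   = $doc.VPNProfile.NativeProfile
    $problems = New-Object System.Collections.Generic.List[string]

    if ($native.NativeProtocolType -ne 'IKEv2')                { $problems.Add('NativeProtocolType must be IKEv2') }
    if ($native.Authentication.MachineMethod -ne 'Certificate') { $problems.Add('MachineMethod must be Certificate') }
    if ([string]::IsNullOrWhiteSpace($native.Servers))          { $problems.Add('Servers is empty') }
    if ($doc.VPNProfile.AlwaysOn -ne 'true')                    { $problems.Add('AlwaysOn must be true') }
    if ($doc.VPNProfile.DeviceTunnel -ne 'true')                { $problems.Add('DeviceTunnel must be true') }

    # Split tunnel: no class-based route, and only host routes (/32), so the
    # tunnel cannot capture traffic that belongs on the local network
    if ($native.RoutingPolicyType -eq 'SplitTunnel') {
        if ($native.DisableClassBasedDefaultRoute -ne 'true') {
            $problems.Add('DisableClassBasedDefaultRoute should be true for SplitTunnel')
        }
        $routes = @($doc.VPNProfile.Route)
        if ($routes.Count -eq 0) { $problems.Add('SplitTunnel profile has no Route entries') }
        foreach ($route in $routes) {
            if (-not ($route.Address -as [ipaddress])) {
                $problems.Add("Route address '$($route.Address)' is not an IP address")
            }
            if ([int]$route.PrefixSize -ne 32) {
                $problems.Add("Route $($route.Address)/$($route.PrefixSize) is not a host route")
            }
        }
    }

    [pscustomobject]@{ Path = $Path; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample (placeholder gateway name); the /24 route is a deliberate mistake
$sample = @'
<VPNProfile>
  <NativeProfile>
    <Servers>azuregateway-placeholder.chinacloudapp.cn</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route><Address>192.168.3.5</Address><PrefixSize>24</PrefixSize></Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
'@
$tmp = Join-Path $env:TEMP 'VPNProfile-sample.xml'
Set-Content -Path $tmp -Value $sample

$result = Test-DeviceTunnelProfileXml -Path $tmp
$result | Format-List   # Valid = False, Problems lists the 192.168.3.5/24 route
```

Run it against your edited file before step 5; a clean result means the profile at least states what the article's example states, which is the part devicecert.ps1 cannot check for you.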
    
  3. Download PsExec from Sysinternals and extract the files to C:\PSTools.

  4. From an Admin CMD prompt, launch PowerShell as LOCAL SYSTEM by running one of the following (the -s switch runs the process as the SYSTEM account, which step 2 of the requirements calls for; -i makes it interactive so the window is visible):

    REM 32-bit Windows
    PsExec.exe -s -i Powershell
    REM 64-bit Windows
    PsExec64.exe -s -i Powershell

  5. In PowerShell, switch to the folder where devicecert.ps1 and VPNProfile.xml are located, and run the following command:

    .\devicecert.ps1 .\VPNProfile.xml MachineCertTest


  6. Run rasphone.

    rasphone

  7. Look for the MachineCertTest entry and click Connect.


  8. If the connection succeeds, reboot the computer. The tunnel will connect automatically.
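Before rebooting, you can confirm from the same PsExec-launched (LOCAL SYSTEM) PowerShell window that the profile actually landed in the VPNv2 CSP and carries the device tunnel flags, rather than relying on rasphone alone. This is an added example, not part of the original article; it assumes the profile name MachineCertTest from step 5, and handles the ProfileXML coming back either entity-encoded (as devicecert.ps1 stored it) or decoded.

```powershell
# Added example (not from the original article): read the profile back from the
# VPNv2 CSP and check it is an Always On device tunnel. Run as LOCAL SYSTEM.
function Get-CspVpnProfile {
    param([string]$ProfileName = 'MachineCertTest')

    # devicecert.ps1 stores the instance under the space-encoded name
    $escaped   = $ProfileName -replace ' ', '%20'
    $instances = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' -ErrorAction Stop
    $match     = $instances | Where-Object { $_.InstanceID -eq $escaped }
    if (-not $match) { return $null }

    # The CSP may return the XML entity-encoded, exactly as it was written
    $raw = $match.ProfileXML
    if ($raw -like '*&lt;*') { $raw = [System.Net.WebUtility]::HtmlDecode($raw) }
    [xml]$xml = $raw

    [pscustomobject]@{
        ProfileName  = $ProfileName
        Servers      = $xml.VPNProfile.NativeProfile.Servers
        Protocol     = $xml.VPNProfile.NativeProfile.NativeProtocolType
        DeviceTunnel = ($xml.VPNProfile.DeviceTunnel -eq 'true')
        AlwaysOn     = ($xml.VPNProfile.AlwaysOn -eq 'true')
        Routes       = @($xml.VPNProfile.Route | ForEach-Object { "$($_.Address)/$($_.PrefixSize)" })
    }
}

$info = Get-CspVpnProfile -ProfileName 'MachineCertTest'
if ($null -eq $info) {
    Write-Warning 'Profile not found in the CSP. Is this PowerShell running as LOCAL SYSTEM (PsExec -s)?'
} elseif (-not ($info.DeviceTunnel -and $info.AlwaysOn)) {
    Write-Warning 'Profile exists but is not flagged as an Always On device tunnel; check VPNProfile.xml.'
} else {
    $info | Format-List
}
```

A missing instance when the script reported "Created" usually means the query is running as a different account than the one that created it: the device tunnel profile lives with the SYSTEM context, which is why the article has you launch PowerShell through PsExec.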

To remove a profile

To remove the profile, run the following command:

    Remove-VpnConnection -Name MachineCertTest

Next steps

For more information about Virtual WAN, see the FAQ.