Specifying machine certificate issuer with Windows VPN

Question

I am trying to create a Windows Always On VPN connection between an AD and AAD joined Windows 10 client and a StrongSwan VPN server. The Windows client has multiple "Client Authentication" certificates in its machine store, one from our internal AD CA, and one from Microsoft Intune MDM.

When using a user tunnel with EAP authentication, we can specify an issuer fingerprint so that the VPN client picks the correct certificate, however, this same option does not seem to be available when using "Certificate" authentication for device VPNs:

This value can be one of the following:

• Certificate

Or from the rasphone UI, no options are available either:

End result is that it tries to authenticate using the Intune MDM certificate instead of the one issued by our CA, and strongswan is configured to only accept connections with certificates issued by our CA.

Is there any way to tell Windows to use a certificate issued by a particular CA when connecting to a VPN with a machine cert?

Answer 1

I had this issue when setting up WPA2-Enterprise using my own CA. It would work fine for any machine that only had one machine certificate, but as soon as another one was on the machine, it was a mixed bag. I never figured it out and ended up using the enterprise CA on the domain, setting up a machine policy that domain joined machine automatically enrolled and updated their certificates and that ended up working. It seems to not be an issue when the Enterprise CA on the domain issuing the certificate. It always selects the correct one now.

Answer 2

Looks like there are a couple of ways to select the certificate:

Set-VpnConnection -MachineCertificateIssuerFilter

Set-VpnConnection -MachineCertificateEKUFilter

https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnection?view=win10-ps