---
title: VPNv2 DDF file
description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider.
ms.assetid: 4E2F36B7-D2EE-4F48-AD1A-6BDE7E72CC94
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 12/05/2017
---

# VPNv2 DDF file

This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider.

Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).

The XML below is for Windows 10, version 1709.

``` syntax
MgmtTree (VerDTD 1.2)

VPNv2   Path: ./Device/Vendor/MSFT   DDFName: com.microsoft/1.3/MDM/VPNv2
  ProfileName
    AppTriggerList: List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect
      appTriggerRowId
        App
          Id [text/plain]: App Identity. Specified, based on the Type Field..
          Type [text/plain]:
              PackageFamilyName
              FQBN
              FilePath
    RouteList: List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface
      routeRowId
        Address [text/plain]: Subnet address
        PrefixSize [text/plain]: Subnet Prefix
        Metric [text/plain]: The route's metric.
        ExclusionRoute [text/plain]:
            False = This Route will direct traffic over the VPN
            True = This Route will direct traffic over the physical interface
            By default, this value is false.
    DomainNameInformationList: NRPT (Name Resolution Policy Table) Rules for the VPN Profile
      dniRowId
        DomainName [text/plain]: Value based on the DomainNameType field
        DomainNameType [text/plain]:
            a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain.
            b. Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains.
            c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here.
            d. Any: Use this if the policy applies to all.
        DnsServers [text/plain]: Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
        WebProxyServers [text/plain]: [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular)
        AutoTrigger [text/plain]:
            False = This DomainName Rule will not trigger the VPN
            True = This DomainName Rule will trigger the VPN
            By default, this value is false.
        Persistent [text/plain]:
            False = This DomainName Rule will only be plumbed when the VPN is connected
            True = This DomainName Rule will always be plumbed.
            By default, this value is false.
    TrafficFilterList: A list of rules allowing traffic over the VPN Interface. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed
      trafficFilterId
        App: Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface
          Id [text/plain]: App Identity. Specified, based on the Type Field..
          Type [text/plain]:
              PackageFamilyName
              FQBN
              FilePath
        Claims [text/plain]: Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token
        Protocol [text/plain]: 0-255 number representing the ip protocol (TCP = 6, UDP = 17)
        LocalPortRanges [text/plain]: Comma Separated list of ranges for eg. 100-120,200,300-320
        RemotePortRanges [text/plain]: Comma Separated list of ranges for eg. 100-120,200,300-320
        LocalAddressRanges [text/plain]: Comma Separated list of IP ranges
        RemoteAddressRanges [text/plain]: Comma Separated list of IP ranges
        RoutingPolicyType [text/plain]:
            SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface.
            ForceTunnel - All Traffic matching this rule must go over only the VPN Interface.
            Only Applicable for App and Claims type.
    EdpModeId [text/plain]: Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with.
    RememberCredentials [text/plain]:
        False = Remember credentials is turned off
        True = Remember credentials is turned on
        If True, Credentials will be cached wherever applicable.
    AlwaysOn [text/plain]:
        False = Always on in not turned On
        True = Always is on is turned on
        Note: Always On will work only for the active profile.
    LockDown [text/plain]:
        False = This is not a LockDown profile.
        True = This is a LockDown profile.
        If turned on a lockdown profile does four things. First, it automatically becomes an always on profile. Second, it can never be disconnected. Third, if the profile is not connected, then the user has no network connectivity. Fourth, no other profiles may be connected or modified. A lockdown profile must be deleted before any other profiles can be added, removed, or connected.
    DeviceTunnel [text/plain]:
        False = This is not a Device Tunnel profile and it is the default value.
        True = This is a Device Tunnel profile.
        If turned on a device tunnel profile does four things. First, it automatically becomes an always on profile. Second, it does not require the presence or logging in of any user to the machine in order for it to connect. Third, no other Device Tunnel profile maybe be present on the Same machine. A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
    RegisterDNS [text/plain]:
        False = Do not register the connection's address in DNS (default).
        True = Register the connection's addresses in DNS.
    DnsSuffix [text/plain]: Connection Specific DNS Suffix. for eg. corp.contoso.com
    ByPassForLocal [text/plain]:
        False : Do not Bypass for Local traffic
        True : ByPass VPN Interface for Local Traffic
        Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
    TrustedNetworkDetection [text/plain]: Optional. String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device.
    ProfileXML [text/plain]: Xml schema for provisioning all the fields of a VPN
    Proxy
      Manual
        Server [text/plain]: Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80
      AutoConfigUrl [text/plain]: Optional. Set a URL to automatically retrieve the proxy settings.
    APNBinding: Reserved for Future Use
      ProviderId [text/plain]
      AccessPointName [text/plain]
      UserName [text/plain]
      Password [text/plain]
      IsCompressionEnabled [text/plain]
      AuthenticationType [text/plain]
    DeviceCompliance: Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN
      Enabled [text/plain]: Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory
      Sso [text/plain]: Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance
        Enabled [text/plain]: If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication
        IssuerHash [text/plain]: Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication
        Eku [text/plain]: Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication
    PluginProfile
      ServerUrlList [text/plain]: Required. URL for VPN Server
      CustomConfiguration [text/plain]: Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins
      PluginPackageFamilyName [text/plain]: Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app
      CustomStoreUrl [text/plain]: TO be Deleted
    NativeProfile: Inbox VPN Profile
      Servers [text/plain]: Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm Some examples are 208.23.45.130 or vpn.contoso.com.
      RoutingPolicyType [text/plain]:
          SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack.
          ForceTunnel - All IP Traffic must go over only the VPN Interface.
      NativeProtocolType [text/plain]: Supported Values : Pptp L2tp Ikev2 Automatic
      Authentication
        UserMethod [text/plain]: Supported Values Mschapv2 Eap
        MachineMethod [text/plain]: Supported Values Eap Certificate PresharedKey
        Eap
          Configuration [text/plain]: XML Configuration for EAP Method
          Type [text/plain]: Required node for EAP profiles. This specifies the EAP Type ID 13 = EAP-TLS 26 = Ms-Chapv2 27 = Peap
        Certificate: Reserved for future Use
          Issuer [text/plain]: Reserved for future Use
          Eku [text/plain]: Reserved for future Use
      CryptographySuite: Properties of IPSec tunnels.
        AuthenticationTransformConstants [text/plain]: Choices are: -- MD596 -- SHA196 -- SHA256128 -- GCMAES128 -- GCMAES192 -- GCMAES256
        CipherTransformConstants [text/plain]: Choices Are: -- DES -- DES3 -- AES128 -- AES192 -- AES256 -- GCMAES128 -- GCMAES192 -- GCMAES256
        EncryptionMethod [text/plain]: Choices are: -- DES -- DES3 -- AES128 -- AES192 -- AES256 -- AES_GCM_128 -- AES_GCM_256
        IntegrityCheckMethod [text/plain]: Choices are: -- MD5 -- SHA196 -- SHA256 -- SHA384
        DHGroup [text/plain]: Choices are: -- Group1 -- Group2 -- Group14 -- ECP256 -- ECP384 -- Group24
        PfsGroup [text/plain]: Choices are: -- PFS1 -- PFS2 -- PFS2048 -- ECP256 -- ECP384 -- PFSMM -- PFS24
      L2tpPsk [text/plain]: The preshared key used for an L2TP connection
      DisableClassBasedDefaultRoute [text/plain]: When false this VPN connection will plumb class based default routes. i.e. If the interface IP begins with 10, it assumes a class a IP and pushes the route 10.0.0.0/8

VPNv2   Path: ./User/Vendor/MSFT   DDFName: com.microsoft/1.3/MDM/VPNv2
  ProfileName
    AppTriggerList: List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect
      appTriggerRowId
        App
          Id [text/plain]: App Identity. Specified, based on the Type Field..
          Type [text/plain]:
              PackageFamilyName
              FQBN
              FilePath
    RouteList: List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface
      routeRowId
        Address [text/plain]: Subnet address
        PrefixSize [text/plain]: Subnet Prefix
        Metric [text/plain]: The route's metric.
        ExclusionRoute [text/plain]: Is this a route to never go over the VPN
    DomainNameInformationList: NRPT (Name Resolution Policy Table) Rules for the VPN Profile
      dniRowId
        DomainName [text/plain]: Value based on the DomainNameType field
        DomainNameType [text/plain]:
            a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain.
            b. Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains.
            c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here.
            d. Any: Use this if the policy applies to all.
        DnsServers [text/plain]: Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
        WebProxyServers [text/plain]: [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular)
        AutoTrigger [text/plain]:
            False = This DomainName Rule will not trigger the VPN
            True = This DomainName Rule will trigger the VPN
            By default, this value is false.
        Persistent [text/plain]:
            False = This DomainName Rule will only be plumbed when the VPN is connected
            True = This DomainName Rule will always be plumbed.
            By default, this value is false.
    TrafficFilterList: A list of rules allowing traffic over the VPN Interface. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed
      trafficFilterId
        App: Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface
          Id [text/plain]: App Identity. Specified, based on the Type Field..
          Type [text/plain]:
              PackageFamilyName
              FQBN
              FilePath
        Claims [text/plain]: Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token
        Protocol [text/plain]: 0-255 number representing the ip protocol (TCP = 6, UDP = 17)
        LocalPortRanges [text/plain]: Comma Separated list of ranges for eg. 100-120,200,300-320
        RemotePortRanges [text/plain]: Comma Separated list of ranges for eg. 100-120,200,300-320
        LocalAddressRanges [text/plain]: Comma Separated list of IP ranges
        RemoteAddressRanges [text/plain]: Comma Separated list of IP ranges
        RoutingPolicyType [text/plain]:
            SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface.
            ForceTunnel - All Traffic matching this rule must go over only the VPN Interface.
            Only Applicable for App and Claims type.
    EdpModeId [text/plain]: Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with.
    RememberCredentials [text/plain]:
        False = Remember credentials is turned off
        True = Remember credentials is turned on
        If True, Credentials will be cached wherever applicable.
    AlwaysOn [text/plain]:
        False = Always on in not turned On
        True = Always is on is turned on
        Note: Always On will work only for the active profile.
    DnsSuffix [text/plain]: Connection Specific DNS Suffix. for eg. corp.contoso.com
    ByPassForLocal [text/plain]:
        False : Do not Bypass for Local traffic
        True : ByPass VPN Interface for Local Traffic
        Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
    TrustedNetworkDetection [text/plain]: Optional. String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device.
    ProfileXML [text/plain]: Xml schema for provisioning all the fields of a VPN
    Proxy
      Manual
        Server [text/plain]: Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80
      AutoConfigUrl [text/plain]: Optional. Set a URL to automatically retrieve the proxy settings.
    APNBinding: Reserved for Future Use
      ProviderId [text/plain]
      AccessPointName [text/plain]
      UserName [text/plain]
      Password [text/plain]
      IsCompressionEnabled [text/plain]
      AuthenticationType [text/plain]
    DeviceCompliance: Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN
      Enabled [text/plain]: Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory
      Sso [text/plain]: Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance
        Enabled [text/plain]: If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication
        IssuerHash [text/plain]: Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication
        Eku [text/plain]: Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication
    PluginProfile
      ServerUrlList [text/plain]: Required. URL for VPN Server
      CustomConfiguration [text/plain]: Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins
      PluginPackageFamilyName [text/plain]: Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app
      CustomStoreUrl [text/plain]: TO be Deleted
    NativeProfile: Inbox VPN Profile
      Servers [text/plain]: Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm Some examples are 208.23.45.130 or vpn.contoso.com.
      RoutingPolicyType [text/plain]:
          SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack.
          ForceTunnel - All IP Traffic must go over only the VPN Interface.
      NativeProtocolType [text/plain]: Supported Values : Pptp L2tp Ikev2 Automatic
      Authentication
        UserMethod [text/plain]: Supported Values Mschapv2 Eap
        MachineMethod [text/plain]: Supported Values Eap Certificate PresharedKey
        Eap
          Configuration [text/plain]: XML Configuration for EAP Method
          Type [text/plain]: Required node for EAP profiles. This specifies the EAP Type ID 13 = EAP-TLS 26 = Ms-Chapv2 27 = Peap
        Certificate: Reserved for future Use
          Issuer [text/plain]: Reserved for future Use
          Eku [text/plain]: Reserved for future Use
      CryptographySuite: Properties of IPSec tunnels.
        AuthenticationTransformConstants [text/plain]: Choices are: -- MD596 -- SHA196 -- SHA256128 -- GCMAES128 -- GCMAES192 -- GCMAES256
        CipherTransformConstants [text/plain]: Choices Are: -- DES -- DES3 -- AES128 -- AES192 -- AES256 -- GCMAES128 -- GCMAES192 -- GCMAES256
        EncryptionMethod [text/plain]: Choices are: -- DES -- DES3 -- AES128 -- AES192 -- AES256 -- AES_GCM_128 -- AES_GCM_256
        IntegrityCheckMethod [text/plain]: Choices are: -- MD5 -- SHA196 -- SHA256 -- SHA384
        DHGroup [text/plain]: Choices are: -- Group1 -- Group2 -- Group14 -- ECP256 -- ECP384 -- Group24
        PfsGroup [text/plain]: Choices are: -- PFS1 -- PFS2 -- PFS2048 -- ECP256 -- ECP384 -- PFSMM -- PFS24
      L2tpPsk [text/plain]: The preshared key used for an L2TP connection
      DisableClassBasedDefaultRoute [text/plain]: When false this VPN connection will plumb class based default routes. i.e. If the interface IP begins with 10, it assumes a class a IP and pushes the route 10.0.0.0/8
```