---
title: VPNv2 DDF file
description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
ms.date: 06/28/2024
---

# VPNv2 DDF file

The following XML file contains the device description framework (DDF) for the VPNv2 configuration service provider.

```xml
]> 1.2 VPNv2 ./User/Vendor/MSFT 10.0.10586 1.0 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. ProfileName ^[^/]*$ AppTriggerList List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. appTriggerRowId A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. App App Node under the Row Id. Id App Identity. Specified, based on the Type Field. Type Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. RouteList List of routes to be added to the Routing table for the VPN Interface.
Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface. A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. routeRowId A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. Address Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. PrefixSize The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. [0-4294967295] Metric The route's metric. 10.0.14393 1.2 ExclusionRoute false A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. 10.0.14393 1.2 false This route will direct traffic over the VPN. true This route will direct traffic over the physical interface. DomainNameInformationList NRPT (Name Resolution Policy Table) Rules for the VPN Profile. A sequential integer identifier for the Domain Name information. Sequencing must start at 0. dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. DomainName Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. DomainNameType Returns the namespace type. 
This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . and applies to the specified namespace, all records in that namespace, and all subdomains. DnsServers Comma Separated list of IP addresses for the DNS Servers to use for the domain name. WebProxyServers Web Proxy Server IP address if you are redirecting traffic through your intranet. AutoTrigger false Boolean to determine whether this domain name rule will trigger the VPN. 10.0.14393 1.2 false This DomainName rule will not trigger the VPN. true This DomainName rule will trigger the VPN. Persistent false A boolean value that specifies if the rule being added should persist even when the VPN is not connected. 10.0.14393 1.2 false This DomainName rule will only be applied when VPN is connected. true This DomainName rule will always be present and applied. TrafficFilterList A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. trafficFilterId A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. App Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface. Id App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). Type Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System.
Claims Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. Protocol 0-255 number representing the ip protocol (TCP = 6, UDP = 17). [0-255] LocalPortRanges Comma Separated list of ranges for eg. 100-120,200,300-320. LocalPortRanges ^[\d]*$ Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol [6,17] RemotePortRanges A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. ^[\d]*$ Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol [6,17] LocalAddressRanges A list of comma separated values specifying local IP address ranges to allow. RemoteAddressRanges A list of comma separated values specifying remote IP address ranges to allow. RoutingPolicyType Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. SplitTunnel For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. ForceTunnel For this traffic rule all IP traffic must go through the VPN Interface only. Direction Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. Inbound - The traffic filter allows traffic coming from external locations matching this rule. 10.0.19041 1.3 EdpModeId Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. RememberCredentials false Boolean value (true or false) for caching credentials. false Do not cache credentials. 
true Credentials are cached whenever possible. AlwaysOn false An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. false Always On is turned off. true Always On is turned on. AlwaysOnActive 1 An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. 0 Always On is inactive. 1 Always On is activated on provisioning. RegisterDNS false Allows registration of the connection's address in DNS. 10.0.16299 1.3 false Do not register the connection's address in DNS. true Register the connection's addresses in DNS. DnsSuffix Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. ByPassForLocal False : Do not Bypass for Local traffic True : ByPass VPN Interface for Local Traffic Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. TrustedNetworkDetection Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. , DisableAdvancedOptionsEditButton Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. 
10.0.22000 1.5 false Advanced Options Edit Button is available. true Advanced Options Edit Button is unavailable. DisableDisconnectButton Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. 10.0.22000 1.5 false Disconnect Button is visible. true Disconnect Button is not visible. RequireVpnClientAppUI Applicable only to AppContainer profiles. False : Do not show profile in Settings UI. True : Show profile in Settings UI. Optional. This node is only relevant for AppContainer profiles (i.e. using the VpnManagementAgent::AddProfileFromXmlAsync method). 10.0.19628 1.4 ProfileXML The XML schema for provisioning all the fields of a VPN. 10.0.14393 1.2 ]]> Proxy A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. Manual Optional node containing the manual server settings. Server Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80. AutoConfigUrl Optional. Set a URL to automatically retrieve the proxy settings. APNBinding Reserved for future use. ProviderId Reserved for future use. AccessPointName Reserved for future use. UserName Reserved for future use. Password Reserved for future use. IsCompressionEnabled Reserved for future use. AuthenticationType Reserved for future use. DeviceCompliance Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. 10.0.14393 1.1 Enabled Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. 
false Disabled true Enabled Sso Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. Enabled If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. false Disabled true Enabled IssuerHash Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. Eku Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. PluginProfile Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. ServerUrlList Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. CustomConfiguration Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. PluginPackageFamilyName Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app. NativeProfile Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). Servers Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name.
You can make a list of servers by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com. RoutingPolicyType Type of routing policy. SplitTunnel Traffic can go over any interface as determined by the networking stack. ForceTunnel All IP traffic must go over the VPN interface. NativeProtocolType Required for native profiles. Type of tunneling protocol used. PPTP PPTP L2TP L2TP IKEv2 IKEv2 Automatic Automatic SSTP SSTP ProtocolList ProtocolList ProtocolList 10.0.20207 1.4 NativeProtocolList List of inbox VPN protocols in priority order. NativeProtocolRowId Type Inbox VPN protocols type. Pptp Pptp L2tp L2tp Ikev2 Ikev2 Sstp Sstp RetryTimeInHours Default 168, max 500000. Authentication Required node for native profile. It contains authentication information for the native VPN profile. UserMethod This value can be one of the following: EAP or MSChapv2 (This is not supported for IKEv2). EAP EAP MSChapv2 MSChapv2: This is not supported for IKEv2 MachineMethod This is only supported in IKEv2. Certificate Certificate Eap Required when the native profile specifies EAP authentication. EAP configuration XML. Configuration HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration. Type Required node for EAP profiles. This specifies the EAP Type ID 13 = EAP-TLS 26 = Ms-Chapv2 27 = Peap Certificate Reserved for future use. Issuer Reserved for future use. Eku Reserved for future use. CryptographySuite Properties of IPSec tunnels. 10.0.14393 1.2 AuthenticationTransformConstants Type of authentication transform constant. MD596 MD596 SHA196 SHA196 SHA256128 SHA256128 GCMAES128 GCMAES128 GCMAES192 GCMAES192 GCMAES256 GCMAES256 CipherTransformConstants Type of Cipher transform constant.
DES DES DES3 DES3 AES128 AES128 AES192 AES192 AES256 AES256 GCMAES128 GCMAES128 GCMAES192 GCMAES192 GCMAES256 GCMAES256 EncryptionMethod Type of encryption method. DES DES DES3 DES3 AES128 AES128 AES192 AES192 AES256 AES256 AES_GCM_128 AES_GCM_128 AES_GCM_256 AES_GCM_256 IntegrityCheckMethod Type of integrity check. MD5 MD5 SHA196 SHA196 SHA256 SHA256 SHA384 SHA384 DHGroup Group used for DH (Diffie-Hellman). None None Group1 Group1 Group2 Group2 Group14 Group14 ECP256 ECP256 ECP384 ECP384 Group24 Group24 PfsGroup Group used for PFS (Perfect Forward Secrecy). None None PFS1 PFS1 PFS2 PFS2 PFS2048 PFS2048 ECP256 ECP256 ECP384 ECP384 PFSMM PFSMM PFS24 PFS24 L2tpPsk The preshared key used for an L2TP connection. 10.0.14393 1.2 DisableClassBasedDefaultRoute Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 10.0.14393 1.2 false Enabled true Disabled PlumbIKEv2TSAsRoutes True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. 10.0.19041 1.3 NetworkOutageTime The amount of time in seconds the network is allowed to idle. 0 means no limit. 10.0.22000 1.6 [0-4294967295] IPv4InterfaceMetric The metric for the IPv4 interface. 10.0.22000 1.6 [1-9999] IPv6InterfaceMetric The metric for the IPv6 interface. 10.0.22000 1.6 [1-9999] UseRasCredentials true Determines whether the credential manager will save ras credentials after a connection. 10.0.22000 1.6 false Ras Credentials are not saved. true Ras Credentials are saved. DataEncryption Require Determines the level of data encryption required for the connection. 10.0.22000 1.6 None No Data Encryption required. Require Data Encryption required. Max Maximum-strength Data Encryption required. Optional Perform encryption if possible. PrivateNetwork true Determines whether the VPN connection is public or private. 10.0.22000 1.6 false VPN connection is public. 
true VPN connection is private. DisableIKEv2Fragmentation false Set to disable IKEv2 Fragmentation. 10.0.22000 1.6 true IKEv2 Fragmentation will not be used. false IKEv2 Fragmentation is used as normal. VPNv2 ./Device/Vendor/MSFT 10.0.10586 1.0 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2; Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. ProfileName ^[^/]*$ AppTriggerList List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect. A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. appTriggerRowId A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. App App Node under the Row Id. Id App Identity. Specified, based on the Type Field. Type Returns the type of App/Id. This value can be either of the following: PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. RouteList List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface. A sequential integer identifier for the RouteList. This is required if you are adding routes. 
Sequencing must start at 0. routeRowId A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. Address Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. PrefixSize The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. [0-4294967295] Metric The route's metric. 10.0.14393 1.2 ExclusionRoute false A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. 10.0.14393 1.2 false This route will direct traffic over the VPN. true This route will direct traffic over the physical interface. DomainNameInformationList NRPT (Name Resolution Policy Table) Rules for the VPN Profile. A sequential integer identifier for the Domain Name information. Sequencing must start at 0. dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. DomainName Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: FQDN - Fully qualified domain name. Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a . to the DNS suffix. DomainNameType Returns the namespace type. This value can be one of the following: FQDN - If the DomainName was not prepended with a . and applies only to the fully qualified domain name (FQDN) of a specified host. Suffix - If the DomainName was prepended with a . 
and applies to the specified namespace, all records in that namespace, and all subdomains. DnsServers Comma Separated list of IP addresses for the DNS Servers to use for the domain name. WebProxyServers Web Proxy Server IP address if you are redirecting traffic through your intranet. AutoTrigger false Boolean to determine whether this domain name rule will trigger the VPN. 10.0.14393 1.2 false This DomainName rule will not trigger the VPN. true This DomainName rule will trigger the VPN. Persistent false A boolean value that specifies if the rule being added should persist even when the VPN is not connected. 10.0.14393 1.2 false This DomainName rule will only be applied when VPN is connected. true This DomainName rule will always be present and applied. TrafficFilterList A list of rules allowing traffic over the VPN Interface. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed. A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. trafficFilterId A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. App Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface. Id App identity for the app-based traffic filter. The value for this node can be one of the following: PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. SYSTEM - This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB). Type Returns the type of ID of the App/Id. Either PackageFamilyName, FilePath, or System. Claims Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token. Protocol 0-255 number representing the ip protocol (TCP = 6, UDP = 17).
[0-255] LocalPortRanges Comma Separated list of ranges for eg. 100-120,200,300-320. LocalPortRanges ^[\d]*$ Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol [6,17] RemotePortRanges A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. ^[\d]*$ Vendor/MSFT/VPNv2/[ProfileName]/TrafficFilterList/[trafficFilterId]/Protocol [6,17] LocalAddressRanges A list of comma separated values specifying local IP address ranges to allow. RemoteAddressRanges A list of comma separated values specifying remote IP address ranges to allow. RoutingPolicyType Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. SplitTunnel For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. ForceTunnel For this traffic rule all IP traffic must go through the VPN Interface only. Direction Outbound - The traffic filter allows traffic to reach destinations matching this rule. This is the default. Inbound - The traffic filter allows traffic coming from external locations matching this rule. 10.0.19041 1.3 EdpModeId Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. RememberCredentials false Boolean value (true or false) for caching credentials. false Do not cache credentials. true Credentials are cached whenever possible. AlwaysOn false An optional flag to enable Always On mode. 
This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. false Always On is turned off. true Always On is turned on. AlwaysOnActive 1 An optional flag to activate Always On mode. This is true by default if AlwaysOn is true. Setting controls whether "Connect Automatically" is toggled on profile creation. 0 Always On is inactive. 1 Always On is activated on provisioning. DeviceTunnel false If turned on a device tunnel profile does four things. First, it automatically becomes an always on profile. Second, it does not require the presence or logging in of any user to the machine in order for it to connect. Third, no other Device Tunnel profile may be present on the same machine. A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected. 10.0.16299 1.3 false This is not a device tunnel profile. true This is a device tunnel profile. RegisterDNS false Allows registration of the connection's address in DNS. 10.0.16299 1.3 false Do not register the connection's address in DNS. true Register the connection's addresses in DNS. DnsSuffix Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. ByPassForLocal False : Do not Bypass for Local traffic True : ByPass VPN Interface for Local Traffic Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
TrustedNetworkDetection Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. , DisableAdvancedOptionsEditButton Optional. When this setting is True, the Advanced Options page will have its edit functions disabled, only allowing viewing and Clear Sign-In Info. 10.0.22000 1.5 false Advanced Options Edit Button is available. true Advanced Options Edit Button is unavailable. DisableDisconnectButton Optional. When this setting is True, the Disconnect button will not be visible for connected profiles. 10.0.22000 1.5 false Disconnect Button is visible. true Disconnect Button is not visible. ProfileXML The XML schema for provisioning all the fields of a VPN. 10.0.14393 1.2 ]]> Proxy A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. Manual Optional node containing the manual server settings. Server Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80. AutoConfigUrl Optional. Set a URL to automatically retrieve the proxy settings. APNBinding Reserved for future use. ProviderId Reserved for future use. AccessPointName Reserved for future use. UserName Reserved for future use. Password Reserved for future use. IsCompressionEnabled Reserved for future use. AuthenticationType Reserved for future use. DeviceCompliance Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN. 10.0.14393 1.1 Enabled Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. 
The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. false Disabled true Enabled Sso Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. Enabled If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication. false Disabled true Enabled IssuerHash Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. Eku Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication. PluginProfile Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. ServerUrlList Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. CustomConfiguration Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. PluginPackageFamilyName Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app. NativeProfile Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP, SSTP). Servers Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. 
When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of servers by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com. RoutingPolicyType Type of routing policy. SplitTunnel Traffic can go over any interface as determined by the networking stack. ForceTunnel All IP traffic must go over the VPN interface. NativeProtocolType Required for native profiles. Type of tunneling protocol used. PPTP PPTP L2TP L2TP IKEv2 IKEv2 Automatic Automatic SSTP SSTP ProtocolList ProtocolList ProtocolList 10.0.20207 1.4 NativeProtocolList List of inbox VPN protocols in priority order. NativeProtocolRowId Type Inbox VPN protocols type. Pptp Pptp L2tp L2tp Ikev2 Ikev2 Sstp Sstp RetryTimeInHours Default 168, max 500000. Authentication Required node for native profile. It contains authentication information for the native VPN profile. UserMethod Type of user authentication. EAP EAP MSChapv2 MSChapv2: This is not supported for IKEv2 MachineMethod This is only supported in IKEv2. Certificate Certificate Eap Required when the native profile specifies EAP authentication. EAP configuration XML. Configuration HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see https://docs.microsoft.com/en-us/windows/client-management/mdm/eap-configuration. Type Required node for EAP profiles. This specifies the EAP Type ID 13 = EAP-TLS 26 = Ms-Chapv2 27 = Peap Certificate Reserved for future use. Issuer Reserved for future use. Eku Reserved for future use. CryptographySuite Properties of IPSec tunnels. 10.0.14393 1.2 AuthenticationTransformConstants Type of authentication transform constant. MD596 MD596 SHA196 SHA196 SHA256128 SHA256128 GCMAES128 GCMAES128 GCMAES192 GCMAES192 GCMAES256 GCMAES256 CipherTransformConstants Type of Cipher transform constant.
DES DES DES3 DES3 AES128 AES128 AES192 AES192 AES256 AES256 GCMAES128 GCMAES128 GCMAES192 GCMAES192 GCMAES256 GCMAES256 EncryptionMethod Type of encryption method. DES DES DES3 DES3 AES128 AES128 AES192 AES192 AES256 AES256 AES_GCM_128 AES_GCM_128 AES_GCM_256 AES_GCM_256 IntegrityCheckMethod Type of integrity check. MD5 MD5 SHA196 SHA196 SHA256 SHA256 SHA384 SHA384 DHGroup Group used for DH (Diffie-Hellman). None None Group1 Group1 Group2 Group2 Group14 Group14 ECP256 ECP256 ECP384 ECP384 Group24 Group24 PfsGroup Group used for PFS (Perfect Forward Secrecy). None None PFS1 PFS1 PFS2 PFS2 PFS2048 PFS2048 ECP256 ECP256 ECP384 ECP384 PFSMM PFSMM PFS24 PFS24 L2tpPsk The preshared key used for an L2TP connection. 10.0.14393 1.2 DisableClassBasedDefaultRoute Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 10.0.14393 1.2 false Enabled true Disabled PlumbIKEv2TSAsRoutes True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb traffic selectors as routes. 10.0.19041 1.3 NetworkOutageTime The amount of time in seconds the network is allowed to idle. 0 means no limit. 10.0.22000 1.6 [0-4294967295] IPv4InterfaceMetric The metric for the IPv4 interface. 10.0.22000 1.6 [1-9999] IPv6InterfaceMetric The metric for the IPv6 interface. 10.0.22000 1.6 [1-9999] UseRasCredentials true Determines whether the credential manager will save ras credentials after a connection. 10.0.22000 1.6 false Ras Credentials are not saved. true Ras Credentials are saved. DataEncryption Require Determines the level of data encryption required for the connection. 10.0.22000 1.6 None No Data Encryption required. Require Data Encryption required. Max Maximum-strength Data Encryption required. Optional Perform encryption if possible. PrivateNetwork true Determines whether the VPN connection is public or private. 10.0.22000 1.6 false VPN connection is public. 
true VPN connection is private. DisableIKEv2Fragmentation false Set to disable IKEv2 Fragmentation. 10.0.22000 1.6 true IKEv2 Fragmentation will not be used. false IKEv2 Fragmentation is used as normal.
```

## Related articles

[VPNv2 configuration service provider reference](vpnv2-csp.md)