My server is 2012R2. I deployed AOVPN according to the Microsoft manual, using PowerShell for client deployment. It all works except that the custom route just does not appear on a client (tried on multiple Windows 10 and Windows 11 PCs), without any hints anywhere. DisableClassBasedDefaultRoute works.
I tried modifying the recommended MakeProfile.ps1, which adds the VPN connection via the MDM_VPNv2_01 WMI class, to instead add the VPN connection with the classic Add-VpnConnection and a custom route via Add-VpnConnectionRoute. It works, the route does appear, but the logon script doesn't run when a client is not connected to the network, as is usually the case for remote clients. It seems like the "incorrect" ProfileXML overrides the route added with Add-VpnConnection after a few client reboots (I don't fully understand the logic) and the custom route disappears, so it works, but unreliably.
Please help me find the error in the ProfileXML or anywhere else:
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <DnsSuffix>mydomain.local</DnsSuffix>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>mydomain.local</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>.mydomain.local</DomainName>
    <DnsServers>192.168.99.1,192.168.99.100</DnsServers>
  </DomainNameInformation>
  <NativeProfile>
    <Servers>vpn.external.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <CryptographySuite>
      <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
      <CipherTransformConstants>AES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>None</PfsGroup>
    </CryptographySuite>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>26</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                  <UseWinLogonCredentials>true</UseWinLogonCredentials>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
  <Route>
    <Address>192.168.96.0</Address>
    <PrefixSize>20</PrefixSize>
    <Metric>1</Metric>
  </Route>
</VPNProfile>
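A ProfileXML that is accepted by the MDM_VPNv2_01 class but has an element in the wrong place typically fails silently, which matches the "no route, no hints" symptom. The following is an added example, not the question's script and not Microsoft's MakeProfile.ps1: a pre-deployment check that parses a ProfileXML and reports the placement mistakes the VPNv2 CSP schema rules out (Route must be a direct child of VPNProfile; RoutingPolicyType and DisableClassBasedDefaultRoute belong inside NativeProfile), plus sanity checks on each route's address and prefix. It only covers structure, so a profile that passes can still fail for other reasons. The function name and the sample profile at the bottom are constructed for this example.

```powershell
# Added example: structural checks for an AOVPN ProfileXML before it is pushed via MDM_VPNv2_01.
# Function name is hypothetical; the checks reflect element placement documented for the VPNv2 CSP.
function Test-AovpnProfileXml {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    try { [xml]$doc = $ProfileXml } catch {
        $findings.Add("Not well-formed XML: $($_.Exception.Message)"); return $findings
    }

    # Helper: text of a direct child element, or '' when it is absent.
    $text = { param($node, $name) $c = $node.SelectSingleNode($name); if ($c) { $c.InnerText.Trim() } else { '' } }

    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'VPNProfile') {
        $findings.Add("Root element is '$($root.LocalName)', expected 'VPNProfile'.")
    }

    $native = $root.SelectSingleNode('NativeProfile')
    if (-not $native) { $findings.Add('NativeProfile element is missing.'); return $findings }

    # Route is a direct child of VPNProfile in the CSP schema, never of NativeProfile.
    if ($native.SelectNodes('Route').Count -gt 0) {
        $findings.Add('Route found inside NativeProfile; the schema places Route directly under VPNProfile.')
    }
    # DisableClassBasedDefaultRoute, conversely, lives inside NativeProfile.
    if ($root.SelectSingleNode('DisableClassBasedDefaultRoute')) {
        $findings.Add('DisableClassBasedDefaultRoute found under VPNProfile; it belongs inside NativeProfile.')
    }

    # Split tunnel with the class-based route disabled and no Route at all: nothing will use the tunnel.
    $routes = @($root.SelectNodes('Route'))
    if ((& $text $native 'RoutingPolicyType') -eq 'SplitTunnel' -and
        (& $text $native 'DisableClassBasedDefaultRoute') -eq 'true' -and $routes.Count -eq 0) {
        $findings.Add('SplitTunnel with DisableClassBasedDefaultRoute=true but no Route elements under VPNProfile.')
    }

    # Per-route checks: parsable address, prefix length in range, no host bits set (IPv4).
    foreach ($r in $routes) {
        $addr = & $text $r 'Address'
        $plenText = & $text $r 'PrefixSize'
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$ip)) {
            $findings.Add("Route address '$addr' is not a valid IP address."); continue
        }
        $max = if ($ip.AddressFamily -eq 'InterNetwork') { 32 } else { 128 }
        $plen = 0
        if (-not [int]::TryParse($plenText, [ref]$plen) -or $plen -lt 0 -or $plen -gt $max) {
            $findings.Add("Route $addr`: PrefixSize '$plenText' is not between 0 and $max."); continue
        }
        if ($max -eq 32) {
            $val = [uint64]0
            foreach ($b in $ip.GetAddressBytes()) { $val = ($val -shl 8) -bor [uint64]$b }
            $mask = ([uint64]0xFFFFFFFF -shl (32 - $plen)) -band [uint64]0xFFFFFFFF
            if (($val -band $mask) -ne $val) {
                $findings.Add("Route $addr/$plen has host bits set; use the network address for a /$plen.")
            }
        }
    }
    return $findings
}

# Constructed sample (not the question's profile) with Route deliberately misplaced under NativeProfile.
$sample = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <Route><Address>10.10.0.0</Address><PrefixSize>16</PrefixSize></Route>
  </NativeProfile>
</VPNProfile>
'@
Test-AovpnProfileXml -ProfileXml $sample
```

On the constructed sample this reports two findings: the Route inside NativeProfile, and the resulting split tunnel with no routes under VPNProfile. Run it against the real ProfileXML string in the deployment script before the MDM_VPNv2_01 instance is created; an empty result means the structure is as the schema expects, not that the deployment will succeed.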
I use custom routes myself, but I was fighting with how to disable class-based routing. Your example above pointed me in the right direction.
Anyhow: the way I added custom routes was through PowerShell:
Assuming your VPN connection is called MyVpn, you could add a custom route with the cmdlet Add-VpnConnectionRoute like so:
The route is associated with your VPN connection, so it will only appear in your routing table while the VPN connection is up.
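The answer's approach carried through end to end, as an added example that is not the answer's own code: create the connection with the built-in VPN cmdlets (IKEv2, EAP-MSCHAPv2 with Windows logon credentials, as in the question's profile), attach the route with Add-VpnConnectionRoute, and verify it both on the stored connection and in the live routing table. The connection name MyVpn follows the answer; the server name and the routed prefix are placeholders, and the -AllUserConnection calls require an elevated shell.

```powershell
# Added example: classic VPN connection plus a custom route, then verification.
# 'MyVpn' is the name used in the answer; server and prefix are constructed placeholders.
$ConnectionName = 'MyVpn'
$VpnServer      = 'vpn.example.com'
$RoutePrefix    = '192.168.96.0/20'

# EAP-MSCHAPv2 (EAP type 26) using the Windows logon credentials, taken from the question's profile.
[xml]$EapConfig = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>true</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@

# Create the all-user connection once. SplitTunneling means only explicitly routed prefixes use the tunnel.
if (-not (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $VpnServer -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EapConfigXmlStream $EapConfig -EncryptionLevel Required `
        -SplitTunneling -RememberCredential -AllUserConnection
}

# Attach the custom route. It is stored with the phonebook entry and installed only while connected.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -AllUserConnection `
    -DestinationPrefix $RoutePrefix -RouteMetric 1

# Verify: the route is stored on the connection object now (Routes property, assumed present),
# and appears in the live routing table only after the connection is up.
(Get-VpnConnection -Name $ConnectionName -AllUserConnection).Routes
Get-NetRoute -DestinationPrefix $RoutePrefix -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop, RouteMetric
```

Get-NetRoute returns nothing while the tunnel is down, which is the expected state for a route bound to a connection rather than to a persistent interface. Note that Add-VpnConnection has no equivalent of the AlwaysOn and TrustedNetworkDetection settings, so those still come from a ProfileXML deployment; keeping one mechanism as the sole owner of a given connection name avoids the two overwriting each other's settings.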