So I had initially written about setting up VPN with Windows Server as the platform. But I then swapped over to Libreswan and Linux. Ironic or not, I've decided to switch back to using Windows Server for a couple of reasons:
- It turns out that the problems I was having with routing were actually the fault of my personal wireless router, and not the platform. Switching to a custom firmware and setting my custom route there was actually necessary to get Libreswan/Linux working as well.
- Debugging the Libreswan/Linux setup is easier, true. But only nominally so. And in return, the setup is considerably more complicated.
- Perhaps most importantly, under the Libreswan/Linux setup, a given user could only have a single connection to the VPN. Under Windows Server, that restriction doesn't exist.
However, during that process, I also decided to switch around my home setup. Previously, I was running a domain controller as a Hyper-V host with a RRAS server as a client. The problem is that since the RRAS client comes up after the domain controller does, so it doesn't always act correctly as a result. So, I decided to switch it around, and try to set up a RRAS server as the Hyper-V host, with the domain controller as a client. Except... this doesn't work properly. Honestly, I'm somewhat shocked that this bug has existed for over 3 years - I will admit that's one area where open source would (probably) not have let this bug live for this long. In this case, it resulted in me setting up a standalone Hyper-V host with two clients: the RRAS server coming up first, with the domain controller coming up later. sigh<
Update (1/19/2016): So after kicking it around some more, I still haven't managed to get my site-to-site set up quite the way I want. Even following Microsoft's IKEv2 troubleshooting page, I can't manage to make it work. The only way I've managed to get it to work is for my colocated server to specify my home server via IP and with a PSK. Even after setting up a custom certificate template with the appropriate EKUs and create the associate templates, it's a no-go - all I get is a RemoteAccess error in the Event Viewer with Event ID 20111 ("IKE authentication credentials are unacceptable"). Very unhelpful, and this is one of the areas where Windows' ability to debug can be nigh-nonexistent. But, on the other hand, iOS is able to connect just fine. Yay?