Configuring IKEv2 VPN on Windows 10 Mobile with SD Card / NTFS Soft Link

As mentioned in the last post, because of changes Microsoft made, you cannot set up an IKEv2 VPN from the Settings GUI on Windows 10 Mobile; normally this can only be done through MDM.
However, some people on XDA-Developers and Windows Central have found workarounds.

Solution One

You'll need Interop Unlock on the phone (comparable to root on Android or a jailbreak on iOS) and then edit rasphone.pbk directly. I won't go into details on this solution.

Solution Two

Interop Unlock isn't necessary, but you'll need (1) a MicroSD card, (2) a MicroSD card reader, and (3) a computer running Windows 10.

  1. Prepare a usable rasphone.pbk file

    1. Set up the VPN on Windows 10 (desktop) and modify the gateway and metric settings as described in the last post. Make sure it works there.
    2. Open C:\Users\<YOUR-USERNAME>\AppData\Roaming\Microsoft\Network\Connections\Pbk and find the rasphone.pbk file.
  2. Prepare the file & create the soft link

    1. Take the MicroSD card out of the phone and connect it to the computer with the card reader.
    2. Back up all files on it, format it as NTFS (symbolic links are an NTFS feature; mklink fails on FAT32 and exFAT), then copy the files back.
    3. Create a new folder on the card with any name, for example myvpn. Copy the rasphone.pbk from step 1 into it. If you log on with a certificate, copy that too.
    4. Run the following commands in an elevated cmd.exe (assuming the card is X:). The link target is a path on the phone, so it does not exist on the PC; mklink still creates the (dangling) link, which is what we want:
      X:
      cd myvpn
      mklink /d "pbk" "C:\Data\Users\DefApps\AppData\Roaming\Microsoft\Network\Connections\Pbk"
      exit
      
    5. Put the MicroSD card back into the phone.
  3. Install the usable rasphone.pbk into the phone

    1. Create a VPN connection in Settings and then delete it; this makes the Pbk folder on the phone writable.
    2. Reboot the phone.
    3. Install the Files app (by Microsoft). Open SD card -> myvpn and you'll see a pbk folder (actually the symbolic link) alongside the other files you copied.
    4. Copy rasphone.pbk from myvpn into the myvpn\pbk folder. Then open the pbk folder to make sure it's there.
    5. If the VPN is authenticated by certificates, install your certificate into the phone.
    6. Reboot the phone.

That's all. Now try connecting the VPN and visiting Google; if the page loads, it's done.
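The staging part of the procedure above (steps 2.1 to 2.4), as an added example that is not part of the original post: a PowerShell script, run from an elevated prompt on the Windows 10 PC, that checks the card is NTFS, copies rasphone.pbk into myvpn, creates the pbk link with mklink exactly as in step 2.4, and then reads the link back to confirm its target. The drive letter X:, the folder name myvpn and the default per-user Pbk path are assumptions; the phone-side target path is the one the post uses.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the Windows 10 PC.
# Assumptions: the card is X:, the staging folder is myvpn, and the desktop phonebook is in the
# default per-user location. The phone-side target path is the one the post uses.
$Card       = 'X:'
$Stage      = Join-Path $Card 'myvpn'
$Link       = Join-Path $Stage 'pbk'
$PhonePbk   = 'C:\Data\Users\DefApps\AppData\Roaming\Microsoft\Network\Connections\Pbk'
$DesktopPbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

# 1. A symbolic link is an NTFS reparse point; on FAT32/exFAT mklink simply fails.
$fs = (New-Object System.IO.DriveInfo "$Card\").DriveFormat
if ($fs -ne 'NTFS') { throw "Card is $fs; back up its contents and format it as NTFS first." }

# 2. Stage the working phonebook next to where the link will be.
New-Item -ItemType Directory -Path $Stage -Force | Out-Null
Copy-Item -LiteralPath $DesktopPbk -Destination $Stage -Force

# 3. Create the directory symlink with cmd's mklink, as in the post. The target does not exist
#    on this PC (it is a path on the phone); mklink accepts that and creates a dangling link,
#    which is exactly what we want. Any previous link is removed first (Delete() on a directory
#    symlink removes only the link, never its target).
$existing = Get-Item -LiteralPath $Link -Force -ErrorAction SilentlyContinue
if ($existing) { $existing.Delete() }
cmd.exe /c mklink /D "$Link" "$PhonePbk" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'mklink failed; this needs an elevated prompt and an NTFS card.' }

# 4. Verify the reparse point here. On the phone a mistyped target shows up only as an empty
#    folder with no error message, so this is the last chance to catch a typo.
$item = Get-Item -LiteralPath $Link -Force
if ($item.LinkType -ne 'SymbolicLink') { throw "$Link exists but is not a symbolic link." }
$actual = @($item.Target)[0]                # string[] on PowerShell 5.1, string on 7+
if ($actual -ne $PhonePbk) { throw "Link target is '$actual', expected '$PhonePbk'." }
Write-Host "OK: $Link -> $actual"
Write-Host 'Now eject the card, put it back in the phone and continue with step 3.'
```

The script uses cmd's mklink rather than New-Item -ItemType SymbolicLink because Windows PowerShell 5.1 refuses to create a symbolic link whose target does not exist, and here the target only exists on the phone.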

Solution Three

Based on Solution Two, this improved solution also works on phones without an SD card and still doesn't require Interop Unlock. See this post for details.
The idea is to create a shortcut pointing at rasphone.pbk on the phone, so that you can edit the real rasphone.pbk directly. The key steps are creating such a shortcut and finding a usable text editor (there is a lot of junk in the Windows Store).
.Vicer has provided the necessary shortcut. For editing, NotepadX works. Copy @rasphone.lnk.db to the phone and rename it @rasphone.lnk. Open it with NotepadX and you are editing the real rasphone.pbk. Change:

  1. IpPrioritizeRemote=0 to IpPrioritizeRemote=1 (use the remote network's default gateway, i.e. send all traffic through the VPN)
  2. IpInterfaceMetric=0 to IpInterfaceMetric=15 (or a smaller number, so the VPN interface's route is preferred over the WiFi/mobile one; 0 means automatic)

Save it when finished.
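The two edits above are the same ones you make to the desktop copy in Solution Two, step 1.1, before copying it to the card. Here is an added PowerShell function (not from the post, and not a Microsoft tool) that applies them to one named entry in a rasphone.pbk on the PC; on the phone itself (Solution Three) you still make them by hand in NotepadX. The entry name 'My IKEv2 VPN' and the default per-user Pbk path are assumptions, and the file is assumed to be ASCII/UTF-8 text in the usual INI-style layout of a [section] per VPN entry followed by Key=Value lines.

```powershell
# Added example, not from the original post: apply the two rasphone.pbk edits from this post
# (IpPrioritizeRemote=1, IpInterfaceMetric=15) to one named entry on the desktop copy.
# Assumes an ASCII/UTF-8 INI-style phonebook; entries with non-ASCII names may need an
# explicit encoding when reading and writing.
function Set-PbkRouting {
    param(
        [Parameter(Mandatory)][string]$PbkPath,
        [Parameter(Mandatory)][string]$EntryName,   # the VPN name shown in Settings
        [int]$Metric = 15                           # lower wins; 15 is the post's value
    )
    $PbkPath = (Resolve-Path -LiteralPath $PbkPath).ProviderPath   # .NET needs an absolute path
    $wanted  = @{ 'IpPrioritizeRemote' = '1'; 'IpInterfaceMetric' = "$Metric" }
    $inEntry = $false
    $found   = $false
    $changed = 0
    $out = foreach ($line in [System.IO.File]::ReadAllLines($PbkPath)) {
        if ($line -match '^\[(.*)\]$') {                # section header = one VPN entry
            $inEntry = ($Matches[1] -eq $EntryName)
            if ($inEntry) { $found = $true }
            $line
        } elseif ($inEntry -and $line -match '^(IpPrioritizeRemote|IpInterfaceMetric)=(.*)$') {
            $key = $Matches[1]
            if ($Matches[2] -ne $wanted[$key]) { $changed++ }
            "$key=$($wanted[$key])"                     # emit the corrected line
        } else {
            $line                                       # everything else passes through untouched
        }
    }
    if (-not $found) { throw "No entry named '$EntryName' in $PbkPath" }
    # WriteAllLines writes UTF-8 without BOM, which is byte-identical to the input for ASCII content.
    [System.IO.File]::WriteAllLines($PbkPath, [string[]]$out)
    return $changed
}

# Usage: disconnect the VPN first (rasphone rewrites this file while a connection is up),
# keep a backup, then patch the entry and copy the result to the card (Solution Two, step 1.1).
$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
Copy-Item -LiteralPath $pbk -Destination "$pbk.bak" -Force
$n = Set-PbkRouting -PbkPath $pbk -EntryName 'My IKEv2 VPN'
Write-Host "Changed $n line(s) in $pbk"
```

After reconnecting the VPN on the desktop, `route print` should show a 0.0.0.0 route through the VPN interface with a metric below the WiFi or Ethernet one; if it doesn't, the entry name didn't match and nothing was changed.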

This solution relies on an NTFS symbolic link (soft link) and the permissions of the Pbk folder on Win10m, which is essentially a loophole. Of course we can expect Microsoft to treat it as a feature and never fix it. By the way, I'd also like to mention some other relevant bugs (features?) here:

  1. If you still have problems after the above steps, you may have forgotten to reboot at some step. The fix: reboot; delete all VPNs; if some cannot be deleted, reboot and try again until all are gone; reboot once more; then start from the beginning.
  2. When roaming from the mobile network to WiFi, the IKEv2 VPN reconnects automatically. When roaming from WiFi to mobile, it doesn't.
  3. Further to the above, the VPN then shows as "not connected" in the Settings GUI but is not actually disconnected. When you roam back to WiFi, it reconnects automatically.
  4. Further to the above, if you don't roam back but try to connect again, error 809 pops up. The fix is to reboot.
  5. In Win10m, if the target of a symbolic link doesn't exist, there is no error, just an empty folder. So check the link's target path carefully (on the PC, before putting the card back).
  6. In Win10m, when opening a symbolic link that points into the C: drive, only the files and folders directly inside the target folder are visible; you won't see the contents of its subdirectories. This could be some kind of security restriction. No error is shown.

Reference

  1. The problem about VPN(IKEv2) with Win10 Mobile
  2. How to make VPN work in W10M
  3. Fixing the Win10 Mobile VPN (IKEv2) problem without unlocking, entirely on the phone, all models (修复Win10Mobile的VPN问题(IKEv2),不用解锁,纯手机端操作,全机型)
