Windows Server: Creating L2TP VPN Connections

To configure Windows to use L2TP/IPsec connections:

Server Configuration

- Ensure the services IKE and AuthIP IPsec Keying Modules (IKEEXT) and IPsec Policy Agent (PolicyAgent) are running and set to Automatic start:

    sc config IKEEXT start= auto
    sc config PolicyAgent start= auto
    net start IKEEXT
    net start PolicyAgent

- In Routing and Remote Access, right-click the server and choose Properties. In the Security tab, enable Allow custom IPSec policy for L2TP connection, then enter the Preshared Key, which should be a secure random password.
- Right-click Ports and choose Properties. Under Devices, select WAN Miniport (L2TP) and click Configure. Enable Remote access connections (inbound only) and change the Maximum Ports as required.
- In Windows Firewall with Advanced Security, add a rule to allow inbound UDP connections on ports 500 and 4500, and a rule to allow inbound connections on IP protocol 50 (ESP). Ensure the default rule Routing and Remote Access (L2TP-In) is enabled.
- On the network edge (router), allow inbound UDP traffic on ports 500, 4500 and 1701.
- If the server or clients are behind a NAT device, which is quite common given network edge devices such as routers, open an elevated command prompt and enter:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /d 2 /t REG_DWORD /f

  Then reboot. Without this setting, clients will report “Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding”.
- Ensure inbound and outbound filters are set appropriately under Routing and Remote Access → <Server> → IPv4 → General → Properties.

Client Configuration

- Add the AssumeUDPEncapsulationContextOnSendRule setting as above.
- Change the Type of VPN to Layer 2 Tunneling Protocol with IPsec and enter the preshared key under Advanced Settings.
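The server-side steps above, scripted and verified in PowerShell, as an added example that is not part of the original article. It assumes an elevated session on the RRAS server; the firewall rule display names are assumptions, and the RRAS port settings, IPv4 filters and edge router still have to be configured as described above.

```powershell
#Requires -RunAsAdministrator
# Added example script (not from the original article): applies the service,
# firewall and NAT-traversal steps above and verifies the result.

# 1. IKE/AuthIP and IPsec Policy Agent services: automatic start, and running now.
foreach ($svc in 'IKEEXT', 'PolicyAgent') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 2. Host firewall: IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50),
#    plus the built-in L2TP rule. Display names below are assumed, not Windows defaults.
New-NetFirewallRule -DisplayName 'L2TP/IPsec IKE and NAT-T (UDP 500,4500)' `
    -Direction Inbound -Protocol UDP -LocalPort 500, 4500 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'L2TP/IPsec ESP (IP protocol 50)' `
    -Direction Inbound -Protocol 50 -Action Allow | Out-Null
Enable-NetFirewallRule -DisplayName 'Routing and Remote Access (L2TP-In)'

# 3. NAT traversal: required when the server or its clients sit behind NAT,
#    otherwise clients fail with Error 809. Takes effect only after a reboot.
$paPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $paPath -Name AssumeUDPEncapsulationContextOnSendRule `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 4. Preshared key: 32 bytes from the OS CSPRNG, base64-encoded (a "secure random
#    password"). Paste it into RRAS > Properties > Security > custom IPsec policy,
#    and keep a copy in a secrets vault; it is shared with every client.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$keyBytes = New-Object byte[] 32
$rng.GetBytes($keyBytes)
$psk = [Convert]::ToBase64String($keyBytes)
Write-Host "Generated L2TP preshared key: $psk"

# 5. Verify state before rebooting: services, the L2TP-In rule and the NAT-T value.
Get-Service IKEEXT, PolicyAgent | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName 'Routing and Remote Access (L2TP-In)' |
    Select-Object DisplayName, Enabled
(Get-ItemProperty -Path $paPath).AssumeUDPEncapsulationContextOnSendRule
```

On a NAT-ed client the same registry step (section 3) applies; run it there as well and reboot.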