Windows Server: Creating L2TP VPN Connections
To configure Windows to use L2TP/IPsec connections:
- Ensure the IKE and AuthIP IPsec Keying Modules (IKEEXT) and IPsec Policy Agent (PolicyAgent) services are running and set to start automatically:
sc config IKEEXT start= auto
sc config PolicyAgent start= auto
net start IKEEXT
net start PolicyAgent
- In Routing and Remote Access, right-click the server and choose Properties. On the Security tab, enable Allow custom IPSec policy for L2TP connection, then enter the Preshared Key. This key is shared by every client, so it should be a long, randomly generated secret rather than a chosen word.
- Right-click Ports and choose Properties. Under Devices, select WAN Miniport (L2TP) and click Configure. Enable Remote access connections (inbound only) and change Maximum ports as required.
- In Windows Firewall with Advanced Security, add a rule allowing inbound UDP on ports 500 (IKE) and 4500 (NAT-T), and a rule allowing inbound IP protocol 50 (ESP). Ensure the built-in rule Routing and Remote Access (L2TP-In), which covers UDP 1701, is enabled.
- On the network edge (router), allow inbound UDP traffic on ports 500, 4500 and 1701.
- If the server or clients are behind a NAT device, which is quite common due to the use of network edge devices such as routers, open an elevated command prompt and enter:
reg add HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /d 2 /t REG_DWORD /f
Without this setting, clients will report “Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding”.
- Ensure the inbound and outbound filters are set appropriately under Routing and Remote Access → <Server> → IPv4 → General → Properties.
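The server-side steps above, scripted and then checked, as an added PowerShell example (this is not from the original page; run it in an elevated PowerShell on the RRAS server). The firewall rule display names, the key length and the function names are this example's own choices; the preshared key still has to be pasted into the RRAS Security tab by hand, since RRAS exposes no public cmdlet for it.

```powershell
# Added example, not from the original page. Elevated PowerShell on the RRAS server.
$ErrorActionPreference = 'Stop'

# 1. Services: IKEEXT (IKE and AuthIP IPsec Keying Modules) and PolicyAgent
#    (IPsec Policy Agent) must run and start automatically (same as the sc/net commands).
foreach ($svc in 'IKEEXT', 'PolicyAgent') {
    Set-Service   -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 2. Preshared key: 32 bytes from the OS CSPRNG, Base64-encoded (about 256 bits
#    of entropy). Paste it into RRAS > Properties > Security and give it to
#    clients out of band. The length is this example's choice.
function New-L2tpPreSharedKey {
    param([int]$ByteLength = 32)
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}
$psk = New-L2tpPreSharedKey
Write-Host "Preshared key (enter this in RRAS and on clients): $psk"

# 3. Firewall: UDP 500 (IKE) and 4500 (NAT-T), IP protocol 50 (ESP), and the
#    built-in L2TP rule for UDP 1701. Rule names are this example's own.
New-NetFirewallRule -DisplayName 'L2TP/IPsec IKE and NAT-T (UDP 500,4500)' `
    -Direction Inbound -Protocol UDP -LocalPort 500, 4500 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'L2TP/IPsec ESP (IP protocol 50)' `
    -Direction Inbound -Protocol 50 -Action Allow | Out-Null
Enable-NetFirewallRule -DisplayName 'Routing and Remote Access (L2TP-In)'

# 4. NAT traversal: the PowerShell equivalent of the `reg add` on the page.
#    Without it, clients behind NAT get Error 809. Takes effect after a restart.
$policyAgentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $policyAgentKey -Name AssumeUDPEncapsulationContextOnSendRule `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 5. Check the result against the checklist above; every value should be True.
function Test-L2tpServerPrereqs {
    $results = [ordered]@{}
    foreach ($svc in 'IKEEXT', 'PolicyAgent') {
        $s = Get-Service -Name $svc
        $results["$svc running and Automatic"] =
            ($s.Status -eq 'Running' -and $s.StartType -eq 'Automatic')
    }
    $rule = Get-NetFirewallRule -DisplayName 'Routing and Remote Access (L2TP-In)'
    $results['L2TP-In rule enabled'] = ("$($rule.Enabled)" -eq 'True')
    $natT = (Get-ItemProperty -Path $policyAgentKey `
        -Name AssumeUDPEncapsulationContextOnSendRule -ErrorAction SilentlyContinue
    ).AssumeUDPEncapsulationContextOnSendRule
    $results['AssumeUDPEncapsulationContextOnSendRule = 2'] = ($natT -eq 2)
    return $results
}
Test-L2tpServerPrereqs
```

Run `Test-L2tpServerPrereqs` again after the reboot that the registry change needs; a False row points at the step to revisit before looking at the client side.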
- On each client, add the AssumeUDPEncapsulationContextOnSendRule registry value as above.
- In the client VPN connection's properties, change the Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) and enter the preshared key under Advanced settings.
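The two client steps, as an added PowerShell example using the built-in VpnClient cmdlets (not code from the original page). The server name, connection name and preshared key are placeholders; the script must run elevated for the registry write, and the client needs a restart for that value to take effect.

```powershell
# Added example, not from the original page. Elevated PowerShell on the client.
$ErrorActionPreference = 'Stop'

$VpnServer      = 'vpn.example.com'                 # placeholder: your RRAS server
$ConnectionName = 'Office L2TP'                     # placeholder: any name
$Psk            = '<preshared key from the server>' # placeholder: from RRAS Security tab

# Client-side NAT-T setting, same value as on the server (Error 809 otherwise).
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name AssumeUDPEncapsulationContextOnSendRule -PropertyType DWord -Value 2 -Force | Out-Null

# Type of VPN = L2TP/IPsec with the preshared key; require encryption and
# MS-CHAPv2 so the connection never silently falls back to PAP.
Add-VpnConnection -Name $ConnectionName -ServerAddress $VpnServer -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -Force

# Confirm what was stored, then connect (rasdial prompts for credentials
# the first time and uses the remembered ones afterwards).
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
rasdial $ConnectionName
```

`Get-VpnConnection` should show TunnelType L2tp and EncryptionLevel Required; if the connect attempt still fails with Error 809, the registry value on one side has not been applied yet (no restart) or the edge router is not passing UDP 500, 4500 and 1701.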