How to set up an L2TP/IPSec VPN on Windows Server 2016

Estimated reading time: 4 min

Introduction

A virtual private network (VPN) extends a private network across a public network so that you will be able to access your data remotely through the public network securely. You can also use a VPN to secure your internet activity by using the VPN server as a proxy server.

This article will show you how you can set up an L2TP/IPsec VPN on a Windows Server 2016 Standard with step by step screenshots. This VPN can be used to get access to your business network.

We will configure the VPN with the built-in feature (Routing and Remote Access RRAS) which Microsoft is providing in Windows Server 2016. This can feature can be enabled in the Add Roles and Features wizard.

Prerequisites

  • Server with Windows Server 2016 Standard installed. If you do not have a server you can order a server on Snel.com
  • Access to your Windows Server with administrator or a user with administrator permissions

Step 1 – Log in using RDP

You must be logged in via RDP as an administrator or a user with administrator permission. Please see this article for instructions if you don’t know how to connect.

Step 2 – Update Windows

All Windows updates needs to be installed before you start with installing and configuring L2TP/IPsec. This is needed to keep the server up to date with all security patches.

Open Windows Start menu and click Settings

windows server 2016 settings

Navigate to Update & Security

windows server 2016 security

Click on Check for updates to check if there are any updates for your server.

windows server 2016 updates

Download and install all updates if there is any available.

windows server 2016 updates install

Step 3 – Install Dependencies

Open Windows Start menu and click on Server Manager

windows server 2016 manager

Click on Manage -> Add Roles and Features

windows 2016 server manager

A new screen will be opened and click on Next

windows server 2016 add role

Select Role-based or feature-based installation and click on Next

windows server 2016 role based

Select Select a server from the server pool and click on Next

windows server 2016 server pool

Select Remote Access and click on Next

windows server 2016 role list

Click on Next

windows server 2016 feature

Click on Next

windows server 2016 ra

Select DirectAccess and VPN (RAS) and Routing. Once it’s selected a pop up will be shown and click on Add Features 

windows server 2016 ras

Click on Next

windows server 2016 ras list

Click on Next

windows server 2016 ras finish

Click on Next

windows server 2016 iis

Select Restart the destination server automatically if required

windows server 2016 restart

Once it’s selected a pop up will be shown and click on Yes to allow the system to reboot if required.

windows server 2016 required

The last step is to click on Install.

windows server 2016 install

Pending installation.

Windows Server 2016 install pending

Installation is finished.

Windows Server 2016 finished

Step 4 – Routing and Remote Access

Open Routing and Remote Access in Server Manager -> Tools -> Routing and Remote Access.

windows server 2016 rasc

A new screen will be opened. Right click on the server name and click on Configure Routing and Remote Access.

windows server 2016 routing

A new screen will be opened to setup Routing Access Server and click on Next

windows server 2016 routing setup

We are using Custom configuration because Virtual private network (VPN) access and NAT requires two or more network interfaces.

windows server 2016 two interfaces

Select Custom configuration and click on Next

windows server 2016 custom

Select VPN access and NAT and click on Next

windows server 2016 select

Complete the wizard by clicking on Finish

windows server 2016 finish

After the wizard is completed a pop up will be shown with the question if you want to Start the Routing and Remote Acess Service. Click on Start Service

windows server 2016 start

windows server 2016 pending

Step 5 – Configure Routing and Remote Access

Right click on the server name (VPN) and click on Properties

windows server 2016 properties

Navigate to Securitytab and select Allow custom IPsec policy for L2TP/IKev2 connection. In our screenshot section Preshared Key but you have to fill this with a strong password.

You can use a password. passphrase generator for creating a preshared key. Generate a strong pre-shared key with at least 32+ characters. 

windows server 2016 security

Navigate to IPv4. In our setup we do not have a DHCP server, therefore, we have to select the option Static address pool and click on Addto enter your IP address range.

windows server 2016 ipv4

We used the following range:

Start IP address: 10.10.10.1
End IP address: 10.10.10.254
Number of addresses: 254

windows server 2016 add

Click on OK to save the IPv4 range.

Click on OK to apply the changes which we made in the properties of the Routing and Remote Access service. You should get  a warning pop up with the information to restart the service click OK.

windows server 2016 popup

Step 6 – Configure NAT

Right click on NAT by navigating to Routing and Remote Access -> VPN (server name) -> IPv4 -> NAT and click on New Interface...

windows server 2016 NAT

A new screen will be opened and select Ethernet and click on OK.

windows server 2016 ethernet

Select Public interface connected to the Internet and select Enable NAT on this Interface

windows server 2016 nat settings

Open Services and Ports tab select VPN Gateway (L2TP/IPsec - running on this server) from the list.

windows server 2016 l2tpipsec

A new screen will be opened. Edit Private address variable from 0.0.0.0 to 127.0.0.1 and click on OK

windows server 2016 private

Click on OK

windows server 2016 nat properties

Step 7 – Restart Routing and Remote Access

Right click on server name (VPN) and navigate to All Tasks and click on Restart

windows server 2016 restart

Step 8 – Windows Firewall

Open Windows Start menu and click on Control Panel

windows server 2016 cp

Open System and Security

windows server 2016 system

Open Windows Firewall

windows server 2016 firewall

Click on Advanced settingsin the left menu

windows server 2016 advanced

A new screen will be opened and open Inbound Rules

windows server 2016 inbound

Create a new rule by clicking on New Rule... in the right menu.

windows server 2016 new rule

A new screen will be opened. Select Predefined: Routing and Remote Access and click on Next

windows server 2016 predfined

Select Routing and Remote Access (L2TP-In) and click on Next

windows server 2016 l2tp

Click on Finish

windows server 2016 connection

Verify that the rule is created

windows server 2016 verify

Step 9 – Configure User(s)

Before user(s) can start using VPN we have to give them permission to connect.

Right click on the Windows icon and click on Computer Management

windows server 2016 right

Open Local Users and Groups from the left menu and click on Users

windows server 2016 cm

You should see a list of users of your server. Right click on the user you want to enable VPN and click on Properties

In our article we are enabling VPN for our Administrator user. We advise creating/using separate users for VPN purposes with limited permissions.

windows server 2016 click

A new screen will be opened with User Properties. In our example it’s Administrator. Open Dial-Intab and select Allow access

windows server 2016 dialin

Click on OK and close Computer Management. User Administrator has now the permission to connect to the server via L2TP/IPsec VPN connection.

Step 10 –  Remote Access Management

Open Windows start menu and click on Server Manager

windows server 2016 manager

Navigate to Tools -> Remote Access Management. A new screen will be opened with the Remote Access Dashboard. You can see in our overview that services are running without warnings.

windows server 2016 status

More information regarding Remote Access Management can be found here.

Step 11 – Reboot the server

Open Windows Start menu

windows server start

Right click on the power icon and click on Restart

windows server 2016 restart

Step 12 – Client Connection

Conclusion

Congratulations, you have now configured an L2TP/IPsec VPN on your Windows Server 2016 Standard. If you need further assistance or help with configuring your Windows Server 2016 Standard get in touch with our support.

Was this article helpful?
Dislike 0
Views: 121

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *