How to set up an L2TP/IPSec VPN on Windows Server 2016


Introduction

A virtual private network (VPN) extends a private network across a public network so that you can securely access your data remotely through the public network. You can also use a VPN to secure your internet activity by using the VPN server as a proxy server.

This article will show you how you can set up an L2TP/IPsec VPN on Windows Server 2016 Standard with step-by-step screenshots. This VPN can be used to get access to your business network.

We will configure the VPN with the built-in feature (Routing and Remote Access, RRAS) which Microsoft provides in Windows Server 2016. This feature can be enabled in the Add Roles and Features wizard.

Prerequisites

Step 1 – Log in using RDP

You must be logged in via RDP as an administrator or a user with administrator permission. Please see this article for instructions if you don’t know how to connect.

Step 2 – Update Windows

All Windows updates need to be installed before you start installing and configuring L2TP/IPsec. This is needed to keep the server up to date with all security patches.

Open the Windows Start menu and click Settings.

Navigate to Update & Security.

Click on Check for updates to check if there are any updates for your server.

Download and install all updates if any are available.

Step 3 – Install Dependencies

Open the Windows Start menu and click on Server Manager.

Click on Manage -> Add Roles and Features.

A new screen will be opened; click on Next.

Select Role-based or feature-based installation and click on Next.

Select the option Select a server from the server pool and click on Next.

Select Remote Access and click on Next.

Click on Next.

Click on Next.

Select DirectAccess and VPN (RAS) and Routing. Once selected, a pop up will be shown; click on Add Features.

Click on Next.

Click on Next.

Click on Next.

Select Restart the destination server automatically if required.

Once it is selected a pop up will be shown; click on Yes to allow the system to reboot if required.

The last step is to click on Install.

The installation is now pending.

The installation is finished.

Step 4 – Routing and Remote Access

Open Routing and Remote Access via Server Manager -> Tools -> Routing and Remote Access.

A new screen will be opened. Right click on the server name and click on Configure and Enable Routing and Remote Access.

A new screen will be opened to set up the Routing and Remote Access server; click on Next.

We are using Custom configuration because the option Virtual private network (VPN) access and NAT requires two or more network interfaces.

Select Custom configuration and click on Next.

Select VPN access and NAT and click on Next.

Complete the wizard by clicking on Finish.

After the wizard is completed a pop up will ask whether you want to start the Routing and Remote Access service. Click on Start service.

Step 5 – Configure Routing and Remote Access

Right click on the server name (VPN) and click on Properties.

Navigate to the Security tab and select Allow custom IPsec policy for L2TP/IKEv2 connection. In our screenshot the Preshared Key field is already filled in; you have to fill it with a strong secret of your own.

You can use a password or passphrase generator to create the preshared key. Generate a strong pre-shared key of at least 32 characters.

Navigate to IPv4. In our setup we do not have a DHCP server; therefore we have to select the option Static address pool and click on Add to enter your IP address range.

We used the following range:

Start IP address: 10.10.10.1
End IP address: 10.10.10.254
Number of addresses: 254

Click on OK to save the IPv4 range.

Click on OK to apply the changes we made in the properties of the Routing and Remote Access service. You should get a warning pop up stating that the service has to be restarted; click OK.
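The same result as Steps 3 to 5 can be reached from an elevated PowerShell prompt on the server. The script below is an added example and is not part of the original article; it assumes the role names and the `netsh ras` syntax of Windows Server 2016, uses the article's 10.10.10.1 to 10.10.10.254 pool, and generates the pre-shared key from the operating system's CSPRNG instead of a web-based generator (the `New-L2tpPreSharedKey` function is a constructed helper). Entering the key into the Security tab is still done in the RRAS console as described above.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the
# Windows Server 2016 host that will become the VPN server.

# Step 3: install the Remote Access role with the DirectAccess/VPN and Routing services.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Step 4: deploy RRAS as a remote-access VPN server (cmdlet equivalent of the wizard;
# assumed to match the "VPN access" choice, so on a single-NIC host prefer the wizard above).
Install-RemoteAccess -VpnType Vpn

# Step 5, IPv4: hand out client addresses from a static pool instead of DHCP.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.10.10.1 to=10.10.10.254

# Step 5, Security: generate the pre-shared key from the OS random number generator.
# 32 random bytes become a 43-character Base64 string, above the article's 32-character minimum.
function New-L2tpPreSharedKey {
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    # Base64 is printable, so it survives copy/paste into the RRAS Security tab.
    [Convert]::ToBase64String($buf)
}

$psk = New-L2tpPreSharedKey
Write-Host "Paste this into 'Preshared Key' on the Security tab and store it in your password manager:"
Write-Host $psk

# Restart the service so the new IPv4 pool takes effect (the GUI's restart pop-up).
Restart-Service -Name RemoteAccess
```

The pre-shared key is one secret shared by every client, and it only authenticates the IPsec tunnel; the user name and password from Step 9 authenticate the person. Treat the key as a credential: keep it out of chat and ticket systems, rotate it when someone who knew it leaves, and remember that a weak or leaked key lets anyone reach the L2TP layer and start guessing user passwords.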

Step 6 – Configure NAT

Navigate to Routing and Remote Access -> VPN (server name) -> IPv4 -> NAT, right click on NAT and click on New Interface...

A new screen will be opened. Select Ethernet and click on OK.

Select Public interface connected to the Internet and select Enable NAT on this interface.

Open the Services and Ports tab and select VPN Gateway (L2TP/IPsec - running on this server) from the list.

A new screen will be opened. Change the Private address field from 0.0.0.0 to 127.0.0.1 and click on OK.

Click on OK.

Step 7 – Restart Routing and Remote Access

Right click on the server name (VPN), navigate to All Tasks and click on Restart.

Step 8 – Windows Firewall

Open the Windows Start menu and click on Control Panel.

Open System and Security.

Open Windows Firewall.

Click on Advanced settings in the left menu.

A new screen will be opened. Open Inbound Rules.

Create a new rule by clicking on New Rule... in the right menu.

A new screen will be opened. Select Predefined: Routing and Remote Access and click on Next.

Select Routing and Remote Access (L2TP-In) and click on Next.

Click on Finish.

Verify that the rule has been created.

Step 9 – Configure User(s)

Before users can start using the VPN we have to give them permission to connect.

Right click on the Windows icon and click on Computer Management.

Open Local Users and Groups from the left menu and click on Users.

You should see a list of the users on your server. Right click on the user for whom you want to enable VPN and click on Properties.

In this article we are enabling VPN for our Administrator user. We advise creating or using separate users with limited permissions for VPN purposes.

A new screen will be opened with the User Properties; in our example it is Administrator. Open the Dial-in tab and select Allow access.

Click on OK and close Computer Management. The user Administrator now has permission to connect to the server via an L2TP/IPsec VPN connection.
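Steps 8 and 9 together, as an added PowerShell example that is not part of the original article. It enables the same predefined L2TP-In rule the wizard creates and shows which protocol and port that rule actually opens, then follows the article's own advice by creating a dedicated, non-administrative VPN account with dial-in permission instead of enabling Administrator. The account name `vpn-alice` is a constructed example, and the `netsh ras set user` syntax is assumed to be that of Windows Server 2016.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the VPN host.

# Step 8: enable the predefined inbound rule instead of hand-writing a port rule.
Enable-NetFirewallRule -DisplayName "Routing and Remote Access (L2TP-In)"

# Verify what the rule opens (expected: UDP, local port 1701). IKE/IPsec on UDP 500/4500
# is not part of this rule, so check the listeners separately once the service is up.
Get-NetFirewallRule -DisplayName "Routing and Remote Access (L2TP-In)" |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Step 9: a dedicated VPN-only account. "vpn-alice" is a constructed example name.
$secret = Read-Host -AsSecureString -Prompt "Password for the VPN-only account"
New-LocalUser -Name "vpn-alice" -Password $secret -Description "L2TP/IPsec VPN access only"

# New-LocalUser does not add the account to any group; Users is enough for a VPN login.
# Deliberately NOT adding it to Administrators, which is the point of a separate account.
Add-LocalGroupMember -Group "Users" -Member "vpn-alice"

# Grant the dial-in right (the Dial-in tab -> Allow access in Computer Management)
# and print the account's RAS settings so the change can be confirmed.
netsh ras set user name=vpn-alice dialin=permit
netsh ras show user name=vpn-alice
```

Keeping the VPN account out of Administrators limits what a stolen VPN password can do: the attacker lands on the internal network as a plain user and still has to get past the normal logon controls of each system, rather than arriving with the same credential that administers the VPN server itself.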

Step 10 – Remote Access Management

Open the Windows Start menu and click on Server Manager.

Navigate to Tools -> Remote Access Management. A new screen will be opened with the Remote Access Dashboard. You can see in our overview that the services are running without warnings.

More information regarding Remote Access Management can be found here.
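Beyond the dashboard, a short scripted health check gives a yes/no answer for each thing the previous steps were supposed to produce. This is an added example, not from the original article; `Test-L2tpVpnServer` is a constructed function, and it assumes the service name `RemoteAccess`, the `Get-RemoteAccess` cmdlet from the RemoteAccess module, and the three UDP ports that L2TP/IPsec uses (500 for IKE, 4500 for NAT-T, 1701 for L2TP).

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the VPN host.

function Test-L2tpVpnServer {
    $results = [ordered]@{}

    # The RRAS service itself (Windows service name: RemoteAccess).
    $results.ServiceRunning = (Get-Service -Name RemoteAccess).Status -eq 'Running'

    # RRAS's own view of the deployment from Step 4.
    $results.VpnStatus = (Get-RemoteAccess).VpnStatus

    # L2TP/IPsec needs UDP listeners on 500 (IKE), 4500 (NAT-T) and 1701 (L2TP).
    $wanted = 500, 4500, 1701
    $listening = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $wanted } |
        Select-Object -ExpandProperty LocalPort -Unique
    $results.MissingUdpPorts = @($wanted | Where-Object { $_ -notin $listening })

    # The firewall rule from Step 8 must exist and be enabled.
    $rule = Get-NetFirewallRule -DisplayName "Routing and Remote Access (L2TP-In)" `
                                -ErrorAction SilentlyContinue
    $results.FirewallRuleEnabled = [bool]($rule -and $rule.Enabled -eq 'True')

    [pscustomobject]$results
}

# A healthy server reports ServiceRunning True, an empty MissingUdpPorts list and
# FirewallRuleEnabled True.
Test-L2tpVpnServer | Format-List
```

If `MissingUdpPorts` lists 1701 while the service is running, the usual cause is that the WAN Miniport (L2TP) device has no ports enabled for inbound remote access connections under Ports in the Routing and Remote Access console; clients then fall back to nothing, while PPTP on TCP 1723 may still answer, which is the symptom described in the comments below.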

Step 11 – Reboot the server

Open the Windows Start menu.

Right click on the power icon and click on Restart.

Step 12 – Client Connection

Conclusion

Congratulations, you have now configured an L2TP/IPsec VPN on your Windows Server 2016 Standard. If you need further assistance or help with configuring your Windows Server 2016 Standard get in touch with our support.


Comments

  1. paul p says

    I take it this article assumes that one of the server NICs is directly on the internet?

    you've installed NAT routing on the server which I assume takes the place of what many folks do with a NAT router.

    so in a typical environment you must forward UDP 500, UDP 1701 and UDP 4500 (IIRC) from your NAT router to your VPN server.

    But in this environment, you are accomplishing the same thing by first enabling L2TP on the NAT item within RRAS to allow those services... then forwarding the ports with the automated rule in Windows firewall?

    • Yavuz Aydin says

      Yes, this article assumes one of the NICs is public facing. The NAT is needed for routing the traffic between the VPN network and the public network and has nothing to do with being behind a NAT router or not.

  2. Victor says

    Hello

    Is this configuration an IPsec VPN site-to-site tunnel or just a remote access VPN (SSL)?

    And is it possible to configure an IPsec VPN site-to-site tunnel on Windows Server?

    Thank you!
    Regards,

  3. TM says

    I followed through the thread on Windows Server 2019;
    however, when I start the Routing and Remote Access service it fails with the error

    "The system cannot find the file specified"

    Event id 7024

  4. Dante Havenaar says

    Hi Ahmet,

    Facing the NIC to a public IP Address, what kind of settings do you use for the gateway and DNS?
    Another problem is that the IP Address of my ISP is changing a lot of times. How can I fix that problem?

    Kind regards,
    Dante

    • Ahmet Bas says

      Hi Dante,

      Yes, it should be a public IP address. Could you elaborate on your question about what kind of settings to use for the gateway and DNS?
      There is no easy solution if your ISP is providing you with a dynamic IP address. The only solution is to contact them and ask for a static IP address, which they provide in some cases.

      We provide VPS and dedicated servers managed and unmanaged. All our servers come with a public static IPv4 and IPv6 addresses. If you are interested in one of our services feel free to contact our sales department by emailing [email protected].

  5. Karol says

    Hi,
    everything is ok, but I can't connect to this server via RDP; even ping is not working.
    If I turn off the firewall it works (via VPN), but from the public network as well.
    I put an inbound firewall rule (custom) to allow everything, and I put just
    my VPN IP in the scope, and it didn't work. Have you got any solutions?

    • Ahmet Bas says

      Hey Karol,

      If I understand it right, it's working fine if you disable the Windows Firewall? Did you enable RDP connections in the Firewall? Ping (ICMP) requests are disabled by default in Windows Firewall; you can enable this.

  6. Karol says

    Hi Ahmet,
    yes. If I turn off the firewall the connection works.
    If I enable the firewall and put allow TCP 3389 it works as well.
    But with this rule I can connect from all public IP addresses.
    If I change the scope of this rule from "Any IP address" to "These IP addresses" and put my VPN IPs, it doesn't work.

    • Ahmet Bas says

      You have to double-check the firewall rules since you mentioned that it's working if it's disabled. In step 8 of our article we are providing instructions on how to configure the firewall rules.

  7. Karol says

    I have checked it many times. I have reverted the system checkpoint and configured it a couple of times. The L2TP connection always works. Even if it was over NAT I could log into other devices (router), but I couldn't log into Windows RDP.

  8. Jan says

    Hi, thank you for the tutorial. I configured everything step by step (also the client PC on Windows 10 by the tutorial), but the client is showing me this error:
    "The specified protocol identifier is not known to the router."
    Please, do you have an idea where the problem can be? (I already tried uncle Google)

    Thank you 🙂

  9. Hosein says

    Hello and thanks for this useful tutorial
    I did all this successfully, but I cannot connect to the server with L2TP, while I can connect immediately with PPTP without any problems. Of course, after making the relevant adjustment.

    With TCPView on the server, I noticed that ports 1701, 500 and 4500 are not in listening mode. But port 1723 is in listening mode, so I can connect to it without any problems. Why are the L2TP ports not in listening mode after installation and configuration? Can anyone help me?

  10. adrian says

    The same thing happens to me as to Jan, who says:
    Hi, thank you for the tutorial. I configured everything step by step (also the client PC on Windows 10 by the tutorial), but the client is showing me this error:
    "The specified protocol identifier is not known to the router."
    Please, do you have an idea where the problem can be?

  11. Junaid says

    Thanks for your article, it helps us a lot. Can you please share an article in which the VPN server is behind a NAT device, meaning its NIC does not have a public IP but a local IP, with one-to-one NAT on the NAT device?
