Step by Step – L2TP/IPsec VPN set up on Windows 10 and Server 2016

Setting up L2TP/IPsec PSK VPN on Windows 10 and Server 2016

With inherent security vulnerabilities of PPTP VPN it has become more relevant to use L2TP/IPsec VPN for remote access to business networks.  If you are using Apple device you will find that PPTP is no longer an option.  In this visual guide we will set up Windows 2016 member server with Remote Access role and configure Routing and Remote Access (RRAS). As we are using domain joined servers and clients we will use Group Policy to push VPN settings automatically to the clients. This will save time and ensure uniformity of VPN implementation across all domain joined clients.

Assumptions of this guide

  • Active Directory domain environment
  • Windows Server 2016 Standard 
  • Windows 10 Pro 
  • Basic familiarity with PowerShell and Group Policy.
  • On the firewall/router UDP ports 500,1701 are open and are redirected to the RRAS server

Step 1. Install Remote Access role on Windows Server 2016

We will fast forward with installing Remote Access by using Powershell. We will not use Web Application Proxy subfeature in this lab and will uninstall it. Run Powershell as an administrator and run the cmdlet below:
Install-WindowsFeature RemoteAccess -IncludeAllSubFeature -IncludeManagementTools
Uninstall-WindowsFeature Web-Application-Proxy 

Install Remote Access roles using Powershell

Step 2. Launch Routing and Remote Access console

From Server Manager's Tools menu select Routing and Remote Access

Launch Routing and Remote access console

Step 3. Configure Routing and Remote Access

Once in the console right click on the server and choose Configure and Enable Routing and Remote Access. Within Routing and Remote Access Server Setup Wizard select Custom Configuration and choose VPN access and NAT. Complete the wizard and start the service.

Configure and Enable Routing and Remote Access

Step 4. Configure L2TP/IPsec with PSK

Within RRAS console right click on your server and choose Properties. In Properties windows leave Genreal tab at defaults and go to Security tab.  In Secutity tab tick Allow custom IPsec policy for L2TP/IKEv2 connection. Type in your preshared key (PSK). Go to IPv4 tab and unless you want to use existing DHCP server, select Static address pool.  Click on Add and specify your IP range for the static pool.

Configure PSK and IPv4 settings

Step 5. Restart Routing and Remote Access Service

In the console right click on the server and choose All tasks then click Restart to restart the service.

Restart the service.

Step 6. Deploy the VPN via Group Policy

Before we configure and apply the necessary Group Policy Object (GPO) we must prepare a Powershell script as below. Change the values in red to your own and save it as FILENAME.ps1 file.
Add-VpnConnection -AllUserConnection -Name YOUR-VPN -ServerAddress -TunnelType L2tp -EncryptionLevel Optional -L2tpPsk YOUR-PSK -AuthenticationMethod Eap -RememberCredential -SplitTunneling -Force


Step 7. Launch Group Policy Management Console

From Server Manager's Tools menu launch Group Policy Management console

Launch Group Policy Management console

Step 8. Create a GPO

In Group Policy Management right click on the OU where your client computers are and select GPO in this domain, and link it here... Give new GPO a name (L2TP VPN).

Create a GPO

Step 9. Edit the GPO

In Group Policy Management Editor browse through to Computer Configuration Policies Windows settings > Scripts (Startup/Shutdown) and open the the Startup item. Under PowerShell Scripts tab add your script from Step 6.

Configure Startup script for the GPO

Step 10. Configure Registry entry for L2TP clients behind a NAT-T device

In Group Policy Management Editor browse through to Computer Configuration Preferences > Registry and create new registry item. Under the General tab choose the following values:
Action:    Update


Key Path:  SYSTEM\CurrentControlSet\Services\PolicyAgent

Value Name: AssumeUDPEncapsulationContextOnSendRule

Value Type: REG_DWORD

Value Data: 00000002

Under the Common tab choose Apply once and do not reapply.

Configure Registry for NAT-T clients

Step 11. Restart your Windows 10 client in the domain network

Restart your Windows 10 client once in the domain network so that the GPO with startup script and registry item gets applied. Once logged in you will notice that you have a new VPN connection. When you take your device to remote location and try to login you will now notice a new login option.

VPN option before login

Step 12. Try logging in from remote location

This way your VPN connects first and applies all GPOs before logon takes place.

VPN login screen

Leave a comment

Your email address will not be published. Required fields are marked *