Setting up L2TP/IPsec PSK VPN on Windows 10 and Server 2016With inherent security vulnerabilities of PPTP VPN it has become more relevant to use L2TP/IPsec VPN for remote access to business networks. If you are using Apple device you will find that PPTP is no longer an option. In this visual guide we will set up Windows 2016 member server with Remote Access role and configure Routing and Remote Access (RRAS). As we are using domain joined servers and clients we will use Group Policy to push VPN settings automatically to the clients. This will save time and ensure uniformity of VPN implementation across all domain joined clients.
Assumptions of this guide
- Active Directory domain environment
- Windows Server 2016 Standard
- Windows 10 Pro
- Basic familiarity with PowerShell and Group Policy.
- On the firewall/router UDP ports 500,1701 are open and are redirected to the RRAS server
Step 1. Install Remote Access role on Windows Server 2016We will fast forward with installing Remote Access by using Powershell. We will not use Web Application Proxy subfeature in this lab and will uninstall it. Run Powershell as an administrator and run the cmdlet below:
Install-WindowsFeature RemoteAccess -IncludeAllSubFeature -IncludeManagementTools Uninstall-WindowsFeature Web-Application-Proxy
Install Remote Access roles using Powershell
Step 2. Launch Routing and Remote Access consoleFrom Server Manager's Tools menu select Routing and Remote Access
Launch Routing and Remote access console
Step 3. Configure Routing and Remote AccessOnce in the console right click on the server and choose Configure and Enable Routing and Remote Access. Within Routing and Remote Access Server Setup Wizard select Custom Configuration and choose VPN access and NAT. Complete the wizard and start the service.
Configure and Enable Routing and Remote Access
Step 4. Configure L2TP/IPsec with PSKWithin RRAS console right click on your server and choose Properties. In Properties windows leave Genreal tab at defaults and go to Security tab. In Secutity tab tick Allow custom IPsec policy for L2TP/IKEv2 connection. Type in your preshared key (PSK). Go to IPv4 tab and unless you want to use existing DHCP server, select Static address pool. Click on Add and specify your IP range for the static pool.
Configure PSK and IPv4 settings
Step 5. Restart Routing and Remote Access ServiceIn the console right click on the server and choose All tasks then click Restart to restart the service.
Restart the service.
Step 6. Deploy the VPN via Group PolicyBefore we configure and apply the necessary Group Policy Object (GPO) we must prepare a Powershell script as below. Change the values in red to your own and save it as FILENAME.ps1 file.
Add-VpnConnection -AllUserConnection -Name YOUR-VPN -ServerAddress 220.127.116.11 -TunnelType L2tp -EncryptionLevel Optional -L2tpPsk YOUR-PSK -AuthenticationMethod Eap -RememberCredential -SplitTunneling -Force
Step 7. Launch Group Policy Management ConsoleFrom Server Manager's Tools menu launch Group Policy Management console
Launch Group Policy Management console
Step 8. Create a GPOIn Group Policy Management right click on the OU where your client computers are and select GPO in this domain, and link it here... Give new GPO a name (L2TP VPN).
Create a GPO
Step 9. Edit the GPOIn Group Policy Management Editor browse through to Computer Configuration > Policies > Windows settings > Scripts (Startup/Shutdown) and open the the Startup item. Under PowerShell Scripts tab add your script from Step 6.
Configure Startup script for the GPO
Step 10. Configure Registry entry for L2TP clients behind a NAT-T deviceIn Group Policy Management Editor browse through to Computer Configuration > Preferences > Registry and create new registry item. Under the General tab choose the following values:
Action: Update Hive: HKEY_LOCAL_MACHINE Key Path: SYSTEM\CurrentControlSet\Services\PolicyAgent Value Name: AssumeUDPEncapsulationContextOnSendRule Value Type: REG_DWORD Value Data: 00000002Under the Common tab choose Apply once and do not reapply.