The following tutorial shows how to set up Windows Server 2016 (single NIC, behind a NAT/firewall) as an L2TP/IPsec VPN server.
Install Remote Access Role
- Open Server Manager > Manage > Add Roles and Features and add the Remote Access role.
- On the Role Services screen choose only DirectAccess and VPN (RAS).
Enable and Configure Routing and Remote Access
- Open Server Manager > Tools > Routing and Remote Access
- Right click on server name and choose Configure Routing and Remote Access.
- Follow the wizard and choose Custom Configuration, then VPN Access.
- Right click on server name and choose Properties.
- General: Leave default settings
- Security: select "Allow custom IPsec policy for L2TP/IKEv2 connection" and enter your chosen pre-shared key. Every client uses this same key, so make it long and random.
- IPv4: Leave the default (addresses handed out by your existing DHCP server); if there is no DHCP server on that network, choose Static address pool and enter a range.
- Settings in the other tabs can be left as they are.
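The same role installation and RRAS configuration can be scripted. The following is an added example for this page, not code from the original post; it assumes an elevated PowerShell session on the server, and the pre-shared key is still entered in the RRAS Security tab as described above (the script does not set it).

```powershell
# Added example: PowerShell equivalent of the "Install Remote Access Role" and
# "Enable and Configure Routing and Remote Access" steps. Run elevated.

# 1. Install only the DirectAccess and VPN (RAS) role service plus its tools.
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

# 2. Configure RRAS as a remote-access VPN server (what the wizard's
#    "Custom Configuration" > "VPN Access" choice does).
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn -PassThru

# 3. Accept both MS-CHAP v2 and EAP for user authentication. The built-in
#    Windows L2TP client sends plain MS-CHAP v2 unless EAP is chosen on the
#    client, so accepting only EAP would reject it.
Set-VpnAuthProtocol -UserAuthProtocolAccepted MSChapv2, EAP
Get-VpnAuthProtocol

# 4. Address assignment: DHCP is the default. For a static pool instead,
#    uncomment the line below (the range is an assumed value; adjust it).
# Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange '10.10.50.100', '10.10.50.150'

# 5. Verify the server is up before moving on to NPS.
Get-RemoteAccess | Select-Object VpnStatus
Get-Service RemoteAccess | Select-Object Status, StartType
```

After this the pre-shared key is set in Routing and Remote Access > server Properties > Security, exactly as in the steps above; the rest of the tutorial (AD group, NPS policy, NAT-T registry value) is unchanged.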
Create Active Directory VPN Group
- Open Active Directory Users and Computers.
- Create a new security group and add every user who will be allowed to connect via VPN.
Create and Configure Remote Access Policy
- Open Server Manager > Tools > Network Policy Server
- Open Policies, right click on Network Policies and click on New
- Configure as follows:
- Policy name: Allow VPN Access
- Type of Network Access Server: Remote Access Server (VPN-Dial up)
- Conditions > Add > User Groups. Add the VPN Users group you created previously.
- Specify Access Permission: Access Granted
- EAP Types: Add Microsoft: Secured password (EAP-MSCHAP v2). If clients connect with plain MS-CHAP v2 (the default for the built-in Windows L2TP client), also leave "Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)" ticked under Less secure authentication methods, otherwise NPS rejects them.
- Constraints: Set up as required.
- Complete the rest of the wizard and move the policy up to Processing Order 1, so it is evaluated before the default deny policies.
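Creating the group and checking what the NPS policy will actually evaluate can be done from PowerShell. This is an added example, not part of the original post; the group name and user names are assumed values, and it assumes the ActiveDirectory module (RSAT) is available on the machine where it runs.

```powershell
# Added example: create the VPN security group, populate it, and check the
# per-user attributes that interact with the "User Groups" policy condition.
Import-Module ActiveDirectory

$GroupName = 'VPN Users'          # assumed name, used in the NPS condition
$Members   = 'alice', 'bob'       # assumed sAMAccountNames

if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Members may connect through the L2TP/IPsec VPN'
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# The policy condition matches on group membership, so confirm it resolved.
Get-ADGroupMember -Identity $GroupName | Select-Object SamAccountName, objectClass

# Each user's Dial-in tab must be "Control access through NPS Network Policy"
# (msNPAllowDialin not set, the default). An explicit Deny on the user
# (msNPAllowDialin = False) overrides an Access Granted policy.
foreach ($u in $Members) {
    Get-ADUser -Identity $u -Properties msNPAllowDialin |
        Select-Object SamAccountName, Enabled, msNPAllowDialin
}

# Once the policy exists, export the NPS configuration (shared secrets
# included) so the policy can be reviewed or restored later.
New-Item -ItemType Directory -Path 'C:\Backup' -Force | Out-Null
netsh nps export filename="C:\Backup\nps-config.xml" exportPSK=YES
```

The exported XML contains the RADIUS shared secrets in clear text when exportPSK=YES is used, so store it with the same care as the pre-shared key.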
Make registry changes to allow L2TP behind NAT
Because the server sits behind NAT, IPsec must run with NAT traversal (NAT-T): forward UDP 500 (IKE) and UDP 4500 (NAT-T) from the firewall to the server. The L2TP traffic on UDP 1701 travels inside the UDP 4500 encapsulation, so it needs no separate rule. Windows also refuses NAT-T to a server behind NAT unless the following registry value is set. This change needs to be made on the VPN server and on all Windows VPN clients:
- Open regedit.exe
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
- Create a new DWORD (32-bit) value:
- Name: AssumeUDPEncapsulationContextOnSendRule
- Data: 2
- 0 – No connection to servers behind NAT (default).
- 1 – Connection where only the VPN server is behind NAT.
- 2 – Connection where both the VPN server and the client are behind NAT.
- Reboot the computer for the change to take effect.
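The registry value, and on a client the connection itself, can be set from PowerShell. The following is an added example, not code from the original post; the server address, connection name and pre-shared key are placeholders to replace.

```powershell
# Added example: apply the NAT-T registry value (server or client) and, on a
# client, define the L2TP/IPsec connection. Run elevated.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name    = 'AssumeUDPEncapsulationContextOnSendRule'
$Value   = 2    # 2 = server and client may both be behind NAT (see table above)

# -Force overwrites an existing value; -PropertyType DWord matches the
# "DWORD (32-bit)" type required by the text.
New-ItemProperty -Path $RegPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null

# Verify the value was written with the expected data before rebooting.
$written = (Get-ItemProperty -Path $RegPath -Name $Name).$Name
if ($written -ne $Value) { throw "$Name is $written, expected $Value" }
Write-Host "$Name = $written (reboot required for the IPsec Policy Agent to pick it up)"

# Client side only: create the connection. TunnelType L2tp with -L2tpPsk gives
# L2TP over IPsec with a pre-shared key; MSChapv2 is the user-auth method the
# NPS policy above must accept. EncryptionLevel Required refuses a fallback to
# an unencrypted PPP session.
Add-VpnConnection -Name 'Office VPN' `                  # assumed name
    -ServerAddress 'vpn.example.com' `                 # assumed address
    -TunnelType L2tp `
    -L2tpPsk 'ReplaceWithYourPreSharedKey' `           # placeholder
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential -Force

Get-VpnConnection -Name 'Office VPN' |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Reboot so the registry change takes effect, then connect with rasdial:
# Restart-Computer
# rasdial "Office VPN" alice
```

Storing the pre-shared key in a script means it ends up in script history and backups; on an administered fleet it is better to deploy the connection with a profile or Group Policy and pass the key in once, then remove the script.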
April 2018
Windows Server Standard 2016