How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2


Virtual private network (VPN) technology allows users working outside the office premises to connect to their private network in a cost-effective and secure way. Creating this type of internetwork is called virtual private networking. A VPN uses the ordinary internet as the medium to reach the end point, i.e. the private network or the internal corporate network.

In a VPN connection, data is encapsulated (wrapped) with a header that provides the routing information allowing it to traverse the shared or public transit internetwork to reach its destination, and the encapsulated data is encrypted. The portion of the connection in which the private data is encapsulated is known as the tunnel. VPN connections use either Point-to-Point Tunnelling Protocol (PPTP) or Layer Two Tunnelling Protocol/Internet Protocol security (L2TP/IPSec) over the internet as the medium.


Figure: A typical VPN connection, source Microsoft Corp.

So what is required to deploy a VPN in an organisation? A systems administrator can deploy a VPN if he/she has the following components in place:

VPN Server (Windows 2008/2003)

Internet infrastructure with Public IP

VPN Clients (Windows 7, Windows XP or Mac OSX 10.5.x)

Intranet infrastructure (Microsoft networks, AD, DNS and DHCP with enough IP available) 

Certificate infrastructure (Microsoft AD CS)

Authentication, authorization and accounting (AAA) infrastructure (Windows/Radius)

Deployment: you can install Windows Server 2008 on standard hardware with two NICs. In my situation I used three NICs, as my VPN server is also the wireless authentication server, so it serves both roles for me (VPN + wireless): one NIC for the internal network, another for the public IP (VPN) and a third for the wireless network (ignore the third NIC if you are not in the same situation). All NICs must have static IPs. You have to route the public IP through to your VPN server. The VPN server must be a domain member and must have a computer (machine) certificate installed. I configured DHCP on the VPN server so that VPN clients obtain an IP from this server rather than from the internal DHCP server; it makes my life easy and gives me enough IPs. You can point to the existing DHCP server instead while configuring the VPN if you choose not to configure DHCP on the VPN server. Here I will explain an L2TP/IPSec deployment; L2TP/IPSec is secure and is my preferred VPN type. The following screenshots will do the rest for you.
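An added pre-flight script (example code, not the author's and not part of the original post) that checks the prerequisites the paragraph above lists before you start the wizard: domain membership, a static address on every NIC, a machine certificate that IKE can use, and the state of the Network Policy and Access Services role family. It assumes Windows Server 2008 R2 with PowerShell 2.0, run from an elevated prompt.

```powershell
# Pre-flight check for the L2TP/IPSec VPN server prerequisites (added example).
# Assumes Windows Server 2008 R2, PowerShell 2.0, elevated prompt.

# 1. The VPN server must be a domain member
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) { "Domain member: $($cs.Domain)" }
else { Write-Warning "$($cs.Name) is not joined to a domain" }

# 2. Every IP-enabled NIC (internal, public, optional wireless) must have a static address
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    $addr = ($_.IPAddress | Where-Object { $_ -notmatch ':' }) -join ','   # IPv4 only
    $mode = if ($_.DHCPEnabled) { 'DHCP' } else { 'static' }
    "{0,-45} {1,-18} {2}" -f $_.Description, $addr, $mode
    if ($_.DHCPEnabled) { Write-Warning "$($_.Description) gets its address from DHCP" }
}

# 3. A machine certificate IKE can use: Server Authentication EKU, private key present,
#    not expired, and chaining to a CA (Verify() builds and checks the chain)
$serverAuth = '1.3.6.1.5.5.7.3.1'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date) -and $eku -and
    ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth }) -and $cert.Verify()
}
if ($usable) { $usable | ForEach-Object { "Machine cert OK: $($_.Subject) expires $($_.NotAfter)" } }
else { Write-Warning 'No usable machine certificate in LocalMachine\My; enrol one from AD CS' }

# 4. Installed state of the Network Policy and Access Services roles (NPS, RRAS)
Import-Module ServerManager
Get-WindowsFeature | Where-Object { $_.Name -like 'NPAS*' } |
    ForEach-Object { "{0,-25} installed={1}" -f $_.Name, $_.Installed }
```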


Here, you can select VPN+NAT, that will do.


Here you have to select the tunnel type (L2TP), the encryption method and the NAS Port Type. This step is highly important.


I used Microsoft Windows Server 2008 R2 as the VPN server with L2TP/IPSec. I used Windows authentication, not RADIUS. In this case the secure connection appears to the user as private network communication, although the VPN actually runs over a public network. A user certificate and a machine certificate are required to connect to the VPN server, and the user must be a domain user. Your situation will certainly differ; adapt these steps as appropriate. I hope this helps you configure your VPN server.
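An added audit script (not from the original post or its comments) for the NPS side of this deployment: it reads the Network Policy Server events 6272 (access granted) and 6273 (access denied) from the Security log, groups denials by source address and account, and flags grants under the VPN policy whose NAS Port Type is not Virtual, which is the condition the policy screenshots above tell you to set. It assumes Windows Server 2008 R2 with PowerShell 2.0, NPS auditing enabled, and your own policy name in place of the placeholder $PolicyName; the EventData field names are those of the 2008 R2 events.

```powershell
# NPS access-decision audit for the L2TP/IPSec VPN (added example, not the post's code).
# Assumes Server 2008 R2, PowerShell 2.0; $PolicyName is a placeholder for your policy's name.
param(
    [string]$PolicyName = 'L2TP-IPSec-VPN-Policy',
    [int]$Hours = 24
)

# 6272/6273 are only written when this audit subcategory is enabled
auditpol /get /subcategory:"Network Policy Server"

function Get-NpsField {
    # Pull one named EventData field out of an NPS event rendered as XML
    param([xml]$Xml, [string]$Name)
    $node = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { '' }
}

$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Warning "No NPS access events in the last $Hours hours"; return }

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Result      = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        User        = Get-NpsField $x 'FullyQualifiedSubjectUserName'
        RemoteIP    = Get-NpsField $x 'CallingStationID'   # the VPN client's own address
        NasPortType = Get-NpsField $x 'NASPortType'        # rendered as 'Virtual' for a VPN tunnel
        Policy      = Get-NpsField $x 'NetworkPolicyName'
        Reason      = Get-NpsField $x 'Reason'
    }
}

# Denials grouped by source address and account: many failures from one address across
# several accounts, or one account from many addresses, is the pattern to escalate
$rows | Where-Object { $_.Result -eq 'DENIED' } |
    Group-Object RemoteIP, User | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Reason'; e={ $_.Group[0].Reason }} | Format-Table -AutoSize

# Grants under the VPN policy whose NAS Port Type is not Virtual mean the policy matched
# something other than the L2TP tunnel, i.e. the NAS Port Type condition is wrong
$rows | Where-Object { $_.Result -eq 'GRANTED' -and $_.Policy -eq $PolicyName -and $_.NasPortType -ne 'Virtual' } |
    Format-Table Time, User, NasPortType, Policy -AutoSize
```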


About Raihan Al-Beruni

Raihan Al-Beruni has been working on Microsoft Technologies for more than 15 years. Microsoft Technologies are his passion and blogging on Microsoft products is his hobby. Raihan published a book on Windows Server 2012 titled “Windows Server 2012 Step by Step” on December 2 2012. He has published hundreds of articles on a wide variety of technology. Raihan Al-Beruni has a Master’s degree in Electronic Business from Edith Cowan University, Western Australia. He is a Microsoft Certified IT Professional in Lync Server 2010, Enterprise Messaging Administrator on Exchange Server 2010, and Windows Server 2008. He is a Microsoft Certified Solutions Expert in Private Cloud and Server Infrastructure. He is a VMware Certified Professional on vSphere 5. He is ITILv3 Foundation certified. Other than working on various enterprise technologies and projects, he mostly spends time playing with new technologies at home or spending time with family.

34 Responses to How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2

  1. VPN Install says:

    Hello my name is Anthon, I really liked your article! Nice work

  2. Raj says:

    Really nice job dude. Thanks a lot.

    Raj

  3. Hamid says:

    Hi mate,

    Any chance you could provide a printer friendly version? The images are really compressed and when printing the quality is pretty bad and you can’t read anything.

    thanks,
    Hamid

  4. julien says:

    hello, great article, do you know, as you look good on IPsec, if Windows 2008 R2 can do an IPsec tunnel with a Cisco ASA on the other side?

  5. handoko says:

    Hi,

    It is a great article. I am new in system administration. I am planning to set up an IPSec VPN on my two proxy servers which are running Windows 2008 Server R2. I have 50 mobile phones which are running Windows Mobile 6.5 to tunnel into the VPN and I am using the NCP Secure Entry client. Kindly advise if I need to do some additional things beyond the steps you have explained in the article?

    Thank you very much.

    Regards,
    Handoko

    • I am certain that Windows Mobile will work with Microsoft VPN, and the steps are mentioned above. No further steps are necessary if you are completely using Windows. But for NCP you need to check with them.

      • handoko says:

        Hi Raihan,

        another question, which port numbers do I need to open?
        Basically I plan to install the VPN server and proxy server together on one server (Windows 2008 Server R2).
        Could it be done?

        Kindly advise

        Many thanks in advance

      • When you configure the VPN server, you have to create a policy to allow the L2TP IPSec protocol from the external to the internal network. You don't need to create a custom protocol in TMG. Expand All Protocols and you will see L2TP IPSec.

  6. Ospin says:

    Hi Raihan,

    First, I just want to tell you that I really like your article.

    I just have one question. At the end of your article you mentioned that a person would need a computer and a user certificate to be able to connect to the VPN server. Why do you need a user certificate? Isn’t the computer certificate alone enough?

    Thanks for your information.

    • It depends on your configuration and security objectives. Computer and user certificates are my preferred way of doing it. This article is sample guidance; feel free to change your own config.

      • Ospin says:

        Hi Raihan,

        Thanks for your reply.
        But one thing is not clear to me yet. On the client side (Windows 7 in my case) how do you set up the connection with both certificates, computer and user? Where’s that setting when the VPN connection is being set up?

        Thanks again for the info.

  7. mat says:

    I followed your instructions but it does not work. What about an IPSec preshared key (as I do not want to use certificates)? Where do you configure it? I tried to right-click on RRAS and type my key there but it did not help. Is there a place to configure it in policies?

  8. JJ says:

    I’m actually trying to do the reverse: our VPN appliance was fried in a remote office and as a temporary workaround I’m trying to have the remote 2008 server dial OUT via L2TP, but it just hangs and reports error 789, and when I look at netstat it seems the server never even attempts to dial out. Is there a setting, rule or reg hack I need to do to allow the 2008 R2 server to dial OUT using L2TP?

  9. erwin says:

    hi there,

    any chance of uploading the network diagram including the sample IP addressing, please?
    thank you in advance.

    erwin

  10. Elizabeth says:

    This article really helped me with my assignment while giving me great work-related information. I made sure to cite your work. Thank you very much.

  11. Christian says:

    Dear Raihan,

    very nice article, but I have a problem with the following scenario:
    I have a Hyper-V host running a virtual machine with Server 2008 R2 configured as RRAS and RADIUS server, and a wireless AP configured to use RADIUS for authentication. My problem is now that the RADIUS protocol is not reaching the service. I think the main problem is that the virtual network card and network seem to be an edge traversal link. When I disable RRAS and configure only NPS the connection works. When I configure RRAS without “Enable Security on selected …” and allow edge traversal in the advanced firewall for the RADIUS ports it works also. But when I select “Enable Security on selected…” it doesn’t.
    Do you know where I can configure the static filtering to allow this?

    Best regards
    Christian

    • I reckon the vNetwork configuration was right or something is misconfigured in your Hyper-V. Win2k8 L2TP VPN works straightforwardly once you configure it, whether virtual or physical. It’s the communication between your physical switch and virtual switch that might be going wrong.

  12. Agustín de Landa says:

    Question: Which software do you use on the client side to connect to the VPN once you have done the steps you kindly published here.

    Many Thanks,

    Agustín.

  13. Jayesh Soni says:

    hi!

    I have a single NIC and two public IPs. I’ve set up the VPN to connect successfully. But the client can only access the server and loses access to the internet. I need the client to be able to access the internet via the server’s internet. Is it a possible scenario with only one NIC?

    Thanks,

  14. Umar says:

    Raihan Al Beruni, I need your help, I am getting Error code 800.
    Please respond.

  15. Luis says:

    Hi, Raihan. Good job man. Can DDNS be implemented instead of a public IP?

  16. teh_bot says:

    Thanks for the helpful article, however, got few questions.

    1) For L2TP, do I need to purchase a certificate from a vendor?
    2) Can I use this to connect mobile phones?
    3) Is this for R2 or does the Server 2008 Standard edition support this?

  17. Nighar says:

    I have two private IPs to access the internet through ISA Server, but when I try to configure the external private IP on ASA I cannot access the internet. Can you help me in this regard, where I am mistaking, please?

  18. CodeTron says:

    Hi, nice work and excellent topic!
    I have a question regarding NIC cards.
    Can I use one NIC card, since I’m planning to have my VPN server sit behind my firewall and will only open the necessary VPN ports on the firewall, then forward all VPN traffic on the firewall to the VPN server?
    So the public IP will be on the firewall and the VPN server will have a local NAT IP.

    Thank you

  19. You need to check with the mobile device. This has nothing to do with the VPN server.
