How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2

The virtual private network (VPN) technology allows users working outside the office premises connect to  their private network in a cost-effective and secure way. Creating this type of internetwork is call virtual private networking. VPN uses ordinary internet as a medium to reach end point i.e. private network or inside corporate network.

In a VPN connection, data is encapsulated or wrapped up and encrypted with a header that provides routing information allowing it to traverse the shared or public transit internetwork to reach its destination. The portion of the connection in which the private data is encapsulated is known as the tunnel. VPN connections use either Point-to-Point Tunnelling Protocol (PPTP) or Layer Two Tunnelling Protocol/Internet Protocol security (L2TP/IPSec) over internet as medium.


Figure: A typical VPN connection, source Microsoft Corp.

So what is required to deploy VPN in an organisation. A systems administrator can accomplish VPN if he/she has the following components in place.

VPN Server (Windows 2008/2003)

Internet infrastructure with Public IP

VPN Clients (Windows 7, Windows XP or Mac OSX 10.5.x)

Intranet infrastructure (Microsoft networks, AD, DNS and DHCP with enough IP available) 

Certificate infrastructure (Microsoft AD CS)

Authentication, authorization and accounting (AAA) infrastructure (Windows/Radius)

Deployment: you can install Windows server 2008 in a standard hardware with two NICs. In my situation, I used three NICs as my VPN server is also wireless authentication server. So, it works both for me (VPN+Wireless). One NIC for internal network, another for public IP (VPN) and another for wireless networks (ignore third NIC if you are not in same situation). All NICs must have static IP. You have to pipe through public IP to your VPN server. VPN server must be a domain member and computer/machine certificate installed in VPN server. I configure DHCP in VPN server. So that VPN client can obtain IP from this server not from internal DHCP server. It makes my life easy and got enough IP. You can mention existing DHCP server also while configuring VPN if you choose not to configure DHCP in VPN server. Here, I will explain about L2TP IPSec deployment. L2TP IPSec is secure and preferred VPN for me. The following screen shots will do the rest for you.

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

Here, you can select VPN+NAT, that will do.

18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 



Here, you have to select tunnel type, Encryption method, NASPort Type. It’s highly important.

35 36 37 38


I used Microsoft server 2008 R2 as VPN server using L2TP IPSec. I used windows authentication not Radius. In this case, the secure connection appears to the user as a private network communication, however this VPN connects over a public networks. An user and a machine certificate are required to connect to VPN server. Also user must be a domain user.  In your situation would certainly be different. Do as appropriate in your situation. I hope this would help you to configure VPN server.

41 thoughts on “How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2

  1. Hi mate,

    Any chance you could provide a printer friendly version? The images are really compressed and when printing the quality is pretty bad and you can’t read anything.



  2. hello, great article, do you know, as you’look good on ipsec, if windows 2008R2 can do a ipsec tunel with a cisco ASA on the other side ?


  3. Hi,

    It is great article. I am new in system administration. I am planning to setup IPSec VPN in my two proxy server which are running in Window 2008 server R2. I have 50 mobile phone which are running window mobile 6.5 to tunnel in to the VPN and i am using NCP Secure Entry client. Kindly advise if i need to do some additional thing out of the step you have explained in the article ?

    Thank you very much.



      • Hi Raihan,

        another question, which ports number that i need to open ?
        basically i plan to install VPN server and proxy server together in one server (window 2008 server R2).
        could it be done ?

        Kindly advise

        Many Thanks inadvance


      • When you configure VPN server, you have to create a policy to allow L2TP IPSec protocol from external to internal network. You dont need to create custom protocol in TMG. Expand All protocol and you will see L2TP IPSec.


  4. Hi Raihan,

    First, I just want to tell you that I really like your article.

    I Just have one question. At the end of your article you mentioned that a person would need a computer and user certificate to be able to connect to the VPN server. Why do you need a user certificate? Isn’t enough with the computer certificate only?

    Thanks for your information.


      • Hi Raihan,

        Thanks for your reply.
        But for me it’s not clear one thing yet.On the client side(Windows 7 in my case) how do you setup the connection with both certificates computer and user?, Where’s that setting when the vpn connection is being setup?

        Thanls again for the info.


  5. I followed your instructions but it does not work. What about IPSec preshared key (as I do not want to use certificates?) Where do you configure it? I tried to right click on RRAS and type my key there but it did not help? Is there a place to configure it in policies


  6. Im actually trying to do the reverse, our VPN appliance was fried in a remote office and as a temporary workaround, i’m trying to have the remote 2008 server dial OUT via L2TP but it just hangs and reports error 789, but when i look at netstat it seems the server never even attempts to dial out. Is there a setting , rule or reg hack I need to do to allow the 2008 r2 server to dial OUT using l2tp?


  7. This article really helped me with my assignment while giving me a great work-related information. I made sure to cite your work. Thank you very much.


  8. Dear Raihan,

    very nice article, but I have a problem with the following scenario:
    I have Hyper V Host running a Virtual Machine with Server 2008R2 configured as RRAS and Radius Server and a Wireless AP configured to use Radius for authentication. My problem is now that the Radius protocall is not reached at the service. I think the main problem is that the virtual network card and network seems to be a egde traversal link. When I disable RRAS and configure only NPS the connection works. When I configure RRAS without “Enable Security on selected …” and allow edged traversal in the advanced firewall for the radius ports it works also. But when I select “Enable Security on selected…” it doesn´t.
    Did you know where I can configure the static filtering to allow this?

    Best regards


    • I reckon, vNetwork configuration was right or something miss-configured in your Hyperv. Win2k8 L2tp VPn works straight fordward once you configure whether virtual or physical. its the communication between your physical switch and virtual switch might be going wrong.


  9. Question: Which software do you use on the client side to connect to the VPN once you have done the steps you kindly published here.

    Many Thanks,



  10. hi!

    I have a single NIC and two public IPs. I’ve setup the VPN to connect successfully. But the client can only access the server, loses access to the internet. I need the client to be able access internet via server’s internet. Is it a possible scenario with only one NIC?



  11. Thanks for the helpful article, however, got few questions.

    1)For L2tp, do I need to purchase a certificate from a vendor?
    2)Can I use this to connect mobile phones
    3)Is this for R2 or does the server 2008 standard edition support this?


  12. I have two private IP’s to access the internet through ISA Server but when try to configure external private IP on ASA cannot access the Internet.can you help me in this regard where I am mistaking please.


  13. Hi, nice work and excellent topic …!
    I have a question regarding NIC cards
    Can I use one NIC card since I’m planning to have my VPN server sits behind my firewall and will only open the necessary VPN ports on the firewall then forward all VPN trafic on the firewall to the VPN server
    So the public IP will be on the firewall and the VPN server will have a local NAT IP

    Thank you


  14. Hello Raihan, Great article. It helped me a little to understand part of the job I need to be done. This will do fine for client->server connections. Any tips on how can I setup a lan to lan vpn between two offices, and test it? Thanks in advance.


    • Best way to achieve site to site VPN using Forefront TMG. You can use PPTP VPN between two sites but this will not achieve great result if you are bandwidth hungry and wants to do QoS. Best option is Cisco Router.


  15. hi i need to need to secure rdp connections for a workstation in my workplace,we are using windows server 2008 as server os and windows 7 as client.i need to get secure rdp connections when i tried to get connected to my workstation,when i am outside my network…….does configuring l2tp into server solves my problem


  16. Good Morning Raihan ..

    I have a small problem with a VPN L2TP enabled only with the option of pre-shared key ..

    The stage is so …

    2 W2K8 R2 domain controller Standard
    1 member running W2K8 R2 Standard Server with Forefront TMG Management Gateway 2010, this team has two network cards .. One for the LAN and one for WAN (my ISP gives me a dynamic IP issues and set up via a router doing NAT WAN card to the network, ADSL)

    In the ServidorTMG I have both PPTP and L2TP PPTP options enabled … everything works smoothly, but with pre-shared key l2tp and fails to connect.

    I have indicated on the NPS server a policy that has the following options to grant access ..

    Access Permission: Grant
    Authentication Method: MS-CHAP v2
    framed prococol: PPP
    Service-Type: Framed
    Policy Encryption: Enabled
    Encryption: 40bit, 56 and 128

    I saw here in your own blog, you have other options enabled in your policy to grant access, but these are certified to handle ..

    I must enable these options, although not this autenticcando through certificates?

    NPS is absolutely necessary to manage the policy to grant access?

    Serious enough that only the TMG will validate the cf options to grant full access?

    Beforehand thank you very much…


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.