How to Setup VPN Server 2016 with a Custom IPsec for L2TP/IKEv2.

Last updated on July 5th, 2019

A Virtual Private Network (VPN) lets you connect securely to your private network from Internet locations, protecting you from Internet attacks and data interception.

Installing and configuring the VPN (or "Remote Access") role on a Server 2016 is a multi-step process, because several settings on the VPN server side must be configured before the VPN can operate successfully.

How to Install and Configure VPN Server 2016 with Custom IPsec policy for L2TP/IKEv2 connection.

In this step-by-step guide we go through the VPN Server 2016 setup using the Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) with a custom preshared key, for more secure VPN connections.

Step 1. Add Remote Access (VPN Access) role on Server 2016.
Step 2. Configure and Enable Routing and Remote Access on Server 2016.
Step 3. Enable IPsec policy for L2TP/IKEv2 connections.
Step 4. Configure the Network Policy Server.
Step 5. Enable L2TP/IPsec Connections Behind NAT.
Step 6. Check if 'IKE' & 'IPsec Policy Agent' services are running.
Step 7. Allow L2TP/IPSEC Connections with a PreShared Key on Server and Client.
Step 8. Select which users will have VPN Access.
Step 9. Configure Firewall to Allow VPN Access.
Step 10. Connect to VPN Server 2016 from a Windows Client Computer.

Step 1. How to Add Remote Access (VPN Access) role on a Server 2016.

The first step to set up a Windows Server 2016 as a VPN server is to add the Remote Access role {DirectAccess and VPN (RAS) services} to your Server 2016. *

* Info: For this example we're going to set up VPN on a Windows Server 2016 machine named "Srv1" with IP address "192.168.1.8".

1. To install VPN role on Windows Server 2016, open 'Server Manager' and click on Add Roles and Features.

2. At the first screen of 'Add Roles and Features wizard', leave the Role-based or feature-based installation option and click Next.

3. At the next screen, leave the default option "Select server from the server pool" and click Next.

4. Then select the Remote Access role and click Next.

5. At 'Features' screen leave the default settings and click Next.

6. At 'Remote Access' information screen, click Next.

7. At 'Remote Services', choose the Direct Access and VPN (RAS) role services and then click Next.

8. Then click Add Features.

9. Click Next again.

10. Leave the default settings and click Next (twice) at 'Web Server Role (IIS)' and 'Role Services' screens.

11. At 'Confirmation' screen, select Restart the destination server automatically (if required) and click Install.

12. At the final screen, ensure that the installation of the Remote Access role is successful and Close the wizard.

13. Then (from Server Manager) Tools menu, click on Remote Access Management.
14. Select Direct Access and VPN on the left and then click to Run the Getting Started Wizard.

15. Then click Deploy VPN only.

16. Continue to part-2 below to configure Routing and Remote Access.

Step 2. How to Configure and Enable Routing and Remote Access on Server 2016.

The next step is to enable and configure the VPN access on our Server 2016. To do that:

1. Right click on the Server's name and select Configure and Enable Routing and Remote Access. *

* Note: You can also launch Routing and Remote Access settings, by using the following way:

1. Open Server Manager and from Tools menu, select Computer Management.
2. Expand Services and Applications
3. Right click on Routing and Remote Access and select Configure and Enable Routing and Remote Access.

2. Click Next at 'Routing and Remote Access Server Setup Wizard'.

3. Choose Custom configuration and click Next.

4. Select VPN access only in this case and click Next.

5. Finally click Finish.

6. When prompted to Start the service click Start.

7. Now you will see a green arrow beside your server's name (e.g. "Srv1" in this example).
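The same role installation and VPN-only deployment (Steps 1 and 2) can be scripted. This is an added example, not part of the original guide; it assumes an elevated PowerShell session on the server (e.g. "Srv1") and uses the standard RemoteAccess module cmdlets:

```powershell
# Added example (not from the original guide): PowerShell equivalent of Steps 1 and 2.
# Installs the Remote Access role with the DirectAccess/VPN (RAS) role service and the
# Routing service, plus the management tools (Routing and Remote Access console, NPS).
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Equivalent to "Deploy VPN only" followed by the Custom configuration / "VPN access"
# choice in the Routing and Remote Access Server Setup Wizard.
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn

# The green arrow in the Routing and Remote Access console corresponds to this
# service being started; it should report Running and StartType Automatic.
Get-Service -Name RemoteAccess | Select-Object Name, DisplayName, Status, StartType
```

The custom IPsec policy, preshared key and static address pool of Step 3 are still set in the server's Properties dialog as described below.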

Step 3. How to Enable Custom IPsec policy for L2TP/IKEv2 connections.

1. At Routing and Remote access panel, right click on your server's name and select Properties.

2. At Security tab, choose Allow custom IPsec policy for L2TP/IKEv2 connection and then type a Preshared key (for this example I type: "TestVPN@1234").

3. Then click the Authentication Methods button (above) and make sure that the Microsoft encrypted authentication version 2 (MS-CHAP v2) is selected and then click OK.

4. Now select the IPv4 tab, select Static address pool and click Add.
5. Here type the IP Address Range that will be assigned to VPN connected clients and click OK (twice) to close all windows.

e.g. For this example we're going to use the IP address range: 192.168.1.200 – 192.168.1.202.

6. When you are prompted with the pop up message: "To enable custom IPsec policy for L2TP/IKEv2 connections you must restart Routing and Remote Access", click OK.

7. Finally, right click on your server (e.g. "Srv1") and select All Tasks > Restart.

Step 4. How to Configure the Network Policy Server.

1. To configure the Network Policy server, right click on Remote Access Logging and Policies and select Launch NPS

2. On NPS (Local) select Network Policies. Here you will see that policies have a RED X.

3. Double click on each policy and change from Deny Access to Grant Access and click OK.

Step 5. How to Enable L2TP/IPsec Connections Behind NAT.

By default, modern Windows clients (Windows 10, 8, 7 or Vista) and the Windows Server 2016, 2012 and 2008 operating systems do not support L2TP/IPsec connections if the Windows computer or the VPN server is located behind a NAT device. To work around this, modify the registry as follows:

1. Simultaneously press the Windows + R keys to open the Run command box.
2. Type regedit and press Enter.

3. At the left pane, navigate to this key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

4. Right click on PolicyAgent and select New –> DWORD (32 bit) Value.

5. For the new value name type: AssumeUDPEncapsulationContextOnSendRule and press Enter.

* Note: The value must be entered with all capital letters and with no space.

6. Double click on the new DWORD value and enter 2 for Value data.

7. Close Registry Editor. *

* Important: If you have problems connecting to your VPN server from a Windows client computer (Windows Vista, 7, 8, 10 or Server 2008), add the "AssumeUDPEncapsulationContextOnSendRule" value under the following registry key on the client as well, and then reboot the client:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

8. Reboot the VPN server.

Step 6. Verify that IKE & IPsec Policy Agent services are running.

After the restart, go to services control panel and make sure that the following services are up and running. To do that:

1. Simultaneously press the Windows + R keys to open the Run command box.
2. In run command box, type: services.msc and press Enter.

3. Make sure that the following services are running: *

    1. IKE and AuthIP IPsec Keying Modules
    2. IPsec Policy Agent

* Notes:
1. If the above services are not running, then double click on each service and set the Startup Type to Automatic. Then click OK and restart the server.
2. You must ensure that the above services are also running in the Windows client machine.
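The NAT-T registry value of Step 5 and the service check of Step 6 can be applied and verified together from an elevated PowerShell, on the server and on each Windows client. This is an added example, not part of the original guide; the key, value name, data and service names are the ones the guide uses (IKEEXT and PolicyAgent are the service names behind the two display names above):

```powershell
# Added example (not from the original guide): Step 5 registry value + Step 6 service check.
# Run in an elevated PowerShell on the VPN server and on every Windows client behind NAT.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name  = 'AssumeUDPEncapsulationContextOnSendRule'
$value = 2   # 2 = both the client and the server may sit behind a NAT device (guide's setting)

# Create the DWORD if it is missing, correct it if it holds a different value, else leave it.
$current = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value | Out-Null
    Write-Host "Created $name = $value (reboot required)"
} elseif ($current.$name -ne $value) {
    Set-ItemProperty -Path $key -Name $name -Value $value
    Write-Host "Changed $name from $($current.$name) to $value (reboot required)"
} else {
    Write-Host "$name already set to $value"
}

# Step 6: 'IKE and AuthIP IPsec Keying Modules' (IKEEXT) and 'IPsec Policy Agent' (PolicyAgent)
# must be running and set to start automatically; fix either if it is not.
foreach ($svc in 'IKEEXT', 'PolicyAgent') {
    $s = Get-Service -Name $svc
    if ($s.StartType -ne 'Automatic') { Set-Service -Name $svc -StartupType Automatic }
    if ($s.Status -ne 'Running')      { Start-Service -Name $svc }
    Get-Service -Name $svc | Select-Object Name, DisplayName, Status, StartType
}
```

A reboot is still required for the registry change to take effect, as the guide notes in Step 5.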

Step 7. Allow L2TP/IPSEC Connections with a PreShared Key on Server and Client.

Now we have to allow L2TP connections with the custom Preshared Key on both the Server 2016 and the Windows Client. To do that:

1. Simultaneously press the Windows + R keys to open the Run command box.
2. In run command box, type: mmc and press Enter.

3. From File menu, select Add/Remove Snap-in.

4. Select the IP Security Policy Management and click on Add.

5. Leave Local Computer on 'Select Computer or Domain' screen and click Finish.

6. Click OK again to close the "Add Remove Snap ins" window.

7. Right click on IP security Policies on Local Computer and select Create IP Security Policy…

8. Click Next at 'IP Security Policy wizard'.

9. Now type a name for the new policy (e.g. "Server Policy") and click Next.

10. On the next screen, select Activate the default response rule if you have Windows XP clients, and click Next.

11. Then on Default Response Rule Authentication Method select Use this string to protect the key exchange and then type the Preshared key (e.g. "TestVPN@1234" in this example). When done click Next.

12. On the next screen uncheck the Edit properties checkbox and click on Finish.

13. Then right click on Server Policy and click on Assign.

14. Close MMC without saving the console settings to Console1.

15. Reboot the Server. *

* Note: Don't forget to make the same changes to the Windows client computers also.

Step 8. How to Select which users will have VPN Access.

Now it's time to specify which users will be able to connect to the VPN server (Dial-IN permissions).

1. Open Server Manager.
2. From Tools menu, select Active Directory Users and Computers. *

* Note: If your server doesn't belong to a domain, then go to Computer Management -> Local Users and Groups.

3. Select Users and double click on the user that you want to allow the VPN Access.
4. Select the Dial-in tab and select Allow access. Then click OK.

Step 9. How to Configure Firewall to Allow VPN Access (Port Forwarding).

The next step is to allow the VPN connections through your firewall.

1. In your browser's address bar, type your router's IP address (e.g. "http://192.168.1.1" in this example) and log in to the router's web interface.

2. Inside the router's configuration, forward port 1723 to the IP address of the computer on which you created the new incoming connection and that acts as the VPN server (see your router's manual for how to configure port forwarding). Note that TCP port 1723 is the PPTP control port; an L2TP/IPsec client additionally needs UDP 500 and UDP 4500 (IKE and NAT-T) and UDP 1701 to reach the server, so check the router's VPN/IPsec pass-through settings if the L2TP connection fails.

  • For example, if the computer on which you created the incoming (VPN) connection has the IP 192.168.1.8, then forward port 1723 to that IP.

– If you want to have maximum security then you can use another unused external port for VPN connections (the Port range is: 1-65535). See this article to find an unused port: List of TCP and UDP port numbers

  • For example, if you specify a random (unused) port such as 34580 for incoming VPN connections, you will be less exposed to malicious programs that scan for well-known open network ports and then try to compromise your network.

You're done!

Additional instructions:

  • In order to connect to your VPN server from a remote location you have to know the public IP address of the VPN server. To find the public IP address (from the VPN server PC) navigate to this link: http://www.whatismyip.com/
  • To ensure that you can always connect to your VPN server it is better to have a static public IP address. To obtain a static public IP address you must contact your Internet service provider. If you don't want to pay for a static IP address, then you can set up a free Dynamic DNS service (e.g. No-IP) on your router's (VPN server) side.
  • To set up a new VPN connection on your client computer see these instructions: How to setup a VPN client.

Step 10. How to Connect to VPN Server 2016 from a Windows Client Computer.

Now it's time to connect to our VPN Server 2016 from a client computer.

1. Open Network and Sharing Center.
2. Click Set up a new connection or network

3. Select Connect to workplace and click Next.

4. Then select Use my Internet connection (VPN).

5. On the next screen type the VPN server's public IP address and the VPN port that you assigned on the router side, then click Create.

e.g. If the external IP address is 108.200.135.144 and you have assigned port 35000 for VPN, then type 108.200.135.144:35000 in the Internet address box. For destination name type any name you want (e.g. "L2TP-VPN").

6. Type the username and the password for the VPN connection and click Connect.

7. If you setup the VPN on a Windows 7 client machine it will try to connect. Press Skip and then click Close, because you need to specify some additional settings for the VPN connection.

8. On Network and Sharing center click on Change adapter settings on the left.
9. Right click on the new VPN connection (e.g. "L2TP-VPN") and select Properties.
10. Select the Security tab, choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) and then click on Advanced settings.

11. In 'Advanced settings' type the preshared key (e.g. "TestVPN@1234" in this example) and click OK.

12. Then click on Allow these protocols and select Microsoft CHAP Version 2 (MS-CHAP v2).

13. Then select the Networking tab and double click on Internet Protocol Version 4 (TCP/IPv4) to open its Properties.
14. For Preferred DNS server type the Local IP Address of the VPN Server (e.g. "192.168.1.8" in this example).

15. Then click the Advanced button and uncheck Use default gateway on remote network, because we want to keep the PC's Internet browsing separate from the VPN connection.
16. Finally, click OK repeatedly to close all windows.

17. Now double click on the new VPN connection and click Connect, to connect to your workplace.
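The client-side connection of Step 10 (L2TP/IPsec, the preshared key, MS-CHAP v2 and split tunneling) can also be created and dialed from PowerShell. This is an added example, not part of the original guide; it assumes an elevated PowerShell on the Windows client, the guide's example connection name and server address, and a user account that was granted dial-in access in Step 8:

```powershell
# Added example (not from the original guide): Step 10 with the built-in VpnClient cmdlets.
$name   = 'L2TP-VPN'                 # destination name from Step 5 (guide's example)
$server = '108.200.135.144'          # public IP or DNS name of the VPN server (Step 9)

# Prompt for the preshared key (the guide's example is "TestVPN@1234") rather than
# leaving it in the script; Add-VpnConnection needs it as a plain string.
$pskSecure = Read-Host -Prompt 'L2TP preshared key' -AsSecureString
$psk = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pskSecure))

# -TunnelType L2tp / -L2tpPsk        : "Layer 2 Tunneling Protocol with IPsec" and the
#                                      Advanced settings preshared key (Steps 10-11)
# -AuthenticationMethod MSChapv2     : "Allow these protocols" / MS-CHAP v2 (Step 12)
# -SplitTunneling                    : same effect as unchecking "Use default gateway on
#                                      remote network" (Step 15)
# -Force                             : required when a PSK is supplied on the command line
Add-VpnConnection -Name $name -ServerAddress $server `
    -TunnelType L2tp -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling -RememberCredential -Force

# Dial with the VPN user's credentials (Step 17), then confirm the tunnel is up.
$cred = Get-Credential -Message 'VPN user (granted dial-in access in Step 8)'
rasdial $name $cred.UserName $cred.GetNetworkCredential().Password
Get-VpnConnection -Name $name | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```

The preferred DNS server of Step 14 is not set by these cmdlets; it is still entered in the connection's TCP/IPv4 properties as described above.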

That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.