chconline

Guide: Setting up a L2TP/IPSec with PSK VPN behind a NAT


As you guys know, I run a VPN server at home, just so I can keep my data synchronized with my desktop PC at work. I can also bypass any internet restrictions as well as encrypt my traffic in WiFi hotspots.


Previously, I ran a PPTP VPN server, which is really easy to set up on any Windows machine. I understand it's not very secure, but it wasn't a huge deal. However, ever since Apple removed PPTP support on iOS, I had already been thinking of changing. Recently, the university blocked outgoing PPTP connections on the LAN, so I decided to set up a better VPN at home. I selected L2TP/IPSec with a pre-shared key.


It was a fairly complicated process, due to the way my network is set up. It's similar to most home networks. Anyway, here are some guides to follow in order to get things working. I used a Windows Server 2012 R2 system.


Set up RRAS on Windows Server 2012 R2: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/


The port list in the guide above is wrong, so follow this: https://blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/


IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path


Next, after opening the ports on your router, you need to configure your client to be able to connect to the VPN from a Windows machine. Other OSes (like iOS) should already work at this point.


https://support.microsoft.com/en-ca/kb/926179


Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

Note: You can also apply the AssumeUDPEncapsulationContextOnSendRule DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec

On the Edit menu, point to New, and then click DWORD (32-bit) Value.
Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.


Use the value '2' for the DWORD entry.


Lastly, allow the MS-CHAP V2 protocol:


http://lifeonnetwork.com/vpn-connection-issue-in-windows-10/

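The client-side steps from the post above (the NAT-T registry value from KB926179 and an MS-CHAP v2 L2TP profile) as one PowerShell script. This is an added example, not code from the original post; the server address and PSK are placeholders, and the script assumes a Windows 8.1 or later client where the VpnClient cmdlets exist.

```powershell
# Added example, not from the original post: client-side L2TP/IPsec-with-PSK
# setup on a modern Windows client (Windows 8.1/10/11). Run from an elevated
# PowerShell session. ServerAddress and the PSK are placeholders: replace them.

$ServerAddress = 'vpn.example.invalid'    # placeholder: your home public IP or DDNS name
$Psk           = 'REPLACE-WITH-YOUR-PSK'  # placeholder: the PSK configured in RRAS

# Step 1: allow IPsec NAT-T when the *server* is also behind NAT (KB926179).
# Meaning of the value: 0 (default) = no security association to a server
# behind NAT, 1 = server behind NAT, 2 = both client and server behind NAT.
# On Vista and later the key is PolicyAgent; on XP SP2 it was IPSec (see the post).
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName = 'AssumeUDPEncapsulationContextOnSendRule'

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -ne 2) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Host "$ValueName set to 2 (was: '$current'). Reboot before the change takes effect."
} else {
    Write-Host "$ValueName is already 2."
}

# Step 2: create the VPN profile. L2TP with a pre-shared key, MS-CHAP v2 for
# user authentication (the last step in the post), and encryption set to
# Required so the client refuses to fall back to an unencrypted PPP link.
Add-VpnConnection -Name 'Home L2TP' `
                  -ServerAddress $ServerAddress `
                  -TunnelType L2tp `
                  -L2tpPsk $Psk `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -RememberCredential `
                  -Force

# Step 3: show what was actually written, so a wrong tunnel type or
# authentication method is caught before the first connection attempt.
Get-VpnConnection -Name 'Home L2TP' |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

One PSK is shared by every client of the server, so rotating it means updating the RRAS setting and each client profile together.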

It just does lol. I don't know why you need to reconfigure a client for that; it seems like an unnecessary step.


It just does lol. I don't know why you need to reconfigure a client for that; it seems like an unnecessary step.

:P Probably because most people who do this aren't behind a NAT.

Edited by Big Bang


Just an update on this technique: The server may have problems assigning IP addresses if you use DHCP config. To fix it, go to Routing and Remote Access, right click the local server, click Properties and go to IPv4 and specify a custom static address pool.

