Guide: Setting up a L2TP/IPSec with PSK VPN behind a NAT

As you guys know, I run a VPN server at home, just so I can keep my data synchronized with my desktop PC at work. I can also bypass any internet restrictions as well as encrypt my traffic in WiFi hotspots.


Previously, I ran a PPTP VPN server, which is really easy to set up on any Windows machine. I understand it's not very secure, but it wasn't a huge deal. However, ever since Apple removed PPTP support on iOS, I was already thinking of a change. Recently, the university blocked outgoing PPTP connections on LAN, so I decided to set up a better VPN at home. I selected L2TP/IPSec with a pre-shared key.


It was a fairly complicated process, due to the way my network is set up. It's similar to most home networks. Anyway, here are some guides to follow in order to get things working. I used a Windows Server 2012 R2 system.


Set up RRAS on Windows Server 2012 R2: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/


The port list in the guide above is wrong, so follow this: https://blogs.technet.microsoft.com/rrasblog/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through/



IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path


Next, after opening ports on your router, you need to configure your client to be able to connect to the VPN on a Windows machine. Other OSes (like iOS) should already work at this point.





1. Locate and then click the following registry subkey:

   Note: You can also apply the AssumeUDPEncapsulationContextOnSendRule DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey:

2. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
3. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
4. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
5. Use the value '2' for the DWORD entry.


Lastly, allow the MS-CHAP V2 protocol:



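The same steps, scripted in PowerShell as an added example (this is not the original poster's code). The firewall function is for the Windows Server 2012 R2 RRAS host and opens the three UDP ports from the list above; the client function sets the NAT-T registry value to 2 and creates an L2TP/PSK connection restricted to MS-CHAP v2. Assumptions: the registry subkey HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent is taken from Microsoft's documentation of AssumeUDPEncapsulationContextOnSendRule, not from the post; the server address, connection name and PSK are placeholders; the router's port forwards still have to be created by hand.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Two functions for the two
# machines involved in the guide:
#   New-L2tpServerFirewallRules  - run on the Windows Server 2012 R2 RRAS host
#   Set-L2tpNatClient            - run on the Windows client behind NAT
# Assumptions (labelled): the PolicyAgent registry subkey comes from Microsoft's
# documentation of AssumeUDPEncapsulationContextOnSendRule, not from the post;
# server name, connection name and PSK are placeholders.

function New-L2tpServerFirewallRules {
    # Host firewall rules for the three UDP ports listed in the post.
    # The matching port forwards on the router are a separate, manual step.
    $ports = @{
        500  = 'IKEv1 (IPsec control path)'
        4500 = 'IKEv1 NAT-T (IPsec control path, UDP-encapsulated ESP)'
        1701 = 'L2TP control/data path'
    }
    foreach ($port in $ports.Keys) {
        $name = "L2TP-IPsec UDP $port"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Description $ports[$port] `
                -Direction Inbound -Protocol UDP -LocalPort $port -Action Allow | Out-Null
        }
    }
}

function Set-L2tpNatClient {
    param(
        [string]$ServerAddress  = 'vpn.example.com',       # placeholder: public IP or DDNS name
        [string]$ConnectionName = 'Home L2TP',             # placeholder
        [string]$Psk            = 'REPLACE-WITH-YOUR-PSK'  # placeholder pre-shared key
    )

    # Step 1: allow the IPsec client to build NAT-T security associations when it is
    # itself behind NAT. Documented values: 0 = never (default), 1 = server behind NAT
    # only, 2 = client and server may both be behind NAT (the value the post uses).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'  # assumed, see note above
    $regName = 'AssumeUDPEncapsulationContextOnSendRule'
    $current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    if ($current -ne 2) {
        New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 2 -Force | Out-Null
        Write-Warning "$regName set to 2 (was '$current'); reboot before connecting so the IPsec service reloads it."
    }

    # Step 2: the connection itself, pinned to L2TP with a PSK and MS-CHAP v2 only.
    # EncryptionLevel Required makes the connection fail instead of falling back to
    # unencrypted PPP if the server will not negotiate encryption.
    if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
        Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
            -TunnelType L2tp -L2tpPsk $Psk -AuthenticationMethod MSChapv2 `
            -EncryptionLevel Required -RememberCredential -Force
    }
    # Show what was configured so the auth method and tunnel type can be checked.
    Get-VpnConnection -Name $ConnectionName |
        Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
}
```

Run New-L2tpServerFirewallRules once on the server, and Set-L2tpNatClient on each Windows client that sits behind its own NAT, then reboot the client before the first connection attempt so the new registry value takes effect.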

It just does lol. I don't know why you need to reconfigure a client for that; it seems like an unnecessary step.

:P Probably because most People who do this aren't behind a NAT.

Edited by Big Bang


Just an update on this technique: The server may have problems assigning IP addresses if you use the DHCP config. To fix it, go to Routing and Remote Access, right-click the local server, click Properties, go to IPv4 and specify a custom static address pool.
