Configure L2TP/IPsec-based Remote Access

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Deploying L2TP-based remote access VPN connections by using Windows Server 2008 consists of the following:

  • Configuring the connection to the Internet

  • Configuring the connection to the intranet

  • Configuring the remote access server as a corporate intranet router

  • Configuring the VPN server

  • Installing certificates

  • Configuring firewall packet filters

  • Configuring network policies

The following figure shows a typical L2TP-based remote access VPN deployment.

Note

The following configuration assumes that computer certificates are already installed on the VPN server and remote access client computers. For more information, see Implementing Security for a VPN Solution.

Configuring the connection to the Internet

The connection to the Internet from a computer running Windows Server 2008 is a dedicated connection – a WAN adapter installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, or Frame Relay adapter, or an adapter for another high-speed, dedicated connection. Verify that the WAN adapter is compatible with Windows Server 2008. The WAN adapter ships with drivers that, once installed, make it appear to the operating system as a network adapter.

You need to configure the following TCP/IP settings on the WAN adapter:

  • IP address and subnet mask assigned from your Internet service provider (ISP).

  • Default gateway of the ISP router.

For more information, see Configure TCP/IP on the VPN Server.

To enable VPN clients to connect to your VPN server by name rather than by IP address, you can request that your ISP register your VPN server in DNS.

Configuring the connection to the intranet

The connection to the intranet from a computer running Windows Server 2008 is a LAN adapter that is installed in the computer.

You need to configure the following TCP/IP settings on the LAN adapter:

  • IP address and subnet mask assigned from the network administrator.

  • DNS and WINS name servers of corporate intranet name servers.

For more information, see Configure TCP/IP on the VPN Server.

Configuring the remote access server as a corporate intranet router

For the remote access server to properly forward traffic on the corporate intranet, you must configure it as a router with either static routes or a routing protocol, such as Routing Information Protocol (RIP), so that all of the locations on the intranet are reachable from the remote access server. For information about configuring routing, see Configure Routing on a VPN Server.

Configuring the VPN server

You can configure your VPN server by running the Routing and Remote Access Server Setup Wizard. You can use the wizard to configure the following settings:

  • The method by which the VPN server assigns IP addresses to remote access clients (either using addresses that the VPN server obtains from a DHCP server or by using addresses from a specified range of addresses that you configure).

  • Forwarding of authorization and authentication messages to a Remote Authentication Dial-In User Service (RADIUS) server (configuration of the VPN server as a RADIUS client).

After you run the wizard, the following RRAS settings are automatically configured:

  • Network interfaces

  • IKEv2, SSTP, PPTP, and L2TP ports (five or 128 of each, depending on your choices when running the wizard)

  • Multicast support using Internet Group Management Protocol (IGMP)

  • IP routing

  • Installation of the DHCP Relay Agent component

Installing certificates

In order to create L2TP/IPsec remote access VPN connections using computer certificate authentication for IPsec, you must install computer certificates on the VPN client and the VPN server. For more information, see Implementing Security for a VPN Solution.

Configuring firewall packet filters

If you are using a firewall, you need to configure L2TP/IPsec packet filters on your firewall to allow L2TP/IPsec traffic between Internet-based VPN clients and the VPN server computer. For more information, see Appendix B: VPN Servers and Firewall Configuration.
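As an added illustration that is not part of this documentation: a small Python audit of a proposed Internet-facing filter list against the traffic an L2TP/IPsec connection actually needs (IKE on UDP 500, IPsec NAT-T on UDP 4500, and ESP, IP protocol 50), flagging both missing filters and filters that expose more than necessary. The VPN server address, the `Filter` type and the candidate list are constructed placeholders, not values from this page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPN_SERVER = "203.0.113.10"  # constructed placeholder (documentation range), not a real server


@dataclass(frozen=True)
class Filter:
    direction: str        # "in" = Internet -> VPN server, "out" = VPN server -> Internet
    protocol: str         # "udp", "tcp", or "esp" (IP protocol 50)
    port: Optional[int]   # destination port for "in", source port for "out"; None for esp
    host: str             # VPN server address the filter is scoped to, or "any" if unscoped


# Traffic an L2TP/IPsec connection needs through the firewall, in both directions:
# IKE on UDP 500, IPsec NAT-T on UDP 4500, and ESP (IP protocol 50).
# L2TP's own UDP 1701 travels inside ESP, so it needs no filter of its own.
REQUIRED = {
    ("in", "udp", 500), ("out", "udp", 500),
    ("in", "udp", 4500), ("out", "udp", 4500),
    ("in", "esp", None), ("out", "esp", None),
}


def audit_filters(filters: List[Filter], vpn_server: str = VPN_SERVER) -> Tuple[list, list]:
    """Return (missing, warnings): required filters absent from the list, and
    filters that expose more than an L2TP/IPsec deployment requires."""
    present = {(f.direction, f.protocol, f.port) for f in filters
               if f.host in (vpn_server, "any")}
    missing = sorted(REQUIRED - present, key=str)
    warnings = []
    for f in filters:
        if f.host == "any":
            warnings.append(f"{f.direction} {f.protocol}/{f.port}: not scoped to the VPN server")
        if f.protocol == "udp" and f.port == 1701:
            warnings.append("udp/1701 in the clear: L2TP outside IPsec, filter is unnecessary")
    return missing, warnings


# Constructed candidate list: ESP outbound is missing and UDP 1701 is opened by mistake.
CANDIDATE = [
    Filter("in", "udp", 500, VPN_SERVER), Filter("out", "udp", 500, VPN_SERVER),
    Filter("in", "udp", 4500, VPN_SERVER), Filter("out", "udp", 4500, VPN_SERVER),
    Filter("in", "esp", None, VPN_SERVER),
    Filter("in", "udp", 1701, VPN_SERVER),
]

if __name__ == "__main__":
    missing, warnings = audit_filters(CANDIDATE)
    print("missing:", missing)
    print("warnings:", warnings)
```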

Configuring network policies

For an access-by-user administrative model, you need to set the network access permission to Allow access on the user accounts for those users who will be making VPN connections. For an access-by-policy model, use Network Policy Server (NPS) to create remote access network policies. For more information, see Configure a Remote Access Network Policy.