Configure L2TP/IPsec-based Remote Access

Published: April 30, 2010

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Deploying L2TP-based remote access VPN connections by using Windows Server 2008 consists of the steps described in this topic: configuring the VPN server's Internet and intranet connections, intranet routing, the Routing and Remote Access service, computer certificates for IPsec, firewall packet filters, and user or policy-based access.

The following figure shows a typical L2TP-based remote access VPN deployment.

Figure: L2TP/IPsec remote access to a corporate intranet

Note: The following configuration assumes that computer certificates are already installed on the VPN server and remote access client computers. For more information, see Implementing Security for a VPN Solution.

The connection to the Internet from a computer running Windows Server 2008 is a dedicated connection – a WAN adapter installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, Frame Relay adapter, or an adapter for another high-speed, dedicated connection. Verify that the WAN adapter is compatible with Windows Server 2008. The WAN adapter includes drivers that are installed so that the WAN adapter appears as a network adapter.

You need to configure the following TCP/IP settings on the WAN adapter:

  • IP address and subnet mask assigned from your Internet service provider (ISP).

  • Default gateway of the ISP router.

For more information, see Configure TCP/IP on the VPN Server.

To enable VPN clients to connect to your VPN server by name rather than by IP address, you can request that your ISP register your VPN server in DNS.

The connection to the intranet from a computer running Windows Server 2008 is a LAN adapter that is installed in the computer.

You need to configure the following TCP/IP settings on the LAN adapter:

  • IP address and subnet mask assigned from the network administrator.

  • DNS and WINS name servers of corporate intranet name servers.

For more information, see Configure TCP/IP on the VPN Server.

For the remote access server to properly forward traffic on the corporate intranet, you must configure it as a router with either static routes or a routing protocol, such as Routing Information Protocol (RIP), so that all of the locations on the intranet are reachable from the remote access server. For information about configuring routing, see Configure Routing on a VPN Server.
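The WAN and LAN adapter settings and the intranet static route described above, as an added example (not from the original article) using netsh and route, which are available on Windows Server 2008 without additional modules. The adapter names, the 203.0.113.0/24 ISP range, the 10.0.0.0/8 intranet range and the router addresses are all assumed placeholders:

```powershell
# Added example, not from the original article. Adapter names and every address
# below are assumed placeholders; 203.0.113.0/24 is a documentation range.
$wan = "Internet"   # WAN adapter name as shown in Network Connections
$lan = "Intranet"   # LAN adapter name

# WAN adapter: ISP-assigned address and mask, default gateway = ISP router.
netsh interface ip set address name="$wan" static 203.0.113.10 255.255.255.0 203.0.113.1
# No DNS on the Internet side: the server resolves names through the intranet servers.
netsh interface ip set dns name="$wan" static none

# LAN adapter: administrator-assigned address, NO default gateway. The server must
# have exactly one default gateway (on the WAN side); a second one on the LAN side
# sends VPN clients' Internet-bound traffic into the intranet router instead.
netsh interface ip set address name="$lan" static 10.0.1.5 255.255.255.0
netsh interface ip set dns  name="$lan" static 10.0.1.10
netsh interface ip add dns  name="$lan" addr=10.0.1.11 index=2
netsh interface ip set wins name="$lan" static 10.0.1.12

# Static route so that the whole intranet, not just the server's own subnet, is
# reachable through the internal router; -p persists it across reboots. Use RIP
# (Configure Routing on a VPN Server) instead if the intranet topology changes often.
route -p add 10.0.0.0 mask 255.0.0.0 10.0.1.1

# Checks: one default route (0.0.0.0 via the ISP router) and the intranet route present.
netsh interface ip show config
route print 0.0.0.0
route print 10.*
```

If `route print 0.0.0.0` lists two default routes, remove the LAN-side gateway; that misconfiguration is the most common reason VPN clients can reach the intranet but the server itself cannot reach the Internet reliably.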

You can configure your VPN server by running the Routing and Remote Access Server Setup Wizard. You can use the wizard to configure the following settings:

  • The method by which the VPN server assigns IP addresses to remote access clients (either using addresses that the VPN server obtains from a DHCP server or by using addresses from a specified range of addresses that you configure).

  • Forwarding of authorization and authentication messages to a Remote Authentication Dial-In User Service (RADIUS) server (configuration of the VPN server as a RADIUS client).

After you run the wizard, the following RRAS settings are automatically configured:

  • Network interfaces

  • IKEv2 (Windows Server 2008 R2 only), SSTP, PPTP, and L2TP ports (five or 128 of each, depending on your choices when running the wizard). If PPTP is not needed, reduce its port count to zero in the Ports properties so that the weaker PPTP/MS-CHAP v2 protocol is not accepted on the Internet interface.

  • Multicast support using Internet Group Management Protocol (IGMP)

  • IP routing

  • Installation of the DHCP Relay Agent component
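The two choices the wizard makes, address assignment and RADIUS forwarding, as an added example (not from the original article) expressed with netsh ras so that they can be reviewed or changed after the wizard has run. The pool range, the NPS host name and the shared secret are assumed; the parameter names on `add authserver` and `add acctserver` beyond `name=` and `secret=` should be confirmed with `netsh ras aaaa add authserver ?` on the server:

```powershell
# Added example, not from the original article. Pool range, NPS host name and
# shared secret are assumed placeholders.
$nps    = "nps1.corp.example.com"
$secret = "replace-with-the-RADIUS-shared-secret"   # placeholder; long and random in practice

# Address assignment: a static pool instead of DHCP. The pool must be a range the
# intranet routers know to send back via the RRAS server, or return traffic for
# VPN clients is dropped even though the tunnel comes up.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.0.200.1 to=10.0.200.254

# Authentication and accounting forwarded to NPS (RRAS acting as a RADIUS client).
# Parameter spellings other than name= and secret= are assumed; see netsh ras aaaa add authserver ?
netsh ras aaaa set authentication provider=radius
netsh ras aaaa add authserver name=$nps secret=$secret port=1812 timeout=5
netsh ras aaaa set accounting provider=radius
netsh ras aaaa add acctserver name=$nps secret=$secret port=1813

# Review what the wizard (or the commands above) left behind: pool, providers,
# RADIUS servers, and the per-protocol port counts (see the list above).
netsh ras ip show config
netsh ras aaaa show authentication
netsh ras aaaa show authserver
netsh ras aaaa show acctserver
netsh ras show wanports
```

The shared secret is stored on both RRAS and NPS; treat it like a password, and register the RRAS server's WAN or LAN address as a RADIUS client on the NPS side with the same secret, otherwise NPS silently discards the requests.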

In order to create L2TP/IPsec remote access VPN connections using computer certificate authentication for IPsec, you must install computer certificates on the VPN client and the VPN server. For more information, see Implementing Security for a VPN Solution.
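A check that the computer certificate IPsec will use is actually usable, as an added example (not from the original article). It runs against the local machine store on either the VPN server or a client and reports whether each certificate has its private key, chains to a trusted root (what IKE fails on, usually with an unhelpful error), which Enhanced Key Usages it carries, and how long it has left. It assumes nothing about the issuing CA:

```powershell
# Added example, not from the original article. Uses only the built-in Cert:
# provider and .NET X509 types; works on PowerShell 2.0 (Windows Server 2008 R2).
$serverAuth = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$clientAuth = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU

function Get-IpsecComputerCertificate {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Enhanced Key Usage extension (OID 2.5.29.37); absent means "any purpose".
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        $ekus = @()
        if ($ekuExt) {
            $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                ForEach-Object { $_.Value }
        }
        $roles = @()
        if ($ekus.Count -eq 0 -or $ekus -contains $serverAuth) { $roles += "server" }
        if ($ekus.Count -eq 0 -or $ekus -contains $clientAuth) { $roles += "client" }

        # Verify() builds the chain against the machine's Trusted Root / Intermediate
        # stores and performs revocation checking, the same conditions IKE applies.
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ChainValid    = $cert.Verify()
            UsableAs      = ($roles -join ",")
            DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Candidates IPsec can actually use: private key present, chain valid, not expired.
$usable = Get-IpsecComputerCertificate | Where-Object {
    $_.HasPrivateKey -and $_.ChainValid -and $_.DaysLeft -gt 0
}
if (-not $usable) {
    Write-Warning "No usable computer certificate in LocalMachine\My; L2TP/IPsec with certificate authentication will fail."
}
Get-IpsecComputerCertificate | Sort-Object DaysLeft |
    Format-Table Subject, UsableAs, HasPrivateKey, ChainValid, DaysLeft -AutoSize
```

Run it on both ends: the server and the client each need a certificate with a private key whose chain the other side trusts, so a CA that is trusted on the server but missing from the client's Trusted Root store shows up here as `ChainValid = False` on the client only.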

If you are using a firewall, you need to configure L2TP/IPsec packet filters on your firewall to allow L2TP/IPsec traffic between Internet-based VPN clients and the VPN server computer. For more information, see Appendix B: VPN Servers and Firewall Configuration.
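The L2TP/IPsec filter set as an added example (not from the original article), written with netsh advfirewall for the Windows Firewall on the VPN server; the same four filters are what a separate edge firewall needs. L2TP/IPsec arrives as IKE on UDP 500, IKE NAT traversal on UDP 4500, and ESP (IP protocol 50). L2TP's own UDP 1701 travels inside ESP, so it is never opened to the Internet as plain UDP. The rule names are assumed; the Routing and Remote Access rule group and its PPTP/GRE rules are the ones Windows creates when RRAS is installed:

```powershell
# Added example, not from the original article. Rule names are assumed; the
# WAN adapter is assumed to be in the "public" firewall profile.
function Add-VpnFirewallRule {
    param([string]$Name, [string]$Protocol, [int]$LocalPort = 0)
    # Build the argument list explicitly so that an absent localport= is simply
    # omitted rather than passed as an empty argument.
    $argList = @("advfirewall", "firewall", "add", "rule",
                 "name=$Name", "dir=in", "action=allow", "enable=yes",
                 "profile=public", "protocol=$Protocol")
    if ($LocalPort -gt 0) { $argList += "localport=$LocalPort" }
    & netsh $argList
}

# The three filters that must cross the edge for L2TP/IPsec.
Add-VpnFirewallRule -Name "VPN L2TP/IPsec - IKE"   -Protocol udp -LocalPort 500
Add-VpnFirewallRule -Name "VPN L2TP/IPsec - NAT-T" -Protocol udp -LocalPort 4500
Add-VpnFirewallRule -Name "VPN L2TP/IPsec - ESP"   -Protocol 50

# Windows adds its own "Routing and Remote Access" rules when RRAS is installed.
# Keep the L2TP rule, and disable the PPTP and GRE ones if PPTP is not offered,
# so the Internet interface accepts nothing but IPsec-protected traffic.
netsh advfirewall firewall set rule name="Routing and Remote Access (L2TP-In)" new enable=yes
netsh advfirewall firewall set rule name="Routing and Remote Access (PPTP-In)" new enable=no
netsh advfirewall firewall set rule name="Routing and Remote Access (GRE-In)"  new enable=no

# Verify: only the VPN rules above should be enabled and inbound on the public profile.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String "Rule Name:|Enabled:|Profiles:|Protocol:|LocalPort:" |
    Select-String -Context 0,0 "VPN L2TP/IPsec|Routing and Remote Access"
```

If VPN clients sit behind NAT (almost all of them do), the UDP 4500 rule is the one that carries the whole session after the first IKE exchange; an edge filter that allows 500 and ESP but not 4500 lets the tunnel negotiate and then fails on the first data packet.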

For an access-by-user administrative model, you need to set the network access permission to Allow access on the user accounts for those users who will be making VPN connections. For an access-by-policy model, use Network Policy Server (NPS) to create remote access network policies. For more information, see Configure a Remote Access Network Policy.
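The access-by-user model in practice, as an added example (not from the original article): the Network Access Permission on the Dial-in tab is the `msNPAllowDialin` attribute on the user object. This uses the Active Directory module (Windows Server 2008 R2 or RSAT); the account names are assumed. It sets the permission for individual users and, more usefully for least privilege, lists every account that carries an explicit Allow so that stale grants can be reviewed or moved back under NPS policy control:

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module; account names below are assumed placeholders.
Import-Module ActiveDirectory

function Get-VpnDialinPermission {
    # msNPAllowDialin: $true = Allow access, $false = Deny access,
    # not set = Control access through NPS Network Policy.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties msNPAllowDialin |
        Where-Object { $_.msNPAllowDialin -ne $null } |
        Select-Object SamAccountName, @{
            Name = "DialIn"
            Expression = { if ($_.msNPAllowDialin) { "Allow" } else { "Deny" } }
        }
}

function Set-VpnDialinPermission {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][ValidateSet("Allow", "Deny", "Policy")][string]$Mode
    )
    switch ($Mode) {
        "Allow"  { Set-ADUser $SamAccountName -Replace @{ msNPAllowDialin = $true } }
        "Deny"   { Set-ADUser $SamAccountName -Replace @{ msNPAllowDialin = $false } }
        "Policy" { Set-ADUser $SamAccountName -Clear msNPAllowDialin }   # back to NPS policy
    }
}

# Grant one user explicitly, return a departed contractor to policy control,
# then review who still holds an explicit Allow or Deny.
Set-VpnDialinPermission -SamAccountName "jdoe"        -Mode Allow
Set-VpnDialinPermission -SamAccountName "contractor1" -Mode Policy
Get-VpnDialinPermission | Sort-Object DialIn, SamAccountName | Format-Table -AutoSize
```

An explicit Allow bypasses the permission check in NPS network policies (the policy's constraints and settings still apply), which is why the access-by-policy model scales better: group membership in a policy condition is reviewed far more often than a per-user attribute nobody lists.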
