Setup an L2TP Server with Remote Access on Windows Server 2012

Published on: Wed, Oct 7, 2015 at 4:59 am EST

In this guide, I will explain how to setup an L2TP VPN server on Windows Server 2012. The steps presented here build on a previous guide for configuring a PPTP VPN server. Start by reading through that guide, and configure a PPTP VPN server using the Remote Access role. Once you have finished, returned to this guide and you will learn how to turn it into an L2TP VPN.

L2TP is often chosen instead of PPTP as the VPN protocol because PPTP is not secure at all and with a little bit of knowledge about hacking, it can be cracked. L2TP, however, is a lot more secure and therefore it is encouraged to use L2TP for your VPN.

Step 1: Confirming the existing setup

Make sure your existing setup (PPTP) is configured correctly, you can connect to it, and the corresponding services are started. Once you have verified this, continue to the next step.

If there are issues with your VPN, try following the PPTP guide again and deploying Remote Access again.

Step 2: Adding a static IP address pool (optional)

If you'd rather assign static IP addresses to VPN clients, rather than via DHCP, open Routing and Remote Access, right-click your server name and click "Properties". A window with the Routing and Remote Access settings will open. Click the "IPv4" tab, and select "Static address pool" for the address assignment. You can now add IP ranges, such as 10.0.0.1-10.0.0.50. Windows will automatically calculate the number of IP addresses that can be assigned. In this case, it would be 50 addresses. Click "OK" to save the changes.

Step 3: Configuring a preshared key

Aside from a username and password, L2TP requires a preshared key that's the same for all connections. This can be anything, for example MySecureVPN. Everybody will need to enter this preshared key for security. We can add a preshared key by, again, opening Routing and Remote Access, right-clicking the server name and going to "Properties". Go to the "Security" tab and check "Allow custom IPsec policy for L2TP/IKEv2 connection". You can now enter a preshared key. Once entered, click "OK".

You will get a warning that you'll have to restart the Routing and Remote Access service. We can ignore this for now so just click "OK", we'll restart the server later.

Step 4: Blocking PPTP connections

In order to allow L2TP connections, and not PPTP connections, open the Routing and Remote Access program and right-click "Ports" in the sidebar. Click "Properties". Now, you will see a list of available protocols. Double-click "WAN Miniport (PPTP)". In order to block PPTP connections, deselect "Remote access connections (inbound only)". Click "OK" in order to save the changes. Don't close the properties window yet, as we will need to enable L2TP from here.

Step 5: Enabling L2TP connections

Now that we've disabled all PPTP connections, we'll need to enable L2TP connections. Actually, L2TP connections are already enabled, but if you want to configure how many people can simultaneously connect to the VPN, that's possible. All you need to do is double-click "WAN Miniport (L2TP)", and change the maximum ports options. This will determine how many users can simultaneously connect.

Step 6: Restarting the service

In order to be able to use the VPN, we'll need to restart the Routing and Remote Access service now. We can do this by right-clicking our server name, click "Restart" under "All Tasks". This will restart the Routing and Remote Access service.

Step 7: Allowing users to connect

Just like with our PPTP VPN, you will need to allow VPN access for every Active Directory user separately. This can be done by double-clicking an Active Directory user, going to the "Dial-in" tab, and selecting "Allow Access" under "Network Access Permission".

Congratulations! You have now setup your L2TP VPN. Because everything is handled by the same system, all other settings and permissions will be identical to your PPTP VPN.