Setting up L2TP/IPsec in RRAS
sglee asked:
I would like to set up an L2TP VPN using Windows 2012 Server with two network adapter cards:
NIC1: Local 192.168.1.90 NIC2: Public IP 64.xxx.xxx.xxx
I set up RRAS with a pre-shared key for L2TP.
-------------------------- ---------- ----
This is what I found as far as ports/protocols to be opened on both inbound and outbound.
For L2TP:
IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path.
IP Protocol Type=50 <- Used by data path (ESP)
-------------------------- ---------- ----
In Windows Firewall, I opened UDP ports 500, 1701 and 4500 for both Inbound and Outbound.
I created a custom protocol with protocol number 50 ---> I am not sure if I did it right?
Anyway, on my Windows 10 PC, I created an L2TP VPN connection, and when I tried to connect, I got the following error:
"The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer."
Can you help?
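The port list above, expressed as Windows Firewall rules on the RRAS server. This is an added example, not code from the original post; it uses the built-in NetSecurity cmdlets (Windows Server 2012 or later) and the rule names are my own choice. The point of interest is the last rule: ESP is IP protocol 50, not a port, so it is created with `-Protocol 50` and no port at all.

```powershell
# Added example: Windows Firewall rules for an L2TP/IPsec RRAS server.
# Run in an elevated PowerShell session on the RRAS server.
# Rule names ("L2TP-IPsec ...") are assumed; pick whatever suits your naming scheme.

# IKE (UDP 500), NAT-T (UDP 4500) and L2TP (UDP 1701), inbound and outbound
foreach ($port in 500, 4500, 1701) {
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "L2TP-IPsec UDP $port $dir" `
            -Direction $dir -Protocol UDP -LocalPort $port `
            -Action Allow -Profile Any | Out-Null
    }
}

# ESP is IP protocol number 50. -Protocol accepts a number (0-255) as well as
# TCP/UDP, so no "custom protocol" definition is needed and no port is given.
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "L2TP-IPsec ESP $dir" `
        -Direction $dir -Protocol 50 `
        -Action Allow -Profile Any | Out-Null
}

# Verify: the ESP rules must show Protocol 50 with LocalPort "Any",
# and the UDP rules must show their port numbers.
Get-NetFirewallRule -DisplayName 'L2TP-IPsec*' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Direction = $_.Direction
        Protocol  = $portFilter.Protocol
        LocalPort = $portFilter.LocalPort
        Enabled   = $_.Enabled
        Action    = $_.Action
    }
} | Format-Table -AutoSize
```

These rules cover only the firewall side; a blocked port typically shows up as a connection timeout, whereas the "could not negotiate compatible parameters" error quoted above is raised inside the IKE/IPsec negotiation itself (for example a mismatched pre-shared key or NAT-T setting), so the firewall rules should be confirmed first and the IPsec settings checked next.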
ASKER
@Muhammad
do I have to follow both links - elastichosts and spiceworks - or just one of two?
ASKER
@Muhammad
I followed 2nd link - spiceworks - and I was able to connect to the VPN server from iPhone or iPad.
I have a question about "send all traffic" in VPN settings.
When I disabled it and made the VPN connection, I can surf the internet, but "Bytes out:" hardly changes even if I am streaming a movie from youtube.com (please see the screenshot).
When I enabled "send all traffic" and made the VPN connection, I can't surf the internet at all. When I checked the connection status, I see numbers changing in "Bytes in:", but "Bytes out:" does not change much.
Should I enable or disable "send all traffic"?
The whole purpose of setting up VPN server was for travelling people in China to stay connected to our VPN server and surf the internet as Chinese government blocks so many websites.
ASKER
I got it working and it is all good except VPN is only working for domain admin group users.
How can I add an individual domain user who will be connecting to the VPN server without making them "Domain Admins"?
As seen in the screenshot, I added Domain\Domain Users and Domain\VPN Group (which I newly created and added a couple of domain users to), but to no avail.