sglee

asked on
Setting up L2TP/IPsec in RRAS

I'd like to set up an L2TP VPN using Windows 2012 Server with two network adapter cards:
NIC1: Local 192.168.1.90    NIC2: Public IP 64.xxx.xxx.xxx
I set up RRAS with a preshared key for L2TP.

----------------------------------------
This is what I found as far as ports/protocols to be opened on both inbound and outbound.
For L2TP:
IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv1 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=1701 <- Used by L2TP control/data path.
IP Protocol Type=50 <- Used by data path (ESP)
----------------------------------------
In windows firewall, I opened UDP Ports: 500, 1701, 4500 for both Inbound and Outbound.
I created a custom protocol with protocol number 50 ---> I am not sure if I did it right?

Anyway, on my Windows 10 PC, I created an L2TP VPN connection and when I tried to connect, I get the following error:
"The L2TP connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer."

Can you help?
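The port list in the question maps onto four Windows Firewall rules. The following is an added example, not code from the original post, showing how those rules can be created with the built-in NetSecurity cmdlets; the rule display names and the interface alias "Public" for NIC2 are assumptions and should be replaced with the server's real NIC name. The point it demonstrates is that ESP is an IP protocol (number 50), not a UDP/TCP port, so it is passed to -Protocol directly rather than through a port number.

```powershell
# Added example (not from the original post): inbound rules for an L2TP/IPsec RRAS server.
# Assumption: the Internet-facing adapter (NIC2) is named "Public". Scoping the rules to that
# interface keeps the VPN listener off the internal 192.168.1.x side.
$publicNic = "Public"

# IKE (UDP 500) and NAT-T (UDP 4500): the IPsec control path
New-NetFirewallRule -DisplayName "L2TP/IPsec - IKE (UDP 500)" -Direction Inbound `
    -Protocol UDP -LocalPort 500 -Action Allow -InterfaceAlias $publicNic
New-NetFirewallRule -DisplayName "L2TP/IPsec - NAT-T (UDP 4500)" -Direction Inbound `
    -Protocol UDP -LocalPort 4500 -Action Allow -InterfaceAlias $publicNic

# L2TP control/data (UDP 1701): carried inside the IPsec tunnel once it is negotiated
New-NetFirewallRule -DisplayName "L2TP/IPsec - L2TP (UDP 1701)" -Direction Inbound `
    -Protocol UDP -LocalPort 1701 -Action Allow -InterfaceAlias $publicNic

# ESP is IP protocol 50: -Protocol accepts the protocol number, and there is no -LocalPort
New-NetFirewallRule -DisplayName "L2TP/IPsec - ESP (IP proto 50)" -Direction Inbound `
    -Protocol 50 -Action Allow -InterfaceAlias $publicNic

# Verify: show each rule with the protocol/port filter it actually carries
Get-NetFirewallRule -DisplayName "L2TP/IPsec*" |
    ForEach-Object {
        $f = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $f.Protocol; LocalPort = $f.LocalPort }
    } | Format-Table -AutoSize
```

Only inbound rules are shown because the Windows Firewall default outbound action is Allow; matching outbound rules are needed only if that default has been changed to Block on the profile the public adapter uses.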
sglee

ASKER

Out of curiosity, I tested a PPTP connection after adding port 1723 and GRE protocol 47 in Windows firewall, but I am getting an error "The remote connection was denied because the user name and password combination you provided is not recognized or the selected authentication protocol is not permitted on the remote access server".
ASKER CERTIFIED SOLUTION
Muhammad Burhan

This solution is only available to members.
sglee

ASKER

@Muhammad
do I have to follow both links - elastichosts and spiceworks - or just one of two?
sglee

ASKER

@Muhammad
I followed the 2nd link (spiceworks) and I was able to connect to the VPN server from an iPhone or iPad.
I have a question about "send all traffic" in VPN settings.
When I disabled it and made the VPN connection, I can surf the internet, but "Bytes out:" hardly changes even if I am streaming a movie from youtube.com (please see the screenshot).
When I enabled "send all traffic" and made VPN connection, I can't surf the internet at all. When I checked the connection status, I see numbers changing in "Bytes in:", but "Bytes out:" does not change much.
Should I enable or disable "send all traffic"?
The whole purpose of setting up the VPN server was for travelling people in China to stay connected to our VPN server and surf the internet, as the Chinese government blocks so many websites.
sglee

ASKER

I got it working and it is all good, except the VPN is only working for users in the Domain Admins group.
How can I add an individual domain user who will be connecting to the VPN server without making them a "Domain Admin"?
As seen in the screenshot, I added Domain\Domain Users and Domain\VPN Group (which I newly created and added a couple of domain users to), but to no avail.
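The last post asks how to let an ordinary domain user connect without adding them to Domain Admins. Beyond the group condition in the RRAS/NPS network policy, each AD user also carries a per-user dial-in setting (the msNPAllowDialin attribute behind the Dial-in tab in Active Directory Users and Computers), and an explicit "Deny access" there overrides any group membership. The following added example, which is not code from the original thread, shows the least-privilege route: put the user in a dedicated VPN group and make sure the per-user setting defers to the network policy. The group name "VPN Users" and the account "jdoe" are assumed names.

```powershell
# Added example (not from the original thread): grant VPN access through a dedicated group
# instead of Domain Admins. Assumptions: the group "VPN Users" is referenced by the
# "Windows Groups" condition of the RRAS/NPS network policy, and "jdoe" is the user.
Import-Module ActiveDirectory

$vpnGroup = "VPN Users"
$user     = "jdoe"

# 1. Membership in the group the network policy checks
Add-ADGroupMember -Identity $vpnGroup -Members $user

# 2. Per-user dial-in setting: a cleared msNPAllowDialin is the
#    "Control access through NPS Network Policy" option; $false would be a hard deny
#    that wins over group membership, $true an allow that bypasses the policy condition.
Set-ADUser -Identity $user -Clear msNPAllowDialin

# 3. Verify both pieces before retesting the client connection
Get-ADUser -Identity $user -Properties msNPAllowDialin, MemberOf |
    Select-Object SamAccountName,
                  @{ n = "DialIn"; e = { if ($null -eq $_.msNPAllowDialin) { "Via NPS policy" } else { $_.msNPAllowDialin } } },
                  @{ n = "Groups"; e = { ($_.MemberOf | ForEach-Object { ($_ -split ",")[0] -replace "^CN=", "" }) -join "; " } }
```

Keeping the per-user attribute cleared and doing all access decisions in the network policy means revoking VPN access is a single group removal, and no VPN user ever needs Domain Admins rights.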