Following tutorial shows how to setup Windows Server 2016 (single NIC, behind NAT/Firewall) as a L2TP / IPSec VPN Server.

Install Remote Access Role

  • Open Server Manager > Manage > Add Roles and Features and add Remote Access role.
  • On Role Services screen choose only DirectAccess and VPN (RAS).

Enable and Configure Routing and Remote Access

  • Open Server Manager > Tools > Routing and Remote Access
  • Right click on server name and choose Configure Routing and Remote Access.
    • Follow the wizard and choose options Custom Configuration and VPN Access.
  • Right click on server name and choose Properties.
    • General: Leave default settings
    • Security: select "Allow custom IPsec policy for L2TP/IKEv2 connection" and enter your chosen Preshared key.
    • IPv4: Leave default settings (if you have existing DHCP server)
    • Settings in other tabs can left as they are.

Create Active Directory VPN Group

  • Open Active Directory Users and Computers.
  • Create a new security group and add all users that will have permission to connect via VPN.

Create and Configure Remote Access Policy

  • Open  Server Manager > Tools Network Policy Server
  • Open Policies, right click on Network Policies and click on New
  • Configure as follows:
    • Policy name: Allow VPN Access
    • Type of Network Access Server: Remote Access Server (VPN-Dial up)
    • Conditions > Add > Users Groups. Add VPN Users group you created in previously.
    • Specify Access Permission: Access Granted
    • EAP Types: Add Microsoft: Secured password (EAP-MSCHAP v2)
    • Constraints: Setup as required...
    • Complete rest of the wizard and move the policy up to Processing Order: 1

Make registry changes to allow L2TP behind NAT

This registry change needs to be done on the VPN server and all Windows VPN clients:

  • Open regedit.exe
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  • Create a new DWORD 32 type value:
    • NameAssumeUDPEncapsulationContextOnSendRule
    • Data2
      0 - No connection to servers behind NAT (Default).
      1 - Connection where VPN server is behind NAT.
      2 - Connection where VPN server and client are behind NAT.
  •  Reboot computer for changes to take effect.


April 2018
Windows Server Standard 2016



No comments

Leave your comment

In reply to Some User
Captcha Image